This repository is deprecated.

License: CISCO

Isolate an Endpoint with tier-2 Approval

Overview

=> Goal: Trigger this workflow when you suspect that an endpoint is being targeted in an ongoing attack.
=> Input: amp_computer_guid (Cisco Secure Endpoint identifier for a device)

Workflow Steps:

  1. Create an approval request to isolate the target endpoint.
  2. Send a notification to the SOC Webex Space to investigate the target endpoint further.
  3. Wait for approval.
  4. If approved, isolate the endpoint, provided the observable can identify one (e.g. a Cisco Secure Endpoint GUID), and send a notification to the SOC Webex Space.
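The approval gate described in the steps above, as an added Python sketch that is not the workflow's own code or Cisco's: the endpoint URLs follow Cisco's public Secure Endpoint and Webex API docs, but the request shapes, the auth values and the recording transport are assumptions made for this example.

```python
import re
from typing import Callable, Dict, List, Tuple

# Endpoints from Cisco's public Secure Endpoint and Webex API docs; the workflow JSON itself
# is not on this page, so treat the exact request shapes as assumptions.
AMP_ISOLATE = "https://api.amp.cisco.com/v1/computers/{guid}/isolation"
WEBEX_MESSAGES = "https://webexapis.com/v1/messages"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# A transport is any callable (method, url, headers, body) -> HTTP status; inject a real HTTP
# client in production and a recorder in tests so the approval gate can be checked offline.
Transport = Callable[[str, str, Dict[str, str], dict], int]
Call = Tuple[str, str, dict]

def notify_soc(send: Transport, webex_token: str, room_id: str, text: str) -> int:
    """Post a plain-text message to the SOC Webex space (token and room ID from the install steps)."""
    return send("POST", WEBEX_MESSAGES, {"Authorization": f"Bearer {webex_token}"},
                {"roomId": room_id, "text": text})

def isolate_with_approval(guid: str, approver: Callable[[str], bool], send: Transport,
                          amp_auth: str, webex_token: str, room_id: str) -> str:
    """Validate -> notify -> wait for the tier-2 decision -> isolate only on approval."""
    if not GUID_RE.match(guid):
        return "invalid_guid"  # the README's test value 123456789 stops here; nothing is isolated
    notify_soc(send, webex_token, room_id,
               f"Isolation requested for endpoint {guid}; awaiting tier-2 approval.")
    if not approver(guid):
        notify_soc(send, webex_token, room_id, f"Isolation of {guid} was rejected by tier-2.")
        return "rejected"
    status = send("PUT", AMP_ISOLATE.format(guid=guid), {"Authorization": amp_auth},
                  {"comment": "Isolated via SecureX workflow after tier-2 approval"})
    outcome = "isolated" if status == 200 else f"isolation_failed_{status}"
    notify_soc(send, webex_token, room_id, f"Endpoint {guid}: {outcome}.")
    return outcome

def make_recorder(isolate_status: int = 200) -> Tuple[Transport, List[Call]]:
    """Offline transport that records every call instead of sending it."""
    calls: List[Call] = []
    def send(method: str, url: str, headers: Dict[str, str], body: dict) -> int:
        calls.append((method, url, body))
        return isolate_status if method == "PUT" else 200
    return send, calls

if __name__ == "__main__":
    send, calls = make_recorder()
    # Constructed sample GUID; the real value arrives from the Threat Response pivot menu.
    print(isolate_with_approval("11111111-2222-3333-4444-555555555555", lambda g: True,
                                send, "Basic <client-id:api-key>", "<webex-token>", "<room-id>"))
    print([c[0] for c in calls])  # ['POST', 'PUT', 'POST']
```

The recorder lets you assert that no isolation request is ever issued for an invalid GUID or a rejected request, which is the property the approval step exists to guarantee.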

Installation

  1. Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
  2. Click on IMPORT to import the workflow:

  3. Click on Browse and copy-paste the content of the isolate_endpoint_with_approval.json file into the text window.

  4. Click on IMPORT. Open up the workflow after importing it. You will now need to update 2 values, the Webex Access Token and the Webex Room ID (pro-tip: add the Webex Room ID bot to the space you want to use to get the ID):

Note: Please retrieve your Webex key from: https://developer.webex.com/docs/api/getting-started. Please be aware that the personal token from the getting started page only works for 12 hours. Please follow these steps to request a "bot" token: https://developer.webex.com/docs/integrations.

  5. Now it is time to test. Click on RUN in the top right of your window and fill in 2 example values (e.g. observable_type: amp_computer_guid, observable_value: 123456789), and everything should be working now. The workflow will fail because this is not a correct amp_computer_guid, but it lets you test that the workflow runs.

  6. This workflow is a so-called "Response" workflow and can be triggered from the SecureX Threat Response pivot menu when clicking on an amp_computer_guid:

Notes

  • Please test this properly before implementing in a production environment. This is a sample workflow!

Author(s)

  • Christopher van der Made (Cisco)
