Isolate an Endpoint with tier-2 Approval
Overview
=> Goal: Trigger this workflow when you suspect that an endpoint is being targeted in an ongoing attack.
=> Input: amp_computer_guid (Cisco Secure Endpoint identifier for a device)
Workflow Steps:
- Create an approval request to isolate the target endpoint.
- Send a notification to the SOC Webex Space to investigate the target endpoint further.
- Wait for tier-2 approval.
- If approved, isolate the endpoint identified by the observable (e.g. a Cisco Secure Endpoint GUID) and send a notification to the SOC Webex Space.
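The same approve-then-isolate sequence as plain Python, added here as an illustration; it is not the workflow JSON shipped with this repository and is not SecureX orchestration code. It assumes (none of this is stated on the page) that the Secure Endpoint isolation call is `PUT /v1/computers/{connector_guid}/isolation` on the regional API host with HTTP basic auth (client_id:api_key), that Webex notifications go to `POST https://webexapis.com/v1/messages` with a bot bearer token, and that connector GUIDs are UUID-shaped, which is why the page's test value `123456789` is rejected up front instead of failing inside the workflow. The HTTP layer is injected so the sequence can be exercised offline with a fake transport and a scripted approver.

```python
"""Approve-then-isolate workflow as a plain function (added example, not the
repository's workflow JSON). API paths, hosts and auth scheme are assumptions."""
import base64
import json
import re
import urllib.request

# Assumption: Secure Endpoint connector GUIDs are UUID-shaped.
_GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
WEBEX_MESSAGES_URL = "https://webexapis.com/v1/messages"  # assumed Webex messages API
AMP_HOSTS = {  # assumed regional Secure Endpoint API hosts
    "nam": "api.amp.cisco.com",
    "eu": "api.eu.amp.cisco.com",
    "apjc": "api.apjc.amp.cisco.com",
}


def is_connector_guid(value: str) -> bool:
    """Reject obviously bad input (e.g. '123456789') before touching any API."""
    return bool(_GUID_RE.match(value))


def webex_payload(room_id: str, text: str) -> dict:
    """Body for POST /v1/messages: markdown text posted into the SOC space."""
    return {"roomId": room_id, "markdown": text}


def isolation_request(region: str, guid: str, comment: str) -> tuple:
    """(method, url, body) to start isolation; DELETE on the same URL ends it."""
    url = f"https://{AMP_HOSTS[region]}/v1/computers/{guid}/isolation"
    return ("PUT", url, {"comment": comment})


def http_transport(method: str, url: str, headers: dict, body: dict) -> dict:
    """Real transport: JSON over urllib. Same signature as the fake used in tests."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def run_isolation_workflow(guid, region, room_id, approve, send,
                           webex_token, amp_client_id, amp_api_key):
    """Mirror the workflow steps: validate input, notify the SOC space and ask
    for approval, block until the approver answers, isolate only on approval,
    and report the outcome. Returns the ordered list of actions taken."""
    actions = []
    if not is_connector_guid(guid):
        actions.append(("rejected", guid))
        return actions
    webex_hdr = {"Authorization": f"Bearer {webex_token}"}
    basic = base64.b64encode(f"{amp_client_id}:{amp_api_key}".encode()).decode()
    amp_hdr = {"Authorization": f"Basic {basic}"}

    def notify(text):
        send("POST", WEBEX_MESSAGES_URL, webex_hdr, webex_payload(room_id, text))
        actions.append(("notified", text))

    notify(f"Tier-2 approval requested to isolate endpoint `{guid}`; please investigate.")
    if not approve(guid):  # blocks until the tier-2 approver decides
        notify(f"Isolation of `{guid}` was denied.")
        actions.append(("denied", guid))
        return actions
    method, url, body = isolation_request(region, guid, "Isolated by SOC after tier-2 approval")
    send(method, url, amp_hdr, body)
    actions.append(("isolated", guid))
    notify(f"Endpoint `{guid}` has been isolated.")
    return actions


if __name__ == "__main__":
    # Offline demo: a fake transport that just echoes the calls, and an
    # approver that always says yes. Replace with http_transport and a real
    # approval check to run against the live APIs.
    def echo(method, url, headers, body):
        print(method, url, json.dumps(body))
        return {}
    sample_guid = "0123abcd-4567-89ef-0123-456789abcdef"  # constructed value
    for step in run_isolation_workflow(sample_guid, "nam", "ROOM_ID", lambda g: True,
                                       echo, "WEBEX_TOKEN", "CLIENT_ID", "API_KEY"):
        print(step)
```

With `http_transport` and a real approver (for example a function that polls a ticket until tier-2 marks it approved) the function performs the live calls; the order of actions is the point, since isolation is issued only after the approval step returns true.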
Installation
- Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
- Click on IMPORT to import the workflow:
- Click on Browse and copy-paste the content of the isolate_endpoint_with_approval.json file into the text window.
- Click on IMPORT. Open the workflow after importing it. You will now need to update 2 values, the Webex Access Token and the Webex Room ID (pro-tip: add the Webex Room ID bot to the space you want to use to get the ID):
Note: Retrieve your Webex token from: https://developer.webex.com/docs/api/getting-started. Be aware that the personal access token from the getting-started page only works for 12 hours, so for a workflow that runs unattended you need a "bot" token instead; follow these steps to request one: https://developer.webex.com/docs/integrations.
- Now it is time to test: click on RUN in the top right of your window and fill in 2 example values (e.g. `observable_type`: `amp_computer_guid`, `observable_value`: `123456789`). The run will fail because `123456789` is not a real `amp_computer_guid`, but it lets you exercise the workflow end to end.
- This workflow is a so-called "Response" workflow and can be triggered from the SecureX Threat Response pivot menu when clicking on an `amp_computer_guid`:
Notes
- Please test this properly before implementing it in a production environment. This is a sample workflow!
Author(s)
- Christopher van der Made (Cisco)