NOTE: This workflow has been quality assessed and updated on the official SecureX Orchestration repository. You may import it directly from the CiscoSecurity_Workflows GitHub.
This sample workflow retrieves all security events from Meraki for a specific Org ID. It then filters those down to Malware Downloaded and IDS Priority 1 events, sends the details to a Webex Teams space, and creates SecureX sightings and incidents. Please make sure to set the 4 variables ('api key meraki', 'api key webex', 'webex space ID' and 'Meraki Org ID') before running (follow the installation steps to do so). You can also run it on a schedule by enabling a trigger.
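The triage step described above, as an added stand-alone Python example (this is not code from the workflow or from Cisco). It assumes event fields named as in the Meraki appliance security-events API (eventType, priority, disposition, action, blocked) and runs over constructed sample events:

```python
from typing import Any

# Constructed sample payload, shaped like the Meraki security-events API response
# (field names assumed; values are made up, hashes are placeholders).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"ts": "2024-01-10T09:00:00Z", "eventType": "File Scanned", "disposition": "Malicious",
     "action": "allowed", "clientMac": "aa:bb:cc:00:00:01", "fileHash": "<placeholder-sha256>",
     "uri": "http://example.invalid/update.bin"},
    {"ts": "2024-01-10T09:01:00Z", "eventType": "File Scanned", "disposition": "Clean",
     "action": "allowed", "clientMac": "aa:bb:cc:00:00:02", "fileHash": "<placeholder-sha256>"},
    {"ts": "2024-01-10T09:02:00Z", "eventType": "IDS Alert", "priority": "1", "blocked": False,
     "srcIp": "203.0.113.10", "destIp": "10.0.0.5", "message": "MALWARE-CNC beacon (constructed)"},
    {"ts": "2024-01-10T09:03:00Z", "eventType": "IDS Alert", "priority": "3", "blocked": True,
     "srcIp": "203.0.113.11", "destIp": "10.0.0.6", "message": "POLICY-OTHER (constructed)"},
]

# Mapping of Meraki event fields to observable types a SecureX sighting can carry.
OBSERVABLE_FIELDS = (("srcIp", "ip"), ("destIp", "ip"), ("clientMac", "mac_address"),
                     ("fileHash", "sha256"), ("uri", "url"))


def is_high_priority(event: dict[str, Any]) -> bool:
    """Keep only what the workflow escalates: malware downloads and IDS priority 1."""
    kind = event.get("eventType")
    if kind == "File Scanned":                       # "Malware Downloaded" in the dashboard
        return event.get("disposition") == "Malicious"
    if kind == "IDS Alert":
        return str(event.get("priority")) == "1"     # priority is a string in the API
    return False


def triage(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    return [e for e in events if is_high_priority(e)]


def observables(event: dict[str, Any]) -> list[dict[str, str]]:
    """Observables the workflow would attach to the SecureX sighting / casebook entry."""
    return [{"type": otype, "value": event[field]}
            for field, otype in OBSERVABLE_FIELDS if event.get(field)]


def webex_summary(event: dict[str, Any]) -> str:
    """One-line Webex notification text; allowed/unblocked events need attention first."""
    blocked = event.get("action") == "blocked" or event.get("blocked") is True
    state = "blocked" if blocked else "NOT blocked, investigate"
    detail = event.get("message") or event.get("uri") or event.get("fileHash", "")
    return f"[{event.get('ts')}] {event.get('eventType')} ({state}): {detail}"


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(webex_summary(ev), observables(ev))
```

The filter drops the clean file scan and the priority 3 IDS alert, leaving the two events the workflow would post to Webex and turn into sightings.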
Below you can view the current workflow. Please feel inspired to add to it as you see fit. Please always test thoroughly before using in production!
Below you can see the result of the case in SecureX Casebook. Remember, it can also send a Webex Teams message!
Below you can see the result in Webex Teams. Note the URL, which allows the analyst to easily pivot into an investigation in SecureX Threat Response:
Below is a screenshot of the investigation in SecureX Threat Response after clicking on the URL in the Webex Teams notification:
Note: To obtain the threat response API keys, create one here: https://securex.us.security.cisco.com/settings/apiClients. Please change the .us. in the URL to .eu. or .apjc. respectively for the European or Asian instances. It might be that you have these already created; just make sure it has at least the Casebook scope checked. If you are using the EU or APJC instance, you will also need to change the target of the CTRGenerateAccessToken and CTR Create Casebook activities in the workflow. You do this by clicking on the activity and scrolling to the target section. Make sure to do this for all 4 related CTR targets! Here is an example:
Note: To obtain your Meraki API key, please follow these steps: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API
Note: Please retrieve your Webex key from: https://developer.webex.com/docs/api/getting-started. Please be aware that the personal token from the getting started page only works for 12 hours. Please follow these steps to request a "bot" token: https://developer.webex.com/docs/integrations.
Meraki Org ID variable and fill in the Org ID of the Meraki organization that you want to track security events for. More info on this can be found here: https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API#Organizations
Next click on the webex space ID variable. You can create a new space or find an existing one via this link; retrieve the Room ID from: https://developer.webex.com/docs/api/v1/rooms/list-rooms. You can also add the roomid@webex.bot bot to the room: it will send you the roomId in a private message and then remove itself from the room.
Now it is time to test: click on RUN in the top right of your window, and everything should be working now. If not, try troubleshooting by clicking on the activity that is colored red.
DISABLE TRIGGER checkbox. This can be found in the workflow properties in the right menu pane. Note: make sure not to select an activity when looking for the global workflow properties.
Security solutions generate many alerts. The more security solutions an organization buys, the more alerts that are generated. This use case tries to solve a piece of this, giving IT experts more time to focus on high priority tasks.
The sample workflow pulls Meraki security events, picks out the most important ones, and takes action based on them. This allows your security analysts and IT experts to focus squarely on the events that matter and take precise actions with SecureX threat response. It is built on top of the SecureX orchestration feature, which uses a low-to-no-code approach to automation. It also sends Webex Teams alerts and creates a case in SecureX Casebook to notify the security analysts of a new high-priority alert. Have a look at the current workflow below:
This is what the case in SecureX Casebook looks like:
This sample workflow is meant as an example of what is possible, and many options are possible from here. Do you have ServiceNow? Go integrate it by dragging a ServiceNow activity in the workflow!