This repository is deprecated; please follow the main search page or use the ‘Related code repos’ widget on the right side of the current page.

License: CISCO

Cisco SecureX Incident Correlator

Features

  • Correlates sightings into a single incident per target identifier (e.g. hostname, MAC address, etc.).
  • Creates a new incident if the target identifier was not seen before (i.e. no incident was created yet) or if the existing incident for that target identifier was closed.
  • If the incident for that target identifier was closed, it creates a new incident and a relationship to the previous incident.
  • Keeps track of the number of sightings per incident. This number is reported via Webex Teams and is also stored and updated in the incident description.
  • The confidence of the incident is raised as more sightings are added to it.
  • Different response actions can be set based on the number of sightings per incident.
  • This workflow can have multiple modules. The modules trigger this workflow when a sighting is found for an IoC with a target.
  • Currently the Twitter and Generic modules are ready. The RSS feed module is in development. If you have more ideas for modules, please open a GitHub issue or make a GitHub pull request.
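The correlation rules above (one open incident per target identifier, a new incident linked to the previous one once it was closed, a sighting counter that drives confidence and threshold-based response actions) as an added Python model, not code from the workflow itself. The confidence ladder, the threshold values and the in-memory incident list are constructed assumptions standing in for the workflow's JSON definition and the private intel DB.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed confidence ladder and sighting-count thresholds (constructed for this
# example; the real workflow keeps its values in its JSON definition).
CONFIDENCE = ["Low", "Medium", "High"]
RESPONSE_ACTIONS = {1: "notify-webex", 3: "isolate-host"}


@dataclass
class Incident:
    id: str
    target: str                       # target identifier, e.g. hostname or MAC address
    sightings: int = 0
    status: str = "Open"
    related_to: Optional[str] = None  # id of the earlier closed incident, if any
    actions: list = field(default_factory=list)

    @property
    def confidence(self) -> str:
        # Confidence rises with the sighting count and saturates at the top rung.
        return CONFIDENCE[min(self.sightings, len(CONFIDENCE)) - 1]


class Correlator:
    def __init__(self) -> None:
        self.incidents: list = []     # stands in for the private intel DB

    def _find(self, target: str, status: str) -> Optional[Incident]:
        # Newest first, so a reopened target links to its most recent closed incident.
        return next((i for i in reversed(self.incidents)
                     if i.target == target and i.status == status), None)

    def ingest(self, target: str) -> Incident:
        inc = self._find(target, "Open")
        if inc is None:               # unseen target, or its last incident was closed
            prev = self._find(target, "Closed")
            inc = Incident(id=f"INC-{len(self.incidents) + 1}", target=target,
                           related_to=prev.id if prev else None)
            self.incidents.append(inc)
        inc.sightings += 1            # also what the incident description reports
        if inc.sightings in RESPONSE_ACTIONS:   # threshold-based response action
            inc.actions.append(RESPONSE_ACTIONS[inc.sightings])
        return inc

    def close(self, target: str) -> None:
        inc = self._find(target, "Open")
        if inc:
            inc.status = "Closed"
```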

Note: Please test this properly before implementing in a production environment. This is a sample workflow!

Note: Please review the sub directories of this repository for the modules.

Example SecureX incident:

Example Webex notification:

Required Targets and Accounts keys

  • SecureX Access Token
  • SecureX Private Intel DB (uses SecureX Access Token)
  • Webex Teams

Required Atomic Workflows

Setup instructions

  1. Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
  2. Click on Browse, copy and paste the content of the main_workflow.json file into the text window, and click Import. Select Import as a new workflow (clone) if you have a previous version of this workflow and do not want to overwrite it. Alternatively, you can import this from GitHub directly.

Note: It is possible to integrate the workflow with Webex Teams. In order to do that, an API Access Token and a Room ID need to be entered in the config.json file. Please retrieve your key from: https://developer.webex.com/docs/api/getting-started. Then create a dedicated Webex Teams space for these notifications and retrieve the Room ID from: https://developer.webex.com/docs/api/v1/rooms/list-rooms. Please be aware that the personal token from the getting started page only works for 12 hours. Please follow these steps to request a token per request: https://developer.webex.com/docs/integrations.

  3. You will be prompted for some credentials and targets. Please follow the instructions to make sure there are no more orange errors in the workflow, and then click VALIDATE in the top right of the workflow edit pane.

  4. Feel free to add more response actions, based on the number of sightings per incident:

Author(s)

  • Christopher van der Made (Cisco)

Use Case

SecureX orchestration workflow repository

Features

  • SecureX orchestration provides a no-to-low code approach for building automated workflows.
  • This set of workflows correlates sightings into a single incident per target identifier (e.g. hostname, MAC address, etc.).

Example module:


Business Case

This set of workflows allows you to automate part of the threat hunting process and to correlate multiple events into a single incident.

  • Threat hunting is all about gathering data from local/internal monitoring and global intelligence.
  • Threat hunting is a continuous process and a loop.
  • There are many tools, like SecureX, that can help with this.
  • The SecureX API can automate (parts of) this process and help free up precious time for SOC analysts.

Please continue your reading in this SecureX white paper.

Currently there is no DevNet sandbox yet; however, you can try out these SecureX orchestration learning labs:

List of SecureX Learning Labs
