Code ExchangeSearchRepository
This repository is deprecated; please follow the main search page or use the ‘Related code repos’ widget on the right side of the current page.

External Port Scan Blocklist SecureX Orchestration Workflow

In this workflow we will reach out to SWC for Inbound Port Scan Alerts. Once we have the alert we will query SWC again for all the observations about that alert. We create a SecureX Orchestration Approval Request and a Webex Teams Alerts message. In the Webex Teams alert message there will be a redirect link to the SWC Alert page, SecureX Threat Response Investigation prepopulated with all the SWC observables, and the SecureX Orchestration Approval request. The next step is to automate adding the attacker IP address to a network object in CDO, then merging the network object into the Global_Blocklist network group.

Prerequisites:

  1. Cisco Stealthwatch Cloud (SWC) Account (and API key)
  2. Cisco SecureX Account (and API key)
  3. Cisco Webex Teams Account (and API key)
  4. Cisco Defense Orchestrator (CDO) Account (and API key)
    • Network Object created in CDO named Global_Blocklist

https://youtu.be/450wiTWiH1E

Alt text

Installation Steps

Please follow the below steps exactly to get started!

  1. Browse to your SecureX orchestration instance. This wille be a different URL depending on the region your account is in:
  1. Click on IMPORT to import the workflow:

  1. Click on Browse and copy paste the content of the secureX-ext-port-scan-blocklist-wf.json file inside of the text window.

  1. Click on IMPORT.

  2. Next we will need to fill some API keys and details before we can run this workflow.

  3. First let's update SWC_Target. On the main page of Orchestration, go to Targets, select SWC_Target, and change the host to your SWC base url. Please retrieve your base URL by looking at the URL of your SWC portal. For example if your URL was https://acme.obsrvbl.com/v2/#/settings/site/api-credentials, then you would need acme.obsrvbl.com/api/v3/ as your base URL target (SWC_Target).

  1. Next up we will go back into the imported workflow, and we will update the swc_api_key. In the External Port Scan Blocklist Workflow global workflow properties, scroll down to Variables, select the swc_api_key variable, and enter your API key in the Value field and save. Please retrieve your SWC API key by loging in to your SWC portal and generate an API key for your use account. To generate an API key, login to your portal and select Settings > Account Management > API Credentials, from there, you can generate a unique API key. A key is tied to a specfic user account.

Note: make sure not to select an activity when looking for the global workflow properties.

  1. Next we update the cdo_api_key input variable. Select the cdo_api_key variable, and enter your token in the Value field and save.You can generate a CDO API token by logging into your Cisco Defense Orchestrator portal. Go to Settings, General Setting, and generate a token under My Tokens.

  2. Now we need to update the wxt_access_token. Select the wxt_access_token variable, and enter your token in the Value field and save. Please retrieve your Webex key from: https://developer.webex.com/docs/api/getting-started. Please be aware that the personal token from the getting started page only works for 12 hours. Please follow these steps to request a "bot" token: https://developer.webex.com/docs/integrations.

  3. Finally we need to update the wxt_room_id variable. Select the wxt_room_id variable, and enter your Webex Teams room id in the Value field and save. Please retrieve the Webex room ID by creating a new space or finding an existing one via these link: https://developer.webex.com/docs/api/v1/rooms/list-rooms. You can also add the roomid@webex.bot bot to the room and it will send you the roomId in a private message and then remove itself from the room.

  4. Now it is time to test, click on RUN in the top right of your window, and eveyrhting shopuld be working now. If not try troubleshooting by click on the activity that is colored red.

  1. If successful, you should receive a Webex Team Message in the space you configured above similar to the following

  1. As a final step you could choose to enable to scheduled trigger for this workflow. This is recommended, as the workflow only retrieves the security events of the last 5 minutes. By scheduling it, the Security analysts will be updated every hour for potential new malicious activity. To enable the trigger, click on the trigger in the global workflow properties and uncheck the DISABLE TRIGGER checkbox. This can be found in the workflow properties in the right menu pane.

Note: make sure not to select an activity when looking for the global workflow properties.

Notes

  • Please test this properly before implementing in a production environment. This is a sample workflow!
  • The roadmap will include a webhook based trigger, instead of a scheduled run.

Author(s)

  • Ed McNicholas (Cisco)
  • Christopher van der Made (Documentation Only) (Cisco)
View code on GitHub

  • Owner

    eemcnicholas

  • Contributors

    +2Github contributors

  • Categories

  • Programming Languages

  • License

    Other
Related code repos

    Code Exchange Community

    Get help, share code, and collaborate with other developers in the Code Exchange community.View Community
    Disclaimer:
    Cisco provides Code Exchange for convenience and informational purposes only, with no support of any kind. This page contains information and links from third-party websites that are governed by their own separate terms. Reference to a project or contributor on this page does not imply any affiliation with or endorsement by Cisco.