In this workflow we will reach out to SWC for Inbound Port Scan Alerts. Once we have the alert we will query SWC again for all the observations about that alert. We create a SecureX Orchestration Approval Request and a Webex Teams Alerts message. In the Webex Teams alert message there will be a redirect link to the SWC Alert page, SecureX Threat Response Investigation prepopulated with all the SWC observables, and the SecureX Orchestration Approval request. The next step is to automate adding the attacker IP address to a network object in CDO, then merging the network object into the Global_Blocklist network group.
Prerequisites:
Please follow the below steps exactly to get started!
Click on IMPORT.
Next we will need to fill in some API keys and details before we can run this workflow.
First let's update SWC_Target. On the main page of Orchestration, go to Targets, select SWC_Target, and change the host to your SWC base URL. You can find your base URL by looking at the URL of your SWC portal. For example, if your URL was https://acme.obsrvbl.com/v2/#/settings/site/api-credentials, then you would need acme.obsrvbl.com/api/v3/ as your base URL target (SWC_Target).
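The base-URL derivation above, as an added example (not part of the original workflow or Cisco's code): a Python helper that turns a pasted portal URL into the value expected in SWC_Target. The function name is hypothetical, and the https-only and no-embedded-credentials checks are assumptions added here.

```python
from urllib.parse import urlsplit

API_PATH = "/api/v3/"  # path taken from the example on this page


def swc_target_from_portal_url(portal_url: str) -> str:
    """Return '<host>/api/v3/' from a pasted SWC portal URL or bare host."""
    text = portal_url.strip()
    if not text:
        raise ValueError("empty portal URL")
    # urlsplit only populates .hostname when a scheme is present,
    # so a bare host such as 'acme.obsrvbl.com' gets one prepended.
    if "://" not in text:
        text = "https://" + text
    parts = urlsplit(text)
    if parts.scheme != "https":
        raise ValueError(f"expected an https portal URL, got {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials must not be embedded in the URL")
    host = parts.hostname  # lowercased, port and fragment dropped
    if not host or "." not in host:
        raise ValueError(f"no usable hostname in {portal_url!r}")
    # The page's example target has no scheme: host followed by /api/v3/
    return host + API_PATH


if __name__ == "__main__":
    # Constructed sample inputs; the first is the example URL from this page.
    samples = [
        "https://acme.obsrvbl.com/v2/#/settings/site/api-credentials",
        "acme.obsrvbl.com",
        "http://acme.obsrvbl.com/v2/",
    ]
    for sample in samples:
        try:
            print(sample, "->", swc_target_from_portal_url(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```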
Note: make sure not to select an activity when looking for the global workflow properties.
Next we update the cdo_api_key input variable. Select the cdo_api_key variable, and enter your token in the Value field and save. You can generate a CDO API token by logging into your Cisco Defense Orchestrator portal. Go to Settings, General Setting, and generate a token under My Tokens.
Now we need to update the wxt_access_token. Select the wxt_access_token variable, and enter your token in the Value field and save. Please retrieve your Webex key from: https://developer.webex.com/docs/api/getting-started. Please be aware that the personal token from the getting started page only works for 12 hours. Please follow these steps to request a "bot" token: https://developer.webex.com/docs/integrations.
Finally we need to update the wxt_room_id variable. Select the wxt_room_id variable, and enter your Webex Teams room ID in the Value field and save. Please retrieve the Webex room ID by creating a new space or finding an existing one via this link: https://developer.webex.com/docs/api/v1/rooms/list-rooms. You can also add the roomid@webex.bot bot to the room and it will send you the roomId in a private message and then remove itself from the room.
Now it is time to test. Click on RUN in the top right of your window, and everything should be working now. If not, try troubleshooting by clicking on the activity that is colored red.
DISABLE TRIGGER checkbox. This can be found in the workflow properties in the right menu pane. Note: make sure not to select an activity when looking for the global workflow properties.