secureX-swc-wxt-alert-wf
In this workflow we will reach out to Stealthwatch Cloud (SWC) for all alerts. If there are any alerts, we will parse the Alert URL and add it to a Webex Teams message.
Prerequisites:
- Cisco Stealthwatch Cloud (SWC) Account (and API key)
- Cisco SecureX Account (and API key)
- Cisco SecureX Orchestration Module enabled and integrated
- Cisco Webex Teams Account (and API key)
Installation Steps
Please follow the below steps exactly to get started!
- Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
- Click on IMPORT to import the workflow:
- Click on Browse and copy and paste the content of the Stealthwatch Cloud - Webex Teams Alerts.json file into the text window.
- Click on IMPORT.
- Next we will need to fill in some API keys and details before we can run this workflow.
- First let's update SWC_Target. On the main page of Orchestration, go to Targets, select SWC_Target, and change the host to your SWC base URL. Please retrieve your base URL by looking at the URL of your SWC portal. For example, if your URL was https://acme.obsrvbl.com/v2/#/settings/site/api-credentials, then you would need acme.obsrvbl.com/api/v3/ as your base URL target (SWC_Target).
- Next up we will go back into the imported workflow, and we will update the swc_api_key. In the Stealthwatch Cloud - Webex Teams Alerts workflow global workflow properties, scroll down to Variables, select the swc_api_key variable, enter your API key in the Value field and save. Please retrieve your SWC API key by logging in to your SWC portal and generating an API key for your user account. To generate an API key, log in to your portal and select Settings > Account Management > API Credentials; from there, you can generate a unique API key. A key is tied to a specific user account.
Note: make sure not to select an activity when looking for the global workflow properties.
- Now we need to update the wxt_access_token. Select the wxt_access_token variable, enter your token in the Value field and save. Please retrieve your Webex token from: https://developer.webex.com/docs/api/getting-started. Please be aware that the personal token from the getting started page only works for 12 hours. Please follow these steps to request a "bot" token: https://developer.webex.com/docs/integrations.
- Finally we need to update the wxt_room_id variable. Select the wxt_room_id variable, enter your Webex Teams room ID in the Value field and save. Please retrieve the Webex room ID by creating a new space or finding an existing one via this link: https://developer.webex.com/docs/api/v1/rooms/list-rooms. You can also add the roomid@webex.bot bot to the room; it will send you the roomId in a private message and then remove itself from the room.
- Now it is time to test: click on RUN in the top right of your window, and everything should be working now. If not, try troubleshooting by clicking on the activity that is colored red.
- If successful, you should receive a Webex Teams message in the space you configured above, similar to the following:
- As a final step you could choose to enable the scheduled trigger for this workflow. This is recommended, as the workflow only retrieves the security events of the last 5 minutes. By scheduling it, the security analysts will be updated every 5 minutes about potential new malicious activity. To enable the trigger, click on the hyperlink below and uncheck the DISABLE TRIGGER checkbox. This can be found in the workflow properties in the right menu pane.
Note: make sure not to select an activity when looking for the global workflow properties.
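What one scheduled run of this workflow does (query SWC, keep only the last 5 minutes of alerts, turn each into a link, post to the Webex space), as an added Python example; this is not the orchestration workflow's own logic, which lives in the imported JSON. The SWC alert endpoint path, the ApiKey header scheme, the alert record fields and the per-alert portal URL layout are assumptions not stated on this page; the placeholder credentials and the SAMPLE_ALERTS records are constructed.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

SWC_HOST = "acme.obsrvbl.com"      # placeholder tenant host, as in the README example
SWC_API_USER = "<swc-user>"        # placeholder; an SWC API key is tied to one user account
SWC_API_KEY = "<swc-api-key>"      # placeholder; keep it out of source control
WXT_ACCESS_TOKEN = "<bot-token>"   # placeholder bot token (personal tokens expire after 12 hours)
WXT_ROOM_ID = "<room-id>"          # placeholder Webex roomId
WINDOW_MINUTES = 5

SAMPLE_ALERTS = [  # constructed sample records, not real SWC output
    {"id": 101, "created": "2024-01-01T12:03:00Z", "description": "Excessive Access Attempts"},
    {"id": 102, "created": "2024-01-01T11:50:00Z", "description": "Unusual External Server"},
]

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def recent_alerts(alerts, now_iso, window_minutes=WINDOW_MINUTES):
    """Keep only alerts whose 'created' time falls inside the polling window ending at now_iso."""
    cutoff = _ts(now_iso) - timedelta(minutes=window_minutes)
    return [a for a in alerts if _ts(a["created"]) >= cutoff]

def build_message(alerts, host=SWC_HOST):
    """Render the Webex markdown body (header plus one line per alert), or None if nothing is new."""
    if not alerts:
        return None
    lines = [f"**{len(alerts)} new Stealthwatch Cloud alert(s)**"]
    # Assumed portal URL layout for a single alert; adjust to match your tenant's links.
    lines += [f"- {a.get('description', 'alert')}: https://{host}/#/alerts/{a['id']}" for a in alerts]
    return "\n".join(lines)

def fetch_alerts():
    # Assumed endpoint under the /api/v3/ base URL and 'ApiKey user:key' authorization scheme.
    req = urllib.request.Request(f"https://{SWC_HOST}/api/v3/alerts/alert/?status=open",
                                 headers={"Authorization": f"ApiKey {SWC_API_USER}:{SWC_API_KEY}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["objects"]

def post_to_webex(markdown):
    body = json.dumps({"roomId": WXT_ROOM_ID, "markdown": markdown}).encode()
    req = urllib.request.Request("https://webexapis.com/v1/messages", data=body, headers={
        "Authorization": f"Bearer {WXT_ACCESS_TOKEN}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

if __name__ == "__main__":  # run this from a 5-minute scheduler to mirror the workflow trigger
    msg = build_message(recent_alerts(fetch_alerts(), datetime.now(timezone.utc).isoformat()))
    if msg:
        post_to_webex(msg)
```

Because the window is a fixed 5 minutes, an alert is dropped if a scheduled run is skipped; a webhook trigger (on the roadmap below) avoids that gap.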
Notes
- Please test this properly before implementing in a production environment. This is a sample workflow!
- The roadmap will include a webhook based trigger, instead of a scheduled run.
Author(s)
- Ed McNicholas (Cisco)
- Christopher van der Made (Documentation Only) (Cisco)