This repository is deprecated; please follow the main search page or use the ‘Related code repos’ widget on the right side of the current page.

License: CISCO published

swe_anyconnect_amp_securex_orchestration

Workflow of SecureX Action Orchestrator module.
Disclaimer: This workflow must be imported into and run by SecureX Orchestrator.

Author:

  • Hanna Jabbour

Motivation

The goal of this workflow is to trigger a response based on a Stealthwatch Alarm/Event. The alarm is shared from Stealthwatch to Cisco SecureX Incident Manager through the SWE SecureX integration implemented with Stealthwatch version 7.2.1. The incident details are read and parsed by the SecureX Orchestrator; the information extracted includes the source IP of the alarm and the time stamps. This information is then used to extract flows and process hashes from Stealthwatch. The process hashes and IPs are used to provide a response using AMP: the process hash is blocked across the enterprise and the host is isolated.


Scenario

  • Remote or local worker connected to the network.
  • The end device has AnyConnect and AMP for Endpoints installed for endpoint security and connectivity.
  • AnyConnect is integrated with SWE to share process information and flow information.
  • Stealthwatch is monitoring the network end to end.
  • Stealthwatch is integrated with Cisco Threat Response and SecureX Orchestrator.


Workflow steps


  1. A device initiates suspicious behavior (the device is monitored by Stealthwatch and has AMP and AnyConnect installed).
  2. SWE triggers an alarm and sends it to Threat Response as an incident.
  3. SecureX Orchestrator parses the incident details, including the IP and time frame.
  4. SecureX Orchestrator queries Stealthwatch for the flows and process hashes involved in the communication occurring in that time frame from that specific IP.
  5. Find the AMP identifier (GUID) associated with the IP that is the source of the malicious behavior.
  6. Block the process hashes extracted from SWE, using AMP.
  7. Isolate the host with AMP.
  8. Send a message to a Webex Teams room notifying about the endpoint isolation and the process hash blocking.
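The orchestration logic of steps 3 to 8, as an added Python example that is not part of this repository's workflow JSON: it parses a constructed incident, filters the Stealthwatch flow records to the alarmed IP and time window, validates and de-duplicates the SHA-256 process hashes, honours an allow-list of known-good hashes, and emits the AMP block/isolate actions together with the Webex message. The incident schema, the flow record fields and the IP-to-GUID lookup are assumptions; a live workflow obtains them from the SecureX, Stealthwatch and AMP APIs.

```python
import re
from datetime import datetime

# Constructed incident and flow data; a real run reads these from SecureX and Stealthwatch.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def _ts(s):
    # Incident and flow timestamps are ISO 8601 with a trailing Z (assumed format).
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_incident(incident):
    """Step 3: pull the alarmed source IP and the alarm time window out of the incident."""
    return incident["source_ip"], _ts(incident["start_time"]), _ts(incident["end_time"])

def select_hashes(flows, source_ip, start, end, allow_list=frozenset()):
    """Steps 4 and 6: keep SHA-256 process hashes from flows of the alarmed IP inside the window,
    dropping malformed values and allow-listed hashes so a noisy alarm cannot block a shared binary."""
    chosen = set()
    for f in flows:
        if f["src_ip"] != source_ip or not (start <= _ts(f["time"]) <= end):
            continue
        h = f.get("process_hash", "").lower()
        if SHA256_RE.match(h) and h not in allow_list:
            chosen.add(h)
    return sorted(chosen)

def build_plan(incident, flows, guid_by_ip, allow_list=frozenset()):
    """Steps 5 to 8: resolve the AMP connector GUID, then emit block/isolate actions and the message."""
    ip, start, end = parse_incident(incident)
    guid = guid_by_ip.get(ip)  # step 5: IP -> connector GUID (constructed lookup table)
    hashes = select_hashes(flows, ip, start, end, allow_list)
    actions = [{"action": "block_hash", "sha256": h} for h in hashes]
    if guid:
        actions.append({"action": "isolate", "connector_guid": guid})
    status = "host isolated" if guid else "no AMP connector found, host NOT isolated"
    return {"actions": actions,
            "webex_message": f"SWE alarm on {ip}: blocked {len(hashes)} hash(es); {status}"}

# Constructed sample data for a stand-alone run.
INCIDENT = {"source_ip": "10.1.1.5", "start_time": "2021-03-01T10:00:00Z",
            "end_time": "2021-03-01T10:30:00Z"}
FLOWS = [
    {"time": "2021-03-01T10:05:00Z", "src_ip": "10.1.1.5", "process_hash": "a" * 64},
    {"time": "2021-03-01T10:10:00Z", "src_ip": "10.1.1.5", "process_hash": "A" * 64},  # duplicate
    {"time": "2021-03-01T11:00:00Z", "src_ip": "10.1.1.5", "process_hash": "b" * 64},  # outside window
    {"time": "2021-03-01T10:15:00Z", "src_ip": "10.1.1.9", "process_hash": "c" * 64},  # other host
    {"time": "2021-03-01T10:20:00Z", "src_ip": "10.1.1.5", "process_hash": "deadbeef"},  # malformed
    {"time": "2021-03-01T10:25:00Z", "src_ip": "10.1.1.5", "process_hash": "f" * 64},  # allow-listed
]
GUIDS = {"10.1.1.5": "CONNECTOR-GUID-PLACEHOLDER"}
PLAN = build_plan(INCIDENT, FLOWS, GUIDS, allow_list={"f" * 64})
```

Running the block leaves the resulting plan in PLAN; the isolate action is only emitted when a connector GUID was found, and the Webex text says so either way.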


How to use it

Action Orchestration configuration

  • Log into Action Orchestration

  • Click on workflow tab

  • Click on import

  • Import from: "browse"

  • Paste the JSON file content into the text box. First import SWE GetSecurityEvent Details.json, then import Automate SWE AMP trigger.json.

  • Check "import as a new workflow (clone)" only when importing "Automate SWE AMP Trigger.Json".

  • Click on import

  • Once prompted for your AMP credentials, use the API credentials for your AMP environment.

  • Once prompted for your Stealthwatch credentials, use your admin user and password.

  • Now the workflow is imported. You can click on it and modify it.

  • Click on "Webex Teams Post a Message" and include:
