swe_anyconnect_amp_securex_orchestration
Workflow for the SecureX Action Orchestrator module.
Disclaimer: This workflow must be imported into and run from SecureX Orchestrator.
Author:
Motivation
The goal of this workflow is to trigger a response based on a Stealthwatch alarm/event. The alarm is shared from Stealthwatch to Cisco SecureX Incident Manager through the SWE SecureX integration available from Stealthwatch version 7.2.1. SecureX Orchestrator reads and parses the incident details, extracting the source IP of the alarm and the time stamps. This information is then used to pull the flows and process hashes from Stealthwatch; the process hashes and the IP are used to respond through AMP: the process hashes are blocked across the enterprise and the host is isolated.
Scenario
- Remote or local worker connected to the network.
- The end device has AnyConnect and AMP for Endpoints installed for connectivity and endpoint security
- AnyConnect is integrated with SWE to share process and flow information
- Stealthwatch is monitoring the network end to end
- Stealthwatch is integrated with Cisco Threat Response and SecureX Orchestrator.
Workflow steps
- A device exhibits suspicious behavior (the device is monitored by Stealthwatch and has AMP and AnyConnect installed)
- SWE triggers an alarm and sends it to Threat Response as an incident
- SecureX Orchestrator parses the incident details, including the source IP and the time frame
- SecureX Orchestrator queries Stealthwatch for the flows and process hashes involved in the communication from that IP during that time frame
- Find the AMP connector identifier (GUID) associated with the IP that is the source of the malicious behavior
- Block the process hashes extracted from SWE using AMP
- Isolate the host with AMP
- Send a message to a Webex Teams room notifying about the endpoint isolation and the blocked process hashes
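The steps above are implemented as a SecureX Orchestrator workflow, which the page ships as JSON. To make the data handling of those steps inspectable, the following is an added example (not part of the original workflow or of any Cisco code) that walks the same pipeline offline in Python: parse the incident for source IP and time window, select the flows from that IP inside the window and reduce them to a de-duplicated set of well-formed SHA-256 process hashes, resolve the AMP connector GUID for the IP, build the AMP request plan, and compose the Webex Teams message. The incident, flow and computer records are constructed samples, not real Stealthwatch, SecureX or AMP output. The request paths (`/v1/file_lists/{guid}/files/{sha256}`, `/v1/computers/{guid}/isolation`) follow the AMP for Endpoints v1 API as the author of this example recalls it and are built as dictionaries rather than sent; verify them against your AMP API documentation before wiring them into a real workflow.

```python
"""Added example: offline walk-through of the SWE -> AMP response pipeline.

All sample data below is constructed for illustration. The AMP request
paths are assumptions modelled on the AMP for Endpoints v1 API and are
only built here, never sent.
"""
import ipaddress
import re
from datetime import datetime

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed incident, shaped like the fields the workflow parses.
SAMPLE_INCIDENT = {
    "source_ip": "10.20.30.40",
    "start_time": "2020-09-01T10:00:00Z",
    "end_time": "2020-09-01T10:05:00Z",
}

# Constructed Stealthwatch flow records carrying AnyConnect process hashes.
SAMPLE_FLOWS = [
    {"src_ip": "10.20.30.40", "time": "2020-09-01T10:01:00Z", "process_hash": "a" * 64},
    {"src_ip": "10.20.30.40", "time": "2020-09-01T10:02:00Z", "process_hash": "a" * 64},  # duplicate
    {"src_ip": "10.20.30.40", "time": "2020-09-01T10:03:00Z", "process_hash": "B" * 64},  # upper-case
    {"src_ip": "10.20.30.40", "time": "2020-09-01T11:00:00Z", "process_hash": "c" * 64},  # outside window
    {"src_ip": "10.20.30.41", "time": "2020-09-01T10:01:00Z", "process_hash": "d" * 64},  # other host
    {"src_ip": "10.20.30.40", "time": "2020-09-01T10:04:00Z", "process_hash": "not-a-hash"},  # malformed
]

# Constructed result of an AMP computer lookup by internal IP.
SAMPLE_COMPUTERS = [
    {"connector_guid": "11111111-2222-3333-4444-555555555555", "internal_ips": ["10.20.30.40"]},
]


def _parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_incident(incident):
    """Return (source_ip, start, end); reject junk IPs and inverted windows."""
    ip = str(ipaddress.ip_address(incident["source_ip"]))  # raises ValueError on junk
    start, end = _parse_ts(incident["start_time"]), _parse_ts(incident["end_time"])
    if end < start:
        raise ValueError("incident end precedes start")
    return ip, start, end


def select_process_hashes(flows, ip, start, end):
    """Hashes from flows sourced by `ip` within [start, end], normalised and unique.

    Malformed values are dropped: a blocking list should only ever receive
    well-formed SHA-256 strings, never raw text from an upstream record.
    """
    hashes = []
    for flow in flows:
        if flow["src_ip"] != ip or not start <= _parse_ts(flow["time"]) <= end:
            continue
        digest = flow["process_hash"].strip().lower()
        if SHA256_RE.match(digest) and digest not in hashes:
            hashes.append(digest)
    return hashes


def resolve_connector_guid(computers):
    """Exactly one connector must match the IP; an ambiguous match (DHCP reuse, NAT)
    must not lead to isolating the wrong host."""
    if len(computers) != 1:
        raise LookupError(f"expected one connector for the IP, got {len(computers)}")
    return computers[0]["connector_guid"]


def plan_amp_actions(guid, hashes, file_list_guid):
    """Build the AMP requests (assumed v1 paths) without sending them."""
    plan = [
        {"method": "POST", "path": f"/v1/file_lists/{file_list_guid}/files/{h}",
         "body": {"description": "Blocked by SWE alarm workflow"}}
        for h in hashes
    ]
    plan.append({"method": "PUT", "path": f"/v1/computers/{guid}/isolation",
                 "body": {"comment": "Isolated by SWE alarm workflow"}})
    return plan


def webex_message(ip, guid, hashes):
    """Text for the Webex Teams room notification."""
    lines = [f"Host {ip} (AMP connector {guid}) has been isolated.",
             f"{len(hashes)} process hash(es) added to the block list:"]
    lines.extend(f"- {h}" for h in hashes)
    return "\n".join(lines)


def run(incident, flows, computers, file_list_guid):
    """Full pipeline: returns (amp_request_plan, webex_message_text)."""
    ip, start, end = parse_incident(incident)
    hashes = select_process_hashes(flows, ip, start, end)
    guid = resolve_connector_guid(computers)
    return plan_amp_actions(guid, hashes, file_list_guid), webex_message(ip, guid, hashes)


if __name__ == "__main__":
    plan, message = run(SAMPLE_INCIDENT, SAMPLE_FLOWS, SAMPLE_COMPUTERS, "file-list-guid")
    for request in plan:
        print(request["method"], request["path"])
    print(message)
```

Two design points worth carrying into the real workflow: hashes are validated and lower-cased before they ever reach a blocking list, and the GUID lookup refuses to proceed when the internal IP resolves to more than one connector, since isolating the wrong endpoint is worse than a delayed response.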
How to use it
Action Orchestration configuration
- Log into Action Orchestration
- Click on the Workflows tab
- Click on Import
- Import from: "browse"
- Paste the JSON file content into the text box. Import "SWE GetSecurityEvent Details.json" first, then "Automate SWE AMP trigger.json"
- Check "Import as a new workflow (clone)" only when importing "Automate SWE AMP Trigger.Json"
- Click on Import
- When prompted for your AMP credentials, use the API credentials for your AMP environment
- When prompted for your Stealthwatch credentials, use your admin username and password
- The workflow is now imported. You can click on it and modify it
- Click on "Webex Teams Post a Message" and include: