SX-AO

Repository for Cisco SecureX Orchestration Workflows and Atomic Actions

NOTE:
- If you don't have a SecureX Account, please follow the Quick Start Guide.
- Detailed instructions to add iberlinson/SX-AO repositories to you Securex Instance can be found HERE
- How to import a workflow : HERE
- SecureX Orchestration Documentation : HERE

Available Atomics Actions

List and Readme Here*

Available Use Cases (Workflows)

🛎 Cisco Umbrella : Notification on Security Events (Umbrella-Notification-Security-Events)
- Receive a near real time notification in Webex Teams or via Email on a new domain blobked by Umbrella
  - Use SecureX Orchestration to periodically :
    - Get new security event from last check
    - Notify in Webex Teams on new domains blocked seen for the first time in the organization
    - Maintain a statistic table with number of hits for each domain and current notification status
- This workflow can be trigger by a schedule to execute every X minutes
  - Screenshot - Notification Webex
- Use Case and Installations : Detailed informations about the workflow can be found HERE
🔦 Hunt - Search User
- Search for a given user via :
  - Orbital (Account (Monitoring and Logged_In)
  - Secure Endpoint - User Activity (telemetry)
- Notify in Cisco Webex or/and via Email about result
- Create Casebook if user found
  - Screenshot - Notification Webex
- Use Case and Installation : Detailed informations about the workflow can be found HERE
🧽 Cisco Secure EP - Remove Inactive Endpoints
- Cisco Seucre Endpoint : Identify and Remove from computers list endpoints with a last seen over a given number of days (default : 45 days)
  - Include 2-Tiers approval and Notification in Cisco Webex
  - Screenshot - Notification Webex
  - Screenshot - Approval
- Use Case and Installation : Detailed informations about the workflow can be found HERE
TG-Feeds-to-Umbrella-BlockList-2-Tiers-approval
- Download Threat Grid Curated feed and push domain to Cisco Umbrella Destinations Lists.
  - Include 2-Tiers approval and Notification in Cisco Webex
  - Screenshot - Notification Webex
  - Screenshot - Approval
  - Screenshot - Destinations-List
- Use Case and Installation : Detailed informations about the workflow can be found HERE
🛎 RT-Monitoring-SecureEP-Umbrella-Notification-Incident
- Continuous monitoring of Umbrella and/or Secure EP Security events (loop)
- Near real time Incident creation and update (grouped by endpoint hostname, no duplicate event)
- Near real time notification on new or updated incident (no duplicate notification for same event occurring multiple times)
- Statistic tables
  - Screenshot - Notification Webex
  - Screenshot - Incident
- Use Case and Installations : Detailed informations about the workflow can be found HERE

Use Case

SecureX orchestration workflows : TG Feeds to Umbrella BlockList - 2-Tiers Approval

NOTE: This is sample code and needs to be tested properly before using in production!

Periodically check for TG Feed and push domains to Umbrella destinations block list with 2-Tiers approval and notification

Index

Flow

Trigger by an hourly schedule
- Collect current hour TG Feed
- Extract domains in feed
- Get domains list with only unique values
- Notify in Webex Team and Request for approval before adding to block list
- On approval, add each domain to block list

Requirement

Mandatory
- Cisco Umbrella - Management API
- Cisco Malware Analytics Cloud API (AKA Threat Grid)
Optional
- Cisco Webex Token (Bot) - click here to see how you can create a presistent Access Token

Installation steps

Logon to SecureX via: https://sign-on.security.cisco.com/.

NOTE: If you don't have a SecureX Account, please follow the Quick Start Guide.
Go to Menu "Orchestration"
Set up or Verify Targets, Account Keys and Variables

Go to "Account Keys" and create the following account. If it already exists under a different name, use it in step step for "Umbrella target"
- Cisco Umbrella Management API - Account Keys from your Umbrella console
  - Account Key Type set to HTTP Basic Authentication
  - Display Name set to Umbrella_Management_API
  - username: Umbrella Management API : Client ID
  - Password: Umbrella Management API : Secret
  - Authentication option: Basic
Go to "Targets" and create the following accounts. If they already exists under a different display name and you can't rename or duplicate them, you will have to modify Target Criteria in the workflow.
- Cisco Umbrella Management API - Target
  - Target Type set to HTTP Endpoint
  - Display Name set to Cisco Umbrella Management V1
  - No Account Key set to false
  - Default Account keys set to Umbrella_Management_API_
  - Protocol set to HTTPS
  - Host set to management.api.umbrella.com
  - Port set to 443
- Cisco Secure Malware Analytics (Threat Grid)
  - Target Type set to HTTP Endpoint
  - Display Name set to Cisco ThreatGrid
  - No Account Key set to true
  - Protocol set to HTTPS
  - Host set to panacea.threatgrid.com or panacea.threatgrid.eu
  - Port set to 443
- Cisco Webex
  - Target Type set to HTTP Endpoint
  - Display Name set to Webex Teams
  - No Account Key set to true
  - Protocol set to HTTPS
  - Host set to webexapis.com
  - Port set to 443
- Private CTIA (should already exists)
  - Target Type set to HTTP Endpoint
  - Display Name set to Private_CTIA_Target
  - No Account Key set to true
  - Protocol set to HTTPS
  - Host set to private.intel.amp.cisco.com or private.eu.intel.amp.cisco.com
  - Port set to 443
Go to Variables and Create or verify global variables for your TG API and Webex Token
- TG_API
  - Data Type set to Secure String
  - Display Name set to ThreatGrid API
  - Scope set to Global
  - Value set to "YOUR THREATGRID API"
- Webex Token
  - Data Type set to Secure String
  - Display Name set to Webex Bot Token
  - Scope set to Global
  - Value set to "YOUR WEBEX BOT TOKEN"
Go to Variables and verify settings (email) for Task Requestor and Task Approver

Import required Atomic Actions - This step is a pre-requirement to successful import the workflow in step 6

Go to Workflows select "Atomic Actions" and IMPORT Atomoc Actions
- Import the following from Git SX-AO-AtomicActions
  - Webex-Teams-Send-Simple-Adaptive-Card-V2 Link
  - Cisco-Malware-Analytics-TG-Collect-Feed Link
  - Core-Get-List-Table-with-unique-Values Link
- Import the following from Git Cisco Security/Atomics
  - Webex Teams - Search for Room
  - Umbrella - Management V1 - Add Record to Destination List

Import the Workflow

Go to Workflows and IMPORT the following workflow from SX-AO
- TG-Feeds-to-Umbrella-BlockList-2-Tiers-approval Link

Open and edit the imported workflow

Adjust following variables to fit with your needs*
Detection_List_name set to the name of the Umbrella Destinations list to update
Umbrella_Org_ID set to Your Umbrella Org ID got from Umbrella console URL
Webex Room set to the Webex room name used for notification. Remember to add you BOT to this room
TG Feed Name set to one of the following :
- autorun-registry
- banking-dns
- dga-dns
- dll-hijacking-dns
- doc-net-com-dns
- downloaded-pe-dns
- dynamic-dns
- irc-dns
- modified-hosts-dns
- parked-dns
- public-ip-check-dns
- ransomware-dns
- rat-dns
- scheduled-tasks
- sinkholed-ip-dns
- stolen-cert-dns*

Enable and fill the first block Set Variables Tokens
- Variable to update 1 set to Global Variable ThreatGrid API (step3)
- Variable to update 2 set to Global Variable Webex Bot Token (step3)

8. Validate and test the workflow (run)

Enable the Trigger in the workflow if you want the workflow to run automatically every hour.

Author and Contact

Ivan Berlinson (Cisco) - ivberlin@cisco.com