Secure Meter XD (written SMXD) is an automated private security intelligence framework to help automate internal observable judgements to improve alert fidelity and automated response inside of SecureX Orchestrator.
Use cases:
SMXD - Raise Observable judgement
SMXD - Lower Observable judgement
SMXD - Exclude Observable
SMXD - Raise Risk Score v2
SMXD - Lower Risk Score v2
SMXD - Validate Observable Type
SMXD - Get Judgement and Score
SMXD - Create Judgement
Threat Response v2 - Generate Access Token
To start using SMXD in your SecureX environment, here are the steps:
Secure Meter XD can be used manually by clicking on the "Exclude", "Raise" or "Lower" workflows in the SecureX context menu.
Secure Meter XD can also be added to any existing workflow where internal observables are collected or identified. The "Increment" variable can be set from 1 to 5 to represent the criticality of the security event for the identified internal observable. The "Expiration_in_Days" variable sets the expiration time frame of the CTIA Judgement at creation.
If your existing workflow outputs Observables JSON, here is how you can integrate SMXD.
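The integration above consumes an Observables JSON list of {type, value} items plus the "Increment" and "Expiration_in_Days" variables. The following Python is an added example, not SMXD's own code or a SecureX Orchestrator workflow, showing how those inputs can be validated (the "Validate Observable Type" use case) and turned into a CTIA judgement body (the "Create Judgement" use case). The accepted observable types, the Increment-to-severity mapping, the confidence value and the Raise/Lower disposition choice are assumptions; the CTIM disposition codes and the valid_time timestamp format are standard.

```python
import json
from datetime import datetime, timedelta, timezone

# Subset of observable types SecureX Threat Response / CTIA accepts (assumption
# for this example; the page does not list which types SMXD validates).
VALID_OBSERVABLE_TYPES = {"ip", "ipv6", "domain", "hostname", "url", "email", "user",
                          "device", "sha256", "sha1", "md5", "file_name", "file_path"}
# Assumed mapping of the SMXD "Increment" (1-5) onto CTIM severity values.
INCREMENT_TO_SEVERITY = {1: "Low", 2: "Low", 3: "Medium", 4: "High", 5: "High"}
# CTIM disposition codes: 1 Clean, 2 Malicious, 3 Suspicious, 4 Common, 5 Unknown.
DISPOSITIONS = {"raise": (2, "Malicious"), "lower": (1, "Clean")}


def validate_observables(observables_json: str) -> list:
    """Parse a workflow's Observables JSON and keep only well-formed items
    (known type, non-empty string value), as a Validate Observable Type step."""
    valid = []
    for item in json.loads(observables_json):
        if not isinstance(item, dict):
            continue
        otype, value = item.get("type"), item.get("value")
        if otype in VALID_OBSERVABLE_TYPES and isinstance(value, str) and value:
            valid.append({"type": otype, "value": value})
    return valid


def _ctia_time(dt: datetime) -> str:
    """CTIA timestamps are UTC ISO-8601 with millisecond precision and a Z suffix."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_judgement(observable: dict, increment: int, expiration_in_days: int,
                    action: str = "raise", now: datetime = None) -> dict:
    """Build a CTIA judgement body: Increment drives severity (assumed mapping),
    Expiration_in_Days drives valid_time.end_time, action picks the disposition."""
    if not 1 <= increment <= 5:
        raise ValueError("Increment must be between 1 and 5")
    if expiration_in_days < 1:
        raise ValueError("Expiration_in_Days must be at least 1")
    now = now or datetime.now(timezone.utc)
    code, name = DISPOSITIONS[action]
    end = now + timedelta(days=expiration_in_days)
    return {
        "observable": observable,
        "disposition": code,
        "disposition_name": name,
        "severity": INCREMENT_TO_SEVERITY[increment],
        "confidence": "High",  # assumption: SMXD's own confidence value is not on the page
        "source": "SMXD",
        "reason": f"SMXD increment {increment}",
        "valid_time": {"start_time": _ctia_time(now), "end_time": _ctia_time(end)},
    }
```

Malformed items (unknown type, missing value, non-object entries) are dropped rather than passed on, so a judgement is only ever created for an observable Threat Response can actually store.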
The "SMXD - Unit Testing Workflow" can be used to test the SMXD framework.
The "SMXD - Email Report Workflow" can be used to generate and send a daily report by email. The "SMXD - Get informations from indicators" atomic action is required for it.
At the end of each SMXD workflow, an optional response workflow can be added to respond to the threat based on the disposition of the internal observable.
SMXD - Response actions based on disposition v2
The "SMXD - Response actions based on disposition v2" workflow is very flexible and will run even if you do not have a subscription for some of these Cisco response actions.
The workflow comes with pre-configured response actions.
It also includes a section where you can add your own response actions, from a third-party product for example.
These atomic actions are available from the Cisco SecureX Orchestration GitHub repo at https://github.com/CiscoSecurity/sxo-05-security-workflows/tree/Main/Atomics
SWC - Add to watchlist
AMP - Get Connector GUID
AMP - Get Group by Name
AMP - Move Computer to Group
Duo Admin - Get User
Duo Admin - Remove User from Group
Duo Admin - Add User to Group
Duo Admin - Block User by UserID
Azure Graph - Get Access Token
Azure Graph - Get User
https://www.youtube.com/watch?v=asXN3m9fV5U
https://ciscosecurity.github.io/sxo-05-security-workflows/
Please send your comments and suggestions to Kevin (kcouderc@cisco.com) and Alexandre (aargeris@cisco.com)