This repository is deprecated.

Rapid-Threat-Isolation-using-Umbrella-ISE---SecureX-Orchestration-Use-Case

This workflow isolates a compromised host discovered by Cisco Umbrella at the network layer using Cisco ISE. Cisco Umbrella is very effective at protecting against cybersecurity threats on the Internet. It can also discover systems in your network that are already compromised by monitoring C2 (command-and-control) or bot call-backs at the DNS layer.
Once such a call-back is discovered, this workflow fetches the compromised system's IP address and then communicates with Cisco ISE to quarantine the endpoints bound to that IP address.

Requirements:

This workflow requires the following applications:

  • Cisco Umbrella (any package; it must be integrated with the network either via a Virtual Appliance or via API integration with edge devices such as Cisco routers or Meraki MX)
  • Cisco ISE
  • SecureX Remote Appliance
  • Cisco Webex (optional, for receiving alerts about the threat)
  • AMP4E (optional, for casebooks and threat response)

Workflow Steps:

  • Fetch global variables

  • Fetch the last alert from Cisco Umbrella

  • Extract observations from the last alert

  • For the last alert:
    Check whether the alert is new by comparing it with the latest alert time saved in the global variable
    If it is new:

    If the compromised device is internal:
    - Communicate with Cisco ISE to isolate the IP observed in the alert
    - Update the global variables with the value of the current alert time
    - Post a Webex Teams message with a summary and a link to investigate further
    If it is external:
    - Post a Webex Teams message with a summary and a link to investigate further

    If it is not new:
    - Update the global variables with the value of the current alert time
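The branching above can be modelled offline to check that the isolate / notify / update decisions fall out the way the steps describe. The following Python is an added example, not part of this repository's workflow JSON: the alert field names (alertTime, observedIp, domain, category), the RFC 1918 definition of "internal", the ANC policy name and the shape of the ISE ERS ANC apply request body are all assumptions to verify against your own Umbrella and ISE deployment.

```python
import ipaddress
from datetime import datetime
from typing import Optional

# Constructed sample alert. The field names are assumptions; the real payload
# returned by the workflow's "Fetch last alert" step may use different keys.
SAMPLE_ALERT = {
    "alertTime": "2024-01-15T10:32:00Z",
    "observedIp": "10.20.30.40",
    "domain": "www.examplebotnetdomain.com",
    "category": "Command and Control",
}

# Assumed name of the ANC policy configured on ISE for quarantining endpoints.
ISE_POLICY_NAME = "Quarantine"

# "Internal" is taken to mean RFC 1918 space; adapt to your own address plan.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_time(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing Z is mapped to +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_internal(ip: str) -> bool:
    """True when the observed IP falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_new_alert(alert: dict, last_alert_time: Optional[str]) -> bool:
    """New means strictly later than the time saved in the global variable."""
    if last_alert_time is None:
        return True
    return parse_time(alert["alertTime"]) > parse_time(last_alert_time)


def decide_actions(alert: dict, last_alert_time: Optional[str]) -> list:
    """Return the ordered actions the workflow takes for this alert."""
    ip = alert["observedIp"]
    now = alert["alertTime"]
    summary = f"Umbrella {alert['category']} alert: {ip} -> {alert['domain']}"
    if not is_new_alert(alert, last_alert_time):
        return [("update_global", now)]
    if is_internal(ip):
        return [("isolate", ip), ("update_global", now), ("notify", summary)]
    return [("notify", summary)]


def build_ise_quarantine_request(ip: str, policy_name: str = ISE_POLICY_NAME) -> dict:
    """Request body for the ISE ERS ANC apply call (PUT /ers/config/ancendpoint/apply).
    This shape is an assumption about the ERS API; check it against your ISE release."""
    return {
        "OperationAdditionalData": {
            "additionalData": [
                {"name": "ipAddress", "value": ip},
                {"name": "policyName", "value": policy_name},
            ]
        }
    }


def run_once(alert: dict, state: dict, isolate, notify) -> dict:
    """One workflow iteration. `state` stands in for the SecureX global variables;
    `isolate` and `notify` are injected callables so the logic runs offline."""
    for action, arg in decide_actions(alert, state.get("last_alert_time")):
        if action == "isolate":
            isolate(build_ise_quarantine_request(arg))
        elif action == "update_global":
            state["last_alert_time"] = arg
        elif action == "notify":
            notify(arg)
    return state


if __name__ == "__main__":
    calls = []
    final_state = run_once(SAMPLE_ALERT, {}, isolate=calls.append, notify=calls.append)
    print(calls)
    print(final_state)
```

Running the block once with an empty state shows the internal-host path: an ISE quarantine request followed by a Webex summary, with the global variable set to the alert time. Running it again with the same alert only refreshes the saved time, which is what stops the workflow re-isolating the same host on every polling cycle.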

Configuration Steps:

  • Set up the SecureX Remote Connector by installing it in the on-premises network, following the steps at:
    https://ciscosecurity.github.io/sxo-05-security-workflows/remote
  • Make sure the SecureX remote connector is reachable from ISE
  • Set up the Account Keys in SecureX
  • Set up the Target for ISE, which should reference both the remote connector and the account keys
  • Import the workflow code. Go to the file named "code" in this repository; it contains the workflow as JSON, which needs to be copied and then pasted into SecureX Orchestration.
  • Set up the variables as listed below
  • Set up the ISE Targets as shown below
  • Make sure the trigger is attached to the workflow and enabled
  • Click on Validate

Verification:

  • Check that the trigger has started
  • Click on "View runs" to check whether the workflow is running continuously
  • Open the URL https://www.examplebotnetdomain.com
  • You should receive a message on Webex, and a case will be created in the SecureX casebook

Demo

YouTube link

Links to DevNet Learning Labs

SecureX Orchestration
