This repository is deprecated; please follow the main search page or use the ‘Related code repos’ widget on the right side of the current page.

License: CISCO
published

Kenna - SecureX Incident Enrichment Automation

IT operations are still very manual today. Customers are always challenged to maintain system health and improve online security. This workflow demonstrates how Cisco SecureX orchestration can be leveraged to automate vulnerability management.

Features

This workflow periodically checks SecureX incidents for Threat Detected Events from Cisco Secure Endpoint. When an incident is returned, the workflow collects all observations from it and reaches to Kenna Security for vulnerabilities information related to executed malware. If information is returned, the workflow updates the incident in SecureX to document the findings. This workflow is designed to run every 5 minutes on a schedule.

Note: Please test this properly before implementing in a production environment. This is a sample workflow!

Prerequisites

In order to leverage Kenna Security malware intelligence for detected vulnerabilities, Kenna Security VI+ License is required.

Steps

[] Fetch incidents from SecureX

[] For each incident:

[]> Extract the observations and target

[]> Search for the asset in Kenna by IP and fetch its asset ID

[]> Fetch asset risk score, priority and vulnerabilities by asset ID

[]> Find all malware associated with open vulnerabilities matching criteria: malware exploitable, has active new breaches and popular targets. (Kenna Security VI+ License required)

[]> Compare with malware in the SecureX incident. If match found, update the incident with Kenna information. Add tags and notes to Kenna asset to link with the incident.

Required Targets and Target Groups

  • Target Group: Default TargetGroup

  • Targets: CTR_For_Access_Token, Private_CTIA_Target, Kenna_Target

Required Account Keys

  • Account Keys: CTR_Credentials

Required Global Variables

  • Secure String: Kenna - Token

Required Local Variables

  • Update Kenna URL local varilable with your Kenna Security instance domain name (e.g. ..kennasecurity.com) in order to properly construct pivot links for Kenna pages.

Required Atomic Workflows

  • Kenna-GetAssetID
  • Kenna-GetAssetVulnerabilities
  • Kenna-ShowMalwareHashes
  • Kenna-ShowVulnerabilityDefinition
  • Kenna-TagAnAsset
  • Kenna-UpdateAssetNotes

Setup instructions

Configure Global Variables

  1. Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
  1. In the left hand menu, select Variables.

  2. Click New Variable. Data Type - Secure String. Name Kenna - Token.

  3. Provide your Kenna API token.

Note: For more information on Kenna Security APIs, check out API Reference.

Import atomic actions

  1. In the left pane menu, select Workflows. Click on IMPORT to import the workflow:

  1. Click on Browse and copy paste the content of the Kenna-GetAssetID json file file inside of the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.

  1. Repeat step 2 for the rest of Atomic actions: Kenna-GetAssetVulnerabilities, Kenna-ShowMalwareHashes, Kenna-ShowVulnerabilityDefinition, Kenna-TagAnAsset, Kenna-UpdateAssetNotes.

Import main workflow

  1. In the left pane menu, select Workflows. Click on IMPORT to import the workflow.

  2. Click on Browse and copy paste the content of the Kenna-SecureXIncidentsEnrichmentWF file inside of the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.

  3. Go to My Workflows and open the main workflow Kenna - SecureX Incidents Enrichment. In the properties on the right hand-side, find section Triggers. You will see that the status is - Disabled. Click on the name of the Trigger and change the status to Enabled.

Notes

  • Please test this properly before implementing in a production environment. This is a sample workflow!
  • In order to leverage Kenna Security malware intelligence for detected vulnerabilities, Kenna Security VI+ License is required.

Author(s)

  • Oxana Sannikova, Security Technical Solutions Architect (Cisco)

Use Case

Kenna - SecureX Incident Enrichment Automation

IT operations are still very manual today. Customers are always challenged to maintain system health and improve online security. This workflow demonstrates how Cisco SecureX orchestration can be leveraged to automate vulnerability management.

Watch a demo of this use case here!

Watch a demo of this use case here!

Features

This workflow periodically checks SecureX incidents for Threat Detected Events from Cisco Secure Endpoint. When an incident is returned, the workflow collects all observations from it and reaches to Kenna Security for vulnerabilities information related to executed malware. If information is returned, the workflow updates the incident in SecureX to document the findings. This workflow is designed to run every 5 minutes on a schedule.

SecureX orchestration workflow repository

  • SecureX orchestration provides a no-to-low code approach for building automated workflows.
  • These workflows can interact with various types of resources and systems, whether they’re from Cisco or a third-party.
  • This repository contains atomic actions and workflows that can be imported into SecureX orchestration as well as a variety of documentation.

Atomic Actions

  • Atomic actions are self-contained workflows that are similar to a function in traditional programming.
  • They can consume input, perform various actions, and then return output.
  • They’re designed to be portable, re-usable, and make building workflows more efficient.

Workflows

  • Workflows are the larger component of orchestration and are similar to a script in traditional programming.
  • A workflow can be simple and only have a few actions or be complex and string together many different actions for different products.

Business Case

Service-oriented orchestration provides the agility to model and act on IT services. These features make creating orchestration active and dynamic, and allow for:

  • Defining new, higher-level services in the system, and deploy new services quickly.
  • In real-time, after these new types of services have been defined, creating real-time instances of those new services.
  • Using events to watch for patterns in these services, enabling policy-driven automation.
  • Service-oriented Orchestration combines several industry trends to synthesize a fresh approach to orchestration:

Please continue your reading in this SecureX white paper.

Currently there is no DevNet sandbox yet, however you can find all options to try out SecureX orchestration here!

List of SecureX Learning Labs

Solutions on Ecosystem Exchange

Please check out related solutions on DevNet Ecosystem Exchange.

View code on GitHub

Code Exchange Community

Get help, share code, and collaborate with other developers in the Code Exchange community.View Community
Disclaimer:
Cisco provides Code Exchange for convenience and informational purposes only, with no support of any kind. This page contains information and links from third-party websites that are governed by their own separate terms. Reference to a project or contributor on this page does not imply any affiliation with or endorsement by Cisco.