Use case: Reducing risk from vulnerabilities in your infrastructure through highly automated, risk-prioritized detection and response.
This workflow pulls critical vulnerabilities discovered on critical assets from the Kenna risk-based vulnerability management system, limited to those for which a fix is available. For each fix, a ServiceNow ticket is created to kick off remediation. The workflow then queries Cisco Secure Firewall for existing Snort 3 rules that detect those CVEs. Upon approval from a Security Analyst, the Snort rules are enabled automatically in Cisco Secure Firewall to provide protection while the Patch Management Team works on a plan to remediate the vulnerabilities on the critical assets.
The following system atomics are used by this workflow:
Kenna - Get All Fixes
Kenna - Search Vulnerabilities
SecureX - SSE Proxy - Send Request
The following atomic actions must be imported before you can import this workflow:
ServiceNow - Create Incident (CiscoSecurity_Atomics)
Service Now - Add Work Note to Incident (CiscoSecurity_Atomics)
The targets and account keys listed at the bottom of the page
ServiceNow
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
CTR_API | HTTP Endpoint | Protocol: HTTPS, Host: visibility.amp.cisco.com, Path: /iroh | None | Created by default |
Kenna_Target | HTTP Endpoint | Protocol: HTTPS, Host: api.kennasecurity.com, Path: None | None | |
ServiceNow | HTTP Endpoint | Protocol: HTTPS, Host: <instance>.service-now.com, Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
SXO Webhook Target | HTTP Endpoint | Protocol: HTTPS, Host: securex-ao.us.security.cisco.com, Path: /webhooks/ | None | Refer to documentation for more information about configuring webhooks |
Account Key Name | Type | Details | Notes |
---|---|---|---|
SecureX Token | Bearer Token | Created by default | |
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID, Password: ServiceNow Password | |
FMC Rules Override with Approval Request
Set the API Token local variable (or, if you already have an API key in a global variable, set the local variable to the global's value using the Fetch Global Variables group at the beginning of the workflow).
Set the Kenna Instance URL local variable to the URL of your Kenna instance (for example: customer.kennasecurity.com).
Set the Risk Meter Group ID local variable to the ID of the risk meter group you want the workflow to process. You can get this by viewing the group in your Kenna console and looking at the page URL. The group ID is the value after search_id=. For example, in this URL the group ID is 123456: /explore?search_id=123456&name=....
Set the Risk Score Threshold local variable to the minimum risk score you want the workflow to process. Anything with a risk score less than this value will be ignored.
Set the FMC Domain UUID, FMC Device ID and FMC Policy ID local variables to configure the FMC digital patching capability.
Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, be a different user.
Set the Ticket Limit local variable to the maximum number of ServiceNow tickets you want the workflow to create per execution.
For more information about working with SecureX Orchestration, please visit the following DevNet Learning Lab.
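The selection logic described above (filter by Risk Score Threshold, keep only vulnerabilities with an available fix, one ticket per fix, capped by Ticket Limit, and the Risk Meter Group ID read from the search_id= URL parameter) can be checked offline before the workflow runs against a live Kenna tenant. The following is an added example written for this page, not code from the workflow or from Cisco; the record field names (risk_meter_score, fix_id, asset_id) and the sample data are constructed assumptions, not a description of the Kenna API.

```python
"""Stand-alone simulation of the workflow's vulnerability-to-ticket selection.

Added example, not part of the workflow. Field names and sample records are
constructed assumptions; the real Kenna atomics return their own schema.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample of what "Kenna - Search Vulnerabilities" might return for
# one risk meter group. CVE ids and scores are made up for illustration.
SAMPLE_VULNS = [
    {"id": 1, "cve_id": "CVE-EXAMPLE-0001", "risk_meter_score": 95, "fix_id": 10, "asset_id": 100},
    {"id": 2, "cve_id": "CVE-EXAMPLE-0001", "risk_meter_score": 90, "fix_id": 10, "asset_id": 101},
    {"id": 3, "cve_id": "CVE-EXAMPLE-0002", "risk_meter_score": 80, "fix_id": 11, "asset_id": 100},
    {"id": 4, "cve_id": "CVE-EXAMPLE-0003", "risk_meter_score": 40, "fix_id": 12, "asset_id": 102},
    {"id": 5, "cve_id": "CVE-EXAMPLE-0004", "risk_meter_score": 99, "fix_id": None, "asset_id": 103},
]

# Constructed sample of what "Kenna - Get All Fixes" might return, keyed by fix id.
SAMPLE_FIXES = {
    10: {"id": 10, "title": "Vendor patch A", "cves": ["CVE-EXAMPLE-0001"]},
    11: {"id": 11, "title": "Vendor patch B", "cves": ["CVE-EXAMPLE-0002"]},
    12: {"id": 12, "title": "Vendor patch C", "cves": ["CVE-EXAMPLE-0003"]},
}


def risk_meter_group_id(url: str) -> int:
    """Return the search_id value from a Kenna explore URL, as the setup text describes."""
    values = parse_qs(urlparse(url).query).get("search_id")
    if not values or not values[0].isdigit():
        raise ValueError("URL has no numeric search_id parameter")
    return int(values[0])


def select_fixes(vulns, fixes, risk_score_threshold):
    """Group vulnerabilities at or above the threshold by their available fix.

    Returns a list of (fix_id, [vulns]) ordered most severe first, so that a
    ticket limit drops the lowest-risk fixes rather than arbitrary ones.
    """
    by_fix = {}
    for v in vulns:
        if v["risk_meter_score"] < risk_score_threshold:
            continue  # below Risk Score Threshold: ignored
        if v["fix_id"] is None or v["fix_id"] not in fixes:
            continue  # no fix available: nothing to hand to Patch Management
        by_fix.setdefault(v["fix_id"], []).append(v)
    return sorted(by_fix.items(),
                  key=lambda kv: -max(x["risk_meter_score"] for x in kv[1]))


def build_tickets(vulns, fixes, risk_score_threshold, ticket_limit):
    """Produce the ServiceNow ticket payloads the workflow would create, one per fix."""
    tickets = []
    for fix_id, group in select_fixes(vulns, fixes, risk_score_threshold):
        if len(tickets) >= ticket_limit:
            break  # Ticket Limit reached for this execution
        cves = sorted({v["cve_id"] for v in group})
        assets = sorted({v["asset_id"] for v in group})
        tickets.append({
            "short_description": f"Remediate {fixes[fix_id]['title']} ({', '.join(cves)})",
            "fix_id": fix_id,
            "cves": cves,      # the CVE list later used for the Snort 3 rule lookup
            "assets": assets,  # the critical assets the fix applies to
        })
    return tickets


if __name__ == "__main__":
    gid = risk_meter_group_id("https://customer.kennasecurity.com/explore?search_id=123456&name=Critical")
    print("risk meter group:", gid)
    for t in build_tickets(SAMPLE_VULNS, SAMPLE_FIXES, risk_score_threshold=70, ticket_limit=5):
        print(t["short_description"], "assets:", t["assets"])
```

With the constructed data and a threshold of 70, vulnerability 4 is dropped by the threshold and vulnerability 5 is dropped for having no fix, leaving two tickets (fix 10 covering two assets, then fix 11); lowering Ticket Limit to 1 keeps only the highest-risk fix.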
Please test this properly before implementing in a production environment. This is a sample workflow!
Owner: Oxana Sannikova (osanniko@cisco.com)
Products: Cisco XDR