This SecureX orchestration workflow looks for new SecureX Threat Response incidents and creates a ServiceNow incident for each one found.
The URL will be different depending on the region your account is in:
Note: We used a free developer ServiceNow instance to test this orchestration workflow.
In SecureX Orchestration, go to the Targets section in the left-hand side menu, select New Target, choose the HTTP Endpoint target type and apply the configuration according to the screenshot below.
Note: CTR_API and CTR_For_Access_Token are the standard targets that are pre-configured in SecureX orchestration out of the box.
Go to the Account Keys section in the left-hand side menu, select New Account Key, choose the HTTP Basic Authentication account key type and configure the key according to the screenshot below.
In order to send notifications via Webex Teams, the target needs to be configured to reach its API. In SecureX Orchestration, go to Targets in the left-hand side menu, select New Target, and apply the configuration according to the screenshot below.
Make sure the display name of the target matches exactly (Webex Teams).
It is assumed that the Webex Teams Room for notifications will be created in advance (see the prerequisites section).
Create a Teams Room and add all necessary people. SXO will need to know the Room ID in order to send notifications. The easiest way to find it is to add roomid@webex.bot to your room; it will reply to you with a private message containing the Room ID.
The RoomID bot is developed by Cisco to assist developers with obtaining Room ID information.
In SecureX orchestration, in the menu on the left, choose Variables -> Global Variables -> New Variable.
Create a new variable of string type with a unique display name (e.g. "SXO Notifications Space"), paste the Room ID as the value and click Submit.
In order to send the Webex Teams messages, you have two options:
An SXO workflow is represented by a file in JSON format that contains the definitions and descriptions of all the activities, targets, variables and atomic workflows that are in use. In the SecureX orchestration left-hand side menu, go to Workflows -> Atomic Actions -> Import -> Browse and import the atomic workflows.
Note: Refer to documentation for more information about workflow import options: https://ciscosecurity.github.io/sxo-05-security-workflows/importing
In the SecureX orchestration left-hand side menu, go to Workflows -> My Workflows -> Import -> Browse and import the workflow called sxo-santa-tracker-workflow.
You will be presented with the following warning:
Don't get scared and click "Update" :)
Copy your personal Webex API Token or your Bot's API Token into the VALUE field. This is a Secure String variable and it will be stored securely in SXO.
You should see the new workflow being added to the list. Click on the workflow when the import is complete.
If the import was successful, you should see zero warnings at the top of the workflow canvas.
As the workflow progresses, you should see activities turning green. Don't be alarmed if some activities turn red; this is expected behavior.
You can return to information about previous runs by clicking VIEW RUNS inside the workflow or by going to Runs in the left-hand side menu.
Please test this properly before implementing in a production environment. This is a sample workflow!
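For a dry run outside SXO, the sketch below builds (without sending) the two requests this kind of workflow issues: a ServiceNow incident creation using HTTP Basic authentication and a Webex message to the notification room. It is an added example, not the workflow's own logic; the sample incidents, the field mapping, the de-duplication by incident ID, and the instance URL and credentials are assumptions or placeholders.

```python
import base64
import json
import urllib.request

# Constructed sample incidents: IDs, titles and statuses are made up.
SAMPLE_INCIDENTS = [
    {"id": "incident-0001", "status": "New", "title": "Suspicious PowerShell activity"},
    {"id": "incident-0002", "status": "Open", "title": "Case already being worked"},
    {"id": "incident-0003", "status": "New", "title": "Incident that already has a ticket"},
]

def new_incidents(incidents, ticketed_ids):
    """Keep incidents that are still 'New' and have no ServiceNow ticket yet."""
    return [i for i in incidents
            if i.get("status") == "New" and i["id"] not in ticketed_ids]

def _post(url, auth_header, body):
    """Build (but do not send) a JSON POST request."""
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": auth_header, "Content-Type": "application/json"})

def build_snow_request(instance_url, user, password, incident):
    """Request that creates the ServiceNow incident, using HTTP Basic auth."""
    if not instance_url.startswith("https://"):
        # Basic auth is only base64-encoded, so refuse to send it over plain HTTP.
        raise ValueError("ServiceNow target must use HTTPS")
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    fields = {  # assumed field mapping, not taken from the workflow
        "short_description": "[SecureX] " + incident["title"],
        "correlation_id": incident["id"],  # ties the ticket to its source incident
    }
    url = instance_url.rstrip("/") + "/api/now/table/incident"
    return _post(url, "Basic " + creds, fields)

def build_webex_request(api_token, room_id, incident):
    """Request that posts the notification to the Webex room."""
    body = {"roomId": room_id,
            "markdown": f"ServiceNow incident created for **{incident['title']}**"}
    return _post("https://webexapis.com/v1/messages", "Bearer " + api_token, body)

if __name__ == "__main__":
    # Placeholder instance URL and credentials; nothing is sent over the network.
    for inc in new_incidents(SAMPLE_INCIDENTS, ticketed_ids={"incident-0003"}):
        req = build_snow_request("https://example.service-now.com", "svc_sxo", "placeholder", inc)
        print(req.get_method(), req.full_url, req.data.decode())
```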
Oxana Sannikova (Cisco)