This repository is deprecated.

Problem Statement

Currently, to update a Simple Custom Detection (SCD) SHA-256 block list, the MSSP partner must log in to each tenant's Secure Endpoint (AMP) instance and perform the configuration manually for each customer. For example, imagine doing this procedure for 200+ Secure Endpoint tenants. This could also be done via the API, but it requires multiple POSTs (one per tenant). This does not scale well and impacts the efficiency of MSSP operations staff, and thereby the partner's service revenue margins. Secondarily, it creates additional work to build multiple integrations with different MSSP third-party platforms.

Key Customer/Partner outcomes:

Automation improves operational efficiency from hours to seconds. This particular workflow can also be leveraged for similar tasks such as Application Block Lists. It is a simple starting framework for other use cases that require a common action across multiple MSSP Secure Endpoint customers. It also provides a framework for SecureX threat response capabilities for investigating and remediating threats across multiple customers "simultaneously" via the response context menus.

Pre-Requisites

  • Acquire each tenant's (customer's) API keys from the Secure Endpoint MSSP Console.
  • Use the Copy-ADD-AMP-MSSP-CREDS.json workflow to add the Secure Endpoint customer tenant API keys to the Target Group.
  • Configure each tenant customer with an Outbreak Control Blocklist (Simple Custom Detection) using a common name across all tenant customers (e.g. MSSP_SOC_BLOCK).
    [Image: OutbreakControl]
  • Add the commonly named Outbreak Control Simple Custom Detection list to the relevant Computer group policies in each tenant customer.
    [Image: CustomerPolicy]

Workflow Operation

Loop through each MSSP customer and do the following:

  1. Get all Simple Custom Detection (SCD) lists.
  2. Create a table with each SCD list's name and GUID.
  3. Select the table entry whose name is "MSSP_SOC_BLOCK" and extract its list GUID.
  4. Update the customer's SCD list with that GUID (named MSSP_SOC_BLOCK) with the input SHA-256 value.
  5. Verify that the input SHA-256 is contained in the SCD list named "MSSP_SOC_BLOCK".
  6. Create a table of successful and failed updates for each customer.
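
The same per-tenant loop rendered as a Python script, added here as an example; it is not the workflow's own code. It assumes the Secure Endpoint v1 file_lists endpoints (list SCDs, add a SHA-256 to a list, read a SHA-256 back) with HTTP Basic auth of client_id:api_key, and the `fake_tenant` stand-in is constructed so the loop can be run offline; `tenant_client`, `block_hash_for_tenant` and `block_hash_everywhere` are names chosen for this example.

```python
import base64, json, re, urllib.error, urllib.request

LIST_NAME = "MSSP_SOC_BLOCK"  # must be identical in every tenant (see Notes)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def tenant_client(base_url, client_id, api_key):
    """HTTP Basic client for one tenant: http(method, path) -> (status, json body)."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    def http(method, path):
        req = urllib.request.Request(base_url + path, method=method,
                                     headers={"Authorization": "Basic " + token})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:  # 4xx/5xx become a status, not an exception
            return err.code, {}
    return http

def block_hash_for_tenant(http, sha256):
    """Workflow steps 1-5 for one tenant; returns (ok, guid_or_reason)."""
    status, body = http("GET", "/v1/file_lists/simple_custom_detections")
    if status != 200:
        return False, f"could not list SCDs: HTTP {status}"
    # steps 1-3: name -> GUID table, then pick the common list by name
    guid = {s["name"]: s["guid"] for s in body.get("data", [])}.get(LIST_NAME)
    if guid is None:
        return False, f"no SCD list named {LIST_NAME}"
    http("POST", f"/v1/file_lists/{guid}/files/{sha256}")             # step 4
    status, _ = http("GET", f"/v1/file_lists/{guid}/files/{sha256}")  # step 5: read back
    return (True, guid) if status == 200 else (False, f"verify failed: HTTP {status}")

def block_hash_everywhere(tenants, sha256):
    """Step 6: loop over {tenant_name: http} and return (success, failed) tables."""
    sha256 = sha256.strip().lower()
    if not SHA256_RE.match(sha256):  # reject anything that is not a SHA-256 digest
        raise ValueError("input is not a SHA-256 hex digest")
    success, failed = {}, {}
    for name, http in tenants.items():
        ok, detail = block_hash_for_tenant(http, sha256)
        (success if ok else failed)[name] = detail
    return success, failed

def fake_tenant(lists):  # constructed in-memory tenant so the loop runs offline
    files = set()
    def http(method, path):
        if path.endswith("/simple_custom_detections"):
            return 200, {"data": [{"name": n, "guid": g} for n, g in lists.items()]}
        key = tuple(path.split("/")[3::2])  # (guid, sha256) from the request path
        if method == "POST":
            files.add(key)
        return (201 if method == "POST" else 200, {}) if key in files else (404, {})
    return http
```

A tenant that lacks the commonly named list lands in the failed table without any POST being attempted, which is the failure mode the Notes section warns about.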

[Image: MSSP_SOC_BLOCK_Workflow]

Required Global Variable

Create the Global Variable for MSSP customer credentials using Copy-ADD-AMP-MSSP-CREDS.json, which aggregates the MSSP customer API account keys used in this workflow.

Required Targets

  • AMP Target
  • AMP MSSP Target Group, which contains all MSSP customer targets

Required Account Keys

  • Account keys for each individual AMP-MSSP Customer
  • Global MSSP Account Keys

Setup Information

Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:

Import both workflows.

  • Copy-ADD-AMP-MSSP-CREDS.json
  • AMP MSSP Customer Block List.json

Running Workflow

  • SecureX Orchestration directly
    [Image: SXO_RUN]

  • Threat Response context menu in SecureX Threat Response
    [Image: SX_CTR]

  • SecureX browser plug-in
    [Image: SX_BROWSER]

  • Secure Endpoint Customer/Tenant console
    [Image: ENDPOINT_CONSOLE]

Notes

  • In this workflow the SCD list is named "MSSP_SOC_BLOCK"; any name could be used, but it must be identical across all customers for the workflow to succeed.
