thousand-eyes-securex-response
Cisco ThousandEyes response workflow for SecureX
This SecureX response workflow allows users to right click on domain and url observable from Cisco SecureX threat response and check whether they are reachable from ThousandEyes endpoint agents. This is important for multiple reasons. First of all, an analyst can check whether a potential harmfull destination is reachable, and thus can cause a threat (e.g. a Command&Control server). Second it can also be used to verify the policy enforcement across your organization. Cisco ThousandEyes can for example be used to verify a domain block in Cisco Umbrella, offering a good SASE use case. Obviously there are more use cases that this is usefull for.
Features
- Searches for group_id of agents to start instant test from;
- Creates HTTP instant endpoint test for agents (with earlier queried group_id) to verify of domain is reachable;
- If domain/URL is reachable it will send a Webex Teams notifaction to warn that policy is not enforced;
- Vice versa, if domain/URL is not reachable, it will send a confirmation via Webex Teams that policy is enforced.
Note: Please test this properly before implementing in a production environment. This is a sample workflow!
Required Targets
- Webex Teams
- ThousandEyes (api.thousandeyes.com)
Required Account Keys
- Webex Teams Token (stored as Secure String in workflow variables)
- ThousandEyes (Basic Auth: username and secret, associated with target)
Required Global Variables
- ThousandEyes_group_id
Required Atomic Workflows
- Webex Teams - Post Message to Room
Setup instructions
- Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
- US: https://securex-ao.us.security.cisco.com/orch-ui/workflows/
- EU: https://securex-ao.eu.security.cisco.com/orch-ui/workflows/
- APJC: https://securex-ao.apjc.security.cisco.com/orch-ui/workflows/
Import main workflow
-
In the left pane menu, select Workflows. Click on IMPORT to import the workflow.
-
Click on Browse and copy paste the content of the workflow.json file inside of the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.
-
After importing, please make sure that you update the account keys for the ThousandEyes target.
-
Also, please fill in the Webex Token as workflow variable. The best option for this is a Webex bot, since the token will then not expire.
Note: If you prefer to use a different chat app, please change the last activities of the workflow to your liking.
- You will also need a groupId of the set of ThousandEyes agents you want to run the test from. There is a skipped group in the workflow that you can use to find this ID, and then set it as global variable. Enter the group name as workflow variable and unskip this to find the ID. After running once you can skip the group again.
- If you know the ID already you can also directly set it as global variable:
Usage
You may use the response action via the drop down menu in SecureX threat response like so:
This will result in the following type of notifications in Webex Teams:
Notes
- Please test this properly before implementing in a production environment. This is a sample workflow!
- In a future version enterprise agents will be added.
Author(s)
- Christopher van der Made (Cisco)
- Primoz Secnik Kolman (Cisco)
Use Case
Cisco ThousandEyes response workflow for SecureX
- SecureX orchestration provides a no-to-low code approach for building automated workflows.
- These workflows can interact with various types of resources and systems, whether they’re from Cisco or a third-party.
- This repository contains a workflow that can be imported into SecureX orchestration.
Business Case
This SecureX response workflow allows users to right click on domain and url observable from Cisco SecureX threat response and check whether they are reachable from Cisco ThousandEyes endpoint agents. This is important for multiple reasons. First of all, an analyst can check whether a potential harmfull destination is reachable, and thus can cause a threat (e.g. a Command&Control server). Second it can also be used to verify the policy enforcement across your organization. Cisco ThousandEyes can for example be used to verify a domain block in Cisco Umbrella, offering a good SASE use case. Obviously there are more use cases that this is usefull for.
Usage
You may use the response action via the drop down menu in SecureX threat response like so:
This will result in the following type of notifactions in Webex Teams:
Related Sandbox
Currently there is no DevNet sandbox yet, however you can find all options to try out SecureX orchestration here!
List of SecureX Learning Labs
- Please try out this SecureX DevNet learning lab to try this yourself.
- Please also check out the SecureX microsite on DevNet!
Solutions on Ecosystem Exchange
Please check out related solutions on DevNet Ecosystem Exchange.
Owner
Contributors
Github contributorCategories
Products
ThousandEyesWebexProgramming Languages
License
Other
Code Exchange Community
Get help, share code, and collaborate with other developers in the Code Exchange community.View CommunityCisco provides Code Exchange for convenience and informational purposes only, with no support of any kind. This page contains information and links from third-party websites that are governed by their own separate terms. Reference to a project or contributor on this page does not imply any affiliation with or endorsement by Cisco.