NOTE: This is sample code and needs to be tested properly before using in production!
- Problem Statement
- Solution
- Design Overview
- Currently Supported Solutions and roadmap
- Prerequisites
- Installation
- Authors
- Contact
Problem Statement
- When faced with an attack that generates multiple alerts in multiple consoles, it can be difficult to quickly recognize that these alerts are all part of a common attack campaign.
- Too many alerts can result in "Alert Fatigue", which leads to critical alerts being missed or overlooked.
- Management requires a simple monitoring platform to keep them abreast of an evolving situation.
Solution
Use SecureX Orchestration to assess, deduplicate and notify on multiple alerts.
Organizations need to get timely notification of an attack campaign within a common messaging platform, regardless of:
- the number of alerts
- the product from which they originate
Design Overview
This objective is achieved through:
- Continuous monitoring of Umbrella and/or Secure EP security events (loop)
- Near real-time incident creation and update (grouped by endpoint hostname, no duplicate events)
- Near real-time notification on new or updated incidents (no duplicate notification for the same event occurring multiple times)
- Statistics tables
- Continuous run
Main Workflow (Collect -> Incident -> Notification -> Statistics)
- Cisco Secure Endpoint (Event)
- Cisco Umbrella (Event)
- Cisco SecureX (Incident)
- Cisco Webex (Notification)
Other messaging and incident platforms have "stub" placeholder code for future integration:
- TheHive
- ServiceNow
- MS Teams
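The grouping and deduplication behaviour described in the Design Overview (incidents keyed by endpoint hostname, one notification per new event, a statistics table, and a per-source last-detection checkpoint that the loop advances) is easiest to see in plain code. The block below is an added example and is not code from the SX-AO workflow: the event record fields, the in-memory `MonitorState` standing in for SecureX global variables and tables, and the sample events are all constructed for the illustration.

```python
"""Added example (not part of the SX-AO project): a self-contained model of the
incident grouping / deduplication logic the Design Overview describes.

Assumptions (not from the page): an event is a dict with the fields 'source',
'event_id', 'hostname', 'timestamp' (YYYY-MM-DDThh:mm:ss) and 'description';
incidents live in an in-memory dict keyed by hostname. In the real workflow
these live in SecureX Orchestration tables and global variables."""
from dataclasses import dataclass, field

# Constructed sample batch: the Secure EP event ep-1001 is returned twice
# (seen again by a later poll), and an Umbrella event hits the same host.
SAMPLE_EVENTS = [
    {"source": "SecureEP", "event_id": "ep-1001", "hostname": "LAPTOP-01",
     "timestamp": "2023-03-01T10:00:00", "description": "Cloud IOC detected"},
    {"source": "Umbrella", "event_id": "umb-2001", "hostname": "LAPTOP-01",
     "timestamp": "2023-03-01T10:02:00", "description": "Malware domain blocked"},
    {"source": "SecureEP", "event_id": "ep-1001", "hostname": "LAPTOP-01",
     "timestamp": "2023-03-01T10:00:00", "description": "Cloud IOC detected"},
    {"source": "Umbrella", "event_id": "umb-2002", "hostname": "SERVER-07",
     "timestamp": "2023-03-01T10:05:00", "description": "Command and control blocked"},
]


@dataclass
class Incident:
    hostname: str
    event_keys: set = field(default_factory=set)  # (source, event_id) already attached
    last_seen: str = ""                           # newest attached event timestamp


@dataclass
class MonitorState:
    incidents: dict = field(default_factory=dict)   # hostname -> Incident
    checkpoint: dict = field(default_factory=dict)  # source -> last processed timestamp
    stats: dict = field(default_factory=dict)       # source -> count of unique events


def process_events(state, events):
    """One loop iteration over a polled batch. Returns the notifications to send.

    A notification is emitted only when an incident is created or gains a new
    (source, event_id); an event that is already attached produces no update
    and no notification, so re-polled duplicates are silent."""
    notifications = []
    for ev in events:
        key = (ev["source"], ev["event_id"])
        host = ev["hostname"]
        inc = state.incidents.get(host)
        created = inc is None
        if created:
            inc = Incident(hostname=host)
            state.incidents[host] = inc
        if key in inc.event_keys:
            continue  # duplicate of an event already on this incident
        inc.event_keys.add(key)
        # ISO-8601 strings without timezone compare correctly as plain strings
        inc.last_seen = max(inc.last_seen, ev["timestamp"])
        state.stats[ev["source"]] = state.stats.get(ev["source"], 0) + 1
        # advance the per-source checkpoint (the *_Last_detection_date role)
        previous = state.checkpoint.get(ev["source"], "")
        state.checkpoint[ev["source"]] = max(previous, ev["timestamp"])
        notifications.append({
            "action": "created" if created else "updated",
            "hostname": host,
            "source": ev["source"],
            "event_id": ev["event_id"],
            "description": ev["description"],
        })
    return notifications


def stats_table(state):
    """Rows of the statistics table: (hostname, unique event count, last seen)."""
    return sorted(
        (inc.hostname, len(inc.event_keys), inc.last_seen)
        for inc in state.incidents.values()
    )


if __name__ == "__main__":
    st = MonitorState()
    for n in process_events(st, SAMPLE_EVENTS):
        print(f"[{n['action']}] {n['hostname']} <- {n['source']} "
              f"{n['event_id']}: {n['description']}")
    # A second poll returning the same batch yields no notifications at all.
    print("second poll:", process_events(st, SAMPLE_EVENTS))
    for row in stats_table(st):
        print(row)
```

The first pass produces three notifications (LAPTOP-01 created, LAPTOP-01 updated by the Umbrella event, SERVER-07 created); the repeated ep-1001 record and the entire second poll produce none, which is the "no duplicate notification for the same event occurring multiple times" property. The checkpoint only moves forward, so a batch that contains older events cannot rewind the collection window.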
Prerequisites
- Umbrella Reporting API key (see documentation)
- Umbrella Org ID
- Cisco Secure EP API key (see documentation)
- Cisco Teams bot for SecureX and a Cisco Teams room (see documentation)
- Cisco Threat Response API key (see documentation)
Installation
- Log on to SecureX via https://sign-on.security.cisco.com/.
NOTE: If you don't have a SecureX account, please follow the Quick Start Guide.
- Go to "Account Keys" and create the following account keys. If they already exist under a different name, use them in the next step.
Cisco Secure Endpoint - Account Keys (if used)
- Account Key Type set to HTTP Basic Authentication
- Display Name set to AMP_Credentials
- Username: Cisco Secure EP API: 3rd Party API Client ID
- Password: Cisco Secure EP API: API Key
- Authentication option: Basic
Cisco Umbrella - Account Keys (if used)
- Account Key Type set to HTTP Basic Authentication
- Display Name set to Umbrella_Reporting_API
- Username: Umbrella Reporting API: Client ID
- Password: Umbrella Reporting API: Secret
- Authentication option: Basic
- Go to "Targets" and create the following targets. If they already exist under a different display name and you can't rename or duplicate them, you will have to modify the Target Criteria in the workflow.
Cisco Secure Endpoint - Target (if used)
- Target Type set to HTTP Endpoint
- Display Name set to AMP_Target
- No Account Key set to false
- Default Account Keys set to AMP_Credentials
- Protocol set to HTTPS
- Host set to api.amp.cisco.com or api.eu.amp.cisco.com
- Port set to 443
- Path set to /v1
Cisco Umbrella - Target (if used)
- Target Type set to HTTP Endpoint
- Display Name set to Cisco Umbrella Reporting V1
- No Account Key set to false
- Default Account Keys set to Umbrella_Reporting_API
- Protocol set to HTTPS
- Host set to reports.api.umbrella.com
- Port set to 443
Cisco Webex - Target
- Target Type set to HTTP Endpoint
- Display Name set to Webex Teams
- No Account Key set to true
- Protocol set to HTTPS
- Host set to webexapis.com
- Port set to 443
Private CTIA - Target
- Target Type set to HTTP Endpoint
- Display Name set to Private_CTIA_Target
- No Account Key set to true
- Protocol set to HTTPS
- Host set to private.intel.amp.cisco.com or private.eu.intel.amp.cisco.com
- Port set to 443
- Go to "Variables" and create or verify the global variable for your Webex token.

Webex Token
- Data Type set to Secure String
- Display Name set to Webex Bot Token
- Scope set to Global
- Value set to "YOUR WEBEX BOT TOKEN"
- Import SXO Atomic Actions from GitHub
Go to Workflows, select "Atomic Actions" and IMPORT the atomic actions listed below.
This step is a prerequisite to successfully importing the workflow in the next step!
- Import the following from Git SX-AO-AtomicActions
- Cisco-Secure-EP-Get-critical-cloud-IOC
- Webex - Simple adaptive card
- Create TheHive case (if you are not planning to integrate TheHive, just add a random value as Bearer Token)
- CTR - Get Incident Details
- CTR - Update Incident
- Cisco Umbrella- Get Last security event Table
- Import the following from Cisco Security/Atomics
- Webex Teams - Search for Room
- Threat Response v2 - Create Relationship
- Microsoft Teams - Post Adaptive Card via Webhook
- Threat Response v2 - Generate Access Token
- Threat Response v2 - Create Casebook
- Threat Response v2 - Create Incident
- Import the Workflow
Go to Workflows and IMPORT the following workflow from SX-AO
- RT-Monitoring-SecureEP-Umbrella-Notification-Incident
- Open and edit the imported workflow
Adjust the following variables to fit your needs:
- Umbrella_Org_ID set to your Umbrella Org ID, taken from the Umbrella console URL
- Webex Room set to the Webex room name used for notification. Remember to add your bot to this room.
- Enable and fill the first block "Set Variables Webex Bot Token" in the first group (admin/Set Variables from Global/Notification Systems/Cisco Webex Enable)
- Variable to update set to Global Variable Webex Bot Token (step 3)
- Enable the trigger to run the workflow every 5 minutes
- Run the workflow
- Before a first run, or if a previous run failed, go to Variables and reset the following global variables
- AO_Enrichment_Running set to False
- AO-AMP_Last_detection_date set to the oldest event date you want to collect in Cisco Secure EP (in format YYYY-MM-DDThh:mm:ss)
- AO-Umbrella_Last_detection_date set to the oldest event date you want to collect in Cisco Umbrella (in format YYYY-MM-DDThh:mm:ss)
- To clear detection table, import and use the workflow RT-Monitoring-Clear-detection-stats-table
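The reset step above implies that AO_Enrichment_Running acts as a run lock that a failed run can leave set, and that the two *_Last_detection_date variables are collection checkpoints in YYYY-MM-DDThh:mm:ss form. The block below is an added example, not code from the SX-AO workflow: it models those semantics in Python with an in-memory dict standing in for the SecureX global variables (an assumption), validates the checkpoint format, and shows a lock that is always released when a run fails so that the manual reset is only needed for a genuinely stuck flag.

```python
"""Added example (not part of the SX-AO project): run-lock and checkpoint
handling behind the manual reset step. The variable names mirror the page's
global variables; treating AO_Enrichment_Running as a run lock and using a
dict as the variable store are assumptions of this example."""
from contextlib import contextmanager
from datetime import datetime

DATE_FMT = "%Y-%m-%dT%H:%M:%S"  # the page's YYYY-MM-DDThh:mm:ss, no timezone suffix

# Constructed stand-in for the workflow's global variables.
GLOBALS = {
    "AO_Enrichment_Running": False,
    "AO-AMP_Last_detection_date": "2023-03-01T00:00:00",
    "AO-Umbrella_Last_detection_date": "2023-03-01T00:00:00",
}


class LockHeld(RuntimeError):
    """Raised when a run starts while the flag from a previous run is still set."""


def valid_checkpoint(value):
    """True if value parses strictly as YYYY-MM-DDThh:mm:ss."""
    try:
        datetime.strptime(value, DATE_FMT)
        return True
    except (TypeError, ValueError):
        return False


def reset_state(store, oldest_date):
    """The manual reset from the page: clear the lock and rewind both
    checkpoints to the oldest event date the operator wants to collect."""
    if not valid_checkpoint(oldest_date):
        raise ValueError(f"checkpoint must be YYYY-MM-DDThh:mm:ss, got {oldest_date!r}")
    store["AO_Enrichment_Running"] = False
    store["AO-AMP_Last_detection_date"] = oldest_date
    store["AO-Umbrella_Last_detection_date"] = oldest_date


@contextmanager
def enrichment_run(store):
    """Hold AO_Enrichment_Running for one loop iteration.

    Refuses to start if the flag is already set (an overlapping trigger, or a
    crash that never cleared it) and always clears it on exit, so a failing
    collector does not leave the lock stuck."""
    if store["AO_Enrichment_Running"]:
        raise LockHeld("previous run still flagged; reset AO_Enrichment_Running")
    store["AO_Enrichment_Running"] = True
    try:
        yield store
    finally:
        store["AO_Enrichment_Running"] = False


def run_once(store, collector):
    """Run one collection under the lock. Returns True on success, False if the
    collector raised; in both cases the lock is released. A held lock is
    re-raised as LockHeld so the operator knows a reset is required."""
    try:
        with enrichment_run(store):
            collector(store)
        return True
    except LockHeld:
        raise
    except Exception:
        return False


if __name__ == "__main__":
    store = dict(GLOBALS)

    def good_collector(s):  # constructed: advances the Secure EP checkpoint
        s["AO-AMP_Last_detection_date"] = "2023-03-02T00:00:00"

    def failing_collector(s):  # constructed: simulates an API error mid-run
        raise ValueError("api error")

    print("ok run:", run_once(store, good_collector), store)
    print("failed run:", run_once(store, failing_collector), store)
    store["AO_Enrichment_Running"] = True  # simulate a flag left behind
    try:
        run_once(store, good_collector)
    except LockHeld as e:
        print("blocked:", e)
    reset_state(store, "2023-01-01T00:00:00")
    print("after reset:", store)
```

`valid_checkpoint` deliberately rejects values such as `2023-01-01T00:00:00Z` or `2023-01-01 00:00:00`, since the page specifies the format without a timezone designator and a malformed checkpoint would otherwise break the next collection window.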
Authors
- Moritz Wenz, Phil Wood, Sven Kutzer, Ivan Berlinson (Cisco)