On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this GitHub repository will not be actively maintained following this announcement.

Get New Blog Posts

Workflow #0076

This workflow fetches the Google Threat Analytics Group’s Intelligence Blog RSS feed and converts individual blog posts into Cisco SecureX casebooks if they contain suspicious observables. These casebooks can then be investigated with one click in Cisco Threat Response.



Change Log

| Date | Notes |
| --- | --- |
| Dec 20, 2022 | Initial release |

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Threat Response - Create Casebook
    • Threat Response - Deliberate Observable
    • Threat Response - Enrich Observable
    • Threat Response - Inspect for Observables
    • Webex - Search for Room
    • Webex - Post Message to Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • (Optional) Cisco Webex

Workflow Steps

This workflow is designed to run on a schedule to periodically check the Google TAG blog for new posts.

  1. Fetch and validate global variables
  2. Get the RSS feed XML
  3. If not successful, end the workflow
  4. Get the last build date from XML body
  5. Check if the build date has changed (if not, end the workflow)
  6. Convert the feed XML into JSON and parse out each post’s information
  7. For each blog post:
    • Check whether the post was published after the last run of the workflow; if not, skip it
    • Run a sub-workflow to parse this single blog post
  8. Update the last modified date and last run date global variables

Sub-Workflow Steps

These steps are executed for each new or updated blog post the parent workflow discovers on the Google TAG blog.

  1. Fetch the blog post content and strip out any HTML
  2. Inspect the blog post content for observables
  3. Loop through each observable and get its Threat Response disposition
  4. For observables that weren’t clean, conduct Threat Response enrichment to get sightings
  5. For modules with sightings, build the text to post to the casebook and Webex
  6. Create the SecureX casebook and, if a Webex room is provided, post a message to Webex
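The decision points in the parent workflow (has the feed's lastBuildDate changed, which items were published since the last run) and in the sub-workflow (strip HTML, inspect for observables, drop the clean ones) can be traced end to end on a small sample. The following is an added example, not code from this repository or from SecureX orchestration: the RSS feed, blog post and disposition table are constructed, and a regex-based extractor and a dictionary lookup stand in for the "Inspect for Observables" and "Deliberate Observable" atomics.

```python
"""Walk-through of the workflow's decision points on constructed sample data."""
import html
import re
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample feed; not the real Google TAG feed.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Example blog</title>
<lastBuildDate>Tue, 20 Dec 2022 18:00:00 GMT</lastBuildDate>
<item><title>Post A</title><link>https://blog.example.test/a</link>
<pubDate>Tue, 20 Dec 2022 15:00:00 GMT</pubDate></item>
<item><title>Post B</title><link>https://blog.example.test/b</link>
<pubDate>Mon, 12 Dec 2022 09:00:00 GMT</pubDate></item>
</channel></rss>"""

# Constructed sample post body with defanged indicators; not a real post.
SAMPLE_POST_HTML = """<html><body><h1>Post A</h1>
<p>The actor used <b>203.0.113.7</b> and the domain update[.]example-c2[.]test,
plus payload sha256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.</p>
<script>var tracking = 1;</script></body></html>"""

# Constructed stand-in for Threat Response "Deliberate Observable" results.
SAMPLE_DISPOSITIONS = {
    "203.0.113.7": "Malicious",
    "update.example-c2.test": "Suspicious",
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef": "Clean",
}

# Minimal stand-in for "Inspect for Observables"; the real atomic covers more types.
OBSERVABLE_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def last_build_date(feed_xml):
    """Parent step 4: read lastBuildDate from the channel element."""
    return ET.fromstring(feed_xml).findtext("./channel/lastBuildDate")


def feed_changed(feed_xml, stored_build_date):
    """Parent step 5: compare against the value stored in the global variable."""
    return last_build_date(feed_xml) != stored_build_date


def posts_since(feed_xml, last_run_rfc2822):
    """Parent step 7: keep only items published after the last run (RFC 2822 date)."""
    last_run = parsedate_to_datetime(last_run_rfc2822)
    posts = []
    for item in ET.fromstring(feed_xml).iterfind("./channel/item"):
        published = parsedate_to_datetime(item.findtext("pubDate"))
        if published > last_run:
            posts.append({"title": item.findtext("title"),
                          "link": item.findtext("link"),
                          "published": published})
    return posts


def strip_html(raw):
    """Sub-workflow step 1: drop script/style blocks and tags, decode entities."""
    text = re.sub(r"<(script|style)\b[^>]*>.*?</\1>", " ", raw, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return " ".join(html.unescape(text).split())


def extract_observables(text):
    """Sub-workflow step 2: refang '[.]' and collect unique typed observables."""
    refanged = text.replace("[.]", ".")
    found, seen = [], set()
    for kind, pattern in OBSERVABLE_PATTERNS.items():
        for match in pattern.finditer(refanged):
            value = match.group(0).lower()
            if value not in seen:
                seen.add(value)
                found.append({"type": kind, "value": value})
    return found


def not_clean(observables, dispositions):
    """Sub-workflow steps 3-4: only non-Clean observables go on to enrichment."""
    return [o for o in observables if dispositions.get(o["value"], "Unknown") != "Clean"]


def triage_post(post_html, dispositions):
    """Run the sub-workflow's filtering steps for one post and return what to enrich."""
    return not_clean(extract_observables(strip_html(post_html)), dispositions)


if __name__ == "__main__":
    if feed_changed(SAMPLE_FEED, "Tue, 13 Dec 2022 18:00:00 GMT"):
        for post in posts_since(SAMPLE_FEED, "Thu, 15 Dec 2022 00:00:00 GMT"):
            print(post["title"], "->", triage_post(SAMPLE_POST_HTML, SAMPLE_DISPOSITIONS))
```

Unknown dispositions are deliberately treated as "not clean" so that they still reach enrichment; an observable with no verdict is exactly the kind the sightings lookup is meant to resolve. In the real workflow the regex extractor and the disposition dictionary are replaced by the Threat Response atomics listed under Requirements.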

Configuration

  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
  • See this page for information on configuring the workflow for Webex

Targets

Parent Workflow

| Target Name | Type | Details | Account Keys | Notes |
| --- | --- | --- | --- | --- |
| Google TAG Blog | HTTP Endpoint | Protocol: HTTPS; Host: blog.google; Path: /threat-analysis-group/rss | None | |

Sub-Workflow

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
| --- | --- | --- | --- | --- |
| CTR_API | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | CTR_Credentials | Created by default |
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None | None | Created by default |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | Not necessary if Webex activities are removed |

Account Keys

Sub-Workflow

| Account Key Name | Type | Details | Notes |
| --- | --- | --- | --- |
| CTR_Credentials | SecureX Token | | See this page |