Multiple Low or Medium Alerts to ServiceNow
Workflow #0048
This workflow searches alerts in Cisco Secure Endpoint for hosts with multiple low or medium severity events. If any endpoints are found, a ServiceNow incident ticket is opened.
Change Log
Date | Notes |
---|---|
Nov 2, 2021 | - Initial release |
Sep 7, 2022 | - Minor updates to naming and descriptions |
Requirements
- The following system atomics are used by this workflow:
  - Secure Endpoint - Get Computer by GUID
  - Secure Endpoint - Get Events
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page:
  - Cisco Secure Endpoint
  - ServiceNow
Workflow Steps
- Fetch events from Cisco Secure Endpoint
- Parse the events and update local variables
- Convert the hosts to a table and select all hosts with 2 or more alerts
- For each host:
  - Fetch its full host record and extract some fields
  - Append this host to the ServiceNow ticket text
- Check if there are any hosts to report on:
  - If there are, create a ServiceNow incident ticket
Configuration
- Set the `Days to Search` local variable to how many days of events you want to aggregate
- Set the `Secure Endpoint Region` local variable based on the Secure Endpoint region you're using
- Set the `ServiceNow User ID` local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, be a different user
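The aggregation and ticket-building logic the Workflow Steps and Configuration sections describe, written out as an added Python example (this is not the workflow's own code). It assumes event records shaped like the Secure Endpoint `/v1/events` response (`connector_guid`, `severity`, `event_type`, `date`, `computer.hostname`) and host records shaped like the Get Computer by GUID result; all records below are constructed. The ServiceNow ticket is built as a Table API request (`POST /api/now/table/incident`) with `caller_id` set from the `ServiceNow User ID` variable and is returned rather than sent, so the example runs offline.

```python
"""Count low/medium Secure Endpoint alerts per host over a search window,
pick hosts with 2+ alerts and build a ServiceNow incident request.

Added example, not the SecureX workflow's code. Event and computer
records are constructed stand-ins for the Get Events / Get Computer by
GUID atomics; the ServiceNow request is built, not sent.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the search window is reproducible (constructed)
NOW = datetime(2022, 9, 7, 12, 0, tzinfo=timezone.utc)

# Constructed events in the shape of the Secure Endpoint events API
SAMPLE_EVENTS = [
    {"connector_guid": "aaaa-1", "severity": "Medium", "event_type": "Threat Detected",
     "date": "2022-09-06T08:15:00+00:00", "computer": {"hostname": "LAPTOP-01"}},
    {"connector_guid": "aaaa-1", "severity": "Low", "event_type": "Threat Quarantined",
     "date": "2022-09-06T08:16:00+00:00", "computer": {"hostname": "LAPTOP-01"}},
    {"connector_guid": "bbbb-2", "severity": "Low", "event_type": "Threat Detected",
     "date": "2022-09-05T22:00:00+00:00", "computer": {"hostname": "SRV-DB-02"}},
    {"connector_guid": "cccc-3", "severity": "High", "event_type": "Threat Detected",
     "date": "2022-09-06T10:00:00+00:00", "computer": {"hostname": "SRV-WEB-03"}},
    {"connector_guid": "cccc-3", "severity": "Medium", "event_type": "Threat Detected",
     "date": "2022-09-06T11:00:00+00:00", "computer": {"hostname": "SRV-WEB-03"}},
    # Older than a 7-day window: only counted when Days to Search is raised
    {"connector_guid": "bbbb-2", "severity": "Medium", "event_type": "Threat Detected",
     "date": "2022-08-01T09:00:00+00:00", "computer": {"hostname": "SRV-DB-02"}},
]

# Constructed stand-in for the Get Computer by GUID atomic
SAMPLE_COMPUTERS = {
    "aaaa-1": {"hostname": "LAPTOP-01", "operating_system": "Windows 10", "internal_ips": ["10.0.0.5"]},
    "bbbb-2": {"hostname": "SRV-DB-02", "operating_system": "Windows Server 2019", "internal_ips": ["10.0.1.20"]},
    "cccc-3": {"hostname": "SRV-WEB-03", "operating_system": "Ubuntu 20.04", "internal_ips": ["10.0.1.30"]},
}

LOW_MEDIUM = {"low", "medium"}


def count_low_medium_per_host(events, days_to_search, now=NOW):
    """Steps 1-2: keep low/medium events inside the Days to Search window, count per connector GUID."""
    cutoff = now - timedelta(days=days_to_search)
    counts = Counter()
    for ev in events:
        if ev.get("severity", "").lower() not in LOW_MEDIUM:
            continue  # high/critical alerts are handled by other workflows
        if datetime.fromisoformat(ev["date"]) < cutoff:
            continue  # outside the aggregation window
        counts[ev["connector_guid"]] += 1
    return counts


def select_hosts(counts, threshold=2):
    """Step 3: hosts with `threshold` or more alerts, most alerts first."""
    return sorted(((guid, n) for guid, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


def build_ticket_text(selected, computers):
    """Step 4: look up each host record and append one line per host to the ticket text."""
    lines = []
    for guid, n in selected:
        rec = computers.get(guid, {})
        lines.append(f"{rec.get('hostname', 'unknown')} ({guid}): {n} low/medium alerts; "
                     f"OS={rec.get('operating_system', 'unknown')}; "
                     f"IPs={', '.join(rec.get('internal_ips', [])) or 'n/a'}")
    return "\n".join(lines)


def build_incident_request(instance, user_id, selected, computers):
    """Step 5: build the ServiceNow Table API request; None when there is nothing to report."""
    if not selected:
        return None
    return {
        "method": "POST",
        "url": f"https://{instance}.service-now.com/api/now/table/incident",
        "json": {
            "short_description": f"Secure Endpoint: {len(selected)} host(s) with multiple low/medium alerts",
            "description": build_ticket_text(selected, computers),
            "caller_id": user_id,  # the ServiceNow User ID local variable
        },
    }


if __name__ == "__main__":
    counts = count_low_medium_per_host(SAMPLE_EVENTS, days_to_search=7)
    req = build_incident_request("<instance>", "secops.bot", select_hosts(counts), SAMPLE_COMPUTERS)
    print(req["json"]["description"] if req else "no hosts to report")
```

With the constructed data and a 7-day window only LAPTOP-01 crosses the 2-alert threshold; raising `days_to_search` to 60 pulls in the August event for SRV-DB-02 as well, which is the effect the `Days to Search` variable has on ticket volume.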
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
AMP_Target | HTTP Endpoint | Protocol: HTTPS; Host: api.amp.cisco.com; Path: /v1 | AMP_Credentials | Created by default |
ServiceNow | HTTP Endpoint | Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
AMP_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID; Password: ServiceNow Password | |