Incident Endpoint Enrichment
Workflow #0024
This workflow fetches Cisco Secure Firewall incidents and conducts automated enrichment to see if additional data can be found about the endpoint that caused the event. The source of the event is searched in Cisco Secure Endpoint and if a matching endpoint is found, a casebook and sighting are created with more details.
This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
Change Log
Date | Notes |
---|---|
Apr 19, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Sep 1, 2022 | - Updated to support SecureX Tokens |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Secure Endpoint - Get Computer by GUID
  - Secure Endpoint - Get Connector GUID
  - Threat Response - Create Casebook
  - Threat Response - Create Relationship
  - Threat Response - Create Sighting
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint
Workflow Steps
- Fetch incidents for the past hour
- Loop through each incident:
  - Get the incident's relationships
  - Loop through each relationship:
    - Extract the sighting ID and fetch it
    - Extract the target IP from the sighting
    - Check if we got an IP address:
      - Search the IP in Secure Endpoint
      - If an endpoint was found:
        - Fetch its details
        - Create a casebook and more detailed sighting
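The steps above, modelled offline as an added example (this is not the workflow's own code and makes no API calls). The incident, relationships, sightings and the Secure Endpoint computer inventory are constructed sample data; the record shapes follow the CTIM conventions for relationships (`source_ref`/`target_ref`) and sighting targets (`targets[].observables[]`), and the casebook and sighting payloads are simplified assumed shapes. It also shows the two branches the workflow skips over: a sighting with no usable IP, and an IP that is not known to Secure Endpoint.

```python
"""Offline model of the incident endpoint enrichment steps (constructed data, no API calls)."""
import ipaddress
from typing import Optional

# Constructed sample incident, relationships and sightings (IDs and values are made up).
INCIDENT = {"id": "transient:incident-0001", "title": "Firewall intrusion event"}
RELATIONSHIPS = [
    {"id": "transient:rel-0001", "relationship_type": "member-of",
     "source_ref": "transient:sighting-0001", "target_ref": "transient:incident-0001"},
    {"id": "transient:rel-0002", "relationship_type": "member-of",
     "source_ref": "transient:sighting-0002", "target_ref": "transient:incident-0001"},
]
SIGHTINGS = {
    # Sighting whose target carries an internal IP: the enrichment path.
    "transient:sighting-0001": {
        "id": "transient:sighting-0001",
        "observed_time": {"start_time": "2022-09-01T10:00:00.000Z"},
        "targets": [{"type": "endpoint",
                     "observed_time": {"start_time": "2022-09-01T10:00:00.000Z"},
                     "observables": [{"type": "ip", "value": "10.20.30.40"}]}],
    },
    # Sighting with no IP observable: the "Check if we got an IP address" branch fails.
    "transient:sighting-0002": {
        "id": "transient:sighting-0002",
        "observed_time": {"start_time": "2022-09-01T10:05:00.000Z"},
        "targets": [{"type": "endpoint",
                     "observed_time": {"start_time": "2022-09-01T10:05:00.000Z"},
                     "observables": [{"type": "hostname", "value": "unknown-host"}]}],
    },
}
# Constructed stand-in for the Secure Endpoint computer inventory, keyed by internal IP.
ENDPOINTS = {
    "10.20.30.40": {"connector_guid": "00000000-0000-0000-0000-000000000001",
                    "hostname": "WS-FINANCE-07", "operating_system": "Windows 10"},
}


def sighting_ids_for_incident(incident_id: str, relationships: list) -> list:
    """Step: from the incident's relationships, collect the sighting IDs that point at it."""
    return [r["source_ref"] for r in relationships
            if r.get("target_ref") == incident_id and "sighting" in r.get("source_ref", "")]


def extract_target_ip(sighting: dict) -> Optional[str]:
    """Step: return the first syntactically valid IP among the sighting's target observables."""
    for target in sighting.get("targets", []):
        for obs in target.get("observables", []):
            if obs.get("type") != "ip":
                continue
            try:
                ipaddress.ip_address(obs["value"])
            except ValueError:
                continue  # malformed value: keep looking rather than query garbage
            return obs["value"]
    return None


def build_enrichment(incident: dict, sighting: dict, ip: str, endpoint: dict) -> dict:
    """Step: build the casebook and the more detailed sighting (simplified assumed shapes)."""
    start = sighting["observed_time"]["start_time"]
    endpoint_observables = [
        {"type": "ip", "value": ip},
        {"type": "hostname", "value": endpoint["hostname"]},
        {"type": "amp_computer_guid", "value": endpoint["connector_guid"]},
    ]
    casebook = {"type": "casebook",
                "title": f"Endpoint enrichment for {incident['title']}",
                "observables": endpoint_observables}
    detailed_sighting = {"type": "sighting", "confidence": "High", "count": 1,
                         "observed_time": {"start_time": start},
                         "observables": [{"type": "ip", "value": ip}],
                         "targets": [{"type": "endpoint",
                                      "observed_time": {"start_time": start},
                                      "observables": endpoint_observables}]}
    return {"casebook": casebook, "sighting": detailed_sighting}


def enrich_incident(incident: dict, relationships: list, sightings: dict, inventory: dict) -> list:
    """Run the per-incident loop; one result per sighting whose IP maps to a known endpoint."""
    results = []
    for sighting_id in sighting_ids_for_incident(incident["id"], relationships):
        sighting = sightings.get(sighting_id)
        if sighting is None:
            continue
        ip = extract_target_ip(sighting)
        if ip is None:
            continue  # no IP address: nothing to search for
        endpoint = inventory.get(ip)  # stands in for the Secure Endpoint computer search
        if endpoint is None:
            continue  # IP not known to Secure Endpoint: no enrichment possible
        results.append(build_enrichment(incident, sighting, ip, endpoint))
    return results


if __name__ == "__main__":
    for item in enrich_incident(INCIDENT, RELATIONSHIPS, SIGHTINGS, ENDPOINTS):
        print(item["casebook"]["title"], "->", item["sighting"]["targets"][0]["observables"])
```

Only the first sighting produces a result: the second carries a hostname but no IP, so the workflow would skip it exactly as the step list describes.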
Configuration
- By default, the workflow is configured to run every hour using the 0024 - Secure Firewall - Incident Endpoint Enrichment schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
  - Open the workflow in the workflow editor
  - Scroll down to the Triggers section of the workflow's properties and click Firewall Incident Polling
  - Uncheck the Disable Trigger box and click Save
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
AMP_Target | HTTP Endpoint | Protocol: HTTPS Host: api.amp.cisco.com Path: /v1 | AMP_Credentials | Created by default |
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS Host: private.intel.amp.cisco.com Path: None | CTR_Credentials | Created by default |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
AMP_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |
CTR_Credentials | SecureX Token | See this page | |