Ransomware Alerts to SecureX and ServiceNow

This workflow pushes Cohesity Helios ransomware alerts to SecureX Threat Response incidents with matching sightings and ServiceNow incidents.

GitHub

Change Log

See the Important Notes page for more information about updating workflows

Requirements

• The following system atomics are used by this workflow:
  • None
• The following atomic actions must be imported before you can import this workflow:
  • ServiceNow - Create Incident (CiscoSecurity_Atomics)
• The targets and account keys listed at the bottom of the page
• Cohesity Helios
• ServiceNow

Workflow Steps

1. Execute a Python script to fetch alerts from Cohesity and create corresponding incidents in SecureX
2. Convert the list of alerts to a table
3. For each alert:
   • Create a ServiceNow incident

Configuration

• Set the Helios API Key local variable to your Cohesity Helios API key
• Set the SecureX API Client ID and SecureX API Secret local variables to your API client’s ID and secret (more information)
• Set the Number of Hours local variable to the number of hours ago you want to start fetching alerts from
• Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
• If you want the workflow to run automatically, enable the Cohesity Ransomware Alerts trigger in the workflow’s property to enable it to run on a schedule

Targets

Target Group: Default TargetGroup

Account Keys