Ransomware Alerts to SecureX and ServiceNow
Workflow #0044
This workflow was developed and is supported by Cohesity
This workflow pushes Cohesity Helios ransomware alerts to SecureX Threat Response incidents with matching sightings and ServiceNow incidents.
Change Log
Date | Notes |
---|---|
Sep 24, 2021 | - Initial release |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - None
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- Cohesity Helios
- ServiceNow
Workflow Steps
- Execute a Python script to fetch alerts from Cohesity and create corresponding incidents in SecureX
- Convert the list of alerts to a table
- For each alert:
  - Create a ServiceNow incident
Configuration
- Set the `Helios API Key` local variable to your Cohesity Helios API key
- Set the `SecureX API Client ID` and `SecureX API Secret` local variables to your API client’s ID and secret (more information)
- Set the `Number of Hours` local variable to the number of hours ago you want to start fetching alerts from
- Set the `ServiceNow User ID` local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
- If you want the workflow to run automatically, enable the `Cohesity Ransomware Alerts` trigger in the workflow’s property to enable it to run on a schedule
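The steps and variables above, as an added Python example (not the workflow's own script, the ServiceNow atomic, or Cohesity's code): it applies the Number of Hours window to a list of alerts and builds one ServiceNow Table API request per alert, opened as the ServiceNow User ID. The alert field names, the urgency mapping, the skip-already-seen check and the `example` instance name are assumptions, and the sample alerts are constructed.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 9, 24, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def usecs(hours_ago):
    return int((NOW - timedelta(hours=hours_ago)).timestamp() * 1_000_000)

# Constructed alerts; field names are assumptions, not the Helios alert schema.
SAMPLE_ALERTS = [
    {"id": "a-1", "name": "Anomalous change rate on vm-finance-01",
     "severity": "critical", "detected_usecs": usecs(2)},
    {"id": "a-2", "name": "Anomalous change rate on nas-share-07",
     "severity": "warning", "detected_usecs": usecs(30)},
    {"id": "a-1", "name": "Anomalous change rate on vm-finance-01",
     "severity": "critical", "detected_usecs": usecs(2)},  # same alert fetched twice
]

def incident_request(alert, instance, user, password, caller):
    """Build (without sending) a ServiceNow Table API call for one alert."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "method": "POST",
        "url": f"https://{instance}.service-now.com/api/now/table/incident",
        "headers": {"Authorization": f"Basic {token}",
                    "Content-Type": "application/json"},
        "json": {
            "short_description": f"Cohesity ransomware alert: {alert['name']}",
            "description": json.dumps(alert, sort_keys=True),
            "caller_id": caller,            # the ServiceNow User ID variable
            "correlation_id": alert["id"],  # ties the incident back to the alert
            "urgency": "1" if alert["severity"] == "critical" else "2",  # assumed mapping
        },
    }

def plan_incidents(alerts, hours, now, seen, **target):
    """Keep alerts from the last `hours` hours, skipping ids already in `seen`."""
    cutoff = now - timedelta(hours=hours)
    planned = []
    for alert in alerts:
        detected = datetime.fromtimestamp(alert["detected_usecs"] / 1_000_000, tz=timezone.utc)
        if detected < cutoff or alert["id"] in seen:
            continue
        seen.add(alert["id"])
        planned.append(incident_request(alert, **target))
    return planned

if __name__ == "__main__":
    for r in plan_incidents(SAMPLE_ALERTS, 24, NOW, set(), instance="example",
                            user="svc_securex", password="placeholder", caller="soc.analyst"):
        print(r["method"], r["url"], r["json"]["short_description"])
```

When the trigger's schedule interval is shorter than Number of Hours, consecutive runs fetch overlapping windows, which is why the example carries a `seen` set between alerts.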
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password | |