Ransomware Alerts to SecureX and ServiceNow

Workflow #0044

This workflow was developed and is supported by Cohesity

This workflow pushes Cohesity Helios ransomware alerts to SecureX Threat Response incidents with matching sightings and ServiceNow incidents.

Change Log

Date	Notes
Sep 24, 2021	- Initial release

See the Important Notes page for more information about updating workflows

The following system atomics are used by this workflow:
- None
The following atomic actions must be imported before you can import this workflow:
- ServiceNow - Create Incident (CiscoSecurity_Atomics)
The targets and account keys listed below
Cohesity Helios
ServiceNow

Execute a Python script to fetch alerts from Cohesity and create corresponding incidents in SecureX
Convert the list of alerts to a table
For each alert:
- Create a ServiceNow incident

Set the Helios API Key local variable to your Cohesity Helios API key
Set the SecureX API Client ID and SecureX API Secret local variables to your API client’s ID and secret (more information)
Set the Number of Hours local variable to the number of hours ago you want to start fetching alerts from
Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
If you want the workflow to run automatically, enable the Cohesity Ransomware Alerts trigger in the workflow’s property to enable it to run on a schedule

Target Group: Default TargetGroup

Target Name	Type	Details	Account Keys	Notes
ServiceNow	HTTP Endpoint	Protocol: `HTTPS` Host: `<instance>.service-now.com` Path: `/api`	ServiceNow_Credentials	Be sure to use your instance URL

Account Key Name	Type	Details	Notes
ServiceNow_Credentials	HTTP Basic Authentication	Username: ServiceNow User ID Password: ServiceNow Password