CVE Hunt to ServiceNow Incident
Workflow #0009
This workflow uses Cisco Orbital to look for endpoints that are vulnerable to a given CVE. For demonstration purposes it uses CVE-2020-0796, which has been added to Orbital as a catalog query. After the Orbital query is executed, the workflow opens a ServiceNow incident containing the results.
Change Log
Date | Notes |
---|---|
Nov 24, 2020 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Aug 31, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Orbital - Query All Endpoints
  - Threat Response - Generate Access Token
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint with Orbital
- ServiceNow
Workflow Steps
- Get an API token for Orbital
- Execute a catalog query for all endpoints using Orbital
- Fetch the results of the Orbital query
- Iterate through each result and build a table of vulnerable/not-vulnerable endpoints
- Assemble the text for the ServiceNow incident
- Create the ServiceNow incident ticket
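The six steps above are what the workflow's activities do inside the orchestration engine; the following Python is an added, offline illustration of the result-handling part (steps 3 to 6) and is not code from the workflow or from Cisco. The Orbital response schema is not shown on this page, so the `hostname`/`rows`/`vulnerable` shape of `SAMPLE_RESULTS` is a constructed assumption; `token_request` only assembles the client-credentials request that the "Generate Access Token" step sends against the `Orbital_For_Access_Token` target, and `build_incident_payload` produces a body for ServiceNow's Table API. The one caveat it adds is that an endpoint which returned no rows is reported as "no data" rather than silently counted as not vulnerable.

```python
"""Offline illustration of the workflow's result-handling steps (added example)."""
import base64
import json

# Constructed sample of Orbital query results, trimmed to the fields this
# example needs. The real Orbital response schema is not shown on the page,
# so the "hostname"/"rows"/"vulnerable" shape is an assumption.
SAMPLE_RESULTS = [
    {"hostname": "win10-lab-01", "rows": [{"vulnerable": "1"}]},
    {"hostname": "win10-lab-02", "rows": [{"vulnerable": "0"}]},
    {"hostname": "win2019-srv-07", "rows": []},   # endpoint returned no rows
]


def token_request(host, client_id, client_secret):
    """Build (but do not send) the OAuth2 client-credentials request that the
    'Threat Response - Generate Access Token' step performs. Host and the
    /iroh path come from the Orbital_For_Access_Token target on this page."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": f"https://{host}/iroh/oauth2/token",
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": "grant_type=client_credentials",
    }


def classify_endpoints(results):
    """Map each endpoint to 'vulnerable', 'not vulnerable' or 'no data'.

    An endpoint whose query produced no rows is reported separately: a
    missing answer is not evidence that the host is patched."""
    status = {}
    for item in results:
        rows = item.get("rows") or []
        if not rows:
            status[item["hostname"]] = "no data"
        elif any(str(row.get("vulnerable")) == "1" for row in rows):
            status[item["hostname"]] = "vulnerable"
        else:
            status[item["hostname"]] = "not vulnerable"
    return status


def build_table(status_by_host):
    """Render the per-endpoint status as a plain-text table for the ticket."""
    width = max(len(h) for h in status_by_host) if status_by_host else 8
    lines = [f"{'Endpoint':<{width}}  Status", f"{'-' * width}  ------"]
    for host in sorted(status_by_host):
        lines.append(f"{host:<{width}}  {status_by_host[host]}")
    return "\n".join(lines)


def build_incident_payload(cve, status_by_host, caller_id):
    """Assemble the JSON body for ServiceNow's Table API
    (POST /api/now/table/incident on the ServiceNow target).
    'caller_id' corresponds to the 'ServiceNow User ID' local variable."""
    vulnerable = sorted(h for h, s in status_by_host.items() if s == "vulnerable")
    no_data = sorted(h for h, s in status_by_host.items() if s == "no data")
    description = (
        f"Cisco Orbital catalog query for {cve}\n\n"
        f"Vulnerable endpoints: {len(vulnerable)}\n"
        f"Endpoints with no query data: {len(no_data)}\n\n"
        + build_table(status_by_host)
    )
    return {
        "short_description": f"Orbital: {len(vulnerable)} endpoint(s) vulnerable to {cve}",
        "description": description,
        "caller_id": caller_id,
        # Constructed choice: raise urgency only when something is vulnerable.
        "urgency": "1" if vulnerable else "3",
    }


if __name__ == "__main__":
    status = classify_endpoints(SAMPLE_RESULTS)
    payload = build_incident_payload("CVE-2020-0796", status, "secops.automation")
    print(json.dumps(payload, indent=2))
```

Running the file prints the incident body that would be posted with the `ServiceNow_Credentials` account key; the "no data" bucket is what you would want to follow up on before treating the fleet as clean.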
Configuration
- If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
- Update the `ServiceNow User ID` local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
- Update the `ServiceNow - Create Incident` activity towards the end of the workflow with any changes to the ticket properties you want
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh | Orbital_Credentials | Created by default |
Orbital_Target | HTTP Endpoint | Protocol: HTTPS Host: orbital.amp.cisco.com Path: /v0 | None | Created by default |
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
Orbital_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password | |