Top Windows IR Indicators to ServiceNow
Workflow #0055
Response Workflow
This workflow runs multiple Orbital queries on the endpoint provided to look for top incident response indicators of compromise. The results are then posted to a ServiceNow incident.
Supported observables: ip, mac_address, amp_computer_guid, hostname
Change Log
Date | Notes |
---|---|
Jan 20, 2022 | - Initial release |
Sep 7, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Orbital - Query Endpoint
  - Threat Response - Generate Access Token
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint with Orbital
- ServiceNow
Workflow Steps
- Check if the observable type provided is supported
- Detect the region
- Get logged in user name
- Get list of local accounts
- Get user’s “Documents” folder contents
- Get user’s “Downloads” folder contents
- Get user’s “Desktop” folder contents
- Get recent USB activity
- Get recent Office documents
- Get list of installed programs
- Get list of Chrome browser extensions
- Get named pipes
- Get list of processes
- Get list of outbound network connections
- Get list of listening network connections
- Get local DNS cache
- Get list of open shares
- Get list of autoexecute binaries
- Get recent PowerShell activity
- Get host uptime
- Log results in a ServiceNow incident
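As an added illustration, not the workflow's own query text (which this page does not include): osquery SQL of the kind Orbital runs on a Windows endpoint for four of the steps above. It assumes the standard osquery schema that Orbital exposes (the listening_ports, process_open_sockets, pipes, autoexec and processes tables); the filters are the reviewer's own, chosen to surface the rows an analyst reads first.

```sql
-- Added example, not taken from the workflow; assumes standard osquery tables.

-- Listening network connections with the owning process
-- (step "Get list of listening network connections"): a listener bound to a
-- non-loopback address from an unexpected path or cmdline is a persistence
-- indicator worth triaging first.
SELECT lp.port, lp.protocol, lp.address, p.pid, p.name, p.path, p.cmdline
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;

-- Outbound connections with their process
-- (step "Get list of outbound network connections"); loopback and
-- unspecified remotes are dropped so only real peers remain.
SELECT pos.remote_address, pos.remote_port, pos.local_port, pos.state,
       p.pid, p.name, p.path, p.cmdline
FROM process_open_sockets AS pos
JOIN processes AS p ON p.pid = pos.pid
WHERE pos.remote_port > 0
  AND pos.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::')
ORDER BY pos.remote_address, pos.remote_port;

-- Named pipes with the creating process (step "Get named pipes"): pipe names
-- are a common detection artifact for remote-admin and C2 tooling, so the
-- process path next to each name is what makes the row actionable.
SELECT pi.name AS pipe_name, pi.instances, p.pid, p.name AS process_name, p.path
FROM pipes AS pi
JOIN processes AS p ON p.pid = pi.pid
ORDER BY pi.name;

-- Autostart entries (step "Get list of autoexecute binaries"), grouped by the
-- autostart mechanism that registers them.
SELECT name, path, source
FROM autoexec
ORDER BY source, name;
```

Each statement returns one result set, which is the shape the Orbital - Query Endpoint atomic hands back for the ServiceNow step to summarise.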
Configuration
- Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, be a different user.
- Update the ServiceNow - Create Incident activity at the end of the workflow with any changes you want to the ticket properties.
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | Orbital_Credentials | Created by default |
Orbital_Target | HTTP Endpoint | Protocol: HTTPS; Host: orbital.amp.cisco.com; Path: /v0 | None | Created by default |
ServiceNow | HTTP Endpoint | Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
Orbital_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID; Password: ServiceNow Password | |