On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Top MacOS IR Indicators to ServiceNow

Workflow #0058

Response Workflow

This workflow runs multiple Oribtal queries on the endpoint provided to look for top incident response indicators of compromise. The results are then posted to a ServiceNow incident. Supported observables: ip, mac_address, amp_computer_guid, hostname

GitHub

---

Change Log

Date	Notes
Feb 8, 2022	- Initial release
Sep 7, 2022	- Minor updates to naming and descriptions

See the Important Notes page for more information about updating workflows

---

Requirements

• The following system atomics are used by this workflow:
  • Orbital - Query Endpoint
  • Threat Response - Generate Access Token
• The following atomic actions must be imported before you can import this workflow:
  • ServiceNow - Create Incident (CiscoSecurity_Atomics)
• The targets and account keys listed at the bottom of the page
• Cisco Secure Endpoint with Orbital
• ServiceNow

---

Workflow Steps

1. Check if the observable type provided is supported
2. Detect the region
3. Run Orbital queries for:
   • Operating system information
   • Logged in user details
   • Recent logins
   • Downloaded files
   • Home directory files
   • Hosts in host file
   • Mounted volumes
   • High memory processes
   • Non-system processes
   • Installed programs
   • Browser extensions
   • Network connections
   • Open files for logged in user
   • Launchd items
   • Cronjobs
   • Services in application layer firewall
   • Homebrew packages
   • Kernel extensions
4. Log results in a ServiceNow incident

---

Configuration

• Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
• Update the ServiceNow - Create Incident activity at the end of the workflow with any changes to the ticket properties you want

---

Targets

Target Group: Default TargetGroup

Target Name	Type	Details	Account Keys	Notes
Orbital_For_Access_Token	HTTP Endpoint	Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh	Orbital_Credentials	Created by default
Orbital_Target	HTTP Endpoint	Protocol: HTTPS Host: orbital.amp.cisco.com Path: /v0	None	Created by default
ServiceNow	HTTP Endpoint	Protocol: HTTPS Host: <instance>.service-now.com Path: /api	ServiceNow_Credentials	Be sure to use your instance URL

---

Account Keys

Account Key Name	Type	Details	Notes
Orbital_Credentials	HTTP Basic Authentication	Username: Client ID Password: Client Secret	Created by default
ServiceNow_Credentials	HTTP Basic Authentication	Username: ServiceNow User ID Password: ServiceNow Password