Top MacOS IR Indicators to ServiceNow
Workflow #0058
Response Workflow
This workflow runs multiple Orbital queries on the endpoint provided to look for top incident response indicators of compromise. The results are then posted to a ServiceNow incident.

Supported observables: ip, mac_address, amp_computer_guid, hostname
Change Log
Date | Notes |
---|---|
Feb 8, 2022 | - Initial release |
Sep 7, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Orbital - Query Endpoint
  - Threat Response - Generate Access Token
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint with Orbital
- ServiceNow
Workflow Steps
- Check if the observable type provided is supported
- Detect the region
- Run Orbital queries for:
  - Operating system information
  - Logged in user details
  - Recent logins
  - Downloaded files
  - Home directory files
  - Hosts in host file
  - Mounted volumes
  - High memory processes
  - Non-system processes
  - Installed programs
  - Browser extensions
  - Network connections
  - Open files for logged in user
  - Launchd items
  - Cronjobs
  - Services in application layer firewall
  - Homebrew packages
  - Kernel extensions
- Log results in a ServiceNow incident
Configuration
- Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
- Update the ServiceNow - Create Incident activity at the end of the workflow with any changes to the ticket properties you want
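The following is an added illustration, not the workflow's own code, of what the Workflow Steps and Configuration above amount to: the observable-type check, one osquery SQL statement per indicator category that Orbital would run on the macOS endpoint, and the ServiceNow incident body the results are written into. The Orbital request layout (osQuery/nodes/expiry) and the "type:value" node selector are assumptions to be checked against the Orbital API documentation; the ServiceNow Table API path /api/now/table/incident and the caller_id field are real, but mapping the ServiceNow User ID variable onto caller_id is an assumption. The definitions of "non-system" processes and of the file paths used for downloads and home directories are also assumptions, since the page does not spell them out. The sample results at the bottom are constructed.

```python
"""Added example: Orbital queries and ServiceNow incident body for the macOS IR workflow."""
import time

# Workflow step 1: the four observable types the page lists as supported.
SUPPORTED_OBSERVABLES = ("ip", "mac_address", "amp_computer_guid", "hostname")

# One osquery statement per category in the Workflow Steps list (osquery table
# and column names are standard; the path filters and the "non-system" rule are
# assumptions for illustration).
ORBITAL_QUERIES = {
    "os_info": "SELECT name, version, build, platform FROM os_version;",
    "logged_in_users": "SELECT type, user, tty, host, datetime(time,'unixepoch') AS time FROM logged_in_users;",
    "recent_logins": "SELECT username, tty, type, host, datetime(time,'unixepoch') AS time FROM last ORDER BY time DESC LIMIT 20;",
    "downloaded_files": "SELECT path, size, datetime(mtime,'unixepoch') AS mtime FROM file WHERE path LIKE '/Users/%/Downloads/%';",
    "home_dir_files": "SELECT path, size, type FROM file WHERE path LIKE '/Users/%/%';",
    "etc_hosts": "SELECT address, hostnames FROM etc_hosts;",
    "mounts": "SELECT device, path, type FROM mounts;",
    "high_memory_processes": "SELECT pid, name, path, resident_size FROM processes ORDER BY resident_size DESC LIMIT 10;",
    "non_system_processes": "SELECT pid, name, path, cmdline FROM processes WHERE path NOT LIKE '/System/%' AND path NOT LIKE '/usr/%';",
    "installed_apps": "SELECT name, bundle_identifier, bundle_short_version, path FROM apps;",
    "browser_extensions": "SELECT u.username, e.name, e.identifier, e.version, e.path FROM users u JOIN chrome_extensions e USING (uid);",
    "network_connections": "SELECT p.pid, p.name, s.local_address, s.local_port, s.remote_address, s.remote_port, s.state FROM process_open_sockets s JOIN processes p USING (pid) WHERE s.remote_port != 0;",
    "open_files_logged_in_user": "SELECT p.pid, p.name, f.path FROM process_open_files f JOIN processes p USING (pid) JOIN users u ON u.uid = p.uid WHERE u.username IN (SELECT user FROM logged_in_users WHERE type = 'user');",
    "launchd": "SELECT label, path, program, program_arguments, run_at_load FROM launchd;",
    "crontab": "SELECT event, minute, hour, day_of_month, month, day_of_week, command, path FROM crontab;",
    "alf_services": "SELECT name, state FROM alf_services;",
    "homebrew_packages": "SELECT name, version, path FROM homebrew_packages;",
    "kernel_extensions": "SELECT name, version, path, linked_against FROM kernel_extensions;",
}

SERVICENOW_INCIDENT_PATH = "/api/now/table/incident"  # ServiceNow Table API


def check_observable(observable_type: str) -> bool:
    """Workflow step 1: accept only the supported observable types."""
    return observable_type in SUPPORTED_OBSERVABLES


def build_orbital_request(observable_type: str, value: str, ttl_seconds: int = 600) -> dict:
    """Build the body of a single Orbital query request covering every category.

    The osQuery/nodes/expiry layout and the "<type>:<value>" selector are
    assumptions; verify them against the Orbital API documentation.
    """
    if not check_observable(observable_type):
        raise ValueError(f"unsupported observable type: {observable_type}")
    return {
        "osQuery": [{"label": label, "sql": sql} for label, sql in ORBITAL_QUERIES.items()],
        "nodes": [f"{observable_type}:{value}"],
        "expiry": int(time.time()) + ttl_seconds,
    }


def format_results(results: dict) -> str:
    """Render per-category result rows as plain text for the incident description."""
    lines = []
    for label, rows in results.items():
        lines.append(f"== {label} ({len(rows)} rows) ==")
        if not rows:
            lines.append("(no results)")
        for row in rows:
            lines.append("  " + ", ".join(f"{k}={v}" for k, v in row.items()))
    return "\n".join(lines)


def build_incident(caller: str, hostname: str, results: dict) -> dict:
    """Incident body for POST <instance>/api/now/table/incident.

    caller corresponds to the workflow's ServiceNow User ID variable (assumed
    mapping onto caller_id); the description carries the collated results.
    """
    return {
        "caller_id": caller,
        "short_description": f"macOS IR indicators for {hostname}",
        "description": format_results(results),
    }


# Constructed sample results, not real Orbital output.
SAMPLE_RESULTS = {
    "launchd": [{"label": "com.example.agent", "path": "/Library/LaunchAgents/com.example.agent.plist",
                 "program": "/usr/local/bin/agent", "run_at_load": "1"}],
    "crontab": [],
}

if __name__ == "__main__":
    req = build_orbital_request("hostname", "mac-01")
    print(f"{len(req['osQuery'])} queries for nodes {req['nodes']}")
    print(build_incident("ir.analyst", "mac-01", SAMPLE_RESULTS)["description"])
```

The ServiceNow - Create Incident activity sets the remaining ticket properties; the dictionary returned by build_incident is the minimum an analyst would want populated, and the description text is what lands in the ticket. Table availability (alf_services in particular) depends on the osquery version that Orbital ships.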
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh | Orbital_Credentials | Created by default |
Orbital_Target | HTTP Endpoint | Protocol: HTTPS Host: orbital.amp.cisco.com Path: /v0 | None | Created by default |
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
Orbital_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password | |