Alerts to SecureX Incidents
Workflow #0059
This workflow is triggered by a webhook for an alert from Cisco Secure Cloud Insights. When a webhook is received, the alert data is parsed and a new SecureX incident is created.
This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
Change Log
| Date | Notes |
|---|---|
| Feb 10, 2022 | - Initial release |
| Sep 7, 2022 | - Updated to support SecureX Tokens |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- Threat Response - Create Incident
- The following atomic actions must be imported before you can import this workflow:
- None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Cloud Insights
Workflow Steps
- Extract the data from the alert JSON
- Check if extraction was successful
- If not, end the workflow
- Format the event data
- Create a new incident
Configuration
- When you import this workflow, a webhook, event, and trigger will be created. You’ll need to go to the webhooks section of SecureX orchestration to get your webhook’s URL. Then, you need to configure Secure Cloud Insights to send alerts to this URL.
Targets
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPSHost: private.intel.amp.cisco.comPath: None | CTR_Credentials | Created by default |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| CTR_Credentials | SecureX Token | See this page |