Alerts to SecureX Incidents
Workflow #0059
This workflow is triggered by a webhook for an alert from Cisco Secure Cloud Insights. When a webhook is received, the alert data is parsed and a new SecureX incident is created.
Change Log
| Date | Notes |
|---|---|
| Feb 10, 2022 | - Initial release |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- Threat Response - Create Incident
- Threat Response - Generate Access Token
- The following atomic actions must be imported before you can import this workflow:
- None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Cloud Insights
Workflow Steps
- Extract the data from the alert JSON
- Check if extraction was successful
- If not, end the workflow
- Format the event data
- Fetch an access token for the Threat Response API
- Create a new incident
Configuration
- When you import this workflow, a webhook, event, and trigger will be created. You’ll need to go to the webhooks section of SecureX orchestration to get your webhook’s URL. Then, you need to configure Secure Cloud Insights to send alerts to this URL.
Targets
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPSHost: visibility.amp.cisco.comPath: /iroh | CTR_Credentials | Created by default |
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPSHost: private.intel.amp.cisco.comPath: None | None | Created by default |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| CTR_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |