Alerts to SecureX Incidents

Workflow #0059

This workflow is triggered by a webhook for an alert from Cisco Secure Cloud Insights. When a webhook is received, the alert data is parsed and a new SecureX incident is created.

Change Log

Date          Notes
Feb 10, 2022  Initial release

See the Important Notes page for more information about updating workflows.


Requirements

  • The following system atomics are used by this workflow:
    • Threat Response - Create Incident
    • Threat Response - Generate Access Token
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Cloud Insights

Workflow Steps

  1. Extract the data from the alert JSON
  2. Check if extraction was successful
    • If not, end the workflow
  3. Format the event data
  4. Fetch an access token for the Threat Response API
  5. Create a new incident
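The five steps above, re-implemented locally as an added example (this is not the workflow's own code and not a Cisco library). It assumes a hypothetical field layout for the Secure Cloud Insights alert (the constructed sample body uses `alertName`, `severity`, `description`, `accountName`, `resourceId`, `createdAt`), assumes the token endpoint is `/iroh/oauth2/token` on the CTR_For_Access_Token host and the incident endpoint is `/ctia/incident` on the Private_CTIA_Target host, and assumes the CTIA incident field names and allowed severity/status values. The HTTP transport is injected so the whole flow runs offline with a fake client; swap in a real one (for example a `requests` wrapper returning the parsed JSON body) to run it against the targets listed at the bottom of the page.

```python
import base64
import json
from typing import Any, Callable, Dict, Optional

# An HTTP POST callable: (url, headers, body) -> parsed JSON response.
HttpPost = Callable[[str, Dict[str, str], str], Dict[str, Any]]

# Constructed sample alert body. The field names are hypothetical stand-ins
# for whatever Secure Cloud Insights actually sends, not its real schema.
SAMPLE_ALERT = json.dumps({
    "alertName": "S3 bucket publicly readable",
    "severity": "high",
    "description": "Bucket policy grants s3:GetObject to *",
    "accountName": "prod-aws-account",
    "resourceId": "arn:aws:s3:::example-bucket",
    "createdAt": "2022-02-10T12:34:56Z",
})

# Assumed mapping from alert severity words to CTIA incident severity values.
SEVERITY_MAP = {"critical": "Critical", "high": "High", "medium": "Medium",
                "low": "Low", "info": "Info"}


def extract_alert(raw_body: str) -> Optional[Dict[str, Any]]:
    """Step 1: parse the webhook body. Returns None when it is not a JSON
    object or lacks a field the incident needs, so the caller can stop (step 2)."""
    try:
        data = json.loads(raw_body)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return None
    required = ("alertName", "severity", "description", "accountName")
    if any(not data.get(key) for key in required):
        return None
    return data


def format_incident(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Step 3: shape the alert into a CTIA incident body (field set assumed)."""
    return {
        "schema_version": "1.0",
        "title": f"Secure Cloud Insights: {alert['alertName']}",
        "description": (f"{alert['description']}\n\n"
                        f"Account: {alert['accountName']}\n"
                        f"Resource: {alert.get('resourceId', 'n/a')}"),
        "severity": SEVERITY_MAP.get(str(alert["severity"]).lower(), "Unknown"),
        "confidence": "High",
        "status": "New",
        "incident_time": {"opened": alert.get("createdAt", "1970-01-01T00:00:00Z")},
        "source": "Cisco Secure Cloud Insights",
    }


def fetch_access_token(http_post: HttpPost, client_id: str, client_secret: str,
                       host: str = "visibility.amp.cisco.com") -> str:
    """Step 4: client-credentials grant with the CTR_Credentials key (Basic auth
    of client ID and secret). The /iroh/oauth2/token path is assumed."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    response = http_post(
        f"https://{host}/iroh/oauth2/token",
        {"Authorization": f"Basic {basic}",
         "Content-Type": "application/x-www-form-urlencoded"},
        "grant_type=client_credentials",
    )
    return response["access_token"]


def create_incident(http_post: HttpPost, token: str, incident: Dict[str, Any],
                    host: str = "private.intel.amp.cisco.com") -> Dict[str, Any]:
    """Step 5: POST the incident to the Private_CTIA_Target (path assumed)."""
    return http_post(
        f"https://{host}/ctia/incident",
        {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        json.dumps(incident),
    )


def run_workflow(raw_body: str, http_post: HttpPost, client_id: str,
                 client_secret: str) -> Optional[Dict[str, Any]]:
    """Steps 1-5 in order; returns None when step 2 ends the workflow early."""
    alert = extract_alert(raw_body)
    if alert is None:
        return None
    incident = format_incident(alert)
    token = fetch_access_token(http_post, client_id, client_secret)
    return create_incident(http_post, token, incident)


def fake_http_post(url: str, headers: Dict[str, str], body: str) -> Dict[str, Any]:
    """Offline stand-in for an HTTP client so the example runs without
    credentials. It checks that each request carries the expected auth header."""
    if url.endswith("/iroh/oauth2/token"):
        assert headers["Authorization"].startswith("Basic ")
        return {"access_token": "constructed-token", "token_type": "bearer"}
    if url.endswith("/ctia/incident"):
        assert headers["Authorization"] == "Bearer constructed-token"
        created = json.loads(body)
        created["id"] = "transient:incident-constructed-0001"  # constructed id
        return created
    raise ValueError(f"unexpected URL {url}")


if __name__ == "__main__":
    result = run_workflow(SAMPLE_ALERT, fake_http_post, "client-id", "client-secret")
    print(json.dumps(result, indent=2))
```

The early return in `run_workflow` is the page's step 2: a malformed or incomplete webhook body ends the run before any token is requested, so no credential exchange happens for input that cannot become an incident.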

Configuration

  • When you import this workflow, a webhook, event, and trigger are created. Go to the webhooks section of SecureX orchestration to get your webhook’s URL, then configure Secure Cloud Insights to send alerts to that URL.

Targets

Target Group: Default TargetGroup

Target Name: CTR_For_Access_Token
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh
  Account Keys: CTR_Credentials
  Notes: Created by default

Target Name: Private_CTIA_Target
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None
  Account Keys: None
  Notes: Created by default

Account Keys

Account Key Name: CTR_Credentials
  Type: HTTP Basic Authentication
  Details: Username: Client ID; Password: Client Secret
  Notes: Created by default