
Investigate Retrospective Alerts

Workflow #0025

This workflow monitors a mailbox for retrospective detection alerts from Cisco Secure Email. When an alert for a file hash is received, the workflow queries Cisco Secure Endpoint (through Threat Response) for sightings of that hash over the last 30 days. If there are sightings, an instant message with the details is sent.



Change Log

Date Notes
Apr 16, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Threat Response - Enrich Observable
    • Threat Response - Generate Access Token
    • Webex - Post Message to Room
    • Webex - Search for Room
  • No additional atomic actions need to be imported before you can import this workflow
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Email
  • Cisco Secure Endpoint
  • (Optional) Cisco Webex
  • (Optional) A webhook URL for the Microsoft Teams channel to post messages to (see: this page)

Workflow Steps

  1. Fetch global variables (optional)
  2. Extract the information we need from the email
  3. Generate an access token for Threat Response
  4. Enrich the file hash to look for sightings
  5. Extract the sightings
  6. Check whether there were any sightings; if not, end the workflow
  7. Compile the sighting data for the past 30 days
  8. Send instant message notifications
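The eight steps above carried through in Python, as an added example that is not the workflow's own logic (SecureX workflows are built from atomics, not scripts) and not Cisco code. It assumes the alert quotes the file hash as a SHA256 (the form Secure Endpoint uses), uses the Threat Response OAuth2 token and enrich endpoints under the host and path of the CTR_API target, and the alert e-mail, the timestamp and the enrichment response are constructed inline so that steps 2 and 5 through 8 run offline; steps 3 and 4 need the Client ID and Client Secret from the CTR_Credentials account key and a live connection. The hostnames, hash and module reply are made up.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from urllib import parse, request

CTR_BASE = "https://visibility.amp.cisco.com/iroh"  # host/path of the CTR_* targets on this page
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_hashes(raw_email: str) -> list:
    """Step 2: SHA256 hashes from the alert's text/plain parts, lower-cased and de-duplicated.
    Assumes the alert quotes the file hash as SHA256 (the form Secure Endpoint uses)."""
    found = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for h in (m.lower() for m in SHA256_RE.findall(body)):
            if h not in found:
                found.append(h)
    return found


def ctr_request(path: str, body: bytes, auth_header: str, content_type: str) -> dict:
    """POST to Threat Response and decode the JSON reply (used by steps 3 and 4)."""
    req = request.Request(f"{CTR_BASE}{path}", data=body, headers={
        "Authorization": auth_header, "Content-Type": content_type, "Accept": "application/json"})
    with request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def generate_access_token(client_id: str, client_secret: str) -> str:
    """Step 3: OAuth2 client-credentials grant using the CTR_Credentials account key."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    reply = ctr_request("/oauth2/token", parse.urlencode({"grant_type": "client_credentials"}).encode(),
                        f"Basic {basic}", "application/x-www-form-urlencoded")
    return reply["access_token"]


def enrich_observable(token: str, sha256: str) -> dict:
    """Step 4: ask every enabled Threat Response module what it knows about the hash."""
    return ctr_request("/iroh-enrich/observe/observables",
                       json.dumps([{"type": "sha256", "value": sha256}]).encode(),
                       f"Bearer {token}", "application/json")


def recent_sightings(enrich_response: dict, module_name: str, now: datetime, days: int = 30) -> list:
    """Steps 5-7: the named module's sightings (the Secure Endpoint Module Name variable,
    often "AMP for Endpoints") whose observed_time.start_time falls within the last `days` days."""
    cutoff = now - timedelta(days=days)
    hits = []
    for module in enrich_response.get("data", []):
        if module.get("module") != module_name:
            continue  # other modules' sightings are not what this alert is about
        for doc in module.get("data", {}).get("sightings", {}).get("docs", []):
            start = doc.get("observed_time", {}).get("start_time")
            if not start:
                continue
            seen = datetime.fromisoformat(start.replace("Z", "+00:00"))
            if seen < cutoff:
                continue
            hosts = [o["value"] for t in doc.get("targets", [])
                     for o in t.get("observables", []) if o.get("type") == "hostname"]
            hits.append({"time": seen, "hosts": hosts, "count": doc.get("count", 1)})
    return sorted(hits, key=lambda s: s["time"], reverse=True)


def build_message(sha256: str, sightings: list, days: int = 30):
    """Steps 6 and 8: None when there is nothing to report (the workflow ends), else Webex markdown."""
    if not sightings:
        return None
    lines = [f"**Retrospective alert: {len(sightings)} sighting(s) of {sha256} in the last {days} days**"]
    for s in sightings:
        where = ", ".join(s["hosts"]) or "unknown host"
        lines.append(f"- {s['time']:%Y-%m-%d %H:%M}Z on {where} (count {s['count']})")
    return "\n".join(lines)


# Constructed sample data (made-up hash, hosts and module reply) so steps 2 and 5-8 run offline.
SAMPLE_HASH = "4f2a9c1e8b7d6a5f3c2e1d0b9a8f7e6d5c4b3a2918f7e6d5c4b3a291807f6e5d"
SAMPLE_EMAIL = ("From: alerts@example.invalid\r\nSubject: Retrospective detection\r\n"
                "Content-Type: text/plain; charset=utf-8\r\n\r\n"
                f"Disposition changed to Malicious for SHA256: {SAMPLE_HASH}\r\n"
                f"Reference: {SAMPLE_HASH.upper()}\r\n")
SAMPLE_NOW = datetime(2021, 9, 10, tzinfo=timezone.utc)
SAMPLE_ENRICH = {"data": [
    {"module": "AMP for Endpoints", "data": {"sightings": {"count": 2, "docs": [
        {"observed_time": {"start_time": "2021-09-01T08:15:00.000Z"}, "count": 3,
         "targets": [{"type": "endpoint", "observables": [{"type": "hostname", "value": "wkstn-17"}]}]},
        {"observed_time": {"start_time": "2021-06-01T08:15:00.000Z"}, "count": 1,
         "targets": [{"type": "endpoint", "observables": [{"type": "hostname", "value": "wkstn-02"}]}]}]}}},
    {"module": "Umbrella", "data": {"sightings": {"count": 1, "docs": [
        {"observed_time": {"start_time": "2021-09-05T00:00:00.000Z"}, "count": 1, "targets": []}]}}}]}

if __name__ == "__main__":
    for h in extract_hashes(SAMPLE_EMAIL):  # live use: enrich_observable(generate_access_token(...), h)
        msg = build_message(h, recent_sightings(SAMPLE_ENRICH, "AMP for Endpoints", SAMPLE_NOW))
        print(msg or f"No sightings of {h} in the last 30 days; ending workflow")
```

In a live run the markdown returned by build_message is what step 8 posts to the Webex Teams target (host webexapis.com) or to the Microsoft Teams webhook. Two details worth keeping: the module filter, because an enrich call returns sightings from every enabled module and only the Secure Endpoint ones are retrospective endpoint sightings, and the 30-day cutoff applied to observed_time.start_time rather than to the module's sighting count, which covers all time.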

Configuration

  • Set the Secure Endpoint Module Name local variable to the name of your Secure Endpoint module in SecureX (this is often AMP for Endpoints)
  • You must create an account key with your mailbox’s credentials and then update the 0025 - Retrospective Alert Mailbox target with that account key. While you’re editing the target, be sure to add your email server’s information
  • When the workflow is imported, the trigger will show in an errored state because the account key and target still need to be updated. After configuring your account key and target, open the workflow, click the trigger in the workflow's properties, uncheck the Disable Trigger box, and click Save
  • See this page for information on configuring the workflow for Webex

Targets

Target Group: Default TargetGroup

Target Name: CTR_API
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh
  Account Keys: None
  Notes: Created by default

Target Name: CTR_For_Access_Token
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh
  Account Keys: CTR_Credentials
  Notes: Created by default

Target Name: Microsoft Teams Webhook
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: your-tenant.webhook.office.com; Path: /the-rest-of-the-webhook-url
  Account Keys: None

Target Name: 0025 - Retrospective Alert Mailbox
  Type: IMAP Endpoint
  Details: Configured for your IMAP server
  Account Keys: 0025 - Retrospective Alert Mailbox Credentials

Target Name: Webex Teams
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: webexapis.com; Path: None
  Account Keys: None
  Notes: Not necessary if Webex activities are removed

Account Keys

Account Key Name: CTR_Credentials
  Type: HTTP Basic Authentication
  Details: Username: Client ID; Password: Client Secret
  Notes: Created by default

Account Key Name: 0025 - Retrospective Alert Mailbox Credentials
  Type: Email Credentials
  Details: Username: Mailbox Username; Password: Mailbox Password