Investigate Retrospective Alerts
Workflow #0025
This workflow monitors a mailbox for retrospective detection alerts from Cisco Secure Email. When an alert arrives, the file hash is extracted from the message and enriched through Threat Response, and the sightings reported by your Cisco Secure Endpoint module are checked to determine whether the file has been seen on any endpoints. If there are sightings, an instant message is sent with the details.
This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
Change Log
Date | Notes |
---|---|
Apr 16, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Sep 1, 2022 | - Updated to support SecureX Tokens |
Feb 16, 2023 | - Updated workflow JSON to avoid an import failure (Issue #231) |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Threat Response - Enrich Observable
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - Microsoft Teams - Post Message via Webhook (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- Cisco Secure Email
- Cisco Secure Endpoint
- (Optional) Cisco Webex
- (Optional) A webhook URL for the Microsoft Teams channel to post messages to (see: this page). Treat the URL as a secret: anyone who has it can post to the channel
Workflow Steps
- Fetch global variables (optional)
- Extract the information we need from the email
- Enrich the file hash to look for sightings
- Extract the sightings
- Check if there were any, if not end the workflow
- Compile the sighting data for the past 30 days
- Send instant message notifications
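The investigation steps above, modelled offline as an added Python example (this is not the workflow's own logic or a Cisco API client). It assumes the alert mail carries the file's SHA-256 in plain text, and the enrichment result is a constructed dict whose field names (data, module, sightings, docs, observed_time, targets, observables) are modelled loosely on the CTIM-style bundle Threat Response returns; those names, the sample hosts and the fixed clock are assumptions for this example only. The Secure Endpoint module name is the same value the workflow's local variable holds.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed alert body, standing in for the mail the trigger reads from the
# mailbox. The hash is the EICAR test file, not a real detection.
SAMPLE_EMAIL = """Subject: Retrospective verdict change

A file previously delivered has changed verdict to Malicious.
SHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F
Filename: invoice.pdf.exe
"""

# Constructed enrichment result (assumed shape, modelled on a CTIM sightings
# bundle): one entry per SecureX module, each carrying its own sightings.
SAMPLE_ENRICH = {
    "data": [
        {
            "module": "AMP for Endpoints",
            "data": {"sightings": {"count": 3, "docs": [
                {"observed_time": {"start_time": "2023-02-20T10:15:00Z"},
                 "targets": [{"observables": [{"type": "hostname", "value": "LAPTOP-42"}]}]},
                {"observed_time": {"start_time": "2023-02-27T08:00:00Z"},
                 "targets": [{"observables": [{"type": "hostname", "value": "FIN-DESKTOP-07"}]}]},
                {"observed_time": {"start_time": "2023-01-10T12:00:00Z"},
                 "targets": [{"observables": [{"type": "hostname", "value": "OLD-HOST"}]}]},
            ]}},
        },
        {
            "module": "Talos Intelligence",
            "data": {"verdicts": {"count": 1, "docs": [{"disposition_name": "Malicious"}]}},
        },
    ]
}

# Fixed clock so the 30-day window in the sample is deterministic.
SAMPLE_NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_sha256(email_body):
    """Step 2: unique SHA-256 hashes from the alert text, lower-cased, in order."""
    hashes = []
    for h in SHA256_RE.findall(email_body):
        h = h.lower()
        if h not in hashes:
            hashes.append(h)
    return hashes


def parse_utc(ts):
    """ISO-8601 timestamps with a trailing 'Z', as CTIM observed_time uses."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def extract_sightings(enrich_response, module_name):
    """Step 4: only the sightings reported by the named Secure Endpoint module."""
    docs = []
    for entry in enrich_response.get("data", []):
        if entry.get("module") != module_name:
            continue
        docs.extend(entry.get("data", {}).get("sightings", {}).get("docs", []))
    return docs


def recent_sightings(sightings, now, days=30):
    """Step 6: keep sightings whose observed start time falls inside the window."""
    cutoff = now - timedelta(days=days)
    return [s for s in sightings if parse_utc(s["observed_time"]["start_time"]) >= cutoff]


def sighting_hosts(sighting):
    """Hostnames from a sighting's target observables (sorted, de-duplicated)."""
    return sorted({o["value"] for t in sighting.get("targets", [])
                   for o in t.get("observables", []) if o.get("type") == "hostname"})


def compile_summary(file_hash, sightings, days=30):
    """Step 7: message text for Webex/Teams; None means step 5 ends the workflow."""
    if not sightings:
        return None
    lines = [f"Retrospective alert: {len(sightings)} sighting(s) of {file_hash} in the last {days} days"]
    for s in sorted(sightings, key=lambda s: s["observed_time"]["start_time"]):
        hosts = ", ".join(sighting_hosts(s)) or "unknown"
        lines.append(f"- {s['observed_time']['start_time']}  host(s): {hosts}")
    return "\n".join(lines)


def investigate(email_body, enrich_response, module_name, now, days=30):
    """Steps 2-7 for every hash in the mail; returns {hash: summary or None}.
    In the real workflow each hash gets its own enrichment call; the sample
    reuses one constructed response for simplicity."""
    results = {}
    for h in extract_sha256(email_body):
        sightings = recent_sightings(extract_sightings(enrich_response, module_name), now, days)
        results[h] = compile_summary(h, sightings, days)
    return results


if __name__ == "__main__":
    for h, msg in investigate(SAMPLE_EMAIL, SAMPLE_ENRICH, "AMP for Endpoints", SAMPLE_NOW).items():
        print(msg or f"No sightings of {h} in the window; workflow ends here")
```

Filtering on the module name before looking at sightings is the point of the "Secure Endpoint Module Name" variable: other modules in the same enrichment bundle (Talos in the sample) carry verdicts rather than endpoint sightings, and counting them would produce a notification with no host to act on.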
Configuration
- Set the "Secure Endpoint Module Name" local variable to the name of your Secure Endpoint module in SecureX (this is often "AMP for Endpoints")
- You must create an account key with your mailbox's credentials and then update the "0025 - Retrospective Alert Mailbox" target with that account key. While you're editing the target, be sure to add your email server's information
- When the workflow imports, the trigger will show in an errored state because the account key and target need to be updated. After configuring your account key and target, go into the workflow, click on the trigger in the workflow's properties, uncheck the Disable Trigger box, and click Save
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
CTR_API | HTTP Endpoint | Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh | CTR_Credentials | Created by default |
Microsoft Teams Webhook | HTTP Endpoint | Protocol: HTTPS Host: your-tenant.webhook.office.com Path: /the-rest-of-the-webhook-url | None | |
0025 - Retrospective Alert Mailbox | IMAP Endpoint | Configured for your IMAP server | 0025 - Retrospective Alert Mailbox Credentials | |
Webex Teams | HTTP Endpoint | Protocol: HTTPS Host: webexapis.com Path: None | None | Not necessary if Webex activities are removed |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | SecureX Token | See this page | |
0025 - Retrospective Alert Mailbox | Email Credentials | Username: Mailbox Username Password: Mailbox Password | |