Link Search Menu Expand Document

Investigate Retrospective Alerts

Workflow #0025

This workflow monitors a mailbox for retrospective detection alerts from Cisco Secure Email. When an alert is received via Cisco Secure Endpoint (formerly AMP) for a file hash, an investigation is conducted to determine if there were any sightings for the hash. If there are sightings, an instant message is sent with details.

GitHub


Requirements

Note: You may have an old version of the Webex Teams - Post Message to Room atomic. To ensure the best experience with this workflow, be sure to import the latest version of this atomic from the GitHub_Target_Atomics repository!


Workflow Steps

  1. Fetch global variables (optional)
  2. Extract the information we need from the email
  3. Generate an access token for Threat Response
  4. Enrich the file hash to look for sightings
  5. Extract the sightings
  6. Check if there were any, if not end the workflow
  7. Compile the sighting data for the past 30 days
  8. Send instant message notifications

Configuration

  • Set the Secure Endpoint Module Name local variable to the name of your Secure Endpoint module in SecureX (this is often AMP for Endpoints)
  • You must create an account key with your mailbox’s credentials and then update the 0025 - Retrospective Alert Mailbox target with that account key. While you’re editing the target, be sure to add your email server’s information
  • When the workflow imports, the trigger will show in an errored state because the account key and target needed to be updated. After configuring your account key and target, go into the workflow, click on the trigger in the workflow’s properties, uncheck the Disable Trigger box, and click Save
  • See this page for information on configuring the workflow for Webex Teams

Targets

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
CTR_API HTTP Endpoint Protocol: HTTPS
Host: visibility.amp.cisco.com
Path: /iroh
None Created by default
CTR_For_Access_Token HTTP Endpoint Protocol: HTTPS
Host: visibility.amp.cisco.com
Path: /iroh
CTR_Credentials Created by default
Microsoft Teams Webhook HTTP Endpoint Protocol: HTTPS
Host: your-tenant.webhook.office.com
Path: /the-rest-of-the-webhook-url
None  
0025 - Retrospective Alert Mailbox IMAP Endpoint Configured for your IMAP server 0025 - Retrospective Alert Mailbox Credentials  
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None
None Not necessary if Webex Teams activities are removed

Account Keys

Account Key Name Type Details Notes
CTR_Credentials HTTP Basic Authentication Username: Client ID
Password: Client Secret
Created by default
0025 - Retrospective Alert Mailbox Credentials Email Credentials Username: Mailbox Username
Password: Mailbox Password