Threat Hunting Events to Incidents
Workflow #0012
This workflow periodically checks a Secure Endpoint (formerly AMP for Endpoints) instance for SecureX Threat Hunting events. When an event is returned, the workflow collects information from it and creates a casebook and incident in Threat Response to document what happened. This workflow is designed to run every 5 minutes on a schedule.
Requirements
- The following atomic actions must be imported before you can import this workflow:
- Threat Response v2 - Create Casebook (Github_Target_Atomics)
- Threat Response v2 - Create Incident (Github_Target_Atomics)
- Threat Response v2 - Create Relationship (Github_Target_Atomics)
- Threat Response v2 - Create Sighting (Github_Target_Atomics)
- Threat Response v2 - Generate Access Token (Github_Target_Atomics)
- The targets and account keys listed below
Workflow Steps
- Detect the region/environment being used
- Calculate date/times
- Fetch events from Secure Endpoint
- Check if events were returned, if not end the workflow
- For each event:
- Extract the event’s information
- Format the information for Threat Response
- Create an incident, casebook, and sighting
Configuration
- By default, the workflow is configured to run every 5 minutes using the 0012 - Secure Endpoint - Threat Hunting Events to Incidents schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
- Open the workflow in the workflow editor
- Scroll down to the Triggers section of the workflow’s properties and click Secure Endpoint Event Polling
- Uncheck the Disable Trigger box and click Save
Activities
- If you change the schedule for this workflow, you will need to adjust the
Calculate time 5 minutes agoactivity’sAdjustmentinput variable to match the new schedule. As in, if you change the schedule to every 10 minutes, you would need to subtract600seconds instead of300 - All of the Threat Response activities default to a
TLP Valueofamber. You can modify this if you want to use different values
Targets
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| AMP_Target | HTTP Endpoint | Protocol: HTTPSHost: api.amp.cisco.comPath: /v1 | AMP_Credentials | Created by default |
| CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPSHost: visibility.amp.cisco.comPath: /iroh | CTR_Credentials | Created by default |
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPSHost: private.intel.amp.cisco.comPath: None | None | Created by default |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| AMP_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |
| CTR_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |