Threat Hunting Events to Incidents
Workflow #0012
This workflow periodically checks Cisco Secure Endpoint for SecureX Threat Hunting events. When an event is returned, the workflow collects information from it and creates a casebook and incident in Cisco SecureX to document what happened. This workflow is designed to run every 5 minutes on a schedule.
Change Log
Date | Notes |
---|---|
Feb 19, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Threat Response - Create Casebook
  - Threat Response - Create Incident
  - Threat Response - Create Relationship
  - Threat Response - Create Sighting
  - Threat Response - Generate Access Token
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint
Workflow Steps
- Detect the region/environment being used
- Calculate date/times
- Fetch events from Secure Endpoint
- Check if events were returned, if not end the workflow
- For each event:
  - Extract the event's information
  - Format the information for SecureX
  - Create an incident, casebook, and sighting
Configuration
- By default, the workflow is configured to run every 5 minutes using the 0012 - Secure Endpoint - Threat Hunting Events to Incidents schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
  - Open the workflow in the workflow editor
  - Scroll down to the Triggers section of the workflow's properties and click Secure Endpoint Event Polling
  - Uncheck the Disable Trigger box and click Save
Activities
- If you change the schedule for this workflow, you will need to adjust the `Calculate time 5 minutes ago` activity's `Adjustment` input variable to match the new schedule. For example, if you change the schedule to every 10 minutes, you would need to subtract `600` seconds instead of `300`; otherwise events that occurred between the previous run and the start of the shorter window are never fetched.
- All of the Threat Response activities default to a `TLP Value` of `amber`. You can modify this if you want to use different values.
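The following Python is an added illustration of the Adjustment note above; it is not part of the workflow or of Cisco's code. It models the poll-window calculation and shows which events are skipped when the schedule is lengthened but the Adjustment value is left at its default. The event timestamps, run time and function names are constructed for the example, and the start-date string is what the fetch step would send (the exact query parameter name is not assumed here).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of event timestamps (ISO 8601, UTC); not real Secure Endpoint data.
SAMPLE_EVENT_TIMES = [
    "2021-09-10T12:00:30+00:00",
    "2021-09-10T12:04:10+00:00",
    "2021-09-10T12:07:45+00:00",
    "2021-09-10T12:09:50+00:00",
]

# Run time of one scheduled execution (constructed).
RUN_TIME = datetime(2021, 9, 10, 12, 10, 0, tzinfo=timezone.utc)


def window_start(run_time, adjustment_seconds):
    """Mirror the 'Calculate time 5 minutes ago' activity: subtract the
    Adjustment input (seconds) from the run time to get the window start."""
    return run_time - timedelta(seconds=adjustment_seconds)


def start_date_param(run_time, adjustment_seconds):
    """ISO 8601 string the 'Fetch events' step would use as its start date."""
    return window_start(run_time, adjustment_seconds).isoformat()


def events_in_window(event_times, run_time, adjustment_seconds):
    """Events the workflow would process on this run."""
    start = window_start(run_time, adjustment_seconds)
    return [t for t in event_times if start <= datetime.fromisoformat(t) <= run_time]


def missed_events(event_times, run_time, schedule_seconds, adjustment_seconds):
    """Events after the previous run but before the window start; these are
    never fetched. Non-empty whenever Adjustment is shorter than the schedule."""
    previous_run = run_time - timedelta(seconds=schedule_seconds)
    start = window_start(run_time, adjustment_seconds)
    return [t for t in event_times
            if previous_run <= datetime.fromisoformat(t) < start]


def adjustment_is_consistent(schedule_seconds, adjustment_seconds):
    """True when the window covers the whole interval since the previous run."""
    return adjustment_seconds >= schedule_seconds


if __name__ == "__main__":
    # Schedule changed to every 10 minutes, Adjustment left at the default 300.
    print("start date:", start_date_param(RUN_TIME, 300))
    print("processed: ", events_in_window(SAMPLE_EVENT_TIMES, RUN_TIME, 300))
    print("missed:    ", missed_events(SAMPLE_EVENT_TIMES, RUN_TIME, 600, 300))
```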
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
AMP_Target | HTTP Endpoint | Protocol: HTTPS; Host: api.amp.cisco.com; Path: /v1 | AMP_Credentials | Created by default |
CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | CTR_Credentials | Created by default |
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None | None | Created by default |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
AMP_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |
CTR_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |