Vulnerabilities to ServiceNow Incidents
Workflow #0021
This workflow periodically checks for “Vulnerable Application Detected” events in Cisco Secure Endpoint. If events are found, the associated CVEs are checked to see if they meet the threshold configured in the workflow. If the threshold is met for at least one of the endpoint’s vulnerabilities, a ServiceNow incident is opened.
Change Log
Date | Notes |
---|---|
Apr 8, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Jan 11, 2022 | - Fixed an issue with a Python script not converting numbers to strings properly |
Aug 31, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- Secure Endpoint - Get Events
- The following atomic actions must be imported before you can import this workflow:
- ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint
- ServiceNow
Workflow Steps
- Calculate the time 24 hours ago
- While there are events to process:
- Get events from Secure Endpoint
- Convert the events to a table
- Loop through each event:
- Extract attributes from the event
- Convert the list of vulnerabilities to text
- Check if the CVE threshold was met. If it was, open a ServiceNow incident
- Check if there’s another page of events
- If there is, update the paging variables and continue
- If there isn’t, end the workflow
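The steps above, carried out offline as an added Python example so the paging loop, the vulnerability-to-text conversion and the threshold check can be read end to end. This is not the workflow's own script or a Cisco/ServiceNow library; the sample events are constructed, and the event field names (data[].event_type, data[].computer.hostname, data[].vulnerabilities[].cve and .score, metadata.links.next for the next page) are assumptions to verify against your Secure Endpoint API version. One vulnerability deliberately carries its score as a string, the kind of input behind the Jan 11, 2022 change log entry.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for two pages from the
# Secure Endpoint - Get Events atomic. CVE IDs are placeholders, not real
# vulnerabilities; the field layout is an assumption (see lead-in).
EVENT_TYPE = "Vulnerable Application Detected"
SAMPLE_PAGES = {
    "page1": {
        "data": [
            {"event_type": EVENT_TYPE, "date": "2022-08-30T14:02:11+00:00",
             "computer": {"hostname": "WKSTN-01", "connector_guid": "guid-0001"},
             "vulnerabilities": [
                 {"name": "Reader", "version": "11.0", "cve": "CVE-2099-0001", "score": 9.3},
                 {"name": "Reader", "version": "11.0", "cve": "CVE-2099-0002", "score": 4.3}]},
            {"event_type": EVENT_TYPE, "date": "2022-08-30T15:10:40+00:00",
             "computer": {"hostname": "WKSTN-02", "connector_guid": "guid-0002"},
             "vulnerabilities": [
                 {"name": "Java", "version": "1.7", "cve": "CVE-2099-0003", "score": 4.0}]},
            {"event_type": "Threat Detected", "date": "2022-08-30T16:00:00+00:00",
             "computer": {"hostname": "WKSTN-02", "connector_guid": "guid-0002"}},
        ],
        "metadata": {"links": {"next": "page2"}},
    },
    "page2": {
        "data": [
            {"event_type": EVENT_TYPE, "date": "2022-08-31T02:45:09+00:00",
             "computer": {"hostname": "WKSTN-03", "connector_guid": "guid-0003"},
             "vulnerabilities": [  # score arrives as a string here
                 {"name": "Browser", "version": "60", "cve": "CVE-2099-0004", "score": "6.5"}]},
        ],
        "metadata": {"links": {}},
    },
}
DEMO_NOW = datetime(2022, 8, 31, 12, 0, 0, tzinfo=timezone.utc)


def query_start_date(now, adjustment_seconds=86400):
    """Step 1: start_date for the events query, now minus the Adjustment
    input (86400 s for the default daily schedule)."""
    return (now - timedelta(seconds=adjustment_seconds)).isoformat(timespec="seconds")


def get_events_page(page_id):
    """Offline stand-in for the Secure Endpoint - Get Events atomic."""
    return SAMPLE_PAGES[page_id]


def score_of(vulnerability):
    """Normalise a score to float; missing or unparsable scores count as 0."""
    try:
        return float(vulnerability.get("score"))
    except (TypeError, ValueError):
        return 0.0


def vulnerabilities_to_text(vulnerabilities):
    """Step 'Convert the list of vulnerabilities to text'. Scores may be
    numbers, so each goes through str() before it is joined into text."""
    return "\n".join(
        f"{v.get('cve', 'unknown CVE')}: {v.get('name', '')} {v.get('version', '')}"
        f" (score {str(v.get('score', 'n/a'))})"
        for v in vulnerabilities)


def threshold_met(vulnerabilities, threshold):
    """True if at least one vulnerability on the endpoint meets the threshold."""
    return any(score_of(v) >= threshold for v in vulnerabilities)


def build_incident(event, threshold):
    """Fields that would feed the ServiceNow - Create Incident atomic."""
    hostname = event.get("computer", {}).get("hostname", "unknown host")
    vulns = event.get("vulnerabilities", [])
    return {
        "hostname": hostname,
        "max_score": max(score_of(v) for v in vulns),
        "short_description": f"Vulnerable application on {hostname} (CVE score >= {threshold})",
        "description": f"Detected {event.get('date')}\n" + vulnerabilities_to_text(vulns),
    }


def process_events(first_page, threshold=6.5):
    """Steps 2-6: page through events, check each against the threshold, and
    return the incidents that would be opened."""
    incidents = []
    page_id = first_page
    while page_id:
        page = get_events_page(page_id)
        for event in page.get("data", []):
            if event.get("event_type") != EVENT_TYPE:
                continue  # other event types are not vulnerability reports
            vulns = event.get("vulnerabilities", [])
            if vulns and threshold_met(vulns, threshold):
                incidents.append(build_incident(event, threshold))
        page_id = page.get("metadata", {}).get("links", {}).get("next")
    return incidents


if __name__ == "__main__":
    print("start_date:", query_start_date(DEMO_NOW))
    for inc in process_events("page1"):
        print(inc["short_description"], "\n" + inc["description"])
```

With the default 6.5 threshold the run opens two incidents (WKSTN-01 at 9.3 and WKSTN-03 at exactly 6.5, since the check is "at or above"); WKSTN-02 stays below it, and the non-vulnerability event is skipped. Changing the schedule to every two days means passing 172800 as the adjustment, matching the Configuration note below.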
Configuration
- Set the CVE Score Threshold local variable to the minimum CVE score you want to generate incidents for. This is 6.5 by default
- By default, the workflow is configured to run once a day using the 0021 - Secure Endpoint - Vulnerabilities to ServiceNow Incidents schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
  - Open the workflow in the workflow editor
  - Scroll down to the Triggers section of the workflow’s properties and click Secure Endpoint Event Polling
  - Uncheck the Disable Trigger box and click Save
- Update the ServiceNow - Create Incident activity with the username you want incidents opened as (in addition to any other changes to the ticket properties you want)
- If you change the schedule for this workflow, you will need to adjust the Calculate time 24 hours ago activity’s Adjustment input variable to match the new schedule. For example, if you change the schedule to every 2 days, you would need to subtract 172800 seconds instead of 86400
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
AMP_Target | HTTP Endpoint | Protocol: HTTPS Host: api.amp.cisco.com Path: /v1 | AMP_Credentials | Created by default |
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
AMP_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password |