
Vulnerabilities to ServiceNow Incidents

Workflow #0021

This workflow periodically checks for “Vulnerable Application Detected” events in Cisco Secure Endpoint (formerly known as AMP). If events are found, the scores of the associated CVEs are compared against the threshold configured in the workflow. If the threshold is met for at least one of the endpoint’s vulnerabilities, a ServiceNow incident is opened.



Requirements


Workflow Steps

  1. Calculate the time 24 hours ago
  2. While there are events to process:
    • Get events from Secure Endpoint
    • Convert the events to a table
    • Loop through each event:
      • Extract attributes from the event
      • Convert the list of vulnerabilities to text
      • Check if the CVE threshold was met. If it was, open a ServiceNow incident
    • Check if there’s another page of events
      • If there is, update the paging variables and continue
      • If there isn’t, end the workflow

Configuration

  • Set the CVE Score Threshold local variable to the minimum CVE score you want to generate incidents for. This is 6.5 by default.
  • By default, the workflow is configured to run once a day using the 0021 - Secure Endpoint - Vulnerabilities to ServiceNow Incidents schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
    • Open the workflow in the workflow editor
    • Scroll down to the Triggers section of the workflow’s properties and click Secure Endpoint Event Polling
    • Uncheck the Disable Trigger box and click Save
  • Update the ServiceNow - Create Incident activity with the username you want incidents opened as (in addition to any other changes to the ticket properties you want).
  • If you change the schedule for this workflow, you will need to adjust the Calculate time 24 hours ago activity’s Adjustment input variable to match the new schedule. For example, if you change the schedule to every 2 days, subtract 172800 seconds instead of 86400.
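The steps and configuration above, worked through as an added example in plain Python; this is not the workflow's own code or anything from the project's repository. The event field names (vulnerabilities[].cve[].id, vulnerabilities[].cve[].cvss, computer.hostname, metadata.links.next), the ServiceNow incident fields (short_description, description, caller_id), and the sample pages are assumptions and constructed data, and the HTTP calls are replaced by an in-memory page fetcher so the logic runs offline. It also shows the two configuration knobs in action: the 6.5 score threshold and the 86400 / 172800 second Adjustment.

```python
"""Decision logic of workflow 0021 as a runnable sketch (added example, not the
project's code). Field names and sample events below are assumptions."""
from datetime import datetime, timezone

CVE_SCORE_THRESHOLD = 6.5   # workflow local variable; 6.5 by default
SCHEDULE_ADJUSTMENT = 86400  # seconds; use 172800 if the schedule becomes every 2 days


def start_date(now_epoch, adjustment=SCHEDULE_ADJUSTMENT):
    """Step 1: ISO-8601 UTC timestamp 'adjustment' seconds before 'now_epoch'."""
    return datetime.fromtimestamp(now_epoch - adjustment, tz=timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")


def vulnerabilities_to_text(event):
    """Step 2c: one line per vulnerable application with its CVE ids and scores."""
    lines = []
    for vuln in event.get("vulnerabilities", []):
        cves = ", ".join(f"{c['id']} (CVSS {c['cvss']})" for c in vuln.get("cve", []))
        lines.append(f"{vuln.get('name', '?')} {vuln.get('version', '')}: {cves}")
    return "\n".join(lines)


def cve_scores(event):
    """Every CVSS score on the event as a float; unparsable scores are skipped."""
    scores = []
    for vuln in event.get("vulnerabilities", []):
        for cve in vuln.get("cve", []):
            try:
                scores.append(float(str(cve.get("cvss", ""))))
            except ValueError:
                continue  # missing or malformed score never trips the threshold
    return scores


def threshold_met(event, threshold=CVE_SCORE_THRESHOLD):
    """Step 2c: True if at least one CVE on the endpoint reaches the threshold."""
    return any(score >= threshold for score in cve_scores(event))


def build_incident(event, caller_id, threshold=CVE_SCORE_THRESHOLD):
    """Incident body the ServiceNow - Create Incident activity would send
    (field names are an assumption about the ServiceNow incident table)."""
    host = event.get("computer", {}).get("hostname", "unknown host")
    return {
        "caller_id": caller_id,
        "short_description": f"Vulnerable application on {host} (CVSS >= {threshold})",
        "description": (f"Secure Endpoint event {event.get('id')} at {event.get('date')}\n\n"
                        + vulnerabilities_to_text(event)),
    }


def process_events(fetch_page, caller_id, threshold=CVE_SCORE_THRESHOLD):
    """Step 2: walk every page of events and return the incidents to open.
    fetch_page(url) returns one page; paging follows metadata.links.next (assumed)."""
    incidents = []
    url = "first"
    while url:  # 'while there are events to process'
        page = fetch_page(url)
        for event in page.get("data", []):
            if threshold_met(event, threshold):
                incidents.append(build_incident(event, caller_id, threshold))
        url = page.get("metadata", {}).get("links", {}).get("next")  # next page or None
    return incidents


# Constructed sample response pages (placeholder CVE ids, not real advisories).
SAMPLE_PAGES = {
    "first": {
        "data": [
            {"id": 1, "date": "2024-01-01T10:00:00Z", "computer": {"hostname": "ws-01"},
             "vulnerabilities": [{"name": "Example App", "version": "1.0", "cve": [
                 {"id": "CVE-0000-0001", "cvss": "9.8"}, {"id": "CVE-0000-0002", "cvss": "4.3"}]}]},
            {"id": 2, "date": "2024-01-01T11:00:00Z", "computer": {"hostname": "ws-02"},
             "vulnerabilities": [{"name": "Example Viewer", "version": "2.1", "cve": [
                 {"id": "CVE-0000-0003", "cvss": "5.0"}]}]},
        ],
        "metadata": {"links": {"next": "second"}},
    },
    "second": {
        "data": [
            {"id": 3, "date": "2024-01-01T12:00:00Z", "computer": {"hostname": "ws-03"},
             "vulnerabilities": [{"name": "Example Agent", "version": "3.0", "cve": [
                 {"id": "CVE-0000-0004", "cvss": "6.5"}]}]},
        ],
        "metadata": {"links": {}},  # no next link: end of the workflow
    },
}


def fake_fetch(url):
    """Stand-in for the Secure Endpoint events request (offline)."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    print("start_date:", start_date(1704153600))
    for inc in process_events(fake_fetch, "orchestration_user"):
        print(inc["short_description"])
```

Event 2 (highest CVSS 5.0) falls below the default threshold and produces no incident; event 3 scores exactly 6.5, which the workflow treats as meeting the threshold, so two incidents come out of three events. Swapping the 86400 default for 172800 in start_date is the same change the Configuration section asks for when the schedule moves to every 2 days.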

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| AMP_Target | HTTP Endpoint | Protocol: HTTPS<br>Host: api.amp.cisco.com<br>Path: /v1 | AMP_Credentials | Created by default |
| ServiceNow | HTTP Endpoint | Protocol: HTTPS<br>Host: &lt;instance&gt;.service-now.com<br>Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| AMP_Credentials | HTTP Basic Authentication | Username: Client ID<br>Password: Client Secret | Created by default |
| ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID<br>Password: ServiceNow Password | |