
Threat Detected Events to Incidents

Workflow #0026

This workflow periodically checks a Secure Endpoint instance for Threat Detected events. When an event is returned, the workflow collects information from it and creates a casebook and incident in Threat Response to document what happened. This workflow is designed to run every 5 minutes on a schedule.



Requirements


Workflow Steps

  1. Detect the region/environment being used
  2. Calculate date/times
  3. Fetch events from Secure Endpoint
  4. Check if events were returned, if not end the workflow
  5. For each event:
    • Extract the event’s information
    • Format the information for Threat Response
    • Create an incident, casebook, and sighting

Configuration

  • By default, the workflow is configured to run every 5 minutes using the 0026 - Secure Endpoint - Threat Detected Events to Incidents schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
    • Open the workflow in the workflow editor
    • Scroll down to the Triggers section of the workflow’s properties and click Secure Endpoint Event Polling
    • Uncheck the Disable Trigger box and click Save

Activities

  • If you change the schedule for this workflow, you will need to adjust the Calculate time 5 minutes ago activity’s Adjustment input variable to match the new schedule. For example, if you change the schedule to every 10 minutes, you would need to subtract 600 seconds instead of 300.
  • All of the Threat Response activities default to a TLP Value of amber. You can modify this if you want to use different values.
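As an added example (not the workflow's own code), the core of steps 2 and 5 in Python: the polling window derived from the Adjustment value, and the mapping of one Threat Detected event to the casebook, incident and sighting the workflow creates with the default TLP of amber. The sample event is constructed; the layout of the Secure Endpoint event, the query parameter names for /v1/events, and the Threat Response object fields are assumptions, while the event type id is the Secure Endpoint id for Threat Detected.

```python
from datetime import datetime, timedelta, timezone

THREAT_DETECTED = 1090519054  # Secure Endpoint event_type_id for "Threat Detected"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "now" for the demo

# Constructed sample event, shaped like a Secure Endpoint /v1/events record (assumed layout).
SAMPLE_EVENT = {
    "date": "2024-01-01T11:55:12+00:00", "event_type_id": THREAT_DETECTED,
    "detection": "W32.Example.Sample",
    "computer": {"hostname": "WS-EXAMPLE-01",
                 "network_addresses": [{"ip": "10.0.0.5", "mac": "00:11:22:33:44:55"}]},
    "file": {"file_name": "sample.exe", "disposition": "Malicious",
             "identity": {"sha256": "a" * 64}},
}

def window_start(now, adjustment_seconds=300):
    """Step 2: start of the polling window, i.e. now minus the Adjustment input
    (300 s for the default 5-minute schedule, 600 s for a 10-minute one). 'now' must be tz-aware."""
    start = now.astimezone(timezone.utc) - timedelta(seconds=adjustment_seconds)
    return start.replace(microsecond=0).isoformat()

def events_query(now, adjustment_seconds=300):
    """Step 3: query parameters for GET /v1/events on AMP_Target (parameter names are assumed)."""
    return {"start_date": window_start(now, adjustment_seconds), "event_type[]": THREAT_DETECTED}

def extract(event):
    """Step 5a: pull the fields worth reporting from one Threat Detected event."""
    computer, file_info = event.get("computer", {}), event.get("file", {})
    return {"date": event["date"], "detection": event.get("detection", "Unknown"),
            "hostname": computer.get("hostname"),
            "ips": [a["ip"] for a in computer.get("network_addresses", []) if a.get("ip")],
            "sha256": file_info.get("identity", {}).get("sha256"),
            "file_name": file_info.get("file_name")}

def to_threat_response(info, tlp="amber"):
    """Steps 5b/5c: casebook, incident and sighting bodies (CTIM-style; exact field set is assumed)."""
    observables = [{"type": t, "value": v} for t, v in
                   (("sha256", info["sha256"]), ("hostname", info["hostname"]),
                    ("file_name", info["file_name"])) if v]
    observables += [{"type": "ip", "value": ip} for ip in info["ips"]]
    title = f"Secure Endpoint Threat Detected: {info['detection']} on {info['hostname']}"
    casebook = {"type": "casebook", "title": title, "tlp": tlp, "observables": observables}
    incident = {"type": "incident", "title": title, "tlp": tlp, "confidence": "High",
                "status": "New", "incident_time": {"opened": info["date"]}}
    sighting = {"type": "sighting", "tlp": tlp, "confidence": "High", "count": 1,
                "observed_time": {"start_time": info["date"]}, "observables": observables}
    return casebook, incident, sighting

if __name__ == "__main__":
    print(events_query(SAMPLE_NOW, 600))  # window starts 10 minutes before SAMPLE_NOW
    for obj in to_threat_response(extract(SAMPLE_EVENT)):
        print(obj["type"], obj.get("title", obj.get("observables")))
```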

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| AMP_Target | HTTP Endpoint | Protocol: HTTPS, Host: api.amp.cisco.com, Path: /v1 | AMP_Credentials | Created by default |
| CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPS, Host: visibility.amp.cisco.com, Path: /iroh | CTR_Credentials | Created by default |
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS, Host: private.intel.amp.cisco.com, Path: None | None | Created by default |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| AMP_Credentials | HTTP Basic Authentication | Username: Client ID, Password: Client Secret | Created by default |
| CTR_Credentials | HTTP Basic Authentication | Username: Client ID, Password: Client Secret | Created by default |