Threat Detected Events to Incidents
Workflow #0026
This workflow periodically checks Cisco Secure Endpoint for Threat Detected events. When an event is returned, the workflow collects information from it and creates a casebook and incident in Cisco SecureX to document what happened. This workflow is designed to run every 5 minutes on a schedule.
This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
Change Log
Date | Notes |
---|---|
Apr 16, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Sep 1, 2022 | - Updated to support SecureX Tokens |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Secure Endpoint - Get Events
  - Threat Response - Create Casebook
  - Threat Response - Create Incident
  - Threat Response - Create Relationship
  - Threat Response - Create Sighting
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint
Workflow Steps
- Detect the region/environment being used
- Calculate date/times
- Fetch events from Secure Endpoint
- Check if events were returned; if not, end the workflow
- For each event:
  - Extract the event’s information
  - Format the information for SecureX
  - Create an incident, casebook, and sighting
Configuration
- By default, the workflow is configured to run every 5 minutes using the 0026 - Secure Endpoint - Threat Detected Events to Incidents schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
  - Open the workflow in the workflow editor
  - Scroll down to the Triggers section of the workflow’s properties and click Secure Endpoint Event Polling
  - Uncheck the Disable Trigger box and click Save
Activities
- If you change the schedule for this workflow, you will need to adjust the Calculate time 5 minutes ago activity’s Adjustment input variable to match the new schedule. For example, if you change the schedule to every 10 minutes, you would need to subtract 600 seconds instead of 300.
- All of the Threat Response activities default to a TLP Value of amber. You can modify this if you want to use different values.
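The following is an added Python example, not part of the workflow or any Cisco code, covering the "Calculate date/times" and per-event steps above and the Adjustment note: it computes the polling window start for a given schedule, walks a constructed Secure Endpoint events response, and shapes each event into the CTIM sighting and incident the Threat Response atomics receive. The event field names, the CTIM field set and the sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

TLP = "amber"  # default TLP Value on every Threat Response activity
NOW = datetime(2022, 9, 1, 12, 5, 0, tzinfo=timezone.utc)  # constructed 'now'

def polling_window_start(now: datetime, adjustment_seconds: int = 300) -> str:
    """ISO-8601 start of the window produced by 'Calculate time 5 minutes ago':
    now minus the Adjustment (300 s for the 5-minute schedule, 600 s if the
    schedule is changed to every 10 minutes)."""
    return (now - timedelta(seconds=adjustment_seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

def extract_event(event: dict) -> dict:
    """Pull the fields the workflow documents from one event record.
    Key names follow the Secure Endpoint events API response (assumed shape)."""
    return {
        "event_id": event["id"],
        "timestamp": event["date"],
        "detection": event.get("detection", "unknown"),
        "hostname": event["computer"]["hostname"],
        "sha256": event["file"]["identity"]["sha256"],
    }

def to_ctim(info: dict) -> dict:
    """Shape the extracted data as the CTIM sighting and incident handed to the
    Create Sighting / Create Incident atomics (field set assumed)."""
    sighting = {
        "type": "sighting", "confidence": "High", "count": 1, "tlp": TLP,
        "observed_time": {"start_time": info["timestamp"]},
        "observables": [{"type": "sha256", "value": info["sha256"]}],
        "description": f"{info['detection']} detected on {info['hostname']}",
    }
    incident = {
        "type": "incident", "status": "New", "confidence": "High", "tlp": TLP,
        "incident_time": {"opened": info["timestamp"]},
        "title": f"Secure Endpoint Threat Detected: {info['detection']}",
        "description": f"Event {info['event_id']} on {info['hostname']}",
    }
    return {"sighting": sighting, "incident": incident}

def process_events(response: dict) -> list:
    """Mirror the workflow: end when no events came back, else handle each."""
    events = response.get("data", [])
    if not events:
        return []  # 'Check if events were returned, if not end the workflow'
    return [to_ctim(extract_event(e)) for e in events]

# Constructed sample response (not real telemetry) in the events API shape.
SAMPLE = {"data": [{"id": 1, "date": "2022-09-01T12:00:00+00:00",
    "detection": "W32.Example.Constructed", "computer": {"hostname": "host-01"},
    "file": {"identity": {"sha256": "a" * 64}}}]}
```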
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
AMP_Target | HTTP Endpoint | Protocol: HTTPS; Host: api.amp.cisco.com; Path: /v1 | AMP_Credentials | Created by default |
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None | CTR_Credentials | Created by default |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
AMP_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |
CTR_Credentials | SecureX Token | See this page | |