On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Multiple Low or Medium Alerts to ServiceNow

Workflow #0048

This workflow searches alerts in Cisco Secure Endpoint for hosts with multiple low or medium severity events. If any endpoints are found, a ServiceNow incident ticket is opened.

Change Log

| Date | Notes |
| --- | --- |
| Nov 2, 2021 | Initial release |
| Sep 7, 2022 | Minor updates to naming and descriptions |

Requirements

  • The following system atomics are used by this workflow:
    • Secure Endpoint - Get Computer by GUID
    • Secure Endpoint - Get Events
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Endpoint
  • ServiceNow

Workflow Steps

  1. Fetch events from Cisco Secure Endpoint
  2. Parse the events and update local variables
  3. Convert the hosts to a table and select all hosts with 2 or more alerts
  4. For each host:
    • Fetch its full host record and extract some fields
    • Append this host to the ServiceNow ticket text
  5. Check if there are any hosts to report on:
    • If there are, create a ServiceNow incident ticket

Configuration

  • Set the Days to Search local variable to how many days of events you want to aggregate
  • Set the Secure Endpoint Region local variable based on the Secure Endpoint region you’re using
  • Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
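The aggregation in workflow steps 2 through 5, together with the Days to Search and ServiceNow User ID settings above, as an added Python example that is not part of the workflow itself: it runs offline on constructed event records shaped like Secure Endpoint `GET /v1/events` items (the field names `severity`, `connector_guid`, `computer.hostname`, `event_type`, `date` are assumptions) and builds the body a ServiceNow Table API `POST /api/now/table/incident` call would send.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def _ev(severity, guid, hostname, event_type, date):
    # Constructed record shaped like a Secure Endpoint GET /v1/events item
    # (field names are an assumption made for this example).
    return {"severity": severity, "connector_guid": guid, "event_type": event_type,
            "computer": {"hostname": hostname}, "date": date}

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    _ev("Medium", "guid-a", "ws-01", "Threat Detected", "2021-11-01T10:00:00+00:00"),
    _ev("Low", "guid-a", "ws-01", "Threat Quarantined", "2021-11-01T11:30:00+00:00"),
    _ev("High", "guid-a", "ws-01", "Executed Malware", "2021-11-01T12:00:00+00:00"),  # not low/medium
    _ev("Low", "guid-b", "ws-02", "Threat Detected", "2021-11-02T01:00:00+00:00"),     # single alert
    _ev("Medium", "guid-c", "srv-03", "Threat Detected", "2021-11-01T08:00:00+00:00"),
    _ev("Medium", "guid-c", "srv-03", "Threat Detected", "2021-10-01T08:00:00+00:00"),  # old
]
NOW = datetime(2021, 11, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example

def hosts_with_repeat_alerts(events, days_to_search, now=NOW, min_alerts=2):
    """Steps 2-3: group low/medium events inside the Days to Search window by
    host and keep hosts with at least min_alerts of them. Returns {guid: [events]}."""
    cutoff = now - timedelta(days=days_to_search)
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("severity") not in ("Low", "Medium"):
            continue
        if datetime.fromisoformat(ev["date"]) < cutoff:
            continue
        per_host[ev["connector_guid"]].append(ev)
    return {guid: evs for guid, evs in per_host.items() if len(evs) >= min_alerts}

def build_incident(hosts, caller_id, days_to_search):
    """Steps 4-5: build the body for POST /api/now/table/incident
    (ServiceNow Table API); returns None when there is nothing to report."""
    if not hosts:
        return None
    lines = []
    for guid, evs in sorted(hosts.items()):
        types = ", ".join(e["event_type"] for e in evs)
        lines.append(f"{evs[0]['computer']['hostname']} ({guid}): {len(evs)} low/medium alerts: {types}")
    return {
        "caller_id": caller_id,  # the ServiceNow User ID local variable
        "short_description": f"{len(hosts)} host(s) with multiple low/medium "
                             f"Secure Endpoint alerts in the last {days_to_search} days",
        "description": "\n".join(lines),
    }

if __name__ == "__main__":
    print(build_incident(hosts_with_repeat_alerts(SAMPLE_EVENTS, 7), "secops.bot", 7))
```

Widening the window to 45 days pulls the older srv-03 event back in, so that host is reported too; this is the effect of the Days to Search variable.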

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
| --- | --- | --- | --- | --- |
| AMP_Target | HTTP Endpoint | Protocol: HTTPS, Host: api.amp.cisco.com, Path: /v1 | AMP_Credentials | Created by default |
| ServiceNow | HTTP Endpoint | Protocol: HTTPS, Host: <instance>.service-now.com, Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |

Account Keys

| Account Key Name | Type | Details | Notes |
| --- | --- | --- | --- |
| AMP_Credentials | HTTP Basic Authentication | Username: Client ID, Password: Client Secret | Created by default |
| ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID, Password: ServiceNow Password | |