Impact Red Remediation
Workflow #0013
This workflow checks Cisco Threat Response for incidents generated by Cisco Secure Firewall Impact Red events every 10 minutes. If matching incidents are found, an investigation is performed to identify related observables including endpoints, domains, file hashes, and users. After investigation is complete, approval will be requested to perform automated remediation. If approved, the observables discovered will be remediated (remediation actions vary by observable type).
This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
Change Log
| Date | Notes |
|---|---|
| Feb 19, 2021 | - Initial release |
| Sep 10, 2021 | - Updated to use the new system atomics |
| Aug 31, 2022 | - Updated to support SecureX Tokens |
| Oct 31, 2022 | - Minor bug fix which could cause workflow failure if no observables were extracted from a sighting (Issue #199) |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- Duo - Admin - Add User to Group
- Duo - Admin - Get User
- Orbital - Query Endpoint
- Secure Endpoint - Get Computer by GUID
- Secure Endpoint - Get Connector GUID
- Threat Response - Deliberate Observable
- Threat Response - Enrich Observable
- Threat Response - Generate Access Token
- Threat Response - List Response Actions
- Threat Response - Trigger Response Action
- Webex - Post Message to Room
- Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
- ServiceNow - Create Incident (Github_Target_Atomics)
- The targets and account keys listed at the bottom of the page
- A ServiceNow instance and API account
- Cisco Secure Endpoint with Orbital
- Cisco Secure Firewall
- Cisco Umbrella
- (Optional) Cisco Webex
- Duo Security
Workflow Steps
- Fetch any necessary global variables and set the environment URLs for SecureX and Threat Response
- Request a list of Impact Red events for the past 10 minutes
- If the request was successful, convert the list of incidents to a table
- For each incident:
- Make sure the Threat Response access token is still valid
- Fetch this incident’s full bundle (including sightings and other relationships)
- Convert the incident’s sightings to a table
- For each sighting:
- Use Python to process the sighting and extract the information we want
- Check if domains need to be blocked. If so:
- Defang each domain and add it to the table of actions to take later
- Convert the sighting’s observables to a table
- For each observable:
- Get the observable’s verdict from Threat Response
- If this is a malicious IP address, update the
Malicious IPlocal variable - Enrich the observable using Threat Response
- Check if there were any results from Secure Endpoint. If not, skip this observable
- Use Python to extract file hashes from the Secure Endpoint results and convert the hashes to a table
- For each file hash:
- Check if the file hash was delivered by email by looking for SMA Email sightings in Threat Response
- Add it to the table of actions to take later
- Check if there’s a computer in Secure Endpoint with the internal IP extracted earlier. If there is:
- Get the computer object from Secure Endpoint and extract some information about it
- Add the computer GUID to the table of actions to take later
- Execute Orbital queries to get a list of users logged into the computer and take a forensic snapshot
- Check if fetching a list of logged in users succeeded. If so:
- Convert the results into a list we can parse and loop through
- For each user:
- Check if a matching user exists in Duo and, if so, add the user to the table of actions to take later
- Create an approval request to perform automated remediation
- Send Webex notifications
- Wait for approval
- If the request was denied, send a Webex message and end the workflow
- If the request was approved:
- For each action in the table of pending actions:
- Check which type of action it is and take action accordingly
- For domains: block in Umbrella
- For file hashes: add to Secure Endpoint simple custom detection list
- For computer GUIDs: enable Secure Endpoint host isolation
- For Duo users: move to a Duo DENY group
- Check which type of action it is and take action accordingly
- Create a ServiceNow ticket documenting the remediation steps
- Send a final Webex message with a summary of steps taken
- For each action in the table of pending actions:
Configuration
- By default, the workflow is configured to run every 10 minutes using the 0013 - Firepower - Impact Red Remediation schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
- Open the workflow in the workflow editor
- Scroll down to the Triggers section of the workflow’s properties and click Firepower Impact Red Incident Polling
- Uncheck the Disable Trigger box and click Save
Local Variables
- Provide the workflow your Duo Security Admin API information by either:
- Storing the information in global variables and using the
Fetch Global Variablesgroup at the beginning of the workflow to update theDuo Hostname,Duo Integration Key, andDuo Secret Keylocal variables; or - Remove the variables from the
Fetch Global Variablesgroup and add your information directly to the corresponding local variables
- Storing the information in global variables and using the
- Set
Duo Deny User Groupto the ID of the user group you want Duo users added to during remediation. You can get this ID from the URL of the group’s page in the Duo admin panel. For example:DGWP6584D8PORPPC9H01 - Set
Duo Username Suffix. If you need to add something like a domain to your usernames before searching them in Duo, you can use this variable to append a value to all Duo usernames. For example:@company.com - Set
ServiceNow Instance URLto your ServiceNow instance’s URL. For example:mycompany.service-now.com - See this page for information on configuring the workflow for Webex
Activities
- If you change the schedule for this workflow, you need to adjust the
Calculate time 10 minutes agoactivity’sAdjustmentinput variable to match the new schedule. As in, if you change the schedule to every 30 minutes, you would need to subtract1800seconds instead of600 - Set
Service Now User IDonServiceNow - Create Incidenttowards the end of the workflow - Update
Firepower Impact Red remediation approvalwith:- A
Task Requestor - A
Task Owner - One or more
Task Assignees
- A
- If your Secure Endpoint module isn’t named
AMP for Endpointsin SecureX, you need to update theJSONPath Queryon theCheck for Secure Endpoint resultsactivity with your module’s name - If your SMA Email module isn’t named
SMA Emailin SecureX, you need to update theJSONPath Queryon theCheck for SMA Email resultsactivity with your module’s name - If your Umbrella module isn’t named
Umbrellain SecureX, you need to update theJSONPath Queryon theExtract Umbrella Actionsactivity with your module’s name
Targets
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| AMP_Target | HTTP Endpoint | Protocol: HTTPSHost: api.amp.cisco.comPath: /v1 | AMP_Credentials | Created by default |
| CTR_API | HTTP Endpoint | Protocol: HTTPSHost: visibility.amp.cisco.comPath: /iroh | CTR_Credentials | Created by default |
| Duo Security | HTTP Endpoint | Protocol: HTTPSHost: <api hostname>.duosecurity.comPath: None | None | Be sure to use the API Hostname from your Duo integration |
| Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPSHost: visibility.amp.cisco.comPath: /iroh | Orbital_Credentials | Created by default |
| Orbital_Target | HTTP Endpoint | Protocol: HTTPSHost: orbital.amp.cisco.comPath: /v0 | None | Created by default |
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPSHost: private.intel.amp.cisco.comPath: None | None | Created by default |
| ServiceNow | HTTP Endpoint | Protocol: HTTPSHost: <instance>.service-now.comPath: /api | ServiceNow_Credentials | Be sure to use your instance URL |
| Webex Teams | HTTP Endpoint | Protocol: HTTPSHost: webexapis.comPath: None | None | Not necessary if Webex activities are removed |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| AMP_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |
| CTR_Credentials | SecureX Token | See this page | |
| Orbital_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |
| ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password |