
Impact Red Remediation

Workflow #0013

This workflow polls Threat Response every 10 minutes for incidents generated by Cisco Secure Firewall (formerly Firepower) Impact Red events. If matching incidents are found, each one is investigated to identify related observables: endpoints, domains, file hashes, and users. Once the investigation is complete, the workflow requests approval before taking any action. If the request is approved, the discovered observables are remediated; the remediation action depends on the observable type (see the Workflow Steps below).

Requirements

Note: You may have an old version of the Webex Teams - Post Message to Room atomic. To ensure the workflow behaves as documented, import the latest version of this atomic from the GitHub_Target_Atomics repository before importing the workflow.


Workflow Steps

  1. Fetch any necessary global variables and set the environment URLs for SecureX and Threat Response
  2. Request a list of Impact Red events for the past 10 minutes
  3. If the request was successful, convert the list of incidents to a table
  4. For each incident:
    • Make sure the Threat Response access token is still valid
    • Fetch this incident’s full bundle (including sightings and other relationships)
    • Convert the incident’s sightings to a table
    • For each sighting:
      • Use Python to process the sighting and extract the information we want
      • Check if domains need to be blocked. If so:
        • Defang each domain and add it to the table of actions to take later
      • Convert the sighting’s observables to a table
      • For each observable:
        • Get the observable’s verdict from Threat Response
        • If this is a malicious IP address, update the Malicious IP local variable
        • Enrich the observable using Threat Response
        • Check if there were any results from AMP. If not, skip this observable
        • Use Python to extract file hashes from the AMP results and convert the hashes to a table
        • For each file hash:
          • Check if the file hash was delivered by email by looking for SMA Email sightings in Threat Response
          • Add it to the table of actions to take later
      • Check if there’s a computer in AMP with the internal IP extracted earlier. If there is:
        • Get the computer object from AMP and extract some information about it
        • Add the computer GUID to the table of actions to take later
      • Execute Orbital queries to get a list of users logged into the computer and take a forensic snapshot
      • Check if fetching a list of logged in users succeeded. If so:
        • Convert the results into a list we can parse and loop through
        • For each user:
          • Check if a matching user exists in Duo and, if so, add the user to the table of actions to take later
    • Create an approval request to perform automated remediation
    • Send Webex notifications
    • Wait for approval
      • If the request was denied, send a Webex Teams message and end the workflow
      • If the request was approved:
        • For each action in the table of pending actions:
          • Check which type of action it is and take action accordingly
            • For domains: block in Umbrella
            • For file hashes: add to AMP simple custom detection list
            • For computer GUIDs: enable AMP host isolation
            • For Duo users: move to a Duo DENY group
        • Create a ServiceNow ticket documenting the remediation steps
        • Send a final Webex Teams message with a summary of steps taken
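The sighting-processing and action-table logic in the steps above, as an added example in plain Python; this is not the workflow's own Python activity or any Cisco code. The sighting, the Threat Response enrich response, the AMP computer GUID, the Orbital user list and the Duo user set are all constructed inline and only loosely modeled on the real bundle and enrich-response shapes, so every field name (`data`, `module`, `sightings`, `docs`, `observables`, `targets`) is an assumption. The `module_results` filter is the Python equivalent of the module-name check that the Check for AMP results activity performs with a JSONPath query, which is why `AMP_MODULE` must match the name of your module in SecureX. No API calls are made; `plan` only reports what each approved action would do.

```python
"""Added example (not the workflow's or Cisco's code): build the table of
pending remediation actions for one Threat Response sighting.
All data shapes below are assumptions modeled on the Threat Response bundle."""
import re
from dataclasses import dataclass

AMP_MODULE = "AMP for Endpoints"   # must equal your AMP module's name in SecureX
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True)
class Action:
    kind: str     # "domain" | "sha256" | "amp_computer_guid" | "duo_user"
    value: str    # what the remediation API receives
    display: str  # safe form for Webex / ServiceNow text


def defang(domain: str) -> str:
    """bad.example -> bad[.]example so the domain is not clickable in chat."""
    return domain.replace(".", "[.]")


def duo_username(user: str, suffix: str) -> str:
    """Apply the Duo Username Suffix local variable (e.g. "@company.com")."""
    return user if not suffix or user.endswith(suffix) else user + suffix


def module_results(enrich: dict, module: str) -> list:
    """Select the enrich-response entries for one module by name; this is
    what the workflow's JSONPath query on the module name does."""
    return [m for m in enrich.get("data", []) if m.get("module") == module]


def internal_ip(sighting: dict):
    """First IP observable on an endpoint target of the sighting, or None."""
    for target in sighting.get("targets", []):
        if target.get("type") != "endpoint":
            continue
        for obs in target.get("observables", []):
            if obs.get("type") == "ip":
                return obs["value"]
    return None


def amp_hashes(enrich: dict, module: str = AMP_MODULE) -> list:
    """Deduplicated SHA-256 values seen in the named module's sightings."""
    found = set()
    for m in module_results(enrich, module):
        for doc in m.get("data", {}).get("sightings", {}).get("docs", []):
            for obs in doc.get("observables", []):
                if obs.get("type") == "sha256" and SHA256_RE.match(obs["value"]):
                    found.add(obs["value"])
    return sorted(found)


def build_actions(sighting, enrich, amp_guid, users, duo_users, suffix):
    """Pending-action table for one sighting; nothing here is executed until approval."""
    actions = []
    for obs in sighting.get("observables", []):
        if obs.get("type") == "domain":
            actions.append(Action("domain", obs["value"], defang(obs["value"])))
    for h in amp_hashes(enrich):
        actions.append(Action("sha256", h, h))
    if amp_guid:                       # a computer in AMP matched the internal IP
        actions.append(Action("amp_computer_guid", amp_guid, amp_guid))
    for u in users:                    # logged-in users reported by Orbital
        name = duo_username(u, suffix)
        if name in duo_users:          # only users that actually exist in Duo
            actions.append(Action("duo_user", name, name))
    return actions


REMEDIATION = {
    "domain": ("Umbrella", "block domain"),
    "sha256": ("AMP for Endpoints", "add to simple custom detection list"),
    "amp_computer_guid": ("AMP for Endpoints", "enable host isolation"),
    "duo_user": ("Duo", "move to DENY group"),
}


def plan(actions):
    """(system, action, target) for each approved action; no API calls made here."""
    return [(*REMEDIATION[a.kind], a.value) for a in actions]


# Constructed sample data, not captured from a real Threat Response response.
SIGHTING = {
    "observables": [{"type": "domain", "value": "bad.example"},
                    {"type": "ip", "value": "203.0.113.7"}],
    "targets": [{"type": "endpoint", "observables": [
        {"type": "hostname", "value": "ws-042"}, {"type": "ip", "value": "10.1.2.3"}]}],
}
ENRICH = {"data": [
    {"module": "Umbrella", "data": {"verdicts": {"count": 1, "docs": []}}},
    {"module": AMP_MODULE, "data": {"sightings": {"count": 2, "docs": [
        {"observables": [{"type": "sha256", "value": "a" * 64}]},
        {"observables": [{"type": "sha256", "value": "a" * 64},
                         {"type": "md5", "value": "c" * 32}]}]}}},
]}


def demo():
    """Run the pipeline on the constructed data; returns the action table."""
    return build_actions(SIGHTING, ENRICH, amp_guid="GUID-ws-042",
                         users=["alice", "svc-backup"],
                         duo_users={"alice@company.com"}, suffix="@company.com")


if __name__ == "__main__":
    for row in plan(demo()):
        print(row)
```

Running it yields one action per type: the domain is kept in its real form for Umbrella and stored defanged for messages, the duplicate SHA-256 collapses to one entry, the MD5 is ignored, and only the Orbital user that exists in Duo (after the suffix is applied) becomes a Duo action. Changing `AMP_MODULE` to a name that does not match the enrich data yields no hashes, which is exactly the failure you get when the module name in the JSONPath query does not match your SecureX module.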

Configuration

  • By default, the workflow is configured to run every 10 minutes using the 0013 - Firepower - Impact Red Remediation schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
    • Open the workflow in the workflow editor
    • Scroll down to the Triggers section of the workflow’s properties and click Firepower Impact Red Incident Polling
    • Uncheck the Disable Trigger box and click Save

Local Variables

  • Provide the workflow with your Duo Security Admin API information in one of two ways:
    • Store the information in global variables and let the Fetch Global Variables group at the beginning of the workflow populate the Duo Hostname, Duo Integration Key, and Duo Secret Key local variables; or
    • Remove those variables from the Fetch Global Variables group and enter your information directly in the corresponding local variables
  • Set Duo Deny User Group to the ID of the user group you want Duo users added to during remediation. You can get this ID from the URL of the group’s page in the Duo admin panel. For example: DGWP6584D8PORPPC9H01
  • Set Duo Username Suffix. If you need to add something like a domain to your usernames before searching them in Duo, you can use this variable to append a value to all Duo usernames. For example: @company.com
  • Set ServiceNow Instance URL to your ServiceNow instance’s URL. For example: mycompany.service-now.com
  • See this page for information on configuring the workflow for Webex Teams

Activities

  • If you change the schedule for this workflow, adjust the Adjustment input of the Calculate time 10 minutes ago activity to match the new interval, in seconds. For example, if the schedule runs every 30 minutes, subtract 1800 seconds instead of 600. If the window is shorter than the polling interval, Impact Red events that arrive between runs are never seen
  • Set the Service Now User ID input on the ServiceNow - Create Incident activity near the end of the workflow
  • Update Firepower Impact Red remediation approval with:
    • A Task Requestor
    • A Task Owner
    • One or more Task Assignees
  • If your AMP for Endpoints module isn’t named AMP for Endpoints in SecureX, you need to update the JSONPath Query on the Check for AMP results activity with your module’s name
  • If your SMA Email module isn’t named SMA Email in SecureX, you need to update the JSONPath Query on the Check for SMA Email results activity with your module’s name
  • If your Umbrella module isn’t named Umbrella in SecureX, you need to update the JSONPath Query on the Extract Umbrella Actions activity with your module’s name

Targets

Target Group: Default TargetGroup

Target Name: AMP_Target
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: api.amp.cisco.com; Path: /v1
  Account Keys: AMP_Credentials
  Notes: Created by default

Target Name: CTR_API
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh
  Account Keys: None
  Notes: Created by default

Target Name: CTR_For_Access_Token
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh
  Account Keys: CTR_Credentials
  Notes: Created by default

Target Name: Duo Security
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: <api hostname>.duosecurity.com; Path: None
  Account Keys: None
  Notes: Be sure to use the API Hostname from your Duo integration

Target Name: Orbital_For_Access_Token
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh
  Account Keys: Orbital_Credentials
  Notes: Created by default

Target Name: Orbital_Target
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: orbital.amp.cisco.com; Path: /v0
  Account Keys: None
  Notes: Created by default

Target Name: Private_CTIA_Target
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None
  Account Keys: None
  Notes: Created by default

Target Name: ServiceNow
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api
  Account Keys: ServiceNow_Credentials
  Notes: Be sure to use your instance URL

Target Name: Webex Teams
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: webexapis.com; Path: None
  Account Keys: None
  Notes: Not necessary if the Webex Teams activities are removed

Account Keys

Account Key Name: AMP_Credentials
  Type: HTTP Basic Authentication
  Details: Username: Client ID; Password: Client Secret
  Notes: Created by default

Account Key Name: CTR_Credentials
  Type: HTTP Basic Authentication
  Details: Username: Client ID; Password: Client Secret
  Notes: Created by default

Account Key Name: Orbital_Credentials
  Type: HTTP Basic Authentication
  Details: Username: Client ID; Password: Client Secret
  Notes: Created by default

Account Key Name: ServiceNow_Credentials
  Type: HTTP Basic Authentication
  Details: Username: ServiceNow User ID; Password: ServiceNow Password