Impact Red Remediation

Workflow #0013

This workflow checks Cisco Threat Response for incidents generated by Cisco Secure Firewall Impact Red events every 10 minutes. If matching incidents are found, an investigation is performed to identify related observables including endpoints, domains, file hashes, and users. After investigation is complete, approval will be requested to perform automated remediation. If approved, the observables discovered will be remediated (remediation actions vary by observable type).

Change Log

Date          Notes
Feb 19, 2021  Initial release
Sep 10, 2021  Updated to use the new system atomics

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Duo - Admin - Add User to Group
    • Duo - Admin - Get User
    • Orbital - Query Endpoint
    • Secure Endpoint - Get Computer by GUID
    • Secure Endpoint - Get Connector GUID
    • Threat Response - Deliberate Observable
    • Threat Response - Enrich Observable
    • Threat Response - Generate Access Token
    • Threat Response - List Response Actions
    • Threat Response - Trigger Response Action
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • A ServiceNow instance and API account
  • Cisco Secure Endpoint with Orbital
  • Cisco Secure Firewall
  • Cisco Umbrella
  • (Optional) Cisco Webex
  • Duo Security

Workflow Steps

  1. Fetch any necessary global variables and set the environment URLs for SecureX and Threat Response
  2. Request a list of Impact Red events for the past 10 minutes
  3. If the request was successful, convert the list of incidents to a table
  4. For each incident:
    • Make sure the Threat Response access token is still valid
    • Fetch this incident’s full bundle (including sightings and other relationships)
    • Convert the incident’s sightings to a table
    • For each sighting:
      • Use Python to process the sighting and extract the information we want
      • Check if domains need to be blocked. If so:
        • Defang each domain and add it to the table of actions to take later
      • Convert the sighting’s observables to a table
      • For each observable:
        • Get the observable’s verdict from Threat Response
        • If this is a malicious IP address, update the Malicious IP local variable
        • Enrich the observable using Threat Response
        • Check if there were any results from Secure Endpoint. If not, skip this observable
        • Use Python to extract file hashes from the Secure Endpoint results and convert the hashes to a table
        • For each file hash:
          • Check if the file hash was delivered by email by looking for SMA Email sightings in Threat Response
          • Add it to the table of actions to take later
      • Check if there’s a computer in Secure Endpoint with the internal IP extracted earlier. If there is:
        • Get the computer object from Secure Endpoint and extract some information about it
        • Add the computer GUID to the table of actions to take later
      • Execute Orbital queries to get a list of users logged into the computer and take a forensic snapshot
      • Check if fetching a list of logged in users succeeded. If so:
        • Convert the results into a list we can parse and loop through
        • For each user:
          • Check if a matching user exists in Duo and, if so, add the user to the table of actions to take later
    • Create an approval request to perform automated remediation
    • Send Webex notifications
    • Wait for approval
      • If the request was denied, send a Webex message and end the workflow
      • If the request was approved:
        • For each action in the table of pending actions:
          • Check which type of action it is and take action accordingly
            • For domains: block in Umbrella
            • For file hashes: add to Secure Endpoint simple custom detection list
            • For computer GUIDs: enable Secure Endpoint host isolation
            • For Duo users: move to a Duo DENY group
        • Create a ServiceNow ticket documenting the remediation steps
        • Send a final Webex message with a summary of steps taken

Configuration

  • By default, the workflow is configured to run every 10 minutes using the 0013 - Firepower - Impact Red Remediation schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
    • Open the workflow in the workflow editor
    • Scroll down to the Triggers section of the workflow’s properties and click Firepower Impact Red Incident Polling
    • Uncheck the Disable Trigger box and click Save

Local Variables

  • Provide the workflow your Duo Security Admin API information by either:
    • Storing the information in global variables and using the Fetch Global Variables group at the beginning of the workflow to update the Duo Hostname, Duo Integration Key, and Duo Secret Key local variables; or
    • Removing the variables from the Fetch Global Variables group and adding your information directly to the corresponding local variables
  • Set Duo Deny User Group to the ID of the user group you want Duo users added to during remediation. You can get this ID from the URL of the group’s page in the Duo admin panel. For example: DGWP6584D8PORPPC9H01
  • Set Duo Username Suffix. If you need to add something like a domain to your usernames before searching them in Duo, you can use this variable to append a value to all Duo usernames. For example: @company.com
  • Set ServiceNow Instance URL to your ServiceNow instance’s URL. For example: mycompany.service-now.com
  • See this page for information on configuring the workflow for Webex

Activities

  • If you change the schedule for this workflow, you need to adjust the Calculate time 10 minutes ago activity’s Adjustment input variable to match the new schedule. For example, if you change the schedule to every 30 minutes, you would need to subtract 1800 seconds instead of 600
  • Set Service Now User ID on ServiceNow - Create Incident towards the end of the workflow
  • Update Firepower Impact Red remediation approval with:
    • A Task Requestor
    • A Task Owner
    • One or more Task Assignees
  • If your Secure Endpoint module isn’t named AMP for Endpoints in SecureX, you need to update the JSONPath Query on the Check for Secure Endpoint results activity with your module’s name
  • If your SMA Email module isn’t named SMA Email in SecureX, you need to update the JSONPath Query on the Check for SMA Email results activity with your module’s name
  • If your Umbrella module isn’t named Umbrella in SecureX, you need to update the JSONPath Query on the Extract Umbrella Actions activity with your module’s name
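The Workflow Steps above describe two Python activities (processing a sighting to extract the information the workflow needs, and pulling file hashes out of the Secure Endpoint enrichment results), plus the defanging of domains before they are queued for blocking; the Activities notes above also explain that Secure Endpoint, SMA Email and Umbrella results are picked out of the Threat Response response by exact module name. The script below is an added illustration of that processing, not the workflow's own Python activity. The sample response is constructed to mirror the shape of the Threat Response enrich API (a top-level "data" list with one entry per module, each carrying sightings under "data" -> "sightings" -> "docs"); the function names, the hash and IP values, and the hostnames are assumptions made for the example.

```python
"""Turn a Threat Response enrich response into a table of pending remediation actions.

Added example (not the workflow's own code). SAMPLE_ENRICH_RESPONSE is a
constructed document that mirrors the enrich API's module/sightings layout;
every value in it is made up for illustration.
"""
import re
from typing import Dict, List

# A SHA-256 is exactly 64 hex characters; anything else is not a usable hash.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)

# Constructed sample: one Secure Endpoint sighting (two hashes, one duplicate,
# one non-SHA-256 observable, one endpoint target) and one Umbrella sighting.
SAMPLE_ENRICH_RESPONSE = {
    "data": [
        {
            "module": "AMP for Endpoints",
            "data": {"sightings": {"count": 1, "docs": [
                {
                    "observables": [
                        {"type": "sha256", "value": "deadbeef" * 8},
                        {"type": "sha256", "value": "CAFEBABE" * 8},
                        {"type": "sha256", "value": "deadbeef" * 8},   # duplicate
                        {"type": "sha1", "value": "not-a-sha256"},     # wrong type
                    ],
                    "targets": [{
                        "type": "endpoint",
                        "observables": [
                            {"type": "ip", "value": "10.20.30.40"},          # constructed
                            {"type": "hostname", "value": "ws-finance-07"},  # constructed
                        ],
                    }],
                }
            ]}},
        },
        {
            "module": "Umbrella",
            "data": {"sightings": {"count": 1, "docs": [
                {"observables": [{"type": "domain", "value": "evil.example.com"}]}
            ]}},
        },
    ]
}


def sightings_for_module(response: Dict, module_name: str) -> List[Dict]:
    """Sighting docs produced by one module, matched on the exact module name.

    This is the same comparison the workflow's JSONPath queries make, which is
    why a renamed module (for example 'Secure Endpoint') silently yields nothing.
    """
    docs: List[Dict] = []
    for entry in response.get("data", []):
        if entry.get("module") != module_name:
            continue
        docs.extend(entry.get("data", {}).get("sightings", {}).get("docs", []))
    return docs


def extract_file_hashes(response: Dict, module_name: str = "AMP for Endpoints") -> List[str]:
    """Unique, validated, lower-cased SHA-256 values from the module's sightings."""
    hashes = set()
    for doc in sightings_for_module(response, module_name):
        for obs in doc.get("observables", []):
            value = obs.get("value", "")
            if obs.get("type") == "sha256" and SHA256_RE.match(value):
                hashes.add(value.lower())
    return sorted(hashes)


def extract_internal_ips(response: Dict, module_name: str = "AMP for Endpoints") -> List[str]:
    """IP observables on endpoint targets; the workflow uses these to find the computer."""
    ips = set()
    for doc in sightings_for_module(response, module_name):
        for target in doc.get("targets", []):
            if target.get("type") != "endpoint":
                continue
            for obs in target.get("observables", []):
                if obs.get("type") == "ip":
                    ips.add(obs["value"])
    return sorted(ips)


def extract_domains(response: Dict, module_name: str = "Umbrella") -> List[str]:
    """Domain observables from the Umbrella module's sightings."""
    domains = {obs["value"]
               for doc in sightings_for_module(response, module_name)
               for obs in doc.get("observables", [])
               if obs.get("type") == "domain"}
    return sorted(domains)


def defang_domain(domain: str) -> str:
    """Render a domain so it cannot be clicked in a ticket or chat message."""
    return domain.replace(".", "[.]")


def build_action_table(response: Dict) -> List[Dict[str, str]]:
    """The 'table of actions to take later': one row per observable, typed by action."""
    actions = [{"type": "domain", "value": defang_domain(d)} for d in extract_domains(response)]
    actions += [{"type": "sha256", "value": h} for h in extract_file_hashes(response)]
    return actions


if __name__ == "__main__":
    for row in build_action_table(SAMPLE_ENRICH_RESPONSE):
        print(f"{row['type']:8} {row['value']}")
    print("internal IPs:", extract_internal_ips(SAMPLE_ENRICH_RESPONSE))
```

The hash extractor de-duplicates and validates before anything is added to the simple custom detection list, and the module lookup is deliberately an exact string match so that the effect of a renamed module (an empty result, and therefore a skipped observable) is visible rather than hidden.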

Targets

Target Group: Default TargetGroup

Each target is listed with its Type, Details, Account Keys, and Notes:

AMP_Target
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: api.amp.cisco.com; Path: /v1
  Account Keys: AMP_Credentials
  Notes: Created by default

CTR_API
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh
  Account Keys: None
  Notes: Created by default

CTR_For_Access_Token
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh
  Account Keys: CTR_Credentials
  Notes: Created by default

Duo Security
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: <api hostname>.duosecurity.com; Path: None
  Account Keys: None
  Notes: Be sure to use the API Hostname from your Duo integration

Orbital_For_Access_Token
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh
  Account Keys: Orbital_Credentials
  Notes: Created by default

Orbital_Target
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: orbital.amp.cisco.com; Path: /v0
  Account Keys: None
  Notes: Created by default

Private_CTIA_Target
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None
  Account Keys: None
  Notes: Created by default

ServiceNow
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api
  Account Keys: ServiceNow_Credentials
  Notes: Be sure to use your instance URL

Webex Teams
  Type: HTTP Endpoint
  Details: Protocol: HTTPS; Host: webexapis.com; Path: None
  Account Keys: None
  Notes: Not necessary if Webex activities are removed

Account Keys

Each account key is listed with its Type, Details, and Notes:

AMP_Credentials
  Type: HTTP Basic Authentication
  Details: Username: Client ID; Password: Client Secret
  Notes: Created by default

CTR_Credentials
  Type: HTTP Basic Authentication
  Details: Username: Client ID; Password: Client Secret
  Notes: Created by default

Orbital_Credentials
  Type: HTTP Basic Authentication
  Details: Username: Client ID; Password: Client Secret
  Notes: Created by default

ServiceNow_Credentials
  Type: HTTP Basic Authentication
  Details: Username: ServiceNow User ID; Password: ServiceNow Password