On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Block Observable - Setup

Workflow #0015A

This workflow creates a series of indicators and feeds for various observable types in Cisco Threat Response. These feeds can then be added to Cisco Secure Firewall (or other compatible platforms) to block observables.

This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.

Change Log

Date Notes
Apr 19, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics
Aug 31, 2022 - Updated to support SecureX Tokens

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • None
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Firewall

Important Notes

  • This workflow is only designed to be run once after initial import. Its purpose is to configure prerequisites for workflow 0015B.
  • At the end of the workflow, the Output Text variable will contain a list of feed URLs, one per observable type. You’ll need to configure these feeds in Secure Firewall using the instructions here. Each feed view URL carries the feed’s secret in its s= query parameter and is all that is needed to read the feed, so treat the URLs as credentials rather than pasting them into tickets or chat.
  • The feeds created by this workflow can also be used by other platforms, both from Cisco or from third parties.

Workflow Steps

  1. For each observable type:
    • Search for an indicator for this observable type
    • Check if the indicator was found:
      • If it was, extract the indicator ID
      • If it wasn’t, create the indicator
    • Search for a feed for this observable type
    • Check if the feed was found:
      • If it was, extract the feed view URL
      • If it wasn’t, create the feed
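The loop above, written out against the CTIA REST API as an added example (this is not the workflow’s own code, which runs inside SecureX orchestration). The endpoint paths (/ctia/indicator/search, /ctia/indicator, /ctia/feed/search, /ctia/feed), the title:"..." search syntax and the payload fields are the public CTIA API as the author understands it and should be treated as assumptions; INDICATOR_NAME and FEED_NAME are hypothetical stand-ins for the workflow’s Indicator Name and Feed Name variables, and FakeCtia is a constructed in-memory stand-in so the logic runs offline. The point it shows is the find-before-create behaviour: a second run creates nothing and returns the same feed view URLs.

```python
"""Find-or-create the per-observable-type CTIA indicators and feeds (workflow 0015A logic).

Added example, not the workflow's own code. Endpoint paths, payload fields and the
search syntax are the CTIA REST API as the author understands it (assumption).
"""
import json
import urllib.request
import uuid
from urllib.parse import parse_qs, quote, urlsplit

# CTIA observable type names and the labels the workflow output uses for them.
LABELS = {"ip": "IPv4", "ipv6": "IPv6", "domain": "Domain", "url": "URL", "sha256": "SHA256"}
# Hypothetical name templates standing in for the workflow's Indicator Name / Feed Name variables.
INDICATOR_NAME = "Secure_Firewall_SecureX_Private_Feed - {otype}"
FEED_NAME = "Secure_Firewall_SecureX_Private_Feed - {otype}"
PRIVATE_INTEL = "https://private.intel.amp.cisco.com"


class CtiaClient:
    """Stdlib-only HTTPS client for the private CTIA instance (the Private_CTIA_Target
    on this page). `token` is a SecureX bearer token."""

    def __init__(self, token, base=PRIVATE_INTEL):
        self.base, self.token = base, token

    def _request(self, method, path, body=None):
        req = urllib.request.Request(
            self.base + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def get(self, path):
        return self._request("GET", path)

    def post(self, path, body):
        return self._request("POST", path, body)


class FakeCtia:
    """Constructed in-memory stand-in with the same get/post surface, so the logic can
    be exercised offline. Response shapes are assumed, not captured from CTIA."""

    def __init__(self):
        self.store = {"indicator": [], "feed": []}

    def get(self, path):
        parts = urlsplit(path)                      # /ctia/<kind>/search?query=title:"..."
        kind = parts.path.split("/")[2]
        title = parse_qs(parts.query)["query"][0][len("title:"):].strip('"')
        return [o for o in self.store[kind] if o["title"] == title]

    def post(self, path, body):
        kind = path.rsplit("/", 1)[1]
        obj = dict(body, id=f"{PRIVATE_INTEL}/ctia/{kind}/{kind}-{uuid.uuid4()}")
        if kind == "feed":                          # CTIA mints the view URL carrying the feed secret
            obj["feed_view_url"] = f"{obj['id']}/view.txt?s={uuid.uuid4()}"
        self.store[kind].append(obj)
        return obj


def find_or_create(client, kind, title, body):
    """Search by exact title; create only when nothing matches. Returns (object, created)."""
    query = quote(f'title:"{title}"')
    found = client.get(f"/ctia/{kind}/search?query={query}")
    if found:
        return found[0], False
    return client.post(f"/ctia/{kind}", body), True


def setup_feeds(client):
    """One indicator and one feed per observable type. Returns {label: feed_view_url};
    running it again creates nothing new because every step searches first."""
    urls = {}
    for label in LABELS.values():
        indicator, _ = find_or_create(client, "indicator", INDICATOR_NAME.format(otype=label), {
            "type": "indicator", "schema_version": "1.1.3",
            "title": INDICATOR_NAME.format(otype=label),
            "description": f"{label} observables to block, maintained from SecureX",
            "producer": "SecureX Orchestration",
            "valid_time": {"start_time": "2021-04-19T00:00:00.000Z"},
        })
        feed, _ = find_or_create(client, "feed", FEED_NAME.format(otype=label), {
            "type": "feed", "schema_version": "1.1.3",
            "title": FEED_NAME.format(otype=label),
            "feed_type": "indicator", "output": "observables",   # flat list of observables
            "indicator_id": indicator["id"],
            "lifetime": {"start_time": "2021-04-19T00:00:00.000Z"},
        })
        urls[label] = feed["feed_view_url"]
    return urls


def render_output_text(urls):
    """Same shape as the workflow's Output Text variable."""
    return "\n".join(f"Feed View URL for {label}: {url}" for label, url in urls.items())


if __name__ == "__main__":
    # Swap FakeCtia() for CtiaClient(token) to run against the real private CTIA instance.
    print(render_output_text(setup_feeds(FakeCtia())))
```

Against a real instance the bearer token is the SecureX token the CTR_Credentials account key holds; the search-first structure is what makes a re-run safe, since an unconditional POST would mint a second feed with a second secret.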

Configuration

Local Variables

  • The template used to name indicators created by this workflow can be changed in Indicator Name
  • The template used to name feeds created by this workflow can be changed in Feed Name

Adding Feeds to Secure Firewall

Once this workflow has executed, you need to configure Secure Firewall to pull data from the feeds created. First, you need to get the feed URLs from either SecureX Threat Response or the workflow output. Then, you need to add the feed URLs to Secure Firewall.

Getting the Feed URLs (from Threat Response)

  1. In SecureX Threat Response, click on the Intelligence tab
  2. On the left menu, click on Feeds
  3. You should see five Secure_Firewall_SecureX_Private_Feed feeds
  4. For each feed, make a note of the observable type in the feed title and the feed URL

Getting the Feed URLs (from workflow output)

  1. In SecureX orchestration, open this workflow in the workflow editor and then click the Runs button at the top
  2. Select the most recent run of the workflow (you may need to change the timeframe depending on how long ago you ran it)
  3. Scroll down the workflow’s properties and look for the Output Text variable
  4. Click on the variable and copy the value

Configuring the Feeds in Secure Firewall

Next, the feeds created by this workflow need to be configured in Secure Firewall. Here’s a sample of the output from the setup workflow:

Feed View URL for IPv4: https://private.intel.amp.cisco.com:443/ctia/feed/feed-12345678-4b75-4c93-8c04-ca9c12f81972/view.txt?s=12345678-2bbb-45d8-a2cb-8693118f26bd
Feed View URL for IPv6: https://private.intel.amp.cisco.com:443/ctia/feed/feed-12345678-82eb-4da2-8f39-f512ff669a87/view.txt?s=12345678-fea0-4116-af47-14fc3cbba392
Feed View URL for Domain: https://private.intel.amp.cisco.com:443/ctia/feed/feed-12345678-60ae-483c-a111-02f3a6987a67/view.txt?s=12345678-f45e-40aa-9aa7-0899b5da3002
Feed View URL for URL: https://private.intel.amp.cisco.com:443/ctia/feed/feed-12345678-dc77-44e0-9984-fc26170d4893/view.txt?s=12345678-b203-4af7-a9fc-8e4dbffc1fc3
Feed View URL for SHA256: https://private.intel.amp.cisco.com:443/ctia/feed/feed-12345678-b1d4-4b87-885c-0d3e4b834423/view.txt?s=12345678-58f3-48a1-bbbe-cdd71933503c
  1. In Secure Firewall, navigate to Intelligence and then Sources
  2. Click the plus icon to add a new feed and use these values:
    • Delivery: URL
    • Type: Flat File
    • Content: (the type of observable this feed is for: IPv4, IPv6, Domain, URL, SHA256)
    • URL: Feed URL from the workflow output
    • Name: (a descriptive name for the source)
    • Action: Block
    • Update Every (minutes): 30 (you can customize this if you want)
  3. Click Save
  4. Repeat for the other 4 feeds
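A pre-flight check for the procedure above, as an added example (not part of the original page or the workflow). It parses the Output Text into a label-to-URL map, confirms each URL is an HTTPS feed view on the private CTIA host that still carries its s= secret, and validates a pulled view.txt line by line against the Content type the firewall source will be declared as, so a feed pasted under the wrong type is caught before Save. SAMPLE_OUTPUT reuses two of the page’s sample lines; the view.txt bodies are constructed for the example, and the domain regex and the "one observable per line, blank lines ignored" reading of the flat-file format are the author’s assumptions.

```python
"""Check feed view URLs and feed contents before adding them to Secure Firewall.

Added example, not part of the original page. Sample feed bodies are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

OUTPUT_LINE = re.compile(r"^Feed View URL for (IPv4|IPv6|Domain|URL|SHA256):\s*(\S+)$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)

# Two of the page's sample output lines (feed and secret IDs are the page's placeholders).
SAMPLE_OUTPUT = """\
Feed View URL for IPv4: https://private.intel.amp.cisco.com:443/ctia/feed/feed-12345678-4b75-4c93-8c04-ca9c12f81972/view.txt?s=12345678-2bbb-45d8-a2cb-8693118f26bd
Feed View URL for SHA256: https://private.intel.amp.cisco.com:443/ctia/feed/feed-12345678-b1d4-4b87-885c-0d3e4b834423/view.txt?s=12345678-58f3-48a1-bbbe-cdd71933503c
"""
# Constructed view.txt bodies: a clean IPv4 pull, and a SHA256 pull with a stray domain in it.
SAMPLE_FEEDS = {
    "IPv4": "203.0.113.7\n198.51.100.23\n\n",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\nevil.example\n",
}


def parse_output_text(text):
    """Output Text -> {label: feed_view_url}; refuses lines it does not recognise."""
    urls = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = OUTPUT_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unexpected line in workflow output: {line!r}")
        urls[m.group(1)] = m.group(2)
    return urls


def check_feed_url(url, host="private.intel.amp.cisco.com"):
    """True when the URL is an HTTPS CTIA feed view on the expected host with a non-empty s= secret."""
    p = urlsplit(url)
    return (p.scheme == "https" and p.hostname == host
            and re.fullmatch(r"/ctia/feed/feed-[0-9a-f-]{36}/view\.txt", p.path) is not None
            and bool(parse_qs(p.query).get("s", [""])[0]))


def _is_ip(value, version):
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def _is_url(value):
    p = urlsplit(value)
    return p.scheme in ("http", "https") and bool(p.netloc)


# One validator per Secure Firewall Content type.
CHECKS = {
    "IPv4": lambda v: _is_ip(v, 4),
    "IPv6": lambda v: _is_ip(v, 6),
    "Domain": lambda v: DOMAIN.match(v) is not None,
    "URL": _is_url,
    "SHA256": lambda v: SHA256.match(v) is not None,
}


def validate_feed(label, body):
    """Split a view.txt body into (accepted, rejected) for the declared Content type.
    Flat-file feeds carry one observable per line; blank lines are ignored."""
    accepted, rejected = [], []
    for raw in body.splitlines():
        value = raw.strip()
        if not value:
            continue
        (accepted if CHECKS[label](value) else rejected).append(value)
    return accepted, rejected


def audit(output_text, feed_bodies):
    """{label: (url_ok, accepted, rejected)} for every feed named in the workflow output."""
    report = {}
    for label, url in parse_output_text(output_text).items():
        accepted, rejected = validate_feed(label, feed_bodies.get(label, ""))
        report[label] = (check_feed_url(url), accepted, rejected)
    return report


if __name__ == "__main__":
    for label, (url_ok, ok, bad) in audit(SAMPLE_OUTPUT, SAMPLE_FEEDS).items():
        print(f"{label}: url_ok={url_ok} accepted={len(ok)} rejected={bad}")
```

To use it on a live deployment, pull each view.txt with the URL from the Output Text and pass the bodies in place of SAMPLE_FEEDS; anything that lands in the rejected list is either a feed being added under the wrong Content type or an observable the firewall will not be able to match.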

Targets

Target Group: Default TargetGroup

Target Name: Private_CTIA_Target
  Type: HTTP Endpoint
  Details:
    Protocol: HTTPS
    Host: private.intel.amp.cisco.com
    Path: None
  Account Keys: CTR_Credentials
  Notes: Created by default

Account Keys

Account Key Name: CTR_Credentials
  Type: SecureX Token
  Details: (none)
  Notes: See this page