Block Observable
Workflow #0015B
Response Workflow
This workflow blocks an observable on Cisco Secure Firewall by creating a judgement for it in SecureX Threat Response. Once a judgement is created, the observable will appear on a feed which Secure Firewall polls for observable information. Supported observables: domain, ip, ipv6, sha256, url
This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
This workflow is similar to workflow 0065 but works differently. Workflow 0065 adds observables to groups by making API calls directly to Secure Firewall, typically through an orchestration remote. This workflow adds observables to feeds in SecureX which Secure Firewall then consumes.
Change Log
Date | Notes |
---|---|
Apr 19, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Aug 31, 2022 | - Updated to support SecureX Tokens |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Threat Response - Create Relationship
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Firewall
Important Notes
- You must create the required indicators and feeds in SecureX Threat Response by running workflow 015A prior to using this workflow.
Workflow Steps
- Convert the observable type to the types we use when creating indicators
- Check if the observable type is supported. If it isn’t, end the workflow and return an error
- Generate a Threat Response access token
- Search for the indicator for this observable type
- Check if we found the indicator. If not, end the workflow and return an error
- Extract the indicator’s ID
- Create a judgement in Threat Response for the observable
- Relate the judgement to the indicator
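The steps above, modelled as an added Python example (this is not the workflow's own code, and the orchestration atomics it calls are not reproduced here). The CTIA endpoint paths, the judgement payload fields, the "element-of" relationship type and the indicator title convention (`Secure Firewall Block <type>`) are assumptions; the only value taken from the page is the private intel host. The HTTP transport is injected so the module runs against the in-memory fake below without network access.

```python
"""Offline model of the Block Observable workflow (added example, not the
workflow's own code). CTIA paths, payload fields, the indicator title
convention and the 'element-of' relationship type are assumptions."""
import json
from urllib.parse import quote

PRIVATE_INTEL = "https://private.intel.amp.cisco.com"  # host from the Targets table
SUPPORTED_TYPES = {"domain", "ip", "ipv6", "sha256", "url"}


def to_indicator_type(observable_type):
    """Steps 1-2: normalise the observable type and reject unsupported ones."""
    obs_type = observable_type.strip().lower()
    if obs_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported observable type: {observable_type!r}")
    return obs_type


def indicator_title(obs_type):
    """Assumed title convention for the indicators that workflow 015A creates."""
    return f"Secure Firewall Block {obs_type}"


def find_indicator_id(transport, token, obs_type):
    """Steps 4-6: search the indicator by title and return its id, or None."""
    query = quote(f'title:"{indicator_title(obs_type)}"')
    hits = transport("GET", f"/ctia/indicator/search?query={query}", None, token)
    return hits[0]["id"] if hits else None


def judgement_payload(obs_type, value, source="Block Observable Workflow"):
    """Step 7: a Malicious judgement (disposition 2) for the observable."""
    return {
        "type": "judgement",
        "observable": {"type": obs_type, "value": value},
        "disposition": 2,
        "disposition_name": "Malicious",
        "priority": 95,
        "severity": "High",
        "confidence": "High",
        "valid_time": {},
        "source": source,
    }


def block_observable(transport, token, observable_type, value):
    """Run the whole workflow; step 3 (token generation) is the caller's job."""
    obs_type = to_indicator_type(observable_type)
    indicator_id = find_indicator_id(transport, token, obs_type)
    if indicator_id is None:
        raise LookupError(f"no indicator for {obs_type}; run workflow 015A first")
    judgement = transport("POST", "/ctia/judgement",
                          judgement_payload(obs_type, value), token)
    # Step 8: relate judgement -> indicator so the feed picks the observable up.
    relationship = transport("POST", "/ctia/relationship", {
        "type": "relationship",
        "relationship_type": "element-of",  # assumed feed relationship type
        "source_ref": judgement["id"],
        "target_ref": indicator_id,
    }, token)
    return {"judgement_id": judgement["id"], "relationship_id": relationship["id"]}


def https_transport(method, path, body, token):
    """Real transport (not exercised offline): Bearer-authenticated JSON call."""
    import urllib.request
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        PRIVATE_INTEL + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class FakeCTIA:
    """Constructed in-memory stand-in for the private intel API."""

    def __init__(self, indicators):
        self.indicators = indicators  # title -> indicator id
        self.created = []             # (path, body) for every POST

    def __call__(self, method, path, body, token):
        if not token:
            raise PermissionError("a SecureX token is required")
        if method == "GET" and path.startswith("/ctia/indicator/search"):
            found = [t for t in self.indicators if quote(f'title:"{t}"') in path]
            return [{"id": self.indicators[t], "title": t} for t in found]
        if method == "POST":
            self.created.append((path, body))
            return {**body, "id": f"{PRIVATE_INTEL}{path}-{len(self.created)}"}
        raise NotImplementedError(f"{method} {path}")


if __name__ == "__main__":
    fake = FakeCTIA({indicator_title("domain"): f"{PRIVATE_INTEL}/ctia/indicator/indicator-1"})
    print(block_observable(fake, "example-token", "Domain", "example.test"))
```

Swapping `FakeCTIA` for `https_transport` and a real SecureX token exercises the same logic against the live API; the two error paths (unsupported type, missing indicator) mirror the workflow's "end and return an error" steps.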
Configuration
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS Host: private.intel.amp.cisco.com Path: None | CTR_Credentials | Created by default |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | SecureX Token | See this page | |