Link Search Menu Expand Document

Block Observables

Workflow #0015B

Response Workflow

This workflow blocks an observable on Cisco Secure Firewall by creating a judgement for it in SecureX Threat Response. Once a judgement is created, the observable will appear on a feed which Secure Firewall polls for observable information. Supported observables: domain, ip, ipv6, sha256, url

GitHub


Change Log

Date Notes
Apr 19, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Threat Response - Create Relationship
    • Threat Response - Generate Access Token
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed below
  • Cisco Secure Firewall

Important Notes

  • You must create the required indicators and feeds in SecureX Threat Response by running workflow 015A prior to using this workflow.

Workflow Steps

  1. Convert the observable type to the types we use when creating indicators
  2. Check if the observable type is supported. If it isn’t, end the workflow and return an error
  3. Generate a Threat Response access token
  4. Search for the indicator for this observable type
  5. Check if we found the indicator. If not, end the workflow and return an error
  6. Extract the indicator’s ID
  7. Create a judgement in Threat Response for the observable
  8. Relate the judgement to the indicator

Configuration

  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
CTR_For_Access_Token HTTP Endpoint Protocol: HTTPS
Host: visibility.amp.cisco.com
Path: /iroh
CTR_Credentials Created by default
Private_CTIA_Target HTTP Endpoint Protocol: HTTPS
Host: private.intel.amp.cisco.com
Path: None
None Created by default

Account Keys

Account Key Name Type Details Notes
CTR_Credentials HTTP Basic Authentication Username: Client ID
Password: Client Secret
Created by default