
Incident Endpoint Enrichment

Workflow #0024

This workflow fetches Cisco Secure Firewall incidents from Cisco Threat Response and automatically enriches them with endpoint data. For each incident, the source of the underlying sighting (the target IP address) is looked up in Cisco Secure Endpoint; if a matching computer is found, a casebook and a more detailed sighting are created so the analyst has the hostname and connector identity alongside the firewall event.

GitHub


Requirements


Workflow Steps

  1. Generate an access token for Threat Response (OAuth2 client-credentials grant using CTR_Credentials)
  2. Fetch Secure Firewall incidents created in the past hour
  3. Loop through each incident:
    • Get the incident’s relationships
    • Refresh the Threat Response token (if it is close to expiry)
    • Loop through each relationship:
      • Extract the sighting ID from the relationship and fetch the sighting
      • Extract the target IP address from the sighting
      • If an IP address was extracted:
        • Search Secure Endpoint for a computer with that IP
        • If a computer was found:
          • Fetch its details
          • Create a casebook and a more detailed sighting for the incident
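
The loop above, modelled offline in Python. This is an added example, not the workflow's own code: the two remote lookups (GET /ctia/sighting/{id} on the private CTIA host and GET /v1/computers?internal_ip={ip} on the Secure Endpoint API) are injected as callables so the logic runs without credentials, and all incident, relationship, sighting and computer records are constructed here. The relationship and sighting shapes follow CTIM (ids are URLs, targets carry observables); the casebook and sighting documents built at the end are the author's rendering of "a casebook and more detailed sighting", not the workflow's exact field set.

```python
# Offline model of the enrichment loop. Added example, not the SXO workflow
# itself: HTTP calls are replaced by callables; all sample data is constructed.
import re
from datetime import datetime, timezone

# CTIM ids are URLs; the sighting id is the final path element.
SIGHTING_ID_RE = re.compile(r"/ctia/sighting/(sighting-[0-9a-f-]+)$")


def sighting_id_from_relationship(rel):
    """Return the sighting id a relationship points from, or None.

    Incident relationships run from a sighting (source_ref) to the incident
    (target_ref); relationships from indicators or other objects are skipped.
    """
    m = SIGHTING_ID_RE.search(rel.get("source_ref", ""))
    return m.group(1) if m else None


def target_ips_from_sighting(sighting):
    """Collect IP observables from the sighting's targets (the endpoints hit)."""
    ips = []
    for target in sighting.get("targets", []):
        for obs in target.get("observables", []):
            if obs.get("type") == "ip" and obs["value"] not in ips:
                ips.append(obs["value"])
    return ips


def build_casebook_and_sighting(incident, computer, ip, now):
    """Build the CTIM casebook and detailed sighting for one matched endpoint.

    `computer` is a Secure Endpoint /v1/computers record; hostname,
    connector_guid and internal_ips are fields of that response.
    """
    obs = [
        {"type": "ip", "value": ip},
        {"type": "hostname", "value": computer["hostname"]},
        {"type": "amp_computer_guid", "value": computer["connector_guid"]},
    ]
    title = f"Firewall incident {incident['title']} on {computer['hostname']}"
    casebook = {"type": "casebook", "schema_version": "1.1", "title": title,
                "description": f"Auto-created for {incident['id']}",
                "observables": obs}
    sighting = {"type": "sighting", "schema_version": "1.1",
                "source": "Cisco Secure Endpoint", "confidence": "High",
                "count": 1, "observed_time": {"start_time": now},
                "description": title, "observables": obs,
                "targets": [{"type": "endpoint",
                             "observed_time": {"start_time": now},
                             "observables": obs}]}
    return casebook, sighting


def enrich_incident(incident, relationships, get_sighting, find_computer,
                    now=None):
    """Run the inner loop for one incident; returns one (casebook, sighting)
    pair per endpoint found. get_sighting(id) and find_computer(ip) stand in
    for the Threat Response and Secure Endpoint lookups."""
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    results, seen = [], set()
    for rel in relationships:
        sid = sighting_id_from_relationship(rel)
        if sid is None:
            continue
        for ip in target_ips_from_sighting(get_sighting(sid)):
            if ip in seen:            # one casebook per endpoint, not per sighting
                continue
            seen.add(ip)
            computer = find_computer(ip)
            if computer is None:      # IP unknown to Secure Endpoint: nothing to add
                continue
            results.append(build_casebook_and_sighting(incident, computer, ip, now))
    return results


# --- constructed sample data (not real tenant data) -------------------------
BASE = "https://private.intel.amp.cisco.com/ctia"
INCIDENT = {"id": f"{BASE}/incident/incident-0001", "title": "Intrusion event"}
RELATIONSHIPS = [
    {"relationship_type": "member-of", "target_ref": INCIDENT["id"],
     "source_ref": f"{BASE}/sighting/sighting-aaaa"},
    {"relationship_type": "member-of", "target_ref": INCIDENT["id"],
     "source_ref": f"{BASE}/sighting/sighting-bbbb"},
    {"relationship_type": "related-to", "target_ref": INCIDENT["id"],
     "source_ref": f"{BASE}/indicator/indicator-cccc"},   # not a sighting
]
SIGHTINGS = {
    "sighting-aaaa": {"targets": [{"type": "endpoint",
                                   "observables": [{"type": "ip", "value": "10.1.2.3"}]}]},
    "sighting-bbbb": {"targets": [{"type": "endpoint",
                                   "observables": [{"type": "ip", "value": "10.9.9.9"}]}]},
}
COMPUTERS = {"10.1.2.3": {"hostname": "ws-042", "connector_guid": "0123-guid",
                         "internal_ips": ["10.1.2.3"]}}   # 10.9.9.9 is unknown

if __name__ == "__main__":
    for cb, s in enrich_incident(INCIDENT, RELATIONSHIPS, SIGHTINGS.get, COMPUTERS.get):
        print(cb["title"], "->", [o["value"] for o in s["observables"]])
```

Two behaviours worth keeping when you port this back into the workflow: relationships that do not originate from a sighting are skipped rather than treated as errors, and an IP that Secure Endpoint does not know produces no casebook, so a noisy firewall incident does not generate empty artefacts.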

Configuration

  • By default, the workflow is configured to run every hour using the 0024 - Secure Firewall - Incident Endpoint Enrichment schedule. When you import the workflow, the schedule trigger is disabled. To enable the schedule:
    • Open the workflow in the workflow editor
    • Scroll down to the Triggers section of the workflow’s properties and click Firewall Incident Polling
    • Uncheck the Disable Trigger box and click Save
  • The incident fetch step looks back one hour, which matches the hourly schedule. If you change the schedule interval, change the lookback window in that step to match; otherwise incidents are either missed (interval longer than the window) or enriched twice (interval shorter than the window).

Targets

Target Group: Default TargetGroup

  • AMP_Target
    • Type: HTTP Endpoint
    • Details: Protocol HTTPS, Host api.amp.cisco.com, Path /v1
    • Account Keys: AMP_Credentials
    • Notes: Created by default
  • CTR_For_Access_Token
    • Type: HTTP Endpoint
    • Details: Protocol HTTPS, Host visibility.amp.cisco.com, Path /iroh
    • Account Keys: CTR_Credentials
    • Notes: Created by default
  • Private_CTIA_Target
    • Type: HTTP Endpoint
    • Details: Protocol HTTPS, Host private.intel.amp.cisco.com, Path: None
    • Account Keys: None
    • Notes: Created by default

Private_CTIA_Target has no account key on purpose: requests to it carry the bearer token generated in step 1 of the workflow (via CTR_For_Access_Token), not basic authentication. The hosts above are the North America region; if your Secure Endpoint and SecureX tenants are in another region, change the host on all three targets to the matching regional endpoint (for example the eu or apjc variants of the same hostnames), or the token request and the lookups will fail.

Account Keys

  • AMP_Credentials
    • Type: HTTP Basic Authentication
    • Details: Username = Client ID, Password = Client Secret
    • Notes: Created by default. Use an API credential created in the Secure Endpoint console; the workflow only reads computer records, so a read-only credential is sufficient.
  • CTR_Credentials
    • Type: HTTP Basic Authentication
    • Details: Username = Client ID, Password = Client Secret
    • Notes: Created by default. Use an API client created in SecureX; it must be granted the scopes that cover reading and writing private intel (incidents, relationships, sightings) and creating casebooks, or the enrichment steps will be rejected.