On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this GitHub repository will not be actively maintained following this announcement.

Get Health Alerts (Remote)

Workflow #0064

This workflow retrieves health monitor alerts from a Cisco Secure Firewall Management Center and, if alerts are returned, documents them in ServiceNow and sends a Webex message.

There are two different ways to integrate Secure Firewall with orchestration. For more information about these two methods and which to use, please see this page.


Change Log

| Date | Notes |
|---|---|
| May 4, 2022 | Initial release |
| May 19, 2022 | Updated to use standard target name FMC Target instead of FMC_Target |
| Sep 7, 2022 | Name modified to reflect this workflow using orchestration remote |

See the Important Notes page for more information about updating workflows.


Requirements

  • The following system atomics are used by this workflow:
    • Secure Firewall - Get Access Token
    • Secure Firewall - Get Device Details
    • Secure Firewall - Get Health Alerts
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Firewall
  • Cisco Webex
  • ServiceNow

Workflow Steps

  1. Fetch global variables
  2. Set the workflow run URL based on region
  3. Search for the Webex room provided
  4. Validate required variables are provided
  5. Build the search filter
  6. Fetch a token for FMC
  7. Fetch matching health alerts
  8. Check if any alerts were found:
    • If not, end the workflow
    • If there were alerts:
      • Parse the alerts to markdown and HTML
      • Create ServiceNow ticket
  9. Post the workflow result to Webex

Configuration

  • Set the Minutes to Search local variable to how many minutes into the past you want to search for alerts. If running the workflow on a schedule, this should be the same as the scheduled interval.
  • Set Status Code Red and/or Status Code Yellow to true. At least one of these must be enabled.
  • Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, be a different user.
  • By default, this workflow is configured to run on demand. You can create a schedule if you want it to run at a set interval.
  • See this page for information on configuring the workflow for Webex.
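
The validation, search-filter and alert-parsing steps above, worked through offline in Python as an added example (not code from the workflow or from Cisco). The filter syntax, the alert field names and every function name are assumptions made for illustration; `uncovered_minutes` shows why Minutes to Search should equal the schedule interval.

```python
import html
from datetime import datetime, timedelta, timezone

FIELDS = ("status", "device", "module", "description")
# Constructed sample alerts; the field names are assumptions, not the FMC schema.
SAMPLE_ALERTS = [
    {"device": "edge-fw-01", "status": "red", "module": "Disk Usage",
     "description": "/ngfw at 97% <b>full</b>"},
    {"device": "edge-fw-02", "status": "yellow", "module": "CPU Usage",
     "description": "CPU above warning threshold"},
]

def build_alert_filter(now, minutes_to_search, status_red, status_yellow):
    """Steps 4-5: validate the local variables, then build the search filter."""
    if minutes_to_search <= 0:
        raise ValueError("Minutes to Search must be greater than zero")
    statuses = [s for s, on in (("red", status_red), ("yellow", status_yellow)) if on]
    if not statuses:
        raise ValueError("Enable Status Code Red and/or Status Code Yellow")
    start = now - timedelta(minutes=minutes_to_search)
    # Assumed syntax: epoch seconds in ';'-separated key:value pairs.
    return (f"startTime:{int(start.timestamp())};"
            f"endTime:{int(now.timestamp())};status:{','.join(statuses)}")

def uncovered_minutes(minutes_to_search, schedule_interval):
    """Positive: minutes per cycle that no run searches (missed alerts).
    Negative: overlap, so one alert can be ticketed more than once."""
    return schedule_interval - minutes_to_search

def render_alerts(alerts):
    """Step 8: return (markdown, html), or None when there is nothing to report."""
    if not alerts:
        return None  # "If not, end the workflow"
    md, rows = [], []
    for a in alerts:
        # Alert text originates on managed devices; escape it so it cannot
        # inject markup into the Webex message or the ServiceNow ticket.
        s = {k: html.escape(str(a[k])) for k in FIELDS}
        md.append(f"- **{s['status'].upper()}** {s['device']} / {s['module']}: "
                  f"{s['description']}")
        rows.append("<tr>" + "".join(f"<td>{s[k]}</td>" for k in FIELDS) + "</tr>")
    return "\n".join(md), "<table>" + "".join(rows) + "</table>"

if __name__ == "__main__":
    now = datetime(2022, 9, 7, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    print(build_alert_filter(now, 15, True, False))
    print(uncovered_minutes(15, 60))
    print(render_alerts(SAMPLE_ALERTS)[1])
```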

Targets

Target Group: Default TargetGroup

Note: If your FMC is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use FMC with orchestration.

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| FMC Target | HTTP Endpoint | Protocol: HTTPS; Host: your-firewall-management-center; Path: api/ | FMC API Credentials | |
| ServiceNow | HTTP Endpoint | Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| FMC API Credentials | HTTP Basic Authentication | Username: FMC Username; Password: FMC Password | Account must have API permissions |
| ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID; Password: ServiceNow Password | |