On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this GitHub repository will not be actively maintained following this announcement.

Search PSIRT Advisories (Remote)

Workflow #0067

This workflow collects Cisco PSIRT Security Advisories and device details from your Secure Firewall Management Center. The workflow then checks each advisory and compares it to your Firepower devices to determine if any of your managed devices are affected by the advisory. If vulnerable devices are found, a Webex message is posted and a ServiceNow ticket is created.

There are two different ways to integrate Secure Firewall with orchestration. For more information about these two methods and which to use, please see this page.


Change Log

| Date | Notes |
| --- | --- |
| Aug 1, 2022 | Initial release |
| Sep 7, 2022 | Name modified to reflect this workflow using orchestration remote |

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • API Console - Generate Access Token
    • Cisco PSIRT openVuln - Search Advisories by Product Name
    • Secure Firewall - Get Access Token
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • ServiceNow - Create Incident
  • The targets and account keys listed below
  • Cisco API Console API Key with openVuln Permissions
  • Cisco Secure Firewall
  • Cisco Webex
  • ServiceNow

Workflow Steps

  1. Validate workflow configuration
  2. Assemble a list of managed firewall devices
  3. Build the search terms for the PSIRT API
  4. Fetch a list of advisories and, for each advisory:
    • Check whether any impacted devices were found. If so:
      • Send a Webex message and update the HTML for ServiceNow
  5. Check for any error messages (if so: send a Webex message and end the workflow)
  6. Check for HTML results (if so: open a ServiceNow ticket)
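
Steps 2 through 6 above, sketched as an added Python example (not the workflow's own logic, which this page does not show). It assumes a device is affected when its software version exactly equals a version named in the advisory's `productNames`; all sample data, field names and function names are constructed for illustration.

```python
import html
import re

# Constructed sample data, not real API output. Field names (sw_version,
# advisoryId, advisoryTitle, sir, productNames) are assumed response shapes.
DEVICES = [
    {"name": "edge-fw-01", "sw_version": "6.6.1"},
    {"name": "dc-fw-02", "sw_version": "7.0.4-55"},
    {"name": "lab-fw-03", "sw_version": "6.6.10"},
]
ADVISORIES = [
    {"advisoryId": "example-sa-0001", "sir": "High",
     "advisoryTitle": "Example FTD <DoS> Vulnerability",
     "productNames": ["Cisco Firepower Threat Defense Software 6.6.0",
                      "Cisco Firepower Threat Defense Software 6.6.1"]},
    {"advisoryId": "example-sa-0002", "sir": "Medium",
     "advisoryTitle": "Example FTD Information Disclosure",
     "productNames": ["Cisco Firepower Threat Defense Software 6.4.0"]},
]

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

def parse_version(text):
    """Return the last dotted version in text as an int tuple, or None."""
    found = VERSION_RE.findall(text or "")
    return tuple(int(p) for p in found[-1].split(".")) if found else None

def affected_devices(advisory, devices):
    """Names of devices whose version exactly equals one the advisory lists."""
    listed = {parse_version(n) for n in advisory.get("productNames", [])}
    listed.discard(None)
    return [d["name"] for d in devices
            if parse_version(d.get("sw_version")) in listed]

def build_report(advisories, devices):
    """HTML list for the ticket body; empty string when nothing is affected."""
    items = []
    for adv in advisories:
        hits = affected_devices(adv, devices)
        if hits:
            # Advisory and device text is escaped before it reaches the HTML.
            fields = (adv["advisoryId"], adv["sir"], adv["advisoryTitle"], ", ".join(hits))
            items.append("<li>{} [{}] {}: {}</li>".format(*map(html.escape, fields)))
    return "<ul>" + "".join(items) + "</ul>" if items else ""

if __name__ == "__main__":
    print(build_report(ADVISORIES, DEVICES))
```

Comparing versions as integer tuples keeps `6.6.10` from matching an advisory that lists `6.6.1`, which a substring comparison would get wrong.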

Configuration

  • If you don’t already have an API client for the Cisco PSIRT openVuln API:
    • Log into the Cisco API Console and click the “Register a New App” button
    • Give the app a name (for example: SecureX orchestration)
    • Check the “Client Credentials” box under the “OAuth2 Credentials” section
    • Check the “Cisco PSIRT openVuln API” box
    • Agree to the Terms of Service and click the “Register” button
    • Add the API key and secret to an HTTP Basic Authentication account key as described below
  • Enable or disable the keyword search local variables depending on which platforms you want to look for (ASA and/or Firepower)
  • Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
  • See this page for information on configuring the workflow for Webex

Targets

Target Group: Default TargetGroup

Note: If your FMC is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use FMC with orchestration.

| Target Name | Type | Details | Account Keys | Notes |
| --- | --- | --- | --- | --- |
| Cisco SSO | HTTP Endpoint | Protocol: HTTPS; Host: cloudsso.cisco.com; Path: /as | Cisco API Console Credentials | |
| Cisco API Console | HTTP Endpoint | Protocol: HTTPS; Host: api.cisco.com; Path: None | None | |
| FMC Target | HTTP Endpoint | Protocol: HTTPS; Host: your-firewall-management-center; Path: api/ | FMC API Credentials | |
| ServiceNow | HTTP Endpoint | Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | |

Account Keys

| Account Key Name | Type | Details | Notes |
| --- | --- | --- | --- |
| Cisco API Console Credentials | HTTP Basic Authentication | Username: API Key; Password: Client Secret | |
| FMC API Credentials | HTTP Basic Authentication | Username: FMC Username; Password: FMC Password | Account must have API permissions |
| ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID; Password: ServiceNow Password | |