Search PSIRT Advisories (Remote)
Workflow #0067
This workflow collects Cisco PSIRT Security Advisories and device details from your Secure Firewall Management Center. The workflow then checks each advisory and compares it to your Firepower devices to determine if any of your managed devices are affected by the advisory. If vulnerable devices are found, a Webex message is posted and a ServiceNow ticket is created.
There are two different ways to integrate Secure Firewall with orchestration. For more information about these two methods and which to use, please see this page.
Change Log
Date | Notes |
---|---|
Aug 1, 2022 | - Initial release |
Sep 7, 2022 | - Name modified to reflect this workflow using orchestration remote |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - API Console - Generate Access Token
  - Cisco PSIRT openVuln - Search Advisories by Product Name
  - Secure Firewall - Get Access Token
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident
- The targets and account keys listed below
- Cisco API Console API Key with openVuln Permissions
- Cisco Secure Firewall
- Cisco Webex
- ServiceNow
Workflow Steps
- Validate workflow configuration
- Assemble a list of managed firewall devices
- Build the search terms for the PSIRT API
- Fetch a list of advisories and, for each advisory:
  - Check whether any impacted devices were found. If so:
    - Send a Webex message and update the HTML for ServiceNow
- Check for any error messages (if so: send a Webex message and end the workflow)
- Check for HTML results (if so: open a ServiceNow ticket)
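The per-advisory check in the steps above can be sketched as follows. This is an added example, not the workflow's own logic: the matching rule (platform name plus exact software version), the field names (`productNames`, `sw_version`, and the hypothetical `platform`), and all sample records are assumptions constructed for illustration.

```python
import html

# Constructed sample data. Field names are assumptions modeled on openVuln
# advisory records and FMC device records, not taken from the workflow itself.
ADVISORIES = [
    {"advisoryId": "example-advisory-1", "advisoryTitle": "Example <FTD> issue",
     "sir": "High",
     "productNames": ["Cisco Firepower Threat Defense Software 6.6.1",
                      "Cisco Firepower Threat Defense Software 6.6.3"]},
    {"advisoryId": "example-advisory-2", "advisoryTitle": "Example ASA issue",
     "sir": "Medium",
     "productNames": ["Cisco Adaptive Security Appliance (ASA) Software 9.12.4"]},
]
DEVICES = [
    {"name": "edge-fw-01", "platform": "Firepower Threat Defense", "sw_version": "6.6.1"},
    {"name": "edge-fw-02", "platform": "Firepower Threat Defense", "sw_version": "6.6.10"},
    {"name": "dc-fw-01", "platform": "Firepower Threat Defense", "sw_version": "7.0.1"},
]

def affected_devices(advisory, devices):
    """Return devices whose platform and exact version appear in productNames."""
    hits = []
    for dev in devices:
        for product in advisory["productNames"]:
            # Compare the trailing version token exactly: a substring test
            # would wrongly match 6.6.1 against 6.6.10.
            name, _, version = product.rpartition(" ")
            if dev["platform"].lower() in name.lower() and version == dev["sw_version"]:
                hits.append(dev)
                break
    return hits

def correlate(advisories, devices):
    """Return (chat summary lines, HTML table rows for the ticket)."""
    messages, rows = [], []
    for adv in advisories:
        hits = affected_devices(adv, devices)
        if not hits:
            continue
        names = ", ".join(d["name"] for d in hits)
        messages.append(f"{adv['advisoryId']} ({adv['sir']}): {names}")
        # Escape API-supplied text before embedding it in the ticket HTML.
        rows.append("<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(adv["advisoryId"]), html.escape(adv["advisoryTitle"]),
            html.escape(names)))
    return messages, rows

if __name__ == "__main__":
    msgs, rows = correlate(ADVISORIES, DEVICES)
    print("\n".join(msgs), "<table>" + "".join(rows) + "</table>", sep="\n")
```
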
Configuration
- If you don’t already have an API client for the Cisco PSIRT openVuln API:
  - Log into the Cisco API Console and click the “Register a New App” button
  - Give the app a name (for example: SecureX orchestration)
  - Check the “Client Credentials” box under the “OAuth2 Credentials” section
  - Check the “Cisco PSIRT openVuln API” box
  - Agree to the Terms of Service and click the “Register” button
  - Add the API key and secret to an HTTP Basic Authentication account key as described below
- Enable or disable the keyword search local variables depending on which platforms you want to look for (ASA and/or Firepower)
- Set the `ServiceNow User ID` local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user.
- If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Note: If your FMC is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use FMC with orchestration.
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Cisco SSO | HTTP Endpoint | Protocol: HTTPS Host: cloudsso.cisco.com Path: /as | Cisco API Console Credentials | |
Cisco API Console | HTTP Endpoint | Protocol: HTTPS Host: api.cisco.com Path: None | None | |
FMC Target | HTTP Endpoint | Protocol: HTTPS Host: your-firewall-management-center Path: api/ | FMC API Credentials | |
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Webex Teams | HTTP Endpoint | Protocol: HTTPS Host: webexapis.com Path: None | None | |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
Cisco API Console Credentials | HTTP Basic Authentication | Username: API Key Password: Client Secret | |
FMC API Credentials | HTTP Basic Authentication | Username: FMC Username Password: FMC Password | Account must have API permissions |
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password | |