Get Health Alerts (SSE)
Workflow #0072
This workflow retrieves health monitor alerts from a Cisco Secure Firewall Management Center and, if alerts are returned, documents them in ServiceNow and sends a Webex message.
There are two different ways to integrate Secure Firewall with orchestration. For more information about these two methods and which to use, please see this page.
This workflow expects the new "SecureX Token" account key. For more information about this, please see this page.
Change Log
Date | Notes |
---|---|
Sep 7, 2022 | - Initial release |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Secure Firewall - SSE - Get Device Details
  - Secure Firewall - SSE - Get Health Alerts
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- Cisco Secure Firewall (software version 7.2 or newer)
- Cisco Webex
- ServiceNow
Workflow Steps
- Fetch global variables
- Set the workflow run URL based on region
- Search for the Webex room provided
- Validate required variables are provided
- Build the search filter
- Fetch matching health alerts
- Check if any alerts were found:
  - If not, end the workflow
  - If there were alerts:
    - Parse the alerts to markdown and HTML
    - Create ServiceNow ticket
    - Post the workflow result to Webex
Configuration
- Set the `Minutes to Search` local variable to how many minutes into the past you want to search for alerts. If running the workflow on a schedule, this should be the same as the scheduled interval
- Set `Status Code Red` and/or `Status Code Yellow` to `true`. At least one of these must be enabled
- Set the `Domain UUID` to the UUID of the FMC domain you want the workflow to make changes to. If you’re using the default domain, you can leave the default value
- Set the `Device ID` to the ID of the device to send the command to in SSE. This can be obtained from the device’s summary page in SSE, the Devices page in the Administration section of SecureX, or by using the “SecureX - SSE Proxy - List Devices” atomic
- Update the `ServiceNow User ID` local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
- By default, this workflow is configured to run on demand. You can create a schedule if you want it to run at a set interval
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
CTR_API | HTTP Endpoint | Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh | CTR_Credentials | Created by default |
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Webex Teams | HTTP Endpoint | Protocol: HTTPS Host: webexapis.com Path: None | None | |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | SecureX Token | See this page | |
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password | |