On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Get Health Alerts (SSE)

Workflow #0072

This workflow retrieves health monitor alerts from a Cisco Secure Firewall Management Center and, if alerts are returned, documents them in ServiceNow and sends a Webex message.

There are two different ways to integrate Secure Firewall with orchestration. For more information about these two methods and which to use, please see this page.

This workflow expects the new "SecureX Token" account key. For more information about this, please see this page.

GitHub

---

Change Log

Date	Notes
Sep 7, 2022	- Initial release

See the Important Notes page for more information about updating workflows

---

Requirements

• The following system atomics are used by this workflow:
  • Secure Firewall - SSE - Get Device Details
  • Secure Firewall - SSE - Get Health Alerts
  • Webex - Post Message to Room
  • Webex - Search for Room
• The following atomic actions must be imported before you can import this workflow:
  • ServiceNow - Create Incident (CiscoSecurity_Atomics)
• The targets and account keys listed at the bottom of the page
• Cisco Secure Firewall (software version 7.2 or newer)
• Cisco Webex
• ServiceNow

---

Workflow Steps

1. Fetch global variables
2. Set the workflow run URL based on region
3. Search for the Webex room provided
4. Validate required variables are provided
5. Build the search filter
6. Fetch matching health alerts
7. Check if any alerts were found:
   • If not, end the workflow
   • If there were alerts:
     • Parse the alerts to markdown and HTML
     • Create ServiceNow ticket
8. Post the workflow result to Webex

---

Configuration

• Set the Minutes to Search local variable to how many minutes into the past you want to search for alerts. If running the workflow on a schedule, this should be the same as the scheduled interval
• Set Status Code Red and/or Status Code Yellow to true. At least one of these must be enabled
• Set the Domain UUID to the UUID of the FMC domain you want the workflow to make changes to. If you’re using the default domain, you can leave the default value
• Set the Device ID to the ID of the device to send the command to in SSE. This can be obtained from the device’s summary page in SSE, the Devices page in the Administration section of SecureX, or by using the “SecureX - SSE Proxy - List Devices” atomic
• Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
• By default, this workflow is configured to run on demand. You can create a schedule if you want it to run at a set interval
• See this page for information on configuring the workflow for Webex

---

Targets

Target Group: Default TargetGroup

Target Name	Type	Details	Account Keys	Notes
CTR_API	HTTP Endpoint	Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh	CTR_Credentials	Created by default
ServiceNow	HTTP Endpoint	Protocol: HTTPS Host: <instance>.service-now.com Path: /api	ServiceNow_Credentials	Be sure to use your instance URL
Webex Teams	HTTP Endpoint	Protocol: HTTPS Host: webexapis.com Path: None	None

---

Account Keys

Account Key Name	Type	Details	Notes
CTR_Credentials	SecureX Token		See this page
ServiceNow_Credentials	HTTP Basic Authentication	Username: ServiceNow User ID Password: ServiceNow Password