Block Observable (SSE)
Workflow #0073
Response Workflow
This workflow takes a URL, domain, IP, or IPv6 observable as input and blocks it on the Secure Firewall Management Center. The observable is added to a new object and the new object is added to an existing object group. A confirmation is sent via Webex. Supported observables: url, ip, ipv6, domain
There are two different ways to integrate Secure Firewall with orchestration. For more information about these two methods and which to use, please see this page.
This workflow expects the new "SecureX Token" account key. For more information about this, please see this page.
Change Log
| Date | Notes |
|---|---|
| Sep 7, 2022 | - Initial release |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- Secure Firewall - SSE - Add Network Object to Network Group
- Secure Firewall - SSE - Add URL Object to URL Group
- Secure Firewall - SSE - Create Object
- Secure Firewall - SSE - Get Network Group by Name
- Secure Firewall - SSE - Get URL Group by Name
- Secure Firewall - SSE - Search object by Value
- Webex - Post Message to Room
- Webex - Search for Room
- The targets and account keys listed at the bottom of the page
- Cisco Secure Firewall (software version 7.2 or newer)
- Cisco Webex
Workflow Steps
- Fetch global variables
- Set the workflow run URL based on region
- Search for the Webex room provided
- Validate required variables are provided
- Set the object types based on the observable type
- Search for existing objects for this observable
- Check if an object already exists:
- If it does, use the existing object
- If it doesn’t, create a new object
- Check if we’re working with network or URL objects:
- If network objects:
- Get the network group and check if the object is already in it (if so, end the workflow)
- Add the object to the group and send a confirmation
- If URL objects:
- Get the URL group and check if the object is already in it (if so, end the workflow)
- Add the object to the group and send a confirmation
- If network objects:
Configuration
- Configure the following local variables with the options you want for your Secure Firewall Management Center:
- Access Control Policy
- Access Rule
- Object Name Prefix
- URL Group
- Network Group
- Set the
Domain UUIDto the UUID of the FMC domain you want the workflow to make changes to. If you’re using the default domain, you can leave the default value - Set the
Device IDto the ID of the device to send the command to in SSE. This can be obtained from the device’s summary page in SSE, the Devices page in the Administration section of SecureX, or by using the “SecureX - SSE Proxy - List Devices” atomic - If you want to change the name of this workflow in the pivot menu, change its display name
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| CTR_API | HTTP Endpoint | Protocol: HTTPSHost: visibility.amp.cisco.comPath: /iroh | CTR_Credentials | Created by default |
| Webex Teams | HTTP Endpoint | Protocol: HTTPSHost: webexapis.comPath: None | None |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| CTR_Credentials | SecureX Token | See this page |