On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this GitHub repository will not be actively maintained following this announcement.

Search PSIRT Advisories (SSE)

Workflow #0075

This workflow collects Cisco PSIRT Security Advisories and device details from your Secure Firewall Management Center. The workflow then checks each advisory and compares it to your Firepower devices to determine if any of your managed devices are affected by the advisory. If vulnerable devices are found, a Webex message is posted and a ServiceNow ticket is created.

There are two different ways to integrate Secure Firewall with orchestration. For more information about these two methods and which to use, please see this page.
This workflow expects the new "SecureX Token" account key. For more information about this, please see this page.

GitHub


Change Log

| Date | Notes |
|---|---|
| Sep 7, 2022 | Initial release |
| Jan 31, 2023 | Fix to API path in the SecureX - SSE Proxy - Get Device Details activity |

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • API Console - Generate Access Token
    • Cisco PSIRT openVuln - Search Advisories by Product Name
    • SecureX - SSE Proxy - Send Request
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • ServiceNow - Create Incident
  • The targets and account keys listed below
  • Cisco API Console API Key with openVuln Permissions
  • Cisco Secure Firewall
  • Cisco Webex
  • ServiceNow

Workflow Steps

  1. Validate workflow configuration
  2. Assemble a list of managed firewall devices
  3. Build the search terms for the PSIRT API
  4. Fetch a list of advisories and, for each advisory:
    • Check whether any impacted devices were found. If so:
      • Send a Webex message and update the HTML for ServiceNow
  5. Check for any error messages (if so: send a Webex message and end the workflow)
  6. Check for HTML results (if so: open a ServiceNow ticket)
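
A sketch of steps 2 to 6 as an added example (not the workflow's own logic, which runs as SecureX atomics): it matches advisories to devices by exact software version and HTML-escapes advisory text before it goes into the ticket body. The record field names, the matching rule and all sample data are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample data. Field names (productNames, advisoryId, sw_version, ...)
# are assumptions for this sketch, not taken from the workflow.
DEVICES = [
    {"name": "edge-ftd-01", "model": "Cisco Firepower 2130 Threat Defense", "sw_version": "7.0.1"},
    {"name": "dc-ftd-02", "model": "Cisco Firepower 4110 Threat Defense", "sw_version": "7.2.0"},
]
ADVISORIES = [
    {"advisoryId": "example-sa-0001", "advisoryTitle": "Example FTD <DoS> issue", "sir": "High",
     "productNames": ["Cisco Firepower Threat Defense Software 7.0.1",
                      "Cisco Firepower Threat Defense Software 7.0.10"]},
    {"advisoryId": "example-sa-0002", "advisoryTitle": "Example ASA issue", "sir": "Medium",
     "productNames": ["Cisco Adaptive Security Appliance (ASA) Software 9.16.1"]},
]

def affected_versions(advisory, keyword):
    """Versions an advisory lists for products whose name contains keyword."""
    versions = set()
    for product in advisory.get("productNames", []):
        if keyword.lower() in product.lower():
            m = re.search(r"(\d+(?:\.\d+)+)\s*$", product)  # trailing dotted version
            if m:
                versions.add(m.group(1))
    return versions

def impacted_devices(advisory, devices, keyword="Firepower Threat Defense"):
    """Exact version comparison, so 7.0.1 does not also match 7.0.10."""
    versions = affected_versions(advisory, keyword)
    return [d for d in devices if d["sw_version"] in versions]

def build_report(advisories, devices):
    """Return (hits per advisory, HTML table rows for the ticket body)."""
    hits, rows = {}, []
    for adv in advisories:
        found = impacted_devices(adv, devices)
        if not found:
            continue  # nothing to report for this advisory
        hits[adv["advisoryId"]] = [d["name"] for d in found]
        for d in found:
            cells = (adv["advisoryId"], adv["advisoryTitle"], adv["sir"], d["name"], d["sw_version"])
            # Escape every cell: advisory text comes from an external API.
            rows.append("<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>")
    return hits, "\n".join(rows)
```
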

Configuration

  • If you don’t already have an API client for the Cisco PSIRT openVuln API:
    • Log into the Cisco API Console and click the “Register a New App” button
    • Give the app a name (for example: SecureX Orchestration)
    • Check the “Client Credentials” box under the “OAuth2 Credentials” section
    • Check the “Cisco PSIRT openVuln API” box
    • Agree to the Terms of Service and click the “Register” button
    • Add the API key and secret to an HTTP Basic Authentication account key as described below
  • Enable or disable the keyword search local variables depending on which platforms you want to look for (ASA and/or Firepower)
  • Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • Set the Domain UUID to the UUID of the FMC domain you want the workflow to make changes to. If you’re using the default domain, you can leave the default value
  • Set the Device ID to the ID of the device to send the command to in SSE. This can be obtained from the device’s summary page in SSE, the Devices page in the Administration section of SecureX, or by using the “SecureX - SSE Proxy - List Devices” atomic
  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
  • See this page for information on configuring the workflow for Webex

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| Cisco SSO | HTTP Endpoint | Protocol: HTTPS; Host: cloudsso.cisco.com; Path: /as | Cisco API Console Credentials | |
| Cisco API Console | HTTP Endpoint | Protocol: HTTPS; Host: api.cisco.com; Path: None | None | |
| CTR_API | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | CTR_Credentials | Created by default |
| ServiceNow | HTTP Endpoint | Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| Cisco API Console Credentials | HTTP Basic Authentication | Username: API Key; Password: Client Secret | |
| CTR_Credentials | SecureX Token | | See this page |
| ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID; Password: ServiceNow Password | |