Search PSIRT Advisories (SSE)
Workflow #0075
This workflow collects Cisco PSIRT Security Advisories and device details from your Secure Firewall Management Center. The workflow then checks each advisory and compares it to your Firepower devices to determine if any of your managed devices are affected by the advisory. If vulnerable devices are found, a Webex message is posted and a ServiceNow ticket is created.
There are two different ways to integrate Secure Firewall with orchestration. For more information about these two methods and which to use, please see this page.
This workflow expects the new "SecureX Token" account key. For more information about this, please see this page.
Change Log
Date | Notes |
---|---|
Sep 7, 2022 | - Initial release |
Jan 31, 2023 | - Fix to API path in the SecureX - SSE Proxy - Get Device Details activity |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - API Console - Generate Access Token
  - Cisco PSIRT openVuln - Search Advisories by Product Name
  - SecureX - SSE Proxy - Send Request
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident
- The targets and account keys listed below
- Cisco API Console API Key with openVuln Permissions
- Cisco Secure Firewall
- Cisco Webex
- ServiceNow
Workflow Steps
- Validate workflow configuration
- Assemble a list of managed firewall devices
- Build the search terms for the PSIRT API
- Fetch a list of advisories and, for each advisory:
  - Check whether any impacted devices were found. If so:
    - Send a Webex message and update the HTML for ServiceNow
- Check for any error messages (if so: send a Webex message and end the workflow)
- Check for HTML results (if so: open a ServiceNow ticket)
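The compare-and-report steps above, sketched offline as an added example (not the workflow's own logic, which this page does not spell out). The record shapes, the `platform` field, the sample data and the exact-version matching rule are assumptions made for illustration.

```python
import html
import re

# Constructed sample records; IDs, names and versions are made up, and the
# record shapes are simplified assumptions, not the APIs' full schemas.
ADVISORIES = [
    {"advisoryId": "example-sa-0001",
     "productNames": ["Cisco Firepower Threat Defense Software 7.0.1"]},
    {"advisoryId": "example-sa-0002",
     "productNames": ["Cisco Adaptive Security Appliance (ASA) Software 9.16.2"]},
    {"advisoryId": "example-sa-0003",
     "productNames": ["Cisco Firepower Threat Defense Software 7.0.10"]},
]
DEVICES = [
    {"name": "edge-fw-1", "platform": "Firepower Threat Defense", "sw_version": "7.0.1"},
    {"name": "dc-fw-2", "platform": "Firepower Threat Defense", "sw_version": "7.2.0"},
    {"name": "lab-asa", "platform": "Adaptive Security Appliance", "sw_version": "9.16.2"},
]

# "<product text> <dotted version>"; entries without a version are skipped.
VERSIONED = re.compile(r"^(.*?)\s+(\d+(?:\.\d+)+)$")

def split_product(entry):
    """Return (lower-cased product text, version), or None if no version."""
    m = VERSIONED.match(entry.strip())
    return (m.group(1).lower(), m.group(2)) if m else None

def impacted_devices(advisories, devices):
    """Map advisoryId -> sorted names of devices on an affected release."""
    hits = {}
    for adv in advisories:
        affected = {split_product(p) for p in adv.get("productNames", [])}
        affected.discard(None)
        # Compare versions for equality: a substring test would wrongly
        # match a device on 7.0.1 against an advisory for 7.0.10.
        names = sorted(d["name"] for d in devices
                       if any(d["platform"].lower() in prod and d["sw_version"] == ver
                              for prod, ver in affected))
        if names:
            hits[adv["advisoryId"]] = names
    return hits

def incident_html(hits):
    """HTML ticket body; values are escaped because they come from API data."""
    rows = "".join(f"<li>{html.escape(a)}: {html.escape(', '.join(n))}</li>"
                   for a, n in sorted(hits.items()))
    return f"<ul>{rows}</ul>" if rows else ""  # empty string: no ticket needed

if __name__ == "__main__":
    found = impacted_devices(ADVISORIES, DEVICES)
    print(found)
    print(incident_html(found))
```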
Configuration
- If you don’t already have an API client for the Cisco PSIRT openVuln API:
  - Log into the Cisco API Console and click the “Register a New App” button
  - Give the app a name (for example: SecureX Orchestration)
  - Check the “Client Credentials” box under the “OAuth2 Credentials” section
  - Check the “Cisco PSIRT openVuln API” box
  - Agree to the Terms of Service and click the “Register” button
  - Add the API key and secret to an HTTP Basic Authentication account key as described below
- Enable or disable the keyword search local variables depending on which platforms you want to look for (ASA and/or Firepower)
- Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
- Set the Domain UUID to the UUID of the FMC domain you want the workflow to make changes to. If you’re using the default domain, you can leave the default value
- Set the Device ID to the ID of the device to send the command to in SSE. This can be obtained from the device’s summary page in SSE, the Devices page in the Administration section of SecureX, or by using the “SecureX - SSE Proxy - List Devices” atomic
- If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Cisco SSO | HTTP Endpoint | Protocol: HTTPS Host: cloudsso.cisco.com Path: /as | Cisco API Console Credentials | |
Cisco API Console | HTTP Endpoint | Protocol: HTTPS Host: api.cisco.com Path: None | None | |
CTR_API | HTTP Endpoint | Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh | CTR_Credentials | Created by default |
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Webex Teams | HTTP Endpoint | Protocol: HTTPS Host: webexapis.com Path: None | None | |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
Cisco API Console Credentials | HTTP Basic Authentication | Username: API Key Password: Client Secret | |
CTR_Credentials | SecureX Token | See this page | |
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password | |