
Endpoint IOCs from File Hash

Workflow #0057

Response Workflow

Searches Cisco Secure Malware Analytics for IOCs related to the file hash provided. If any of those IOCs carry Orbital queries, the queries are executed on every endpoint running Orbital. The Orbital results are then checked for hosts that may be affected by the IOCs, and the findings are documented in a ServiceNow incident ticket. Supported observables: sha1, sha256, md5

Note: This workflow uses the Orbital - Query All Endpoints atomic, which sends the queries to all of your endpoints at the same time. Depending on the size of your environment, this can cause a spike in network traffic and CPU usage. The queries are executed with a timeout of 10 minutes, so results are only reported for endpoints that respond within that 10-minute window. Endpoints that are offline or slow to answer do not appear in the results at all, so a host missing from the ticket has not been cleared; it simply did not respond.

Change Log

  • Jan 27, 2022 - Initial release

Requirements

  • The following system atomics are used by this workflow:
    • Orbital - Query All Endpoints
    • Secure Malware Analytics - Get Sample Analysis
    • Secure Malware Analytics - Get Samples by File Hash
    • Threat Response - Generate Access Token
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Cisco Orbital
  • Cisco Secure Malware Analytics
  • ServiceNow

Workflow Steps

  1. Fetch global variables
  2. Make sure the observable provided is supported
  3. Make sure a ServiceNow user was provided
  4. Create a table for IOCs
  5. Fetch samples for the file hash given
  6. Check if any samples were found:
    • If not, end the workflow
    • If some were:
      • Extract the sample IDs and fetch each sample’s details
      • For each sample, add its IOCs into the IOC table
  7. Check if there were any IOCs with Orbital queries
    • If not, end the workflow
    • If there were queries:
      • Execute each query and add the results to the IOC table
  8. Loop through each Orbital query result and assemble the ticket text
  9. Open the ServiceNow incident
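The steps above, worked through as an added Python example (not code from the workflow itself): it validates the observable type, merges the IOCs from several samples into one table keyed by IOC id, runs only the IOCs that carry an Orbital query, and assembles the ticket text. The sample-analysis fields ("iocs", "orbital_query"), the per-node result shape returned by the stand-in query function, and all hostnames and queries are constructed assumptions for this example, not the Secure Malware Analytics or Orbital schemas. Note how hosts that answered with an error are listed separately, and hosts that never answered inside the query timeout are simply absent.

```python
import re
from collections import OrderedDict

# Step 2: the workflow accepts only md5, sha1 and sha256 observables.
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}

def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256', or None for an unsupported observable."""
    v = value.strip().lower()
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(v):
            return name
    return None

# Constructed stand-in for the per-sample analysis responses (step 6). Field names
# ("iocs", "orbital_query", ...) are assumptions for this example, not the product schema.
RUN_KEY_QUERY = (r"SELECT path, data FROM registry WHERE key LIKE "
                 r"'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'")
TASK_QUERY = "SELECT name, path FROM scheduled_tasks WHERE hidden = 1"
SAMPLE_ANALYSES = [
    {"sample_id": "sample-a", "iocs": [
        {"ioc": "run-key-persistence", "title": "Run key persistence", "severity": 80,
         "orbital_query": RUN_KEY_QUERY},
        {"ioc": "network-beacon", "title": "Periodic outbound beacon", "severity": 60}]},
    {"sample_id": "sample-b", "iocs": [
        {"ioc": "run-key-persistence", "title": "Run key persistence", "severity": 80,
         "orbital_query": RUN_KEY_QUERY},
        {"ioc": "hidden-scheduled-task", "title": "Hidden scheduled task", "severity": 50,
         "orbital_query": TASK_QUERY}]},
]

def build_ioc_table(analyses):
    """Step 6: merge IOCs from all samples into one table keyed by IOC id, so an
    indicator shared by several samples is queried once and lists every sample."""
    table = OrderedDict()
    for analysis in analyses:
        for ioc in analysis["iocs"]:
            entry = table.setdefault(ioc["ioc"], {"title": ioc["title"], "severity": ioc["severity"],
                                                   "orbital_query": ioc.get("orbital_query"), "samples": []})
            entry["samples"].append(analysis["sample_id"])
    return table

def queries_to_run(table):
    """Step 7: only IOCs that carry an Orbital query can be checked on endpoints."""
    return {ioc_id: e["orbital_query"] for ioc_id, e in table.items() if e["orbital_query"]}

# Constructed stand-in for "Orbital - Query All Endpoints": one entry per node that responded,
# with the rows its osquery returned. This result shape is assumed for the example only.
def fake_orbital_query_all(query):
    if query == RUN_KEY_QUERY:
        return [{"hostname": "ws-101", "values": [["...\\Run\\updater", "C:\\Users\\Public\\u.exe"]], "error": ""},
                {"hostname": "ws-102", "values": [], "error": ""},
                {"hostname": "ws-103", "values": [], "error": "table registry not available"}]
    return [{"hostname": "ws-101", "values": [], "error": ""},
            {"hostname": "ws-102", "values": [], "error": ""}]

def summarize_hits(node_results):
    """Step 8: a host matches an IOC when its query returned at least one row. Hosts that
    returned an error are reported separately; hosts that never answered within the
    10-minute window are absent from node_results and are therefore NOT known to be clean."""
    hits = [(n["hostname"], len(n["values"])) for n in node_results if not n["error"] and n["values"]]
    errors = [(n["hostname"], n["error"]) for n in node_results if n["error"]]
    return hits, errors

def assemble_ticket(hash_value, analyses, query_all=fake_orbital_query_all):
    """Steps 2 to 8 end to end; returns (ticket_text, sorted hosts with at least one match)."""
    hash_type = classify_hash(hash_value)
    if hash_type is None:
        raise ValueError("unsupported observable; expected md5, sha1 or sha256")
    table = build_ioc_table(analyses)
    queries = queries_to_run(table)
    lines = [f"Endpoint IOC sweep for {hash_type} {hash_value.lower()}", ""]
    matched_hosts = set()
    for ioc_id, entry in table.items():
        lines.append(f"IOC {ioc_id}: {entry['title']} (severity {entry['severity']}, "
                     f"samples {', '.join(entry['samples'])})")
        if ioc_id not in queries:
            lines.append("  no Orbital query for this IOC; not checked on endpoints")
            continue
        hits, errors = summarize_hits(query_all(queries[ioc_id]))
        for host, rows in hits:
            matched_hosts.add(host)
            lines.append(f"  MATCH {host}: {rows} row(s)")
        if not hits:
            lines.append("  no responding endpoint matched")
        for host, err in errors:
            lines.append(f"  ERROR {host}: {err}")
    return "\n".join(lines), sorted(matched_hosts)

if __name__ == "__main__":
    text, hosts = assemble_ticket("d41d8cd98f00b204e9800998ecf8427e", SAMPLE_ANALYSES)
    print(text)
```

Keying the IOC table by IOC id is what keeps the "query all endpoints" fan-out bounded: the same persistence indicator reported by ten samples still produces one Orbital query rather than ten.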

Configuration

  • Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • Update the ServiceNow - Create Incident activity at the end of the workflow with any changes to the ticket properties you want
  • Provide the workflow your Secure Malware Analytics API token by either:
    • Storing your token in a global variable and using the Fetch Global Variables group at the beginning of the workflow to update the Secure Malware Analytics API Key local variable; or
    • Removing the Secure Malware Analytics API Key from the Fetch Global Variables group and adding your token directly to the Secure Malware Analytics API Key local variable
  • This workflow assumes it’s running in the North America region. If you’re using Orbital and/or Secure Malware Analytics in other regions, you’ll need to update the URLs for these products in the Parse the results Python activity
  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

  • Orbital_For_Access_Token
    • Type: HTTP Endpoint
    • Protocol: HTTPS
    • Host: visibility.amp.cisco.com
    • Path: /iroh
    • Account Key: Orbital_Credentials
    • Notes: Created by default
  • Orbital_Target
    • Type: HTTP Endpoint
    • Protocol: HTTPS
    • Host: orbital.amp.cisco.com
    • Path: /v0
    • Account Key: None
    • Notes: Created by default
  • ServiceNow
    • Type: HTTP Endpoint
    • Protocol: HTTPS
    • Host: <instance>.service-now.com
    • Path: /api
    • Account Key: ServiceNow_Credentials
    • Notes: Be sure to use your instance URL
  • ThreatGrid_Target
    • Type: HTTP Endpoint
    • Protocol: HTTPS
    • Host: panacea.threatgrid.com
    • Path: None
    • Account Key: None
    • Notes: Created by default

Account Keys

  • Orbital_Credentials
    • Type: HTTP Basic Authentication
    • Username: Client ID
    • Password: Client Secret
    • Notes: Created by default
  • ServiceNow_Credentials
    • Type: HTTP Basic Authentication
    • Username: ServiceNow User ID
    • Password: ServiceNow Password