Endpoint IOCs from File Hash
Workflow #0057
Response Workflow
Searches Cisco Secure Malware Analytics for IOCs related to the file hash provided. If IOCs are found with Orbital queries, the queries are executed on all endpoints running Orbital. The Orbital results are then checked to see if any hosts may be vulnerable to the IOCs and the results are documented in a ServiceNow incident ticket.
Supported observables: sha1, sha256, md5
Note: This workflow uses the Orbital - Query All Endpoints atomic which will send queries to all of your endpoints at the same time. Depending on the size of your environment, this could result in a spike in network traffic and CPU usage. The queries are executed with a timeout of 10 minutes, so results will only be reported for endpoints that respond to the queries within that 10 minute window.
Change Log
Date | Notes |
---|---|
Jan 27, 2022 | - Initial release |
Sep 7, 2022 | - Minor updates to naming and descriptions |
Requirements
- The following system atomics are used by this workflow:
  - Orbital - Query All Endpoints
  - Secure Malware Analytics - Get Sample Analysis
  - Secure Malware Analytics - Get Samples by File Hash
  - Threat Response - Generate Access Token
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- Cisco Orbital
- Cisco Secure Malware Analytics
- ServiceNow
Workflow Steps
- Fetch global variables
- Make sure the observable provided is supported
- Make sure a ServiceNow user was provided
- Create a table for IOCs
- Fetch samples for the file hash given
- Check if any samples were found:
  - If not, end the workflow
  - If some were:
    - Extract the sample IDs and fetch each sample's details
    - For each sample, add its IOCs into the IOC table
- Check if there were any IOCs with Orbital queries:
  - If not, end the workflow
  - If there were queries:
    - Execute each query and add the results to the IOC table
    - Loop through each Orbital query result and assemble the ticket text
    - Open the ServiceNow incident
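The IOC-table and result-handling steps above (merge IOCs across samples, keep only those with Orbital queries, check which hosts matched, assemble the ticket text), as an added Python example that is not the workflow's own `Parse the results` activity. The dict shapes, host names, sample IDs and query text are constructed assumptions, not the real Secure Malware Analytics or Orbital response schemas.

```python
# Constructed sample input (assumed shape, not the real SMA/Orbital schemas).
SAMPLES = [
    {"sample_id": "sample-A", "iocs": [
        {"ioc": "persist-runkey", "title": "Run key persistence", "severity": 90,
         "orbital": "SELECT name, path FROM registry WHERE path LIKE '%\\Run\\%'"},
        {"ioc": "net-dns", "title": "DNS lookup", "severity": 30, "orbital": None},
    ]},
    {"sample_id": "sample-B", "iocs": [
        {"ioc": "persist-runkey", "title": "Run key persistence", "severity": 90,
         "orbital": "SELECT name, path FROM registry WHERE path LIKE '%\\Run\\%'"},
    ]},
]
# Constructed Orbital results: ioc id -> host -> rows. host-3 never answered
# within the 10 minute query timeout, so it is absent from the results.
RESULTS = {"persist-runkey": {"host-1": [{"name": "Updater", "path": "C:\\Temp\\u.exe"}],
                              "host-2": []}}
ALL_ENDPOINTS = {"host-1", "host-2", "host-3"}


def build_ioc_table(samples):
    """Merge IOCs across samples, keyed by IOC id, remembering which samples hit."""
    table = {}
    for sample in samples:
        for ioc in sample["iocs"]:
            row = table.setdefault(ioc["ioc"], {"title": ioc["title"], "severity": ioc["severity"],
                                                 "query": ioc["orbital"], "samples": []})
            row["samples"].append(sample["sample_id"])
    return table


def iocs_with_queries(table):
    """Only IOCs that carry an Orbital query can be checked on endpoints."""
    return {k: v for k, v in table.items() if v["query"]}


def summarize(table, results, endpoints):
    """Per IOC: hosts whose query returned rows (possibly affected) and hosts that never responded."""
    summary = {}
    for ioc_id in iocs_with_queries(table):
        per_host = results.get(ioc_id, {})
        summary[ioc_id] = {"matched": sorted(h for h, rows in per_host.items() if rows),
                           "no_response": sorted(endpoints - set(per_host))}
    return summary


def ticket_text(table, summary):
    """Plain-text body for the incident: one block per IOC, silent hosts called out separately."""
    lines = []
    for ioc_id, s in summary.items():
        row = table[ioc_id]
        lines.append(f"[{row['severity']}] {row['title']} ({ioc_id}) seen in {len(row['samples'])} sample(s)")
        lines.append("  matched hosts: " + (", ".join(s["matched"]) or "none"))
        lines.append("  no response within timeout: " + (", ".join(s["no_response"]) or "none"))
    return "\n".join(lines)
```

Hosts listed under "no response" are not cleared; they simply did not answer before the query timeout and should be re-queried.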
Configuration
- Update the `ServiceNow User ID` local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
- Update the `ServiceNow - Create Incident` activity at the end of the workflow with any changes to the ticket properties you want
- Provide the workflow your Secure Malware Analytics API token by either:
  - Storing your token in a global variable and using the `Fetch Global Variables` group at the beginning of the workflow to update the `Secure Malware Analytics API Key` local variable; or
  - Removing the `Secure Malware Analytics API Key` from the `Fetch Global Variables` group and adding your token directly to the `Secure Malware Analytics API Key` local variable
- This workflow assumes it's running in the North America region. If you're using Orbital and/or Secure Malware Analytics in other regions, you'll need to update the URLs for these products in the `Parse the results` Python activity
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh | Orbital_Credentials | Created by default |
Orbital_Target | HTTP Endpoint | Protocol: HTTPS Host: orbital.amp.cisco.com Path: /v0 | None | Created by default |
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
ThreatGrid_Target | HTTP Endpoint | Protocol: HTTPS Host: panacea.threatgrid.com Path: None | None | Created by default |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
Orbital_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password | |