Isolate Endpoints and Block Hashes from Alarms

Workflow #0032

This workflow gets events from Secure Network Analytics (formerly Stealthwatch Enterprise) for the past 24 hours based on the event name provided. It then fetches associated flows and compiles information necessary to isolate related hosts and block file hashes in Secure Endpoint (formerly known as AMP for Endpoints). At the end, a Webex Teams message is sent with a summary.

GitHub


Requirements

Note: You may have an old version of the Webex Teams - Post Message to Room atomic. To ensure the best experience with this workflow, be sure to import the latest version of this atomic from the GitHub_Target_Atomics repository!


Workflow Steps

  1. Fetch global variables
  2. Get SNA tokens and tenant information
  3. Calculate dates and times
  4. Get security events from SNA
  5. Parse events to table
  6. Fetch file list information from Secure Endpoint
  7. For each security event:
    • Extract event attributes
    • Get related flows and parse out file hashes
    • Attempt to locate matching hosts in Secure Endpoint and, if found, isolate them
    • Convert the file hashes to a table and add each one to the file lists in Secure Endpoint
  8. Send a Webex Teams message with a summary
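The following is an added example, not part of the workflow or any Cisco code, that mirrors the data-shaping steps above as an offline dry run: it computes the 24-hour look-back window, filters the events by the configured event name, pulls SHA-256 values out of the related flow records (normalising case, discarding anything that is not a 64-character hex digest, and de-duplicating), looks the source hosts up in a Secure Endpoint inventory and builds the list of isolation and file-list actions together with the text of the summary message. The event and flow records, the field names on them (`eventName`, `sourceIp`, `eventId`, `fileHash`) and the host-to-connector mapping are all constructed for this example and are assumptions; they are not the SNA or Secure Endpoint API schemas, and no API calls are made.

```python
"""Dry-run planner mirroring the workflow steps (added example; constructed data only)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample records standing in for SNA responses (field names are assumptions).
SAMPLE_EVENTS = [
    {"eventName": "Suspect Data Hoarding", "sourceIp": "10.0.0.12", "eventId": 101},
    {"eventName": "Suspect Data Hoarding", "sourceIp": "10.0.0.12", "eventId": 102},
    {"eventName": "Beaconing Host", "sourceIp": "10.0.0.45", "eventId": 103},
]
# Flows related to each event; the upper-case and junk entries exercise the cleaning logic.
SAMPLE_FLOWS = {
    101: [{"fileHash": "a" * 64}, {"fileHash": "A" * 64}, {"fileHash": "not-a-hash"}],
    102: [{"fileHash": "b" * 64}],
    103: [{"fileHash": "c" * 64}],
}
# Constructed Secure Endpoint inventory: source IP -> connector GUID (placeholder values).
SAMPLE_SE_HOSTS = {"10.0.0.12": "CONNECTOR-GUID-PLACEHOLDER-1"}


def time_window(now: datetime | None = None, hours: int = 24) -> tuple[str, str]:
    """Step 3: look-back window as ISO 8601 UTC strings (start = now - 24h, end = now)."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (now - timedelta(hours=hours)).strftime(fmt), now.strftime(fmt)


def filter_events(events: list[dict], event_name: str) -> list[dict]:
    """Steps 4-5: keep only the events whose name matches the configured SNA Event Name."""
    return [e for e in events if e.get("eventName") == event_name]


def hashes_from_flows(flows: list[dict]) -> list[str]:
    """Step 7: collect SHA-256 digests from flow records; lower-case, validate, de-duplicate."""
    seen = set()
    for flow in flows:
        digest = str(flow.get("fileHash", "")).strip().lower()
        if SHA256_RE.match(digest):
            seen.add(digest)
    return sorted(seen)


@dataclass
class Plan:
    isolate: dict = field(default_factory=dict)      # source IP -> connector GUID to isolate
    not_found: list = field(default_factory=list)    # source IPs with no Secure Endpoint match
    hashes: list = field(default_factory=list)       # digests to add to both file lists
    lists: tuple = ()                                # (application list, SCD list) names


def build_plan(events, flows_by_event, se_hosts, event_name, app_list, scd_list) -> Plan:
    """Steps 6-7: decide which hosts to isolate and which hashes to block, without acting."""
    plan = Plan(lists=(app_list, scd_list))
    all_hashes: set[str] = set()
    for ev in filter_events(events, event_name):
        ip = ev["sourceIp"]
        if ip in se_hosts:
            plan.isolate[ip] = se_hosts[ip]
        elif ip not in plan.not_found:
            plan.not_found.append(ip)  # step 7: host lookup failed, so nothing to isolate
        all_hashes.update(hashes_from_flows(flows_by_event.get(ev["eventId"], [])))
    plan.hashes = sorted(all_hashes)
    return plan


def summary(plan: Plan, window: tuple[str, str]) -> str:
    """Step 8: the text that would be posted to the Webex Teams room."""
    lines = [f"SNA alarm response for {window[0]} to {window[1]}"]
    lines.append(f"Hosts isolated in Secure Endpoint: {', '.join(plan.isolate) or 'none'}")
    lines.append(f"Hosts not found in Secure Endpoint: {', '.join(plan.not_found) or 'none'}")
    lines.append(f"Hashes added to '{plan.lists[0]}' and '{plan.lists[1]}': {len(plan.hashes)}")
    return "\n".join(lines)


if __name__ == "__main__":
    window = time_window()
    plan = build_plan(SAMPLE_EVENTS, SAMPLE_FLOWS, SAMPLE_SE_HOSTS,
                      "Suspect Data Hoarding", "App Blocking List", "SCD List")
    print(summary(plan, window))
```

Running the block prints the summary for the constructed data: one host isolated, none unmatched, two distinct hashes (the upper-case duplicate collapses into the lower-case one and the malformed value is dropped). Hosts that SNA reports but Secure Endpoint does not know about are listed separately rather than silently skipped, which is the detail worth surfacing in the Webex summary when the real workflow runs.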

Configuration

  • Set the Secure Endpoint Application List Name local variable to the name of the application file list to add hashes to
  • Set the Secure Endpoint Simple Detection List Name local variable to the name of the SCD list to add hashes to
  • Set the SNA Event Name local variable to the name of the events you want to take action on
  • Add your SNA API username and password to SNA Username and SNA Password (or, if you have them stored in global variables, use the Fetch Global Variables group at the beginning of the workflow to update the local variables)
  • Set the SNA Tenant Name to the name of the tenant you want to work in
  • See this page for information on configuring the workflow for Webex Teams
  • By default, the workflow is configured to run every 24 hours using the 0032 - SNA - Isolate Endpoints and Block Hashes from Alarms schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
    • Open the workflow in the workflow editor
    • Scroll down to the Triggers section of the workflow’s properties and click Alarm Event Polling
    • Uncheck the Disable Trigger box and click Save

Targets

Target Group: Default TargetGroup

  • AMP_Target
    • Type: HTTP Endpoint
    • Details: Protocol: HTTPS; Host: api.amp.cisco.com; Path: /v1
    • Account Keys: AMP_Credentials
    • Notes: Created by default
  • Secure Network Analytics
    • Type: HTTP Endpoint
    • Details: Protocol: HTTPS; Host: your-sna-management-center.yourdomain; Path: None
    • Account Keys: None
  • Webex Teams
    • Type: HTTP Endpoint
    • Details: Protocol: HTTPS; Host: webexapis.com; Path: None
    • Account Keys: None
    • Notes: Not necessary if Webex Teams activities are removed

Account Keys

  • AMP_Credentials
    • Type: HTTP Basic Authentication
    • Details: Username: Client ID; Password: Client Secret
    • Notes: Created by default