
Isolate Endpoints and Block Hashes from Alarms

Workflow #0032

This workflow gets events from Cisco Secure Network Analytics (SNA) for the past 24 hours based on the event name provided. It then fetches associated flows and compiles information necessary to isolate related hosts and block file hashes in Cisco Secure Endpoint. At the end, a Webex Teams message is sent with a summary.

GitHub


Change Log

  • Jun 17, 2021: Initial release
  • Sep 10, 2021: Updated to use the new system atomics

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Secure Endpoint - Get Connector GUID
    • Secure Endpoint - Isolate Host
    • SNA - Get Flows by IP Addresses
    • SNA - Get Security Events by Name
    • SNA - Get Tenants
    • SNA - Get Tokens
    • Webex Teams - Post Message to Room
    • Webex Teams - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed below
  • A SecureX orchestration remote with connectivity to your Secure Network Analytics instance
  • (Optional) A Webex Teams access token and room name to post messages to
  • Cisco Secure Endpoint
  • Cisco Secure Network Analytics (SNA)

Workflow Steps

  1. Fetch global variables
  2. Get Secure Network Analytics tokens and tenant information
  3. Calculate dates and times
  4. Get security events from Secure Network Analytics
  5. Parse events to table
  6. Fetch file list information from Secure Endpoint
  7. For each security event:
    • Extract event attributes
    • Get related flows and parse out file hashes
    • Attempt to locate matching hosts in Secure Endpoint and, if found, isolate them
    • Convert the file hashes to a table and add each one to the file lists in Secure Endpoint
  8. Send a Webex Teams message with a summary

Configuration

  • Set the Secure Endpoint Application List Name local variable to the name of the application file list to add hashes to
  • Set the Secure Endpoint Simple Detection List Name local variable to the name of the SCD list to add hashes to
  • Set the SNA Event Name local variable to the name of the events you want to take action on
  • Add your Secure Network Analytics API username and password to SNA Username and SNA Password (or, if you have them stored in global variables, use the Fetch Global Variables group at the beginning of the workflow to update the local variables)
  • Set the SNA Tenant Name to the name of the tenant you want to work in
  • See this page for information on configuring the workflow for Webex Teams
  • By default, the workflow is configured to run every 24 hours using the 0032 - SNA - Isolate Endpoints and Block Hashes from Alarms schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
    • Open the workflow in the workflow editor
    • Scroll down to the Triggers section of the workflow’s properties and click Alarm Event Polling
    • Uncheck the Disable Trigger box and click Save

Targets

Note: If your Secure Network Analytics deployment is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.

Target Group: Default TargetGroup

  • AMP_Target
    • Type: HTTP Endpoint
    • Details: Protocol: HTTPS; Host: api.amp.cisco.com; Path: /v1
    • Account Keys: AMP_Credentials
    • Notes: Created by default
  • Secure Network Analytics
    • Type: HTTP Endpoint
    • Details: Protocol: HTTPS; Host: your-sna-management-center.yourdomain; Path: None
    • Account Keys: None
    • Notes: None
  • Webex Teams
    • Type: HTTP Endpoint
    • Details: Protocol: HTTPS; Host: webexapis.com; Path: None
    • Account Keys: None
    • Notes: Not necessary if Webex Teams activities are removed

Account Keys

  • AMP_Credentials
    • Type: HTTP Basic Authentication
    • Details: Username: Client ID; Password: Client Secret
    • Notes: Created by default