Isolate Endpoints and Block Hashes from Alarms
Workflow #0032
This workflow gets events from Cisco Secure Network Analytics (SNA) for the past 24 hours based on the event name provided. It then fetches associated flows and compiles information necessary to isolate related hosts and block file hashes in Cisco Secure Endpoint. At the end, a Webex message is sent with a summary.
Change Log
| Date | Notes |
|---|---|
| Jun 17, 2021 | - Initial release |
| Sep 10, 2021 | - Updated to use the new system atomics |
| Sep 7, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- Secure Endpoint - Get Connector GUID
- Secure Endpoint - Isolate Host
- Secure Network Analytics - Get Flows by IP Addresses
- Secure Network Analytics - Get Security Events by Name
- Secure Network Analytics - Get Tenants
- Secure Network Analytics - Get Tokens
- Webex - Post Message to Room
- Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
- None
- The targets and account keys listed at the bottom of the page
- A SecureX orchestration remote with connectivity to your Secure Network Analytics instance
- Cisco Secure Endpoint
- Cisco Secure Network Analytics (SNA)
- (Optional) Cisco Webex
Workflow Steps
- Fetch global variables
- Get Secure Network Analytics tokens and tenant information
- Calculate dates and times
- Get security events from Secure Network Analytics
- Parse events to table
- Fetch file list information from Secure Endpoint
- For each security event:
- Extract event attributes
- Get related flows and parse out file hashes
- Attempt to locate matching hosts in Secure Endpoint and, if found, isolate them
- Conver the file hashes to a table and add each one to the file lists in Secure Endpoint
- Send a Webex message with a summary
Configuration
- Set the
Secure Endpoint Application List Namelocal variable to the name of the application file list to add hashes to - Set the
Secure Endpoint Simple Detection List Namelocal variable to the name of the SCD list to add hashes to - Set the
SNA Event Namelocal variable to the name of the events you want to take action on - Add your Secure Network Analytics API username and password to
SNA UsernameandSNA Password(or, if you have them stored in global variables, use theFetch Global Variablesgroup at the beginning of the workflow to update the local variables) - Set the
SNA Tenant Nameto the name of the tenant you want to work in - See this page for information on configuring the workflow for Webex
- By default, the workflow is configured to run every 24 hours using the 0032 - SNA - Isolate Endpoints and Block Hashes from Alarms schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
- Open the workflow in the workflow editor
- Scroll down to the Triggers section of the workflow’s properties and click Alarm Event Polling
- Uncheck the Disable Trigger box and click Save
Targets
Note: If your Secure Network Analytics deployment is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| AMP_Target | HTTP Endpoint | Protocol: HTTPSHost: api.amp.cisco.comPath: /v1 | AMP_Credentials | Created by default |
| Secure Network Analytics | HTTP Endpoint | Protocol: HTTPSHost: your-sna-management-center.yourdomainPath: None | None | |
| Webex Teams | HTTP Endpoint | Protocol: HTTPSHost: webexapis.comPath: None | None | Not necessary if Webex activities are removed |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| AMP_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |