Generate Casebook with Top Hosts and Peers
Workflow #0034
Response Workflow
This workflow fetches the top 10 hosts and the top 10 peers that communicated with the IP address being pivoted on, using Cisco Secure Network Analytics (SNA). Both lists of IPs are then added to a SecureX casebook. Supported observable: ip
This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
Change Log
Date | Notes |
---|---|
Jun 17, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Sep 7, 2022 | - Updated to support SecureX Tokens |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Secure Network Analytics - Get Tenants
  - Secure Network Analytics - Get Tokens
  - Secure Network Analytics - Get Top Hosts by IP Address
  - Secure Network Analytics - Get Top Peers by IP Address
  - Threat Response - Create Casebook
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- A SecureX orchestration remote with connectivity to your Secure Network Analytics instance
- Cisco Secure Network Analytics (SNA)
Workflow Steps
- Make sure the observable type provided is supported
- Fetch global variables
- Calculate date 24 hours ago
- Get Secure Network Analytics tokens and tenant information
- Fetch and parse the top peers
- Fetch and parse the top hosts
- Make sure at least one of the queries returned data
- Create a casebook in SecureX
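As an added illustration of the steps above (example code written for this page, not part of the workflow or of Cisco's own code), the following Python models the local logic that sits between the SNA queries and the casebook: the observable-type check, the 24-hour lookback, the "at least one query returned data" guard, and merging the two top-10 lists into casebook observables. The SNA responses are constructed sample data, and merging duplicates across the two lists is an assumption of this example; in the real workflow the queries are performed by the system atomics.

```python
from datetime import datetime, timedelta, timezone
import ipaddress

SUPPORTED_TYPES = {"ip"}  # the pivot is only offered for IP observables

def lookback_window(now=None, hours=24):
    """Step 3: return (start, end) ISO-8601 timestamps covering the last 24 hours."""
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(hours=hours)
    return start.isoformat(), end.isoformat()

def check_observable(observable):
    """Step 1: reject unsupported observable types and malformed IP values
    before any SNA query is issued."""
    if observable.get("type") not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported observable type: {observable.get('type')!r}")
    ipaddress.ip_address(observable["value"])  # raises ValueError on a bad address
    return observable["value"]

def build_casebook_observables(top_hosts, top_peers, limit=10):
    """Steps 5-8: merge the top-N host and peer lists into casebook observables.
    Order is preserved, duplicates across the two lists are dropped (assumption),
    and [] is returned when neither query returned data, which the workflow
    treats as 'nothing to add'."""
    if not top_hosts and not top_peers:
        return []
    seen, observables = set(), []
    for ip in top_hosts[:limit] + top_peers[:limit]:
        ipaddress.ip_address(ip)  # never pass unvalidated strings into the casebook
        if ip in seen:
            continue
        seen.add(ip)
        observables.append({"type": "ip", "value": ip})  # CTIM observable shape
    return observables

# Constructed sample output standing in for the parsed SNA atomic responses.
SAMPLE_HOSTS = ["10.0.0.5", "10.0.0.7", "192.0.2.10"]
SAMPLE_PEERS = ["192.0.2.10", "198.51.100.3", "10.0.0.5"]

def run(observable, top_hosts=SAMPLE_HOSTS, top_peers=SAMPLE_PEERS):
    """Assemble the casebook request body for the pivoted observable."""
    pivot = check_observable(observable)
    start, end = lookback_window()
    return {"title": f"Top hosts and peers for {pivot}",
            "window": [start, end],
            "observables": build_casebook_observables(top_hosts, top_peers)}

if __name__ == "__main__":
    print(run({"type": "ip", "value": "203.0.113.9"}))
```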
Configuration
- Add your Secure Network Analytics API username and password to "SNA Username" and "SNA Password" (or, if you have them stored in global variables, use the "Fetch Global Variables" group at the beginning of the workflow to update the local variables)
- Set "SNA Tenant Name" to the name of the tenant you want to work in
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Note: If your Secure Network Analytics deployment is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS Host: private.intel.amp.cisco.com Path: None | CTR_Credentials | Created by default |
Secure Network Analytics | HTTP Endpoint | Protocol: HTTPS Host: your-sna-management-center.yourdomain Path: None | None | |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | SecureX Token | See this page | |