
Generate Casebook with Top Hosts and Peers

Workflow #0034

Response Workflow

When triggered, this workflow queries Secure Network Analytics for the top 10 hosts and peers that communicated with the IP address being pivoted on. The resulting lists of IPs are then added to a SecureX Threat Response casebook.

Hint: If you want to change the name of this workflow in the pivot menu, change its display name.



Requirements


Workflow Steps

  1. Make sure the observable type provided is supported
  2. Fetch global variables
  3. Calculate date 24 hours ago
  4. Get SNA tokens and tenant information
  5. Fetch and parse the top peers
  6. Fetch and parse the top hosts
  7. Make sure at least one of the queries returned data
  8. Create a casebook in SecureX
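
The checks in steps 1, 3, 7 and 8, shown in Python as an added example (not the workflow's own code). The SNA calls of steps 4 to 6 are left out and their parsed results are passed in as lists; the function names, the casebook title and the casebook field names are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

SUPPORTED_TYPES = {"ip"}  # assumption: only IP observables are accepted


def window_start(now, hours=24):
    """Step 3: UTC timestamp `hours` before `now`, for the query window."""
    return (now - timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")


def clean_ips(raw, limit=10):
    """Keep at most `limit` unique values that parse as IP addresses."""
    out = []
    for value in raw:
        try:
            ip = str(ipaddress.ip_address(str(value).strip()))
        except ValueError:
            continue  # never copy unparsed API output into a case record
        if ip not in out:
            out.append(ip)
    return out[:limit]


def build_casebook(obs_type, obs_value, top_hosts, top_peers, now):
    """Return a casebook body, or None when neither query returned data."""
    if obs_type not in SUPPORTED_TYPES:  # step 1
        raise ValueError(f"unsupported observable type: {obs_type}")
    pivot = str(ipaddress.ip_address(obs_value))
    hosts, peers = clean_ips(top_hosts), clean_ips(top_peers)
    if not hosts and not peers:  # step 7
        return None
    merged = list(dict.fromkeys(hosts + peers))  # de-duplicate, keep order
    return {  # step 8; field names are assumed, not read from the workflow
        "type": "casebook",
        "title": f"Top hosts and peers for {pivot}",
        "short_description": f"SNA results since {window_start(now)}",
        "observables": [{"type": "ip", "value": ip} for ip in merged],
    }


if __name__ == "__main__":
    # Constructed sample data standing in for parsed SNA results.
    now = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
    print(build_casebook("ip", "10.0.0.5", ["10.0.0.7", "bad"], ["192.0.2.9"], now))
```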

Configuration

  • Add your SNA API username and password to SNA Username and SNA Password (or, if you have them stored in global variables, use the Fetch Global Variables group at the beginning of the workflow to update the local variables)
  • Set the SNA Tenant Name to the name of the tenant you want to work in
  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | CTR_Credentials | Created by default |
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None | None | Created by default |
| Secure Network Analytics | HTTP Endpoint | Protocol: HTTPS; Host: your-sna-management-center.yourdomain; Path: None | None | |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| CTR_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |