Repeat Incident Alerting
Workflow #0070
This workflow sends alerts via Webex if a specific quantity of similar incidents is generated in SecureX within a specified period of time. Alerting can be done for all incidents (by leaving “Aggregation Field” blank) or by aggregating incidents by a certain field (specified in “Aggregation Field”).
This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
Change Log
Date | Notes |
---|---|
Aug 16, 2022 | - Initial release |
Sep 7, 2022 | - Updated to support SecureX Tokens |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Threat Response - Search Incidents
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- (Optional) Cisco Webex
Workflow Steps
- Fetch global variables and detect region
- Calculate/format the date to search from
- Search incidents
- Aggregate the results and generate a list of alerts to send
- For each alert generated, send a Webex message
Configuration
- This workflow is designed to run on a schedule. You need to create a schedule and then add it as a trigger within the workflow
- Set the “Aggregation Field” local variable to the field to aggregate the number of incidents by. If you leave this blank, all incidents will count towards the threshold. If you provide a field here, such as “title,” an alert will only generate if there are “Alert Threshold” incidents with the same “Aggregation Field” in “Time Period”
- Set the “Alert Threshold” local variable to the number of incidents that must occur within the “Time Period” before an alert is generated
- Set the “Time Period” local variable to the number of minutes within which to aggregate results. As in, if there are “Alert Threshold” incidents within this time period an alert will be generated
- See this page for information on configuring the workflow for Webex
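The aggregation rule the three local variables describe, written out as an added Python example (this is not the workflow's own logic, which runs inside SecureX Orchestration; the incident records, the “current time” and the message wording are constructed for illustration). It mirrors workflow steps 2, 4 and 5: compute the date to search from, bucket the incidents returned by the search, and produce one alert per bucket that reaches the threshold. A blank aggregation field counts every incident in the window toward a single threshold, exactly as the configuration notes state.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample incidents (not real SecureX data); only the fields the
# aggregation needs are included. Timestamps are ISO 8601 in UTC.
SAMPLE_INCIDENTS = [
    {"id": "inc-1", "title": "Malware detected", "created": "2022-09-07T10:05:00Z"},
    {"id": "inc-2", "title": "Malware detected", "created": "2022-09-07T10:20:00Z"},
    {"id": "inc-3", "title": "Malware detected", "created": "2022-09-07T10:45:00Z"},
    {"id": "inc-4", "title": "Phishing email", "created": "2022-09-07T10:30:00Z"},
    {"id": "inc-5", "title": "Malware detected", "created": "2022-09-07T09:30:00Z"},
    {"id": "inc-6", "title": "Phishing email", "created": "2022-09-07T10:50:00Z"},
]
NOW = datetime(2022, 9, 7, 11, 0, tzinfo=timezone.utc)  # constructed "current time"


def parse_timestamp(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def search_from(now, time_period):
    """Workflow step 2: the date to search from is 'now' minus Time Period (minutes)."""
    return now - timedelta(minutes=time_period)


def generate_alerts(incidents, now, time_period, alert_threshold, aggregation_field=""):
    """Workflow step 4: aggregate incidents and return the alerts that cross the threshold.

    A blank aggregation_field means every incident in the window counts toward a
    single threshold; otherwise incidents are bucketed by that field's value.
    """
    start = search_from(now, time_period)
    in_window = [i for i in incidents if parse_timestamp(i["created"]) >= start]

    if not aggregation_field:
        if len(in_window) >= alert_threshold:
            return [{"field": None, "value": None, "count": len(in_window)}]
        return []

    # Incidents missing the field land in a None bucket rather than being dropped,
    # so a misspelt field name shows up as an alert instead of silently producing none.
    counts = Counter(i.get(aggregation_field) for i in in_window)
    return [
        {"field": aggregation_field, "value": value, "count": count}
        for value, count in sorted(counts.items(), key=lambda kv: str(kv[0]))
        if count >= alert_threshold
    ]


def format_message(alert, time_period):
    """Workflow step 5: the text one Webex message would carry for one alert (constructed wording)."""
    if alert["field"] is None:
        return (f"{alert['count']} incidents were created in SecureX in the "
                f"last {time_period} minutes")
    return (f"{alert['count']} incidents with {alert['field']} = "
            f"{alert['value']!r} were created in SecureX in the last {time_period} minutes")


if __name__ == "__main__":
    # Aggregation Field = "title", Alert Threshold = 3, Time Period = 60 minutes
    for alert in generate_alerts(SAMPLE_INCIDENTS, NOW, 60, 3, "title"):
        print(format_message(alert, 60))
```

With the sample data and a 60-minute window, “Malware detected” has three incidents inside the window (inc-5 falls outside it) and “Phishing email” has two, so a threshold of 3 on “title” yields exactly one alert, while a blank aggregation field and a threshold of 5 yields one alert covering all five in-window incidents.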
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS Host: private.intel.amp.cisco.com Path: None | CTR_Credentials | Created by default |
Webex Teams | HTTP Endpoint | Protocol: HTTPS Host: webexapis.com Path: None | None | Not necessary if Webex activities are removed |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | SecureX Token | See this page | |