Skip to main content Link Menu Expand (external link) Document Search Copy Copied

Get New Blog Posts

Workflow #0001

This workflow consumes the Talos Intelligence Blog RSS feed and converts individual blog posts into Cisco SecureX casebooks if they contain suspicious observables. These casebooks can then be investigated with one click in Cisco Threat Response.

This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.

GitHub


Important Note

This workflow has two components: a parent workflow and a sub-workflow. Importing the parent will import both. We also provide the sub-workflow separately as Talos - Single Blog Post to SecureX Casebook.


Change Log

Date Notes
Nov 24, 2020 - Initial release
Feb 20, 2021 - Updated to use new sub-workflow based on updated workflow 0002
- Updated to use new Threat Response atomics
- Fixed an issue where the Threat Response token could expire during investigation (Issue #2)
- Added auto-detection for the Threat Response environment URL
- Changed how the Webex message and casebook summary are generated to be more reliable and useful
Jun 24, 2021 - Updated the user agent header being used to fetch blog posts from Talos
Sep 10, 2021 - Updated to use the new system atomics
Nov 12, 2021 - Updated the workflow based on a change to the Talos blog XML (The origLink field is now called link)
Apr 5, 2022 - Fixed the Post URL link markdown for the SecureX casebook
Jul 25, 2022 - Updated to handle the new Talos blog feed format (Issue #177)
Aug 31, 2022 - Updated to support SecureX Tokens
Nov 8, 2022 - Updated to use the new Talos RSS feed
Nov 14, 2022 - Updated to stop trimming blog post titles

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Threat Response - Create Casebook
    • Threat Response - Deliberate Observable
    • Threat Response - Enrich Observable
    • Threat Response - Inspect for Observables
    • Webex - Search for Room
    • Webex - Post Message to Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • (Optional) Cisco Webex

Workflow Steps

This workflow is designed to run on a schedule to periodically check the Talos blog for new posts.

  1. Get the RSS feed XML
  2. If the Etag is the same or there aren’t any recent updates, end the workflow
  3. Get the updated Etag and Last-Modified headers
  4. Convert the feed XML into JSON and parse out each post’s information
  5. For each blog post:
    • Check if the post has been updated since the last run of the workflow (if not, skip it)
    • Run a sub-workflow to parse the single blog post
  6. Update the global variables with the new Etag and Last-Modified date

Sub-Workflow Steps

These steps are executed for each new or updated blog post the parent workflow discovers on the Talos blog.

  1. Fetch the blog post content and strip out any HTML
  2. Inspect the blog post content for observables
  3. Loop through each observable and get its Threat Response disposition
  4. For observables that weren’t clean, conduct Threat Response enrichment to get sightings
  5. For modules with sightings, build the text to post to Webex
  6. Create the SecureX casebook and, if a teams room is provided, post a message to Webex

Configuration

  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
  • See this page for information on configuring the workflow for Webex

Targets

Parent Workflow

Target Name Type Details Account Keys Notes
Talos Blog RSS HTTP Endpoint Protocol: HTTPS
Host: blog.talosintelligence.com
Path: /rss/
None  

Sub-Workflow

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
CTR_API HTTP Endpoint Protocol: HTTPS
Host: visibility.amp.cisco.com
Path: /iroh
CTR_Credentials Created by default
Private_CTIA_Target HTTP Endpoint Protocol: HTTPS
Host: private.intel.amp.cisco.com
Path: None
None Created by default
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None
None Not necessary if Webex activities are removed

Account Keys

Sub-Workflow

Account Key Name Type Details Notes
CTR_Credentials SecureX Token   See this page