Single Blog Post to SecureX Casebook
Workflow #0002
This workflow takes a Talos blog post, conducts an investigation into it using Cisco Threat Response, and then puts the results in a SecureX casebook. If a Webex room name and bot token are provided, a message with the investigation’s results will be sent.
Important Note
This workflow is an adaptation of the sub-workflow used by the Talos - Get New Blog Posts workflow. Modifying this workflow won’t cause any issues with the other Talos workflow as it’s completely separate. We’re providing this workflow separately in case you want to adapt it for something else or play with it without the complexity of the parent workflow.
Change Log
Date | Notes |
---|---|
Nov 24, 2020 | - Initial release |
Feb 5, 2021 | - Updated to use new Threat Response atomics - Fixed an issue where the Threat Response token could expire during investigation (Issue #2) - Added auto-detection for the Threat Response environment URL - Changed how the Webex message and casebook summary are generated to be more reliable and useful |
Jun 24, 2021 | - Updated the user agent header being used to fetch blog posts from Talos |
Sep 10, 2021 | - Updated to use the new system atomics |
Aug 31, 2022 | - Updated to support SecureX Tokens |
Nov 8, 2022 | - Minor fix to error generation in one of the Python scripts |
Nov 14, 2022 | - Updated to stop trimming blog post titles |
Feb 16, 2023 | - Minor tweak to how blog posts are stripped of HTML (Issue #230) |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Threat Response - Create Casebook
  - Threat Response - Deliberate Observable
  - Threat Response - Enrich Observable
  - Threat Response - Inspect for Observables
  - Webex - Search for Room
  - Webex - Post Message to Room
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- (Optional) Cisco Webex
Workflow Steps
This workflow is designed to parse a single blog post into a casebook.
- Fetch the blog post content and strip out any HTML
- Inspect the blog post content for observables
- Loop through each observable and get its Threat Response disposition
- For observables that weren’t clean, conduct Threat Response enrichment to get sightings
- For modules with sightings, build the text to post to Webex
- Create the SecureX casebook and, if a Webex Teams room is provided, post a message to Webex
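The local parts of the steps above, written out as an added Python example. This is not code from the workflow, which runs each step as a SecureX orchestration atomic; here the regex extraction stands in for the Inspect atomic, and the disposition and sighting lookups are constructed sample data standing in for the Deliberate and Enrich calls. The blog post, indicators, dispositions and sighting counts are all constructed for the example, and the refanging of `hxxp://` and `[.]` is an assumption about how indicators appear in the post text.

```python
"""Blog post -> observables -> triage -> summary, with constructed sample data."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

Observable = Dict[str, str]                 # {"type": ..., "value": ...}
DispositionMap = Dict[Tuple[str, str], str]  # (type, value) -> disposition


class _VisibleText(HTMLParser):
    """Collect text nodes, skipping <script>/<style> bodies; entities are decoded."""

    def __init__(self) -> None:
        super().__init__()
        self._skip_depth = 0
        self.parts: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def strip_html(markup: str) -> str:
    """Step 1: reduce the fetched post to plain text with whitespace collapsed."""
    parser = _VisibleText()
    parser.feed(markup)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip()


def refang(text: str) -> str:
    """Undo common defanging (assumed format) so indicators become matchable."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


# Order matters: URLs are blanked out before IPs/domains are matched, so a host
# that only appears inside a URL is not reported a second time.
_PATTERNS = [
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
]


def _valid_ipv4(value: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in value.split("."))


def extract_observables(text: str) -> List[Observable]:
    """Step 2 (local stand-in for the Inspect atomic): find and dedupe indicators."""
    text = refang(text)
    found: List[Observable] = []
    seen = set()
    for obs_type, pattern in _PATTERNS:
        for match in pattern.findall(text):
            if obs_type == "ip" and not _valid_ipv4(match):
                continue
            key = (obs_type, match.lower())
            if key not in seen:
                seen.add(key)
                found.append({"type": obs_type, "value": match})
        text = pattern.sub(" ", text)  # blank out so later patterns skip it
    return found


def observables_needing_enrichment(observables: List[Observable],
                                   dispositions: DispositionMap) -> List[Observable]:
    """Steps 3-4: keep every observable whose disposition is not Clean."""
    keep: List[Observable] = []
    for obs in observables:
        disposition = dispositions.get((obs["type"], obs["value"]), "Unknown")
        if disposition.lower() != "clean":
            keep.append({**obs, "disposition": disposition})
    return keep


def build_summary(title: str, triaged: List[Observable], sightings: Dict[str, int]) -> str:
    """Step 5: the text that would go into the Webex message and casebook description."""
    lines = [f"Investigation: {title}", f"{len(triaged)} non-clean observable(s)"]
    for obs in triaged:
        count = sightings.get(obs["value"], 0)
        lines.append(f"- {obs['type']} {obs['value']} ({obs['disposition']}, {count} sighting(s))")
    return "\n".join(lines)


# Constructed sample post and constructed Threat Response results (not real data).
SAMPLE_POST = (
    "<html><head><style>p{color:red}</style></head><body>"
    "<h1>Example loader campaign</h1>"
    "<p>The loader beacons to hxxp://evil-update[.]example/check and to 203[.]0[.]113[.]7. "
    "Second stage is hosted on bad-cdn[.]example. Payload SHA256: "
    "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b</p>"
    "<script>alert(1)</script></body></html>"
)
SAMPLE_DISPOSITIONS: DispositionMap = {
    ("url", "http://evil-update.example/check"): "Malicious",
    ("sha256", "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"): "Malicious",
    ("ip", "203.0.113.7"): "Clean",
    ("domain", "bad-cdn.example"): "Suspicious",
}
SAMPLE_SIGHTINGS = {"http://evil-update.example/check": 3, "bad-cdn.example": 1}

if __name__ == "__main__":
    observables = extract_observables(strip_html(SAMPLE_POST))
    triaged = observables_needing_enrichment(observables, SAMPLE_DISPOSITIONS)
    print(build_summary("Example loader campaign", triaged, SAMPLE_SIGHTINGS))
```

The clean IP drops out before the enrichment step, exactly as the workflow's fourth step describes, so only the three non-clean indicators appear in the summary. In the real workflow the `dispositions` and `sightings` inputs come back from the Deliberate and Enrich atomics rather than from the constructed dictionaries used here.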
Configuration
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
CTR_API | HTTP Endpoint | Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh | CTR_Credentials | Created by default |
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS Host: private.intel.amp.cisco.com Path: None | None | Created by default |
Webex Teams | HTTP Endpoint | Protocol: HTTPS Host: webexapis.com Path: None | None | Not necessary if Webex activities are removed |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | SecureX Token | See this page | |