Link Search Menu Expand Document

Single Blog Post to SecureX Casebook

Workflow #0002

This workflow parses a single Talos blog post and converts it into a SecureX casebook. This casebook can then be investigated with one click in Threat Response.

GitHub


Important Note

This workflow is an adaptation of the sub-workflow used by the Talos - Get New Blog Posts workflow. Modifying this workflow won’t cause any issues with the other Talos workflow as it’s completely separate. We’re providing this workflow separately in case you want to adapt it for something else or play with it without the complexity of the parent workflow.


Change Log

Date Notes
Nov 24, 2020 - Initial release
Feb 5, 2021 - Updated to use new Threat Response v2 atomics
- Fixed an issue where the Threat Response token could expire during investigation (Issue #2)
- Added auto-detection for the Threat Response environment URL
- Changed how the Webex message and casebook summary are generated to be more reliable and useful
Jun 24, 2021 - Updated the user agent header being used to fetch blog posts from Talos

See the Important Notes page for more information about updating workflows


Requirements

Important Notes

  • The latest version of this workflow uses new Threat Response v2 atomic actions. You may need to import these before updating the workflow.
  • You may have an old version of the Webex Teams - Post Message to Room atomic. To ensure the best experience with this workflow, be sure to import the latest version of this atomic from the GitHub_Target_Atomics repository!

Workflow Steps

This workflow is designed to parse a single blog post into a casebook.

  1. Fetch the blog post content and strip out any HTML
  2. Request a Threat Response access token and inspect the blog post content for observables
  3. Loop through each observable and get its Threat Response disposition
  4. For observables that weren’t clean, conduct Threat Response enrichment to get sightings
  5. For modules with sightings, build the text to post to Webex
  6. Create the Threat Response casebook and, if a teams room is provided, post a message to Webex

Configuration

  • See this page for information on configuring the workflow for Webex Teams

Targets

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
CTR_For_Access_Token HTTP Endpoint Protocol: HTTPS
Host: visibility.amp.cisco.com
Path: /iroh
CTR_Credentials Created by default
CTR_API HTTP Endpoint Protocol: HTTPS
Host: visibility.amp.cisco.com
Path: /iroh
None Created by default
Private_CTIA_Target HTTP Endpoint Protocol: HTTPS
Host: private.intel.amp.cisco.com
Path: None
None Created by default
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None
None Not necessary if Webex Teams activities are removed

Account Keys

Account Key Name Type Details Notes
CTR_Credentials HTTP Basic Authentication Username: Client ID
Password: Client Secret
Created by default