SolarWinds Investigation
Workflow #0011
This workflow uses a Talos blog post about the SolarWinds supply chain attack as a source of intelligence. Using observables extracted from the blog post, it conducts an investigation and looks for sightings within your environment. If there are sightings, a variety of actions are taken including creating a Cisco SecureX incident and casebook, creating a ServiceNow incident, sending a Webex message, sending a message on Slack, and sending an email. The workflow also supports automated remediation (with approval). If the resulting approval task is approved, unknown or suspicious file hashes and domains are blocked using Cisco Secure Endpoint and Umbrella respectively. If there are any target endpoints, Cisco Orbital is used to take a forensic snapshot and Secure Endpoint is used to enable host isolation.
Change Log
Date | Notes |
---|---|
Jan 22, 2021 | - Initial release |
Jun 24, 2021 | - Updated the user agent header being used to fetch blog posts from Talos |
Sep 10, 2021 | - Updated to use the new system atomics |
Aug 31, 2022 | - Updated to support SecureX Tokens |
Feb 16, 2023 | - Minor tweak to how blog posts are stripped of HTML (Issue #230) |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- Orbital - Query Endpoint
- Threat Response - Create Casebook
- Threat Response - Create Incident
- Threat Response - Create Relationship
- Threat Response - Deliberate Observable
- Threat Response - Enrich Observable
- Threat Response - Generate Access Token
- Threat Response - Inspect for Observables
- Threat Response - List Response Actions
- Threat Response - Trigger Response Action
- Webex - Post Message to Room
- Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
- ServiceNow - Add Work Note to Incident (CiscoSecurity_Atomics)
- ServiceNow - Create Incident (CiscoSecurity_Atomics)
- Slack - Send Message to Channel (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint with Orbital
- Cisco Umbrella
- (Optional) Cisco Webex
- (Optional) A Slack access token and a channel name to post messages to
- ServiceNow
Workflow Steps
- Fetch any necessary global variables and set the environment URLs for SecureX and Threat Response
- Fetch the blog post content and strip out any HTML
- Inspect the blog post content for observables
- Loop through each observable and get its Threat Response disposition
- For observables that weren’t clean, conduct Threat Response enrichment to get sightings
- For modules with sightings, extract the sightings and targets for use later
- Generate a summary of the workflow’s findings in HTML (for email and ServiceNow), markdown (for Webex and Threat Response), and mrkdwn (for Slack)
- Create a ServiceNow incident ticket
- Create the SecureX casebook and incident
- Add a work note to the ServiceNow incident with a link to investigate in Threat Response
- Generate the text for an approval task and request automated remediation
- Send notifications:
- Webex
- Slack
- Wait for the approval task to be completed
- If completed and approved:
- Fetch the Cisco Secure Endpoint and Umbrella module instance IDs from Threat Response
- Loop through each observable:
- If it’s a file hash, add it to the Secure Endpoint simple custom detections list using Threat Response
- If it’s a domain, block it in Umbrella using Threat Response
- Loop through each target:
- Fetch an access token for Orbital (using the Threat Response - Generate Access Token atomic)
- Request a forensic snapshot of the endpoint using Cisco Orbital
- Isolate the endpoint using Secure Endpoint
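The first workflow steps above (strip the post's HTML, find observables, keep only the ones Threat Response did not call Clean) as an added Python example. This is not code from workflow #0011 or from Cisco: the blog HTML and the deliberate response are constructed samples, and local regular expressions stand in for the Threat Response - Inspect for Observables atomic, so it runs offline and the filtering logic can be checked before wiring it to the real APIs.

```python
"""Observable extraction and disposition filtering for a Talos post.

Added example, not code from workflow #0011 or from Cisco: it re-does the
first workflow steps (strip HTML, find observables, drop the ones Threat
Response calls Clean) locally, so the logic can be checked offline.
Assumptions not on the page: the blog HTML and the deliberate response
below are constructed samples, and regular expressions stand in for the
Threat Response - Inspect for Observables atomic.
"""
import re
from html.parser import HTMLParser

# Placeholder indicator values (constructed, not real SolarWinds IOCs).
HASH = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
IP = "203.0.113.10"

# Constructed sample of a Talos-style post body, with a defanged domain and a
# script tag whose contents must not be treated as post text.
SAMPLE_HTML = f"""<html><body><h1>Supply chain attack</h1>
<p>The trojanized DLL had SHA256 <code>{HASH}</code> and resolved
<b>example-c2[.]test</b> to {IP} (seen again later as {IP}).</p>
<script>var tracker = "do-not-extract.example";</script>
</body></html>"""

# Threat Response disposition codes: 1 Clean, 2 Malicious, 3 Suspicious,
# 4 Common, 5 Unknown. Only Clean lets an observable be dropped.
CLEAN = 1


class _TextExtractor(HTMLParser):
    """Collect text nodes, skipping <script>/<style> bodies that a naive
    tag-stripping regex would keep."""

    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def strip_html(html):
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.parts)


# Observable types this workflow acts on (file hashes, domains) plus IPv4,
# using the type names Threat Response expects in an observables list.
_PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]


def extract_observables(text):
    """Return de-duplicated [{"type": ..., "value": ...}] dicts, refanging
    the 'example[.]test' convention Talos posts use before matching."""
    text = text.replace("[.]", ".")
    seen, found = set(), []
    for otype, pattern in _PATTERNS:
        for value in pattern.findall(text):
            key = (otype, value.lower())
            if key not in seen:
                seen.add(key)
                found.append({"type": otype, "value": value.lower()})
    return found


# Constructed deliberate response: the hash is Malicious, the IP is Clean and
# the domain received no verdict at all.
SAMPLE_DELIBERATE = {"data": [{"module": "File Reputation", "data": {"verdicts": {
    "count": 2, "docs": [
        {"observable": {"type": "sha256", "value": HASH}, "disposition": 2,
         "disposition_name": "Malicious"},
        {"observable": {"type": "ip", "value": IP}, "disposition": 1,
         "disposition_name": "Clean"},
    ]}}}]}


def non_clean_observables(observables, deliberate):
    """Keep every observable unless all verdicts for it say Clean. An
    observable with no verdict is kept: no answer is not a clean answer."""
    verdicts = {}
    for module in deliberate.get("data", []):
        docs = module.get("data", {}).get("verdicts", {}).get("docs", [])
        for doc in docs:
            key = (doc["observable"]["type"], doc["observable"]["value"])
            verdicts.setdefault(key, set()).add(doc["disposition"])
    return [o for o in observables
            if verdicts.get((o["type"], o["value"]), set()) != {CLEAN}]


if __name__ == "__main__":
    found = extract_observables(strip_html(SAMPLE_HTML))
    for o in non_clean_observables(found, SAMPLE_DELIBERATE):
        print(o["type"], o["value"])
```

The point worth checking before trusting any automated block list built this way is the treatment of observables that get no verdict: the workflow enriches everything that "wasn't clean", so an observable nobody vouched for must flow on to enrichment and the approval task rather than silently disappear, which is why the filter only drops an observable when every verdict for it is Clean.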
Configuration
Local Variables
- Set the Email Addresses to Notify variable to the email addresses you want notifications sent to
- Set the ServiceNow Instance URL variable to the URL of your instance (for example: mycompany.service-now.com). If you don't want to use ServiceNow, you need to disable all of the ServiceNow activities and then remove any references to them
- If you want to use Slack:
- Provide the workflow your Slack API token by either:
- Storing your token in a global variable and using the Fetch Global Variables group at the beginning of the workflow to update the Slack Token local variable; or
- Removing the Slack Token from the Fetch Global Variables group and adding your token directly to the Slack Token local variable
- Set the Slack Channel variable to the name of the channel you want messages sent to
- See this page for information on configuring the workflow for Webex
Activities
- Set the Service Now User ID on the ServiceNow - Create Incident activity
- Update the SolarWinds remediation approval activity with a Task Requestor, a Task Owner, and one or more Task Assignees
- If your Cisco Secure Endpoint module isn't named AMP for Endpoints in SecureX, you need to update the JSONPath Query on the Extract Secure Endpoint Actions activity with your module's name
- If your Cisco Umbrella module isn't named Umbrella in SecureX, you need to update the JSONPath Query on the Extract Umbrella Actions activity with your module's name
Targets
Target Group: Default TargetGroup
By default, the Default TargetGroup may not include SMTP Endpoint targets. If this is the case, you will need to update the target group and add SMTP Endpoint to the target types included. More information about target groups can be found here.
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
CTR_API | HTTP Endpoint | Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh | CTR_Credentials | Created by default |
Email Endpoint | SMTP Endpoint | Configured for your SMTP server | Email Credentials account key | |
Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh | Orbital_Credentials | Created by default |
Orbital_Target | HTTP Endpoint | Protocol: HTTPS Host: orbital.amp.cisco.com Path: /v0 | None | Created by default |
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS Host: private.intel.amp.cisco.com Path: None | CTR_Credentials | Created by default |
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Slack | HTTP Endpoint | Protocol: HTTPS Host: slack.com Path: /api | None | Not necessary if Slack activities are removed |
Webex Teams | HTTP Endpoint | Protocol: HTTPS Host: webexapis.com Path: None | None | Not necessary if Webex activities are removed |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | SecureX Token | See this page | |
Email Credentials | Email Credentials | Username: Mailbox Username Password: Mailbox Password | |
Orbital_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password | |