On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

SolarWinds Investigation

Workflow #0011

This workflow uses a Talos blog post about the SolarWinds supply chain attack as a source of intelligence. Using observables extracted from the blog post, it conducts an investigation and looks for sightings within your environment. If there are sightings, a variety of actions are taken including creating a Cisco SecureX incident and casebook, creating a ServiceNow incident, sending a Webex message, sending a message on Slack, and sending an email. The workflow also supports automated remediation (with approval). If the resulting approval task is approved, unknown or suspicious file hashes and domains are blocked using Cisco Secure Endpoint and Umbrella respectively. If there are any target endpoints, Cisco Orbital is used to take a forensic snapshot and Secure Endpoint is used to enable host isolation.

This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.



Change Log

Date          Notes
Jan 22, 2021  Initial release
Jun 24, 2021  Updated the user agent header being used to fetch blog posts from Talos
Sep 10, 2021  Updated to use the new system atomics
Aug 31, 2022  Updated to support SecureX Tokens
Feb 16, 2023  Minor tweak to how blog posts are stripped of HTML (Issue #230)

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Orbital - Query Endpoint
    • Threat Response - Create Casebook
    • Threat Response - Create Incident
    • Threat Response - Create Relationship
    • Threat Response - Deliberate Observable
    • Threat Response - Enrich Observable
    • Threat Response - Generate Access Token
    • Threat Response - Inspect for Observables
    • Threat Response - List Response Actions
    • Threat Response - Trigger Response Action
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Endpoint with Orbital
  • Cisco Umbrella
  • (Optional) Cisco Webex
  • (Optional) A Slack access token and a channel name to post messages to
  • ServiceNow

Workflow Steps

  1. Fetch any necessary global variables and set the environment URLs for SecureX and Threat Response
  2. Fetch the blog post content and strip out any HTML
  3. Inspect the blog post content for observables
  4. Loop through each observable and get its Threat Response disposition
  5. For observables that weren’t clean, conduct Threat Response enrichment to get sightings
    • For modules with sightings, extract the sightings and targets for use later
  6. Generate a summary of the workflow’s findings in HTML (for email and ServiceNow), markdown (for Webex and Threat Response), and mrkdwn (for Slack)
  7. Create a ServiceNow incident ticket
  8. Create the SecureX casebook and incident
  9. Add a work note to the ServiceNow incident with a link to investigate in Threat Response
  10. Generate the text for an approval task and request automated remediation
  11. Send notifications:
    • Webex
    • Slack
    • Email
  12. Wait for the approval task to be completed
  13. If completed and approved:
    • Fetch the Cisco Secure Endpoint and Umbrella module instance IDs from Threat Response
    • Loop through each observable:
      • If it’s a file hash, add it to the Secure Endpoint simple custom detections list using Threat Response
      • If it’s a domain, block it in Umbrella using Threat Response
    • Loop through each target:
      • Fetch an access token for Orbital (using the Threat Response - Generate Access Token atomic)
      • Request a forensic snapshot of the endpoint using Cisco Orbital
      • Isolate the endpoint using Secure Endpoint
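The following is an added example, not code from the workflow repository or from Cisco: a stand-alone Python model of steps 2, 3, 4/5, 6 and 13 above, run on constructed input. The real workflow calls Threat Response (Inspect for Observables, Deliberate Observable) and the Secure Endpoint and Umbrella response actions; here a hypothetical disposition table and a plain list of planned actions stand in for those calls so the control flow, including the approval gate, can be exercised offline. The sample HTML, the domains, the hash and the disposition values are all constructed.

```python
"""Added example (not from the SecureX workflow repository): offline model of
steps 2, 3, 4/5, 6 and 13. DISPOSITIONS is a hypothetical stand-in for the
Threat Response deliberate call; plan_remediation returns what would be
sent to Secure Endpoint / Umbrella instead of calling them."""
import html
import re
from html.parser import HTMLParser

# Constructed stand-in for the fetched blog post (not real Talos content).
SAMPLE_HTML = """<html><body><h1>Advisory</h1>
<p>Observed C2 domain: malicious-c2[.]example; updates fetched from benign-cdn[.]example.</p>
<p>Sample SHA256: deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef</p>
<script>trackVisit()</script></body></html>"""

# Constructed stand-in for "Threat Response - Deliberate Observable" results.
DISPOSITIONS = {
    "malicious-c2.example": "Malicious",
    "benign-cdn.example": "Clean",
    "deadbeef" * 8: "Suspicious",
}

class TextExtractor(HTMLParser):
    """Step 2: keep visible text, drop <script>/<style> bodies."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def strip_html(page):
    parser = TextExtractor()
    parser.feed(page)
    return " ".join(" ".join(parser.parts).split())

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def extract_observables(text):
    """Step 3 (simplified): refang '[.]' and pull SHA256 hashes and domains.
    Threat Response's inspect API covers many more observable types."""
    text = text.replace("[.]", ".")
    found = [("sha256", h.lower()) for h in SHA256_RE.findall(text)]
    found += [("domain", d.lower()) for d in DOMAIN_RE.findall(text)]
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order

def triage(observables, dispositions):
    """Steps 4/5: attach a disposition and keep everything that is not Clean."""
    out = []
    for otype, value in observables:
        disp = dispositions.get(value, "Unknown")
        if disp != "Clean":
            out.append((otype, value, disp))
    return out

def summaries(findings):
    """Step 6: the same findings as HTML (email/ServiceNow), markdown
    (Webex/Threat Response) and mrkdwn (Slack)."""
    as_html = "<ul>" + "".join(
        f"<li><b>{html.escape(d)}</b> {t}: <code>{html.escape(v)}</code></li>"
        for t, v, d in findings) + "</ul>"
    as_md = "\n".join(f"- **{d}** {t}: `{v}`" for t, v, d in findings)
    as_mrkdwn = "\n".join(f"• *{d}* {t}: `{v}`" for t, v, d in findings)
    return as_html, as_md, as_mrkdwn

def plan_remediation(findings, approved):
    """Step 13: nothing happens without an approved task. Hashes go to the
    Secure Endpoint simple custom detections list, domains to an Umbrella
    block; other observable types are reported but not acted on."""
    if not approved:
        return []
    plan = []
    for otype, value, _ in findings:
        if otype == "sha256":
            plan.append(("secure_endpoint_simple_custom_detection", value))
        elif otype == "domain":
            plan.append(("umbrella_block_domain", value))
    return plan

def run_investigation(page, dispositions, approved):
    findings = triage(extract_observables(strip_html(page)), dispositions)
    return {"findings": findings,
            "summaries": summaries(findings),
            "remediation": plan_remediation(findings, approved)}

if __name__ == "__main__":
    result = run_investigation(SAMPLE_HTML, DISPOSITIONS, approved=True)
    print(result["summaries"][1])
    for action in result["remediation"]:
        print("planned:", action)
```

The approval gate is the part worth copying: plan_remediation returns an empty plan unless the task was approved, so a workflow that wires notifications and remediation off the same findings cannot block anything before a human has looked at the summary.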

Configuration

Local Variables

  • Set Email Addresses to Notify to the email addresses you want notifications sent to
  • Set ServiceNow Instance URL to the URL of your instance (for example: mycompany.service-now.com). If you don’t want to use ServiceNow, you need to disable all of the ServiceNow activities and then remove any references to them
  • If you want to use Slack:
    • Provide the workflow your Slack API token by either:
      • Storing your token in a global variable and using the Fetch Global Variables group at the beginning of the workflow to update the Slack Token local variable; or
      • Removing the Slack Token from the Fetch Global Variables group and adding your token directly to the Slack Token local variable
    • Set Slack Channel to the name of the channel you want messages sent to
  • See this page for information on configuring the workflow for Webex

Activities

  • Set Service Now User ID on ServiceNow - Create Incident
  • Update SolarWinds remediation approval with:
    • A Task Requestor
    • A Task Owner
    • One or more Task Assignees
  • If your Cisco Secure Endpoint module isn’t named AMP for Endpoints in SecureX, you need to update the JSONPath Query on the Extract Secure Endpoint Actions activity with your module’s name
  • If your Cisco Umbrella module isn’t named Umbrella in SecureX, you need to update the JSONPath Query on the Extract Umbrella Actions activity with your module’s name
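The two module-name items above describe a silent failure mode: if the JSONPath query is left pointing at a module name that does not exist in your SecureX tenant, the extract activity simply matches nothing and the remediation branch has no actions to trigger. The following added example (not code from the workflow repository or from Cisco) shows that filter in plain Python and a check that turns an empty match into a visible configuration error. The shape of the action records is an assumption made for illustration, not the real Threat Response "List Response Actions" schema, and every value in SAMPLE_ACTIONS is constructed.

```python
"""Added example (not from the SecureX workflow repository): the module-name
filter behind the Extract Secure Endpoint Actions / Extract Umbrella Actions
activities, with a check for a renamed module. Record shape is assumed."""

# Constructed response-action list; 'module' is the integration module's
# display name as it appears in SecureX.
SAMPLE_ACTIONS = [
    {"module": "AMP for Endpoints", "title": "Add SHA256 to custom detections", "id": "constructed-1"},
    {"module": "Umbrella", "title": "Block this domain", "id": "constructed-2"},
    {"module": "Secure Endpoint (Prod)", "title": "Add SHA256 to custom detections", "id": "constructed-3"},
]

def actions_for_module(actions, module_name):
    """Plain-Python equivalent of the workflow's JSONPath filter on module name."""
    return [a for a in actions if a.get("module") == module_name]

def check_module_configured(actions, module_name):
    """Return (ok, message). An empty match means the query still names a
    module that is not present, so remediation would silently do nothing."""
    matched = actions_for_module(actions, module_name)
    if matched:
        return True, f"{len(matched)} action(s) available for {module_name!r}"
    present = sorted({a.get("module", "") for a in actions})
    return False, f"no actions for {module_name!r}; modules present: {present}"

if __name__ == "__main__":
    for name in ("AMP for Endpoints", "Umbrella", "Cisco Secure Endpoint"):
        print(name, "->", check_module_configured(SAMPLE_ACTIONS, name))
```

Running the check once with the module names your extract activities use, against the real action list returned by Threat Response, confirms the rename step was done before the approval task is ever raised.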

Targets

Target Group: Default TargetGroup

By default, the Default TargetGroup may not include SMTP Endpoint targets. If this is the case, you will need to update the target group and add SMTP Endpoint to the target types included. More information about target groups can be found here.

Target Name               Type           Details                                                         Account Keys            Notes
CTR_API                   HTTP Endpoint  Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh    CTR_Credentials         Created by default
Email Endpoint            SMTP Endpoint  Configured for your SMTP server                                 Email Credentials
Orbital_For_Access_Token  HTTP Endpoint  Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh    Orbital_Credentials     Created by default
Orbital_Target            HTTP Endpoint  Protocol: HTTPS; Host: orbital.amp.cisco.com; Path: /v0         None                    Created by default
Private_CTIA_Target       HTTP Endpoint  Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None  CTR_Credentials         Created by default
ServiceNow                HTTP Endpoint  Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api   ServiceNow_Credentials  Be sure to use your instance URL
Slack                     HTTP Endpoint  Protocol: HTTPS; Host: slack.com; Path: /api                    None                    Not necessary if Slack activities are removed
Webex Teams               HTTP Endpoint  Protocol: HTTPS; Host: webexapis.com; Path: None                None                    Not necessary if Webex activities are removed

Account Keys

Account Key Name        Type                       Details                                                      Notes
CTR_Credentials         SecureX Token                                                                           See this page
Email Credentials       Email Credentials          Username: Mailbox Username; Password: Mailbox Password
Orbital_Credentials     HTTP Basic Authentication  Username: Client ID; Password: Client Secret                 Created by default
ServiceNow_Credentials  HTTP Basic Authentication  Username: ServiceNow User ID; Password: ServiceNow Password