
SolarWinds Investigation

Workflow #0011

This workflow uses a Talos blog post about the SolarWinds supply chain attack as a source of intelligence. Using observables extracted from the blog post, it conducts an investigation and looks for sightings within your environment. If there are sightings, a variety of actions are taken including creating a Threat Response incident and casebook, creating a ServiceNow incident, sending a Webex Teams message, sending a message on Slack, and sending an email. The workflow also supports automated remediation (with approval). If the resulting approval task is approved, unknown or suspicious file hashes and domains are blocked using AMP and Umbrella respectively. If there are any target endpoints, Orbital is used to take a forensic snapshot and AMP is used to enable host isolation.



Change Log

| Date | Notes |
| --- | --- |
| Jan 22, 2021 | Initial release |
| Jun 24, 2021 | Updated the user agent header being used to fetch blog posts from Talos |

See the Important Notes page for more information about updating workflows


Requirements

Note: You may have an old version of the Webex Teams - Post Message to Room atomic. To ensure the best experience with this workflow, be sure to import the latest version of this atomic from the GitHub_Target_Atomics repository!


Workflow Steps

  1. Fetch any necessary global variables and set the environment URLs for SecureX and Threat Response
  2. Fetch the blog post content and strip out any HTML
  3. Request a Threat Response access token and inspect the blog post content for observables
  4. Loop through each observable and get its Threat Response disposition
  5. For observables that weren’t clean, conduct Threat Response enrichment to get sightings
    • For modules with sightings, extract the sightings and targets for use later
  6. Generate a summary of the workflow’s findings in HTML (for email and ServiceNow), markdown (for Webex Teams and Threat Response), and mrkdwn (for Slack)
  7. Create a ServiceNow incident ticket
  8. Create the Threat Response casebook and incident
  9. Add a work note to the ServiceNow incident with a link to investigate in Threat Response
  10. Generate the text for an approval task and request automated remediation
  11. Send notifications:
    • Webex Teams
    • Slack
    • Email
  12. Wait for the approval task to be completed
  13. If completed and approved:
    • Fetch an access token for Threat Response
    • Fetch the AMP and Umbrella module instance IDs from Threat Response
    • Loop through each observable:
      • If it’s a file hash, add it to the AMP simple custom detections list using Threat Response
      • If it’s a domain, block it in Umbrella using Threat Response
    • Loop through each target:
      • Fetch an access token for Orbital (using the Threat Response v2 - Generate Access Token atomic)
      • Request a forensic snapshot of the endpoint using Orbital
      • Isolate the endpoint using AMP for Endpoints
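Steps 2 through 5 are the part of the workflow that turns a blog post into a list of observables worth acting on, and they are the easiest part to check by hand. The script below is an added example that re-creates those steps locally in plain Python; it is not code from the SolarWinds Investigation workflow or from Cisco. It strips the HTML from a post, extracts SHA256 hashes, IPv4 addresses and domains (undoing the usual "[.]" and "hxxp" defanging first), drops anything Threat Response rated Clean, and then walks an enrichment result to pull out, per module, how many sightings came back and which targets they name. The blog HTML, the dispositions and the enrichment document are all constructed sample data, and the enrichment layout (data[].module, data[].data.sightings.docs[].targets[]) is an assumption about the Threat Response response shape rather than something taken from this page.

```python
"""Steps 2-5 of the workflow, re-created locally.  Added example, not code
from the SolarWinds Investigation workflow or from Cisco.  The blog HTML,
dispositions and enrichment document below are constructed sample data, and
the enrichment layout is an assumption about the Threat Response shape."""
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text and drop the bodies of <script> and <style>."""
    def __init__(self):
        super().__init__()
        self.skip, self.parts = 0, []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.parts.append(data)


def strip_html(post_html):
    """Step 2: reduce the fetched post to whitespace-normalised plain text."""
    parser = _TextExtractor()
    parser.feed(post_html)
    parser.close()
    return " ".join(" ".join(parser.parts).split())


SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_observables(text):
    """Step 3 (inspect): sorted, de-duplicated (type, value) pairs.
    Blog posts defang indicators ("[.]", "hxxp"); undo that before matching."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    found = {("sha256", h.lower()) for h in SHA256_RE.findall(text)}
    found |= {("ip", ip) for ip in IPV4_RE.findall(text)
              if all(int(o) <= 255 for o in ip.split("."))}
    found |= {("domain", d.lower()) for d in DOMAIN_RE.findall(text)}
    return sorted(found)


# Threat Response dispositions: 1 Clean, 2 Malicious, 3 Suspicious, 4 Common,
# 5 Unknown.  An observable with no verdict is treated as Unknown.
CLEAN, UNKNOWN = 1, 5


def not_clean(observables, dispositions):
    """Step 4-5 filter: keep observables whose disposition is not Clean."""
    return [(t, v) for t, v in observables if dispositions.get(v, UNKNOWN) != CLEAN]


def extract_sightings(enrichment):
    """Step 5: for each module that returned sightings, collect count and targets."""
    per_module = {}
    for module in enrichment.get("data", []):
        docs = module.get("data", {}).get("sightings", {}).get("docs", [])
        if not docs:
            continue  # the module answered but has no sightings
        targets = {(o["type"], o["value"]) for s in docs
                   for t in s.get("targets", []) for o in t.get("observables", [])}
        per_module[module["module"]] = {
            "module_instance_id": module.get("module_instance_id"),
            "sightings": len(docs), "targets": sorted(targets)}
    return per_module


# Constructed sample data: no real indicators, hosts or module instance ids.
SAMPLE_HASH = "0123456789abcdef" * 4
SAMPLE_BLOG_HTML = """<html><head><style>body{margin:0}</style>
<script>var tracker = 1;</script></head><body><h1>Constructed sample post</h1>
<p>The sample loader beaconed to update[.]example-c2[.]test and to
198.51.100.23. Sample SHA256: <code>%s</code></p></body></html>""" % SAMPLE_HASH
SAMPLE_DISPOSITIONS = {SAMPLE_HASH: 3, "update.example-c2.test": 2,
                       "198.51.100.23": 1}
SAMPLE_ENRICHMENT = {"data": [  # assumed layout, constructed values
    {"module": "AMP for Endpoints", "module_instance_id": "inst-amp-0001",
     "data": {"sightings": {"docs": [
         {"observables": [{"type": "sha256", "value": SAMPLE_HASH}],
          "targets": [{"type": "endpoint", "observables": [
              {"type": "hostname", "value": "ws-finance-07"}]}]}]}}},
    {"module": "Umbrella", "module_instance_id": "inst-umb-0001",
     "data": {"sightings": {"docs": []}}}]}


def run_investigation(post_html=SAMPLE_BLOG_HTML, dispositions=SAMPLE_DISPOSITIONS,
                      enrichment=SAMPLE_ENRICHMENT):
    """Chain steps 2-5 and return what the workflow carries into steps 6-13."""
    observables = extract_observables(strip_html(post_html))
    return {"observables": observables,
            "to_enrich": not_clean(observables, dispositions),
            "sightings": extract_sightings(enrichment)}
```

Calling run_investigation() with the sample data yields three observables, two of them (the domain and the hash) carried forward because they were not Clean, and one module (AMP for Endpoints) with a sighting whose target is the hostname in the sample. The Umbrella entry is dropped at the "modules with sightings" check, which mirrors the step 5 sub-bullet: a module that answers with zero sightings contributes nothing to the summary, casebook or target list. In the real workflow the disposition and enrichment data come from Threat Response rather than from the constructed dictionaries here.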

Configuration

Local Variables

  • Set Email Addresses to Notify to the email addresses you want notifications sent to
  • Set ServiceNow Instance URL to the URL of your instance (for example: mycompany.service-now.com). If you don’t want to use ServiceNow, you need to disable all of the ServiceNow activities and then remove any references to them
  • If you want to use Slack:
    • Provide the workflow your Slack API token by either:
      • Storing your token in a global variable and using the Fetch Global Variables group at the beginning of the workflow to update the Slack Token local variable; or
      • Removing the Slack Token from the Fetch Global Variables group and adding your token directly to the Slack Token local variable
    • Set Slack Channel to the name of the channel you want messages sent to
  • See this page for information on configuring the workflow for Webex Teams

Activities

  • Set Service Now User ID on ServiceNow - Create Incident
  • Update SolarWinds remediation approval with:
    • A Task Requestor
    • A Task Owner
    • One or more Task Assignees
  • If your AMP for Endpoints module isn’t named AMP for Endpoints in SecureX, you need to update the JSONPath Query on the Extract AMP Actions activity with your module’s name
  • If your Umbrella module isn’t named Umbrella in SecureX, you need to update the JSONPath Query on the Extract Umbrella Actions activity with your module’s name

Targets

Target Group: Default TargetGroup

By default, the Default TargetGroup may not include SMTP Endpoint targets. If this is the case, you will need to update the target group and add SMTP Endpoint to the target types included. More information about target groups can be found here.

| Target Name | Type | Details | Account Keys | Notes |
| --- | --- | --- | --- | --- |
| CTR_API | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | None | Created by default |
| CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | CTR_Credentials | Created by default |
| Email Endpoint | SMTP Endpoint | Configured for your SMTP server | Email Credentials account key | |
| Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | Orbital_Credentials | Created by default |
| Orbital_Target | HTTP Endpoint | Protocol: HTTPS; Host: orbital.amp.cisco.com; Path: /v0 | None | Created by default |
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None | None | Created by default |
| ServiceNow | HTTP Endpoint | Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
| Slack | HTTP Endpoint | Protocol: HTTPS; Host: slack.com; Path: /api | None | Not necessary if Slack activities are removed |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | Not necessary if Webex Teams activities are removed |

Account Keys

| Account Key Name | Type | Details | Notes |
| --- | --- | --- | --- |
| CTR_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |
| Email Credentials | Email Credentials | Username: Mailbox Username; Password: Mailbox Password | |
| Orbital_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |
| ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID; Password: ServiceNow Password | |