Get Observables from Tweets
Workflow #0077
This workflow searches recent Tweets for the specified hashtags and/or usernames and uses SecureX Threat Response to investigate each observable found. A malicious judgement is created for each observable and, if any sightings are found, an optional SecureX casebook and incident can be created. Finally, a Webex message will be sent with a summary of findings.
Change Log
Date | Notes |
---|---|
Feb 23, 2023 | - Initial release |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Threat Response - Create Casebook
  - Threat Response - Create Incident
  - Threat Response - Create Judgement
  - Threat Response - Create Relationship
  - Threat Response - Enrich Observable
  - Threat Response - Inspect for Observables
  - Webex - Search for Room
  - Webex - Post Message to Room
- The following atomic actions must be imported before you can import this workflow:
  - Twitter - Get Recent Tweets by Hashtag or Username
- The targets and account keys listed at the bottom of the page
- (Optional) Cisco Webex
Workflow Steps
This workflow is designed to run on a schedule to periodically check for new matching Tweets.
- Fetch global variables and detect environment
- Search for the Webex room
- For each hashtag and username:
  - Get recent Tweets
  - For each Tweet returned:
    - Inspect for observables
    - For each observable:
      - Create a malicious judgement
      - Check for sightings
      - If sightings are found, create an incident and casebook:
        - Create a casebook and incident for the sighting
- Post a message to Webex
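As an added illustration (not code from the workflow or the SecureX atomics), the Python below sketches the per-Tweet loop above: it refangs and types observables the way "Inspect for Observables" would, records a malicious judgement for each one, and flags those with sightings for an incident and casebook. The sample Tweets, the sightings map standing in for "Enrich Observable" results, and the judgement field names are constructed assumptions.

```python
import re

# Constructed sample Tweets (not real data) standing in for the output of the "Get Recent Tweets by Hashtag or Username" atomic.
SAMPLE_TWEETS = [
    "#phishing kit live at hxxp://login-update[.]example[.]com/verify from 203[.]0[.]113[.]10",
    "Loader sample sha256 " + "ab" * 32 + " dropped by evil-cdn[.]example #malware",
    "Quiet day on the SOC floor #infosec",
]
SAMPLE_SIGHTINGS = {"203.0.113.10": 3}  # constructed "Enrich Observable" result: value -> sighting count

# Ordered so a hash or URL claims its span before the looser IP and domain patterns can match inside it.
PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

def refang(text):
    """Undo the defanging commonly used when sharing IOCs publicly."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def inspect_for_observables(text):
    """Return unique {type, value} observables found in one Tweet."""
    text, claimed, found = refang(text), [], []
    for otype, pat in PATTERNS:
        for m in pat.finditer(text):
            if any(m.start() < e and m.end() > s for s, e in claimed):
                continue  # inside something already typed (e.g. the host of a URL)
            claimed.append((m.start(), m.end()))
            found.append({"type": otype, "value": m.group(0)})
    return found

def make_judgement(observable):
    """Minimal malicious-judgement record; field names are an assumption, not the atomic's exact payload."""
    return {"observable": observable, "disposition": 2,
            "disposition_name": "Malicious", "severity": "High"}

def process_tweets(tweets, sightings):
    """Run the per-Tweet / per-observable loop and return what the Webex summary would report."""
    judgements, incidents = [], []
    for tweet in tweets:
        for obs in inspect_for_observables(tweet):
            judgements.append(make_judgement(obs))
            if sightings.get(obs["value"], 0) > 0:
                incidents.append(obs["value"])  # would trigger casebook + incident creation
    return {"judgements": judgements, "incidents": incidents}
```

As in the workflow, every observable extracted is judged malicious, so a Tweet that merely mentions a legitimate domain produces a malicious judgement for it; choose the monitored hashtags and usernames with that in mind.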
Configuration
- If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
CTR_API | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | CTR_Credentials | Created by default |
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None | None | Created by default |
Twitter API v2 | HTTP Endpoint | Protocol: HTTPS; Host: api.twitter.com; Path: /v2 | None | |
Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | Not necessary if Webex activities are removed |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | SecureX Token | See this page | |