
MX Security Events to Incidents

Workflow #0061

This workflow fetches security events for the last hour from Meraki for a specific organization. If there are any Malware Downloaded or IDS Priority 1 events, a sighting and incident are created in Threat Response and a Webex message is sent.

Contributed by: Christopher van der Made

GitHub


Change Log

  • Apr 25, 2022 - Initial release

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Threat Response - Create Incident
    • Threat Response - Create Relationship
    • Threat Response - Create Sighting
    • Threat Response - Generate Access Token
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Meraki MX Firewall
  • (Optional) Cisco Webex

Workflow Steps

  1. Fetch global variables
  2. Calculate the time 1 hour ago
  3. Make sure the Webex room exists
  4. Fetch security events from Meraki
  5. Check if the events were retrieved successfully:
    • If not, end the workflow
    • If they were:
      • Loop through each event, checking if it’s an event type we care about
      • If it is, strip the ports from the IPs, create the Threat Response objects, and send a Webex message
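The time calculation, event filter and port stripping from steps 2, 5 and 7, as an added Python example that is not part of the workflow or Cisco's code. The event field names (ts, eventType, priority, srcIp, destIp), the "IDS" event-type prefix and the sample events are assumptions, not taken from the Meraki API reference; check them against the real response before relying on this logic.

```python
from datetime import datetime, timedelta, timezone
import ipaddress

def one_hour_ago_iso(now=None):
    """ISO 8601 UTC timestamp for the t0 query parameter (step 2)."""
    now = now or datetime.now(timezone.utc)
    return (now - timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")

def strip_port(addr):
    """'1.2.3.4:443' -> '1.2.3.4'; '[2001:db8::1]:443' -> '2001:db8::1'.
    A bare IPv6 such as '2001:db8::1' is returned unchanged (no port)."""
    if addr.startswith("["):            # bracketed IPv6 with port
        host = addr[1:addr.index("]")]
    elif addr.count(":") == 1:          # IPv4 with port
        host = addr.rsplit(":", 1)[0]
    else:
        host = addr
    return str(ipaddress.ip_address(host))  # ValueError if not an IP

def is_interesting(event):
    """The workflow's filter: Malware Downloaded or IDS priority 1 events."""
    etype = event.get("eventType", "")
    if etype == "Malware Downloaded":
        return True
    return etype.startswith("IDS") and str(event.get("priority")) == "1"

def to_observables(events):
    """(timestamp, src, dst) tuples for the events that warrant a sighting."""
    out = []
    for ev in events:
        if is_interesting(ev):
            out.append((ev["ts"], strip_port(ev["srcIp"]), strip_port(ev["destIp"])))
    return out

# Constructed sample; field names are assumptions, not Meraki's documented schema
SAMPLE_EVENTS = [
    {"ts": "2022-04-25T10:01:00Z", "eventType": "IDS Alert", "priority": "1",
     "srcIp": "203.0.113.7:4444", "destIp": "10.0.0.5:445"},
    {"ts": "2022-04-25T10:02:00Z", "eventType": "IDS Alert", "priority": "3",
     "srcIp": "198.51.100.9:80", "destIp": "10.0.0.6:51000"},
    {"ts": "2022-04-25T10:03:00Z", "eventType": "Malware Downloaded",
     "srcIp": "[2001:db8::10]:443", "destIp": "10.0.0.7:52000"},
]

if __name__ == "__main__":
    print("t0 =", one_hour_ago_iso())
    for row in to_observables(SAMPLE_EVENTS):
        print(row)
```

The second sample event (IDS priority 3) is dropped, which is the same outcome the workflow's loop in step 7 produces for events it does not care about.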

Configuration

  • Set the Meraki Organization ID local variable to the ID of the organization you want to fetch security events for
  • Provide the workflow your Meraki API key by either:
    • Storing your token in a global variable and using the Fetch Global Variables group at the beginning of the workflow to update the Meraki API Key local variable; or
    • Disabling the Fetch Global Variables group and adding your token directly to the Meraki API Key local variable
  • See this page for information on configuring the workflow for Webex

Targets

Target Group: Default TargetGroup

  • Cisco Meraki
    • Type: HTTP Endpoint
    • Details: Protocol: HTTPS; Host: api.meraki.com; Path: /api
    • Account Keys: None
  • CTR_For_Access_Token
    • Type: HTTP Endpoint
    • Details: Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh
    • Account Keys: CTR_Credentials
    • Notes: Created by default
  • Private_CTIA_Target
    • Type: HTTP Endpoint
    • Details: Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None
    • Account Keys: None
    • Notes: Created by default
  • Webex Teams
    • Type: HTTP Endpoint
    • Details: Protocol: HTTPS; Host: webexapis.com; Path: None
    • Account Keys: None
    • Notes: Not necessary if Webex activities are removed

Account Keys

  • CTR_Credentials
    • Type: HTTP Basic Authentication
    • Details: Username: Client ID; Password: Client Secret
    • Notes: Created by default