MX Security Events to Incidents
Workflow #0061
This workflow fetches security events for the last hour from Meraki for a specific organization. If there are any Malware Downloaded or IDS Priority 1 events, a sighting and incident are created in Threat Response and a Webex message is sent.
Contributed by: Christopher van der Made
This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
Change Log
Date | Notes |
---|---|
Apr 25, 2022 | - Initial release |
Sep 7, 2022 | - Updated to support SecureX Tokens |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Threat Response - Create Incident
  - Threat Response - Create Relationship
  - Threat Response - Create Sighting
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
  - Cisco Meraki MX Firewall
  - (Optional) Cisco Webex
Workflow Steps
- Fetch global variables
- Calculate the time 1 hour ago
- Make sure the Webex room exists
- Fetch security events from Meraki
- Check if the events were retrieved successfully:
  - If not, end the workflow
  - If they were:
    - Loop through each event checking if it's an event type we care about
    - If it is, strip the ports from the IPs, create the Threat Response objects, and send a Webex message
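The filtering and IP clean-up steps above (steps 6 and 7) are the part of this workflow that decides what becomes a Threat Response sighting or incident, so here is a stand-alone Python illustration of them. This is an added example, not the workflow's own code or anything shipped with SecureX orchestration; the field names (`eventType`, `disposition`, `action`, `priority`, `srcIp`, `destIp`) and the two event-type strings are assumptions about the Meraki security-events payload, and the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Event types this workflow acts on. The page names "Malware Downloaded" and
# "IDS Priority 1"; the payload field names and values used below are
# assumptions about the Meraki security-events response, not taken from the page.
MALWARE_EVENT_TYPE = "File Scanned"
IDS_EVENT_TYPE = "IDS Alert"

# Fixed reference time (constructed) so the time calculation is reproducible.
REFERENCE_NOW = datetime(2022, 9, 7, 11, 0, 0, tzinfo=timezone.utc)


def one_hour_ago(now: Optional[datetime] = None) -> str:
    """Step 2: ISO-8601 UTC timestamp for 'now minus one hour' (the lower time bound)."""
    now = now or datetime.now(timezone.utc)
    return (now - timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")


def strip_port(addr: str) -> str:
    """Step 7: drop a trailing ':port' from 'a.b.c.d:port' or '[v6addr]:port'.

    Threat Response observables are bare IP addresses; a port suffix would make
    the sighting and relationship refer to an observable that never matches."""
    if addr.startswith("["):          # bracketed IPv6 with port
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:          # IPv4 with port
        return addr.rsplit(":", 1)[0]
    return addr                       # bare IPv4 or bare IPv6


def is_event_of_interest(event: Dict) -> bool:
    """Step 6: keep only 'Malware Downloaded' and 'IDS Priority 1' events."""
    etype = event.get("eventType")
    if etype == MALWARE_EVENT_TYPE:
        # A malicious file that was allowed through is a download; a blocked one is not.
        return event.get("disposition") == "Malicious" and event.get("action") == "allowed"
    if etype == IDS_EVENT_TYPE:
        return event.get("priority") == "1"
    return False


def select_events(events: List[Dict]) -> List[Dict]:
    """Return the events that should become sightings/incidents, with ports
    stripped from srcIp/destIp so they are valid IP observables."""
    selected = []
    for ev in events:
        if not is_event_of_interest(ev):
            continue
        cleaned = dict(ev)
        for key in ("srcIp", "destIp"):
            if key in cleaned:
                cleaned[key] = strip_port(cleaned[key])
        selected.append(cleaned)
    return selected


# Constructed sample payload (not real Meraki output): one allowed malware
# download, one blocked file, one priority-1 IDS alert and one priority-3 alert.
SAMPLE_EVENTS = [
    {"ts": "2022-09-07T10:01:00Z", "eventType": "File Scanned", "disposition": "Malicious",
     "action": "allowed", "srcIp": "203.0.113.10:443", "destIp": "10.0.0.5:51234"},
    {"ts": "2022-09-07T10:02:00Z", "eventType": "File Scanned", "disposition": "Malicious",
     "action": "blocked", "srcIp": "203.0.113.11:80", "destIp": "10.0.0.6:40000"},
    {"ts": "2022-09-07T10:03:00Z", "eventType": "IDS Alert", "priority": "1",
     "srcIp": "[2001:db8::1]:8080", "destIp": "10.0.0.7:22"},
    {"ts": "2022-09-07T10:04:00Z", "eventType": "IDS Alert", "priority": "3",
     "srcIp": "198.51.100.7:1234", "destIp": "10.0.0.8:443"},
]

if __name__ == "__main__":
    print("fetch security events since", one_hour_ago(REFERENCE_NOW))
    for ev in select_events(SAMPLE_EVENTS):
        print(ev["eventType"], ev["srcIp"], "->", ev["destIp"])
```

Of the four constructed events only the allowed malicious download and the priority-1 IDS alert are selected; the blocked file and the priority-3 alert are dropped, matching the page's "Malware Downloaded or IDS Priority 1" rule. If you change which event types the workflow cares about, this is the one decision point to update.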
Configuration
- Set the `Meraki Organization ID` local variable to the ID of the organization you want to fetch security events for
- Provide the workflow your Meraki API key by either:
  - Storing your token in a global variable and using the `Fetch Global Variables` group at the beginning of the workflow to update the `Meraki API Key` local variable; or
  - Disabling the `Fetch Global Variables` group and adding your token directly to the `Meraki API Key` local variable
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Cisco Meraki | HTTP Endpoint | Protocol: HTTPS Host: api.meraki.com Path: /api | None | |
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS Host: private.intel.amp.cisco.com Path: None | None | Created by default |
Webex Teams | HTTP Endpoint | Protocol: HTTPS Host: webexapis.com Path: None | None | Not necessary if Webex activities are removed |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | SecureX Token | See this page | |