Isolate an Endpoint with tier-2 Approval

Overview

=> Goal: Trigger this workflow when you have suspicion of an endpoint being targetted in an ongoing attack. => Input: amp_computer_guid (Cisco Secure Endpoint identifier for a device)

Workflow Steps:

Create an approval request to isolate the target endpoint.
Send a notification to the SOC Webex Space to investigate the target endpoint further.
Waits for approval...
If approved, isolate an endpoint if given an observable that can identify an endpoint (e.g Cisco Secure Endpoint GUID) and send notification to SOC Webex Space.

Installation

Browse to your SecureX orchestration instance. This wille be a different URL depending on the region your account is in:

Click on IMPORT to import the workflow:

Click on Browse and copy paste the content of the isolate_endpoint_with_approval.json file inside of the text window.

Click on IMPORT. Open up the workflow after importing it. You will now need to update 2 values, the Webex Access Token and the Webex Room ID (pro-tip: add the Webex Room ID bot to the space you want to use to get the ID):

Note: Please retrieve your Webex key from: https://developer.webex.com/docs/api/getting-started. Please be aware that the personal token from the getting started page only works for 12 hours. Please follow these steps to request a "bot" token: https://developer.webex.com/docs/integrations.

Now it is time to test, click on RUN in the top right of your window and fill in 2 example values (e.g. observable_type: amp_computer_guid, observable_value: 123456789), and everything should be working now. The workflow will fail as this is not the correct amp_computer_guid`, but you can test the workflow.

This workflow is a so called "Response" workflow, and can be triggered from the SecureX Threat Response pivot menu, when clicking on an amp_computer_guid:

Notes

Please test this properly before implementing in a production environment. This is a sample workflow!

Author(s)

Christopher van der Made (Cisco)

About

Other