License: CISCO published

MISP SecureX Orchestration Workflows

Features

  • Import events from MISP into SecureX.
  • Automatically enrich observables and search for potential targets with Cisco Threat Response.
  • Send observables to the private intel database within SecureX and connect this feed to your security solutions.
  • Auto-create an incident within the SecureX Incident Manager.
  • Post sightings to a Webex space (this can be any destination of choice: email, MS Teams, a ticketing system, etc.).
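
As an added example, not part of this repository (the workflow itself lives in the JSON file), the script below shows in Python the first steps the workflow automates: taking a MISP event's attributes, keeping only those meant for detection, mapping them to Threat Response observable types, and building the body of a sighting. The sample event, the type mapping, the sighting field names and the source URL host are assumptions for illustration.

```python
import json
from typing import Dict, List

# Constructed sample of a MISP event in the shape GET /events/{id} returns (trimmed);
# every value is a placeholder, not a real indicator.
SAMPLE_MISP_EVENT = json.loads("""
{"Event": {"id": "1234", "info": "Sample MISP event",
 "Attribute": [
   {"type": "ip-dst", "value": "203.0.113.10", "to_ids": true},
   {"type": "domain", "value": "example.invalid", "to_ids": true},
   {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "to_ids": true},
   {"type": "url", "value": "http://example.invalid/landing", "to_ids": false},
   {"type": "comment", "value": "analyst note, not an observable", "to_ids": false},
   {"type": "ip-dst", "value": "203.0.113.10", "to_ids": true}
 ]}}
""")

# MISP attribute type -> Threat Response observable type (assumed mapping).
# Types not listed (comment, text, attachment, ...) are not observables and are skipped.
MISP_TO_CTR_TYPE: Dict[str, str] = {
    "ip-src": "ip", "ip-dst": "ip", "domain": "domain", "hostname": "hostname",
    "url": "url", "md5": "md5", "sha1": "sha1", "sha256": "sha256",
    "email-src": "email", "email-dst": "email",
}

def misp_event_to_observables(event: dict, ids_only: bool = True) -> List[dict]:
    """Return deduplicated {"type", "value"} observables for a MISP event. With ids_only=True
    only attributes flagged to_ids (meant for detection) are kept, so notes never get enriched."""
    seen = set()
    observables: List[dict] = []
    for attr in event["Event"].get("Attribute", []):
        ctr_type = MISP_TO_CTR_TYPE.get(attr.get("type"))
        if ctr_type is None or (ids_only and not attr.get("to_ids", False)):
            continue
        key = (ctr_type, attr["value"])
        if key not in seen:  # the same value can appear several times in one event
            seen.add(key)
            observables.append({"type": ctr_type, "value": attr["value"]})
    return observables

def build_sighting(event: dict, observables: List[dict], observed_time: str) -> dict:
    """Body for one Threat Response sighting tying the MISP event to its observables
    (field names are assumed from the CTIM sighting shape; the source_uri host is a placeholder)."""
    return {
        "type": "sighting", "source": "MISP", "confidence": "High",
        "source_uri": f"https://misp.example.invalid/events/view/{event['Event']['id']}",
        "description": event["Event"]["info"],
        "observed_time": {"start_time": observed_time},
        "observables": observables,
    }
```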

Note: Please test this properly before implementing in a production environment. This is a sample workflow!

Required Targets

Required Account Keys

  • CTR_Credentials (default)
  • MISP API Keys
  • Webex Teams Token (optional)

Required Atomic Workflows

  • Threat Response - Generate Access Token (System Atomic - No Import Needed)
  • Threat Response - Deliberate Observable (System Atomic - No Import Needed)
  • Threat Response - Enrich Observable (System Atomic - No Import Needed)
  • Threat Response - Create Sighting (System Atomic - No Import Needed)
  • Threat Response - Create Incident (System Atomic - No Import Needed)
  • Threat Response - Create Relationship (System Atomic - No Import Needed)
  • Webex Teams - Post Message to Room (System Atomic - No Import Needed)

Setup instructions

Configure Global Variables

  1. Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
  2. In the left pane menu, select Workflows. Click on IMPORT to import the workflow:

  3. Click on Browse and copy-paste the content of the misp-event-to-incident-workflow.json file into the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.

  4. Make sure you have filled in the MISP HTTP Target and API Credentials in the MISP-GET-EVENTS activity.

  5. Make sure the Webex Teams - Post Message to Room activity has the correct Access Token and Room ID. It is recommended to use a Webex Bot to create an Access Token. Please find more information regarding Webex Bots in the Webex developer documentation.

Notes

  • In a future version more reporting actions will be added upon a target sighting.

Author(s)

  • Pieter van Schaik (Cisco)
  • Maarten Lutterman (Cisco)
  • Christopher van der Made (Cisco)