IT operations are still very manual today. Customers are always challenged to maintain system health and improve online security. This workflow demonstrates how Cisco SecureX orchestration can be leveraged to automate vulnerability management.
This workflow periodically checks SecureX incidents for Threat Detected Events from Cisco Secure Endpoint. When an incident is returned, the workflow collects all observations from it and reaches to Kenna Security for vulnerabilities information related to executed malware. If information is returned, the workflow updates the incident in SecureX to document the findings. This workflow is designed to run every 5 minutes on a schedule.
Note: Please test this properly before implementing in a production environment. This is a sample workflow!
In order to leverage Kenna Security malware intelligence for detected vulnerabilities, Kenna Security VI+ License is required.
[] Fetch incidents from SecureX
[] For each incident:
[]> Extract the observations and target
[]> Search for the asset in Kenna by IP and fetch its asset ID
[]> Fetch asset risk score, priority and vulnerabilities by asset ID
[]> Find all malware associated with open vulnerabilities matching criteria: malware exploitable, has active new breaches and popular targets. (Kenna Security VI+ License required)
[]> Compare with malware in the SecureX incident. If match found, update the incident with Kenna information. Add tags and notes to Kenna asset to link with the incident.
-
Target Group: Default TargetGroup
-
Targets: CTR_For_Access_Token, Private_CTIA_Target, Kenna_Target
- Account Keys: CTR_Credentials
- Secure String: Kenna - Token
- Update Kenna URL local varilable with your Kenna Security instance domain name (e.g. ..kennasecurity.com) in order to properly construct pivot links for Kenna pages.
- Kenna-GetAssetID
- Kenna-GetAssetVulnerabilities
- Kenna-ShowMalwareHashes
- Kenna-ShowVulnerabilityDefinition
- Kenna-TagAnAsset
- Kenna-UpdateAssetNotes
- Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:
- US: https://securex-ao.us.security.cisco.com/orch-ui/workflows/
- EU: https://securex-ao.eu.security.cisco.com/orch-ui/workflows/
- APJC: https://securex-ao.apjc.security.cisco.com/orch-ui/workflows/
-
In the left hand menu, select Variables.
-
Click New Variable. Data Type - Secure String. Name Kenna - Token.
-
Provide your Kenna API token.
Note: For more information on Kenna Security APIs, check out API Reference.
- In the left pane menu, select Workflows. Click on IMPORT to import the workflow:
- Click on Browse and copy paste the content of the Kenna-GetAssetID json file file inside of the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.
- Repeat step 2 for the rest of Atomic actions: Kenna-GetAssetVulnerabilities, Kenna-ShowMalwareHashes, Kenna-ShowVulnerabilityDefinition, Kenna-TagAnAsset, Kenna-UpdateAssetNotes.
-
In the left pane menu, select Workflows. Click on IMPORT to import the workflow.
-
Click on Browse and copy paste the content of the Kenna-SecureXIncidentsEnrichmentWF file inside of the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.
-
Go to My Workflows and open the main workflow Kenna - SecureX Incidents Enrichment. In the properties on the right hand-side, find section Triggers. You will see that the status is - Disabled. Click on the name of the Trigger and change the status to Enabled.
- Please test this properly before implementing in a production environment. This is a sample workflow!
- In order to leverage Kenna Security malware intelligence for detected vulnerabilities, Kenna Security VI+ License is required.
- Oxana Sannikova, Security Technical Solutions Architect (Cisco)