topic Re: Query SMA for Mails in Quarantine with SecureX Orchestration in Cisco XDR

Query SMA for Mails in Quarantine with SecureX Orchestration

Markus Sandmeier — Wed, 19 May 2021 13:32:23 GMT

Hi all

How cloud I query the SMA API for mails in quarantine with SecureX orchestration? Do I have to use Threat Response API?

Could anyone assist?

Sample Request

GET /sma/api/v2.0/quarantine/messages?endDate=2018-11-21T23:59:00.000Z& limit=25&offset=0&orderBy=date&orderDir=desc&quarantineType=spam&startDate=2018-07-01T00:00:00.000Z

What kind of endpoint do I need in SecureX orchestration?

Thanks

Re: Query SMA for Mails in Quarantine with SecureX Orchestration

chrivand — Wed, 19 May 2021 15:16:38 GMT

Hi Markus, I would recommend to use a HTTP Request action and drag that into your canvas. You also have to create a HTTP target with the domain of your SMA tenant. You can then select that target in the HTTP Request action and use this as relative URL: /sma/api/v2.0/quarantine/messages?endDate=2018-11-21T23:59:00.000Z& limit=25&offset=0&orderBy=date&orderDir=desc&quarantineType=spam&startDate=2018-07-01T00:00:00.000Z. You will probably have to add some headers and make sure your authorization is working. Please let me know if this helps!

Re: Query SMA for Mails in Quarantine with SecureX Orchestration

Markus Sandmeier — Thu, 20 May 2021 21:23:11 GMT

Could you make a config example of this HTTP target? How can I configure devices which are connected over SSE as a HTTP target?

Re: Query SMA for Mails in Quarantine with SecureX Orchestration

Markus Sandmeier — Thu, 20 May 2021 21:49:39 GMT

Ah could it be that I only need to use the SecureX Internal Target?

Re: Query SMA for Mails in Quarantine with SecureX Orchestration

chrivand — Tue, 25 May 2021 06:42:28 GMT

Hi Markus, are you using CES? then you don't have to do this via SSE since CES has a public domain. Here would be an incomplete example:

{
  "workflow": {
    "unique_name": "definition_workflow_01OP5RKP52Y1N5lflSPbL09EQJTnrv561Ua",
    "name": "SMA HTTP request example",
    "title": "SMA HTTP request example",
    "type": "generic.workflow",
    "base_type": "workflow",
    "variables": null,
    "properties": {
      "atomic": {
        "is_atomic": false
      },
      "delete_workflow_instance": false,
      "display_name": "SMA HTTP request example",
      "runtime_user": {
        "override_target_runtime_user": false,
        "specify_on_workflow_start": false,
        "target_default": true
      },
      "target": {
        "execute_on_target_group": false,
        "execute_on_workflow_target": false,
        "no_target": true,
        "specify_on_workflow_start": false
      }
    },
    "object_type": "definition_workflow",
    "actions": [
      {
        "unique_name": "definition_activity_01OP5RNIW40KY5sNWRyjrGrWuw01tVRI34J",
        "name": "HTTP Request",
        "title": "SMA HTTP Request",
        "type": "web-service.http_request",
        "base_type": "activity",
        "properties": {
          "action_timeout": 180,
          "allow_auto_redirect": true,
          "continue_on_error_status_code": false,
          "continue_on_failure": false,
          "description": "add SMA target and auth headers",
          "display_name": "SMA HTTP Request",
          "method": "GET",
          "relative_url": "/sma/api/v2.0/quarantine/messages?endDate=2018-11-21T23:59:00.000Z& limit=25&offset=0&orderBy=date&orderDir=desc&quarantineType=spam&startDate=2018-07-01T00:00:00.000Z",
          "runtime_user": {
            "override_target_runtime_user": false,
            "target_default": true
          },
          "skip_execution": false,
          "target": {
            "override_workflow_target": false,
            "override_workflow_target_group_criteria": false,
            "use_workflow_target": true,
            "use_workflow_target_group": false
          }
        },
        "object_type": "definition_activity"
      }
    ],
    "categories": [
      "category_1BMfMXSnJMyt5Ihqi7rWJr5N8cf"
    ]
  }
}

Re: Query SMA for Mails in Quarantine with SecureX Orchestration

Markus Sandmeier — Tue, 25 May 2021 07:16:46 GMT

Hi Chris

Now the customer is using on-prem ESA managed with SMA. That's why I don't get it how to do that....

Re: Query SMA for Mails in Quarantine with SecureX Orchestration

chrivand — Tue, 25 May 2021 19:45:47 GMT

hi Markus, if it is on-prem you will either need to poke an inbound hole in the FW (not recommended) or wait until the SecureX orchestration remote connector is released (should be very soon). When it is released you can create internal targets and reach them the same way as I described above 🙂

Re: Query SMA for Mails in Quarantine with SecureX Orchestration

Markus Sandmeier — Thu, 27 May 2021 12:24:05 GMT

Thanks Chris!

Re: Query SMA for Mails in Quarantine with SecureX Orchestration

chrivand — Thu, 27 May 2021 17:29:34 GMT

The remote has been released: https://ciscosecurity.github.io/sxo-05-security-workflows/remote

Re: Query SMA for Mails in Quarantine with SecureX Orchestration

Markus Sandmeier — Tue, 01 Jun 2021 07:13:41 GMT

Awesome, thanks!