Query SMA for Mails in Quarantine with SecureX Orchestration

Hi all

How could I query the SMA API for mails in quarantine with SecureX orchestration? Do I have to use the Threat Response API?

Could anyone assist?

Sample Request

GET /sma/api/v2.0/quarantine/messages?endDate=2018-11-21T23:59:00.000Z&limit=25&offset=0&orderBy=date&orderDir=desc&quarantineType=spam&startDate=2018-07-01T00:00:00.000Z

What kind of endpoint do I need in SecureX orchestration?

Thanks 


chrivand (Cisco Employee)

Hi Markus, I would recommend using an HTTP Request action and dragging that into your canvas. You also have to create an HTTP target with the domain of your SMA tenant. You can then select that target in the HTTP Request action and use this as the relative URL: /sma/api/v2.0/quarantine/messages?endDate=2018-11-21T23:59:00.000Z&limit=25&offset=0&orderBy=date&orderDir=desc&quarantineType=spam&startDate=2018-07-01T00:00:00.000Z. You will probably have to add some headers and make sure your authorization is working. Please let me know if this helps!

Could you make a config example of this HTTP target? How can I configure devices which are connected over SSE as an HTTP target?

Ah, could it be that I only need to use the SecureX Internal Target?

chrivand (Cisco Employee)

Hi Markus, are you using CES? Then you don't have to do this via SSE, since CES has a public domain. Here would be an incomplete example:

{
  "workflow": {
    "unique_name": "definition_workflow_01OP5RKP52Y1N5lflSPbL09EQJTnrv561Ua",
    "name": "SMA HTTP request example",
    "title": "SMA HTTP request example",
    "type": "generic.workflow",
    "base_type": "workflow",
    "variables": null,
    "properties": {
      "atomic": {
        "is_atomic": false
      },
      "delete_workflow_instance": false,
      "display_name": "SMA HTTP request example",
      "runtime_user": {
        "override_target_runtime_user": false,
        "specify_on_workflow_start": false,
        "target_default": true
      },
      "target": {
        "execute_on_target_group": false,
        "execute_on_workflow_target": false,
        "no_target": true,
        "specify_on_workflow_start": false
      }
    },
    "object_type": "definition_workflow",
    "actions": [
      {
        "unique_name": "definition_activity_01OP5RNIW40KY5sNWRyjrGrWuw01tVRI34J",
        "name": "HTTP Request",
        "title": "SMA HTTP Request",
        "type": "web-service.http_request",
        "base_type": "activity",
        "properties": {
          "action_timeout": 180,
          "allow_auto_redirect": true,
          "continue_on_error_status_code": false,
          "continue_on_failure": false,
          "description": "add SMA target and auth headers",
          "display_name": "SMA HTTP Request",
          "method": "GET",
          "relative_url": "/sma/api/v2.0/quarantine/messages?endDate=2018-11-21T23:59:00.000Z&limit=25&offset=0&orderBy=date&orderDir=desc&quarantineType=spam&startDate=2018-07-01T00:00:00.000Z",
          "runtime_user": {
            "override_target_runtime_user": false,
            "target_default": true
          },
          "skip_execution": false,
          "target": {
            "override_workflow_target": false,
            "override_workflow_target_group_criteria": false,
            "use_workflow_target": true,
            "use_workflow_target_group": false
          }
        },
        "object_type": "definition_activity"
      }
    ],
    "categories": [
      "category_1BMfMXSnJMyt5Ihqi7rWJr5N8cf"
    ]
  }
}
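The workflow above leaves the target, the auth headers and the response handling to the reader. The following is an added example (not code from the thread, from Cisco, or from the SecureX workflow above) of what a practitioner would run locally to validate the three pieces before wiring them into the HTTP Request action: building the relative URL with proper encoding (the URL quoted in the thread contains a stray space after the first "&", which a real GET line would not survive), the Authorization header the HTTP target needs, and parsing of one page of results plus the offset/limit pagination. It assumes HTTP Basic authentication against the AsyncOS API and a response shaped as a "meta.totalCount" plus a "data" array of "attributes"/"mid" items; the host name, the credentials and the sample response below are constructed for the example and are not real SMA data.

```python
"""Local check of the SMA quarantine query used by the orchestration HTTP Request action.

Added example, not from the thread. Assumptions: AsyncOS API v2.0 path as quoted in
the thread, HTTP Basic auth, and a response of the shape {"meta": {"totalCount": N},
"data": [{"attributes": {...}, "mid": ...}]}. SAMPLE_RESPONSE is constructed, not real.
"""
import base64
import json
from datetime import datetime, timezone
from urllib.parse import urlencode

QUARANTINE_PATH = "/sma/api/v2.0/quarantine/messages"
SMA_HOST = "sma.example.com"  # assumed host name; in orchestration this is the HTTP target


def iso_z(dt: datetime) -> str:
    """Format a datetime as the API expects it: UTC, millisecond field, trailing Z."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_relative_url(start: datetime, end: datetime, limit: int = 25,
                       offset: int = 0, quarantine_type: str = "spam") -> str:
    """Build the relative URL for the HTTP Request action; urlencode guarantees no
    stray whitespace and encodes the ':' characters in the timestamps."""
    if start >= end:
        raise ValueError("startDate must be earlier than endDate")
    params = {
        "endDate": iso_z(end),
        "limit": limit,
        "offset": offset,
        "orderBy": "date",
        "orderDir": "desc",
        "quarantineType": quarantine_type,
        "startDate": iso_z(start),
    }
    return QUARANTINE_PATH + "?" + urlencode(params)


def basic_auth_header(username: str, passphrase: str) -> dict:
    """Headers to configure on the HTTP target / HTTP Request action (Basic auth assumed)."""
    token = base64.b64encode(f"{username}:{passphrase}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def parse_quarantine_page(body):
    """Flatten one page of the response into (total_count, list of message summaries)."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    total = int(doc.get("meta", {}).get("totalCount", 0))
    messages = []
    for item in doc.get("data", []):
        attrs = item.get("attributes", {})
        messages.append({
            "mid": item.get("mid"),
            "subject": attrs.get("subject"),
            "from": attrs.get("fromAddress", []),
            "to": attrs.get("toAddress", []),
            "date": attrs.get("date"),
        })
    return total, messages


def next_offset(offset: int, limit: int, total: int):
    """Offset for the next page, or None when offset+limit already covers totalCount."""
    nxt = offset + limit
    return nxt if nxt < total else None


# Constructed sample reply (two quarantined messages), not captured from a real SMA.
SAMPLE_RESPONSE = {
    "meta": {"totalCount": 2},
    "data": [
        {"attributes": {"subject": "Invoice overdue", "fromAddress": ["billing@example.net"],
                        "toAddress": ["alice@example.com"], "date": "21 Nov 2018 10:02 (GMT)"},
         "mid": 1675},
        {"attributes": {"subject": "Password reset", "fromAddress": ["it-desk@example.org"],
                        "toAddress": ["bob@example.com"], "date": "20 Nov 2018 16:41 (GMT)"},
         "mid": 1668},
    ],
}


if __name__ == "__main__":
    url = build_relative_url(datetime(2018, 7, 1), datetime(2018, 11, 21, 23, 59))
    print("GET https://" + SMA_HOST + url)
    print(basic_auth_header("apiuser", "passphrase"))
    total, msgs = parse_quarantine_page(SAMPLE_RESPONSE)
    print(total, [m["mid"] for m in msgs], "next offset:", next_offset(0, 25, total))
```

In the orchestration workflow the `Authorization` and `Accept` headers go on the HTTP target (or in the action's header list) and the string returned by `build_relative_url` is the action's `relative_url`; the offset loop is the part you would model as a condition block around the HTTP Request action when `totalCount` exceeds the page size.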

Hi Chris

Now the customer is using an on-prem ESA managed with SMA. That's why I don't get how to do that....

chrivand (Cisco Employee)

Hi Markus, if it is on-prem you will either need to poke an inbound hole in the FW (not recommended) or wait until the SecureX orchestration remote connector is released (should be very soon). When it is released you can create internal targets and reach them the same way as I described above.

Awesome, thanks!