Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3399
Views
15
Helpful
0
Comments

AMP for Endpoints: Get started with SecureX Orchestration!

deaguo
Cisco Employee
Cisco Employee

‎01-23-2021 11:27 PM - edited ‎01-23-2021 11:32 PM

What is SecureX?

Cisco SecureX is included with all Secure Endpoint (formerly AMP for Endpoints) subscriptions. SecureX is a cloud-native platform that aggregates capabilities across your security environment. It’s designed to simplify your environment, improve visibility and context, and maximize your team’s efficiency.

If you have not activated SecureX yet, click here for instructions on how to do that.

 

What is SecureX Orchestration?

SecureX Orchestration provides a no-to-low code approach for building automated workflows. These workflows can interact with various types of resources and systems, whether they’re from Cisco or a third-party.

We’ve prebuilt several workflows that you can plug in right away. Regular workflows can be scheduled to run at a time interval of your choosing. Other workflows include response workflows, which you can use to speed up your incident investigations. Response workflows are triggered either from a SecureX Threat Response pivot menu or the Threat Response API.

 

image.png

One way to access workflows is through a Threat Response pivot menu.

 

To learn more, go to the getting started page for SecureX Orchestration. There are several short videos that will get you set up quickly.
 

What kind of prebuilt workflows are available today?

There are 9 regular workflows and 5 response workflows currently available. We’ll highlight two today.

1) Hunt for endpoints vulnerable to a given CVE (requires Advantage tier)

This workflow gives you the one-click ability to search all your endpoints for vulnerabilities using Orbital Advanced Search. It iterates through your whole environment and generates a table of results showing which endpoints are vulnerable and which aren’t. After the Orbital query executes, it opens up a ServiceNow incident detailing which endpoints vulnerabilities. You can modify the prebuilt workflow to search for any CVE that Orbital has a query for.

2) AMP Host Isolation with Tier 2 Approval

This is a response workflow used as part of an incident investigation. Using this workflow, instead of isolating a host directly, we can trigger an email that sends a request to approve host isolation. If the approval is granted, then the endpoint is isolated. With this workflow, we improve our incident response process by ensuring our desired business logic is executed. You may want to modify the workflow to fit your organization’s specific needs.

 

How do I get started importing workflows?

You can import or export workflows three ways:

  • Copy and paste a workflow as JSON-formatted text
  • Download or upload a text file containing a workflow
  • Commit or download a workflow from a GitHub or Bitbucket repository

Note that if you import a workflow without importing the dependencies, it will fail.

When using GitHub without 2FA, you can configure SecureX to access it using your GitHub username and password. Otherwise, you must generate and use a Personal Access Token. This video contains more info about how to manage your repositories.

 

What are the basics I need to know to create my own workflows?

Atomic Actions are essentially functions that you can reuse across your workflows. We have prebuilt Atomic Actions, and you can also create your own.

Targets are resources you want your workflow to communicate with, such as POP/SMTP targets for email handling, or HTTP endpoints for web-based APIs, or terminal endpoints for executing via SSH.

Account Keys are credentials used by targets when communicating with a resource.

Variables can store information within a workflow or also be global so that multiple workflows can use it. Variables can take many forms, including String, Boolean, DateTime, and Secure Strings.

Schedules allow you to run your workflows at certain time intervals you specify, and Calendars allow you to set schedules easily with predefined dates (every Thanksgiving, every Day, Weekly on Friday, etc.)

The Workflow Editor allows you to build your workflows or edit existing ones.

 

image.png

The activity list on the left contains the building blocks you need for your workflows. 

The canvas in the middle allows you to drag and drop and edit your workflow.

The properties tab on the right allows you to modify the details of your workflow component.

 

Last thoughts

Hope you found this helpful! We’ll be adding more prebuilt workflows over time. For more information, check out our additional resources section.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents