
P0nt05/dragonfly


CiscoSecureX-TheHive

Short Description:

Cisco SecureX Action Orchestrator Workflows - Casebook - TheHive sync

This Workflow creates a Case in the Cisco SecureX Casebook and an associated TheHive Case, and keeps all Observables synced between them!

NOTE: Be aware that SecureX is available in different regions:

(Image: Automated_IR_with_SecureX___TheHive)

The goal is to hand over Observables from SecureX to TheHive via the built-in orchestrator (SecureX Orchestration, SXO) Workflows.

Features:

  • faster Incident Response and handover to the SOC team
  • easy exchange of Observables from the Cisco Secure platform into the TheHive SIRP
  • automatic Observable enrichment into TheHive via the Casebook browser plug-in
    • no more manual copy & paste actions
    • no more typos from adding Observables by hand
    • automated start of Cortex Analyzers just by adding the observables
    • completely independent: only a website is needed to extract the observables

Create both Cases and map them to each other via a Global Variable Table inside SXO

SecureX orchestration

AO Workflow: ". . . create Casebook and sync it with TheHive 🐝" (GIF: Case Creation)

Sync Observables from the SecureX Casebook to TheHive (manual task via an SXO Response Action in Threat Response)

(TODO: add slide about the sync)

SXO Workflow: "Parse Casebooks Observables and add missing to TheHive 🧩" (GIF: Casebook_TheHive_manually_sync)
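The two workflow steps above (map the Casebook to a TheHive Case through a variable table, then parse the Casebook observables and add only the missing ones) can be illustrated in plain Python. This is an added example, not the project's SXO workflow JSON: it assumes Casebook observables arrive as CTIM-style `{"type", "value"}` dicts, that TheHive stores them as artifacts with `dataType`/`data`, and that the type mapping, the case mapping table, the sample observables and the TheHive endpoint named in the comments are constructed or assumed for illustration.

```python
"""Added example: diff SecureX Casebook observables against a TheHive case
and build the artifacts that still need to be created (not the project's code)."""
from typing import Dict, List, Tuple

# Assumed mapping from CTIM observable types (SecureX Casebook) to TheHive dataType names.
# Anything not listed falls back to TheHive's generic "other" type.
CTIM_TO_THEHIVE: Dict[str, str] = {
    "ip": "ip", "ipv6": "ip", "domain": "domain", "hostname": "fqdn",
    "url": "url", "email": "mail", "file_name": "filename",
    "sha256": "hash", "sha1": "hash", "md5": "hash",
}

# Stand-in for the SXO Global Variable Table (Casebook id -> TheHive case id); constructed ids.
CASE_MAP: Dict[str, str] = {"casebook-1234": "~40960"}

# Constructed sample input: a Casebook observables list and the artifacts already in the case.
CASEBOOK_OBSERVABLES: List[Dict[str, str]] = [
    {"type": "ip", "value": "198.51.100.7"},
    {"type": "domain", "value": "Example.COM "},   # mixed case plus a stray space
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "ip", "value": "198.51.100.7"},       # duplicate inside the Casebook itself
    {"type": "user", "value": "jdoe"},             # no TheHive equivalent -> "other"
]
EXISTING_ARTIFACTS: List[Dict[str, str]] = [{"dataType": "ip", "data": "198.51.100.7"}]


def normalize(data_type: str, value: str) -> str:
    """Canonical form used for comparison, so repeated syncs do not create duplicates."""
    value = value.strip()
    if data_type in ("ip", "domain", "fqdn", "hash", "mail"):
        return value.lower()
    return value  # URLs and filenames can be case-sensitive; leave them untouched


def to_artifact_key(observable: Dict[str, str]) -> Tuple[str, str]:
    """Translate one CTIM observable into a (dataType, data) pair as TheHive would store it."""
    data_type = CTIM_TO_THEHIVE.get(observable["type"], "other")
    return data_type, normalize(data_type, observable["value"])


def missing_observables(casebook_obs: List[Dict[str, str]],
                        existing_artifacts: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return the Casebook observables not yet present in the TheHive case, deduplicated,
    in the order they appear in the Casebook."""
    seen = {(a["dataType"], normalize(a["dataType"], a["data"])) for a in existing_artifacts}
    missing: List[Tuple[str, str]] = []
    for obs in casebook_obs:
        key = to_artifact_key(obs)
        if key in seen:
            continue
        seen.add(key)
        missing.append(key)
    return missing


def build_artifact_payloads(casebook_id: str, casebook_obs: List[Dict[str, str]],
                            existing_artifacts: List[Dict[str, str]]):
    """Resolve the TheHive case via the mapping table and build one create-artifact body
    per missing observable (field names follow TheHive's artifact model: dataType, data,
    tags, tlp, message; the tag values are constructed)."""
    if casebook_id not in CASE_MAP:
        raise KeyError(f"no TheHive case mapped for casebook {casebook_id!r}")
    payloads = [
        {"dataType": dt, "data": d, "tlp": 2,
         "tags": ["securex-casebook", casebook_id],
         "message": f"synced from SecureX Casebook {casebook_id}"}
        for dt, d in missing_observables(casebook_obs, existing_artifacts)
    ]
    return CASE_MAP[casebook_id], payloads


if __name__ == "__main__":
    case_id, payloads = build_artifact_payloads("casebook-1234", CASEBOOK_OBSERVABLES,
                                                EXISTING_ARTIFACTS)
    # Assumed TheHive endpoint for creating an observable on a case.
    print(f"would POST /api/case/{case_id}/artifact for each of:")
    for body in payloads:
        print(body)
```

Normalizing before the comparison is what makes the workflow safe to re-run (as a manual Response Action or on a schedule): a domain typed once in upper case and once in lower case is treated as the same observable, while URLs keep their exact form because their paths may be case-sensitive.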

Integration of the Casebook browser plug-in to add Observables into a TheHive Case (via a Cisco Casebook Case)

(TODO: add slide about the Casebook integration)

SXO Workflow: none needs to be triggered by hand; this runs as a scheduled Workflow

Find observable(s) on a page via the Casebook browser plug-in (for Chrome and Firefox)

(GIF: Casebook_Find_observable_in_page)

TheHive receives the observable(s) and starts the appropriate Analyzers

(GIF: TheHive_Added_observables_in_case_analyzer_starts)

Installation

Detailed installation instructions can be found HERE
