Secure Email Integrations Corner

XDR workflows and other integrations

Secure Email allows customers and partners to integrate it with their own applications and to build their own integrations on top of it.

On this page you can see some of the integrations we have built that are ready for you to use.

Security Mailbox Monitor

This integration lets users report a message to a security mailbox; the attached message is then uploaded to Splunk Attack Analyzer (SAA) for analysis and, if SAA returns a display score of 55 or higher, an incident is opened in Cisco XDR for security analysts to investigate.


Required components:

  • Cisco Phishing Submission add-in
  • Cisco Email Threat Defense
  • MS Graph API
  • Splunk Attack Analyzer
  • Cisco XDR

Download the JSON file here and import it as a workflow into Cisco XDR Automation. Use the downloaded file rather than copying the listing below, because the quotes inside the embedded Python script strings are rendered unescaped. Before importing, review these points: the two Splunk Attack Analyzer HTTP activities send the SAA key as a clear-text `X-API-Key` custom header stored in the workflow definition, so set your own key there and treat any key that has been published this way as compromised; the Splunk Attack Analyzer target has `disable_certificate_validation` set to `true` even though it is a public HTTPS endpoint, so set it back to `false` unless you have a specific reason not to; the Microsoft Graph runtime user is tied to the author's `client_id` and `tenant_id` and requests the `mail.send` scope, which nothing in this workflow uses, so re-create it against your own app registration with only the scopes you need; and the reported message's Subject is interpolated without escaping into the JSON array passed to the "Create XDR Investigation" sub-workflow, so a subject containing a double quote will break or alter that payload.

{
"workflow": {
"unique_name": "definition_workflow_02EOCBFQ4CGB22ZxVb9r2Ol8zSRUgLIBN6W",
"name": "Security Mailbox Monitor",
"title": "Security Mailbox Monitor",
"type": "generic.workflow",
"base_type": "workflow",
"variables": [
{
"schema_id": "datatype.integer",
"properties": {
"value": 0,
"scope": "local",
"name": "Global_score",
"type": "datatype.integer",
"is_required": false,
"display_on_wizard": false,
"is_invisible": false
},
"unique_name": "variable_workflow_02F75GW1FZ7FA1B0ZcBdAbPGlV1xMohCHef",
"object_type": "variable_workflow"
}
],
"properties": {
"atomic": {
"is_atomic": false
},
"automation_rules": {
"type": [
"email.rule_event"
]
},
"delete_workflow_instance": false,
"description": "Monitor Security Mailbox submissions from users, upload them to SAA, and generate an XDR incident",
"display_name": "Security Mailbox Monitor",
"runtime_user": {
"target_default": true
},
"target": {
"no_target": true
}
},
"object_type": "definition_workflow",
"actions": [
{
"unique_name": "definition_activity_02EOCEW5ZWKDC45vGly2MkeaGMbtoHVo6Sp",
"name": "Upload File",
"title": "Upload File to SAA",
"type": "email.upload_file",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"continue_on_failure": false,
"display_name": "Upload File to SAA",
"http_request": {
"allow_auto_redirect": true,
"allow_headers_redirect": false,
"body_data": {
"body_type": "form-data",
"form_data": [
{
"key": "filename",
"key_type": "text",
"value": "$rule.email rule_event.output.attachments[0].file_name$"
},
{
"key": "filedata",
"key_type": "file",
"path": "$rule.email rule_event.output.attachments[0].file_path$"
}
]
},
"continue_on_error_status_code": false,
"custom_headers": [
{
"name": "X-API-Key",
"value": "<YOUR_SAA_API_KEY>"
}
],
"method": "POST",
"relative_url": "/v1/jobs/files"
},
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "definition_target_02EOCFT9CR51I1fFPHjMfXyHGPkzM1vNZ43"
},
"target_type": "web-service.endpoint"
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCHJXCX0954K8vsXax8i7ZKBqQZiBTNm",
"name": "Execute Python Script",
"title": "Get SAA JobID",
"type": "python3.script",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"continue_on_failure": false,
"description": "Get information about the jobID after uploading the EML file for analysis.\n",
"display_name": "Get SAA JobID",
"script": "import json\n\n# The given dictionary\ndata = $activity.definition_activity_02EOCEW5ZWKDC45vGly2MkeaGMbtoHVo6Sp.output.response_body$\n\n# Extract the response body as a string\nresponse_body = data["response_body"]\n\n# Parse the JSON string in the response body\nparsed_response = json.loads(response_body)\n\n# Extract and print the JobID\njob_id = parsed_response["JobID"]\nprint(job_id)",
"skip_execution": false
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCJ4U9R4KP4dVvFMuB2pwU1wvMQMbEhp",
"name": "Sleep",
"title": "Wait for SAA to finish Analysis",
"type": "core.sleep",
"base_type": "activity",
"properties": {
"continue_on_failure": false,
"description": "Wait for SAA to finish Analysis",
"display_name": "Wait for SAA to finish Analysis",
"skip_execution": false,
"sleep_interval": 90
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCJOISW7V05TrfjuEkI0q7dgqeQTdzHp",
"name": "HTTP Request",
"title": "Get results from SAA analysis",
"type": "web-service.http_request",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"allow_auto_redirect": true,
"allow_headers_redirect": false,
"continue_on_error_status_code": false,
"continue_on_failure": false,
"custom_headers": [
{
"name": "X-API-key",
"value": "<YOUR_SAA_API_KEY>"
}
],
"display_name": "Get results from SAA analysis",
"method": "GET",
"relative_url": "/v1/jobs/$activity.definition_activity_02EOCHJXCX0954K8vsXax8i7ZKBqQZiBTNm.output.response_body$",
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "definition_target_02EOCFT9CR51I1fFPHjMfXyHGPkzM1vNZ43"
}
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCJRE4P4SE3TWZEep4XiVX78kKByHEDM",
"name": "JSONPath Query",
"title": "Get the score from SAA Analysis",
"type": "corejava.jsonpathquery",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"continue_on_failure": false,
"display_name": "Get the score from SAA Analysis",
"input_json": "$activity.definition_activity_02EOCJOISW7V05TrfjuEkI0q7dgqeQTdzHp.output.response_body$",
"jsonpath_queries": [
{
"jsonpath_query": "$.DisplayScore",
"jsonpath_query_name": "score",
"jsonpath_query_type": "integer"
}
],
"skip_execution": false
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCTSHYPD103f6RcqwW8h1OMMJtNVtKVN",
"name": "Condition Block",
"title": "Verify The Score and Open XDR Incident",
"type": "logic.if_else",
"base_type": "activity",
"properties": {
"continue_on_failure": false,
"description": "In this step we verify the score from the SAA analysis and, if it is 55 or higher, open an XDR incident populated with information and details from the SAA analysis",
"display_name": "Verify The Score and Open XDR Incident",
"skip_execution": false
},
"object_type": "definition_activity",
"blocks": [
{
"unique_name": "definition_activity_02EOCTSITMZS31xVzGWo0qkYzRxN44pBVCN",
"name": "Condition Branch",
"title": "Is Malicious?",
"type": "logic.condition_block",
"base_type": "activity",
"properties": {
"condition": {
"left_operand": "$activity.definition_activity_02EOCJRE4P4SE3TWZEep4XiVX78kKByHEDM.output.jsonpath_queries.score$",
"operator": "gte",
"right_operand": 55
},
"continue_on_failure": false,
"description": "Considered malicious if the score from SAA is 55 or higher",
"display_name": "Is Malicious?",
"skip_execution": false
},
"object_type": "definition_activity",
"actions": [
{
"unique_name": "definition_activity_02EOCCGM7SA4058ayi0tbFtOuqq37nJo7gF",
"name": "Execute Python Script",
"title": "Get Email Subject",
"type": "python3.script",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"continue_on_failure": false,
"display_name": "Get Email Subject",
"script": "import re\nheaders = """\n$rule.email rule_event.output.attachments[0].attachment_headers$\n"""\n# Using regular expression to find "Subject" and extract its value\nmatch = re.search(r'"header_name".*?"Subject".*?"header_value":"(.*?)"', headers)\n\nif match:\n subject_value = match.group(1)\n print(subject_value)\nelse:\n print("Subject not found or pattern mismatch.")",
"skip_execution": false
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCXI2EN5BX2AAHQMdb8yP1LUatShkwkO",
"name": "Create XDR Investigation for the Email Subject",
"title": "Create XDR Investigation for the Email Subject",
"type": "workflow.atomic_workflow",
"base_type": "subworkflow",
"properties": {
"continue_on_failure": false,
"display_name": "Create XDR Investigation for the Email Subject",
"input": {
"variable_workflow_02E6L8TIKXHX141VLVvGzypDItlDUq9zeFn": "[\n{\n"type":"email_subject",\n"value":"$activity.definition_activity_02EOCCGM7SA4058ayi0tbFtOuqq37nJo7gF.output.response_body$"\n}\n]",
"variable_workflow_02E6M077TQNE37LVfe1icU1e9oBuhSpCGeG": true,
"variable_workflow_02E6M0Z9W4C7X44s2l9tz3pdjygSd4j3SP7": "Search for Email Subject",
"variable_workflow_02E6M1MNKPVK51WxgW3y0y70jOTSKYTvrJF": ""
},
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "$module_target;Cisco XDR;securex:ao:conure$",
"target_type": "web-service.endpoint"
},
"workflow_id": "definition_workflow_02E6L77SRA2I83cArClmRrkQwKxyJUnOO9e",
"workflow_name": "XDR - Investigate - Create Investigation"
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOD0VAR9FZX61m0hiH4rTG42lHFUbFAVB",
"name": "Create XDR Incident",
"title": "Create XDR Incident",
"type": "workflow.atomic_workflow",
"base_type": "subworkflow",
"properties": {
"continue_on_failure": false,
"display_name": "Create XDR Incident",
"input": {
"variable_workflow_02E7JHIDNJXJT0VUBJH4btWAqAdSxSRkXNI": "[]",
"variable_workflow_02E7JHIDNKXQN6eL9VIoqsA5rwPZIVgrnqq": "Get the full details here: https://app.global2.twinwave.io/job/$activity.definition_activity_02EOCHJXCX0954K8vsXax8i7ZKBqQZiBTNm.output.response_body$",
"variable_workflow_02E7JHIDNL5R43fY9a5yZIFcvkTjpWV8zAL": "Splunk Attack Analyzer",
"variable_workflow_02E7JHIDNLE346y67G53BxqvyTMA36Hwjpp": "[]",
"variable_workflow_02E7JHIDNLUM62wxMzKgGFwjdisMxJkhuC0": "User Reported Phishing Email - Threat Detected",
"variable_workflow_02E7JHIDNM5CT5MntnIK98bXFbvnO7TVEi0": "New Email Threat found on SAA",
"variable_workflow_02E7JHIDNME926pbbypiRbBUqbgKNw5dfXg": "https://app.global2.twinwave.io/job/$activity.definition_activity_02EOCHJXCX0954K8vsXax8i7ZKBqQZiBTNm.output.response_body$",
"variable_workflow_02E7JJUJ8LC6Q7ez1Z5HUGCXPK6HgjnWzLN": "High",
"variable_workflow_02E7JJXHYEVJ854sNRZSvvgrQFx8DtI9GeU": "New",
"variable_workflow_02E7JK0V94UQ33WyPauuXnObBs6mv4acgdX": "amber",
"variable_workflow_02EBMU39H8DCW2Lin5KTjWNUuXDuywy8UBe": "[]"
},
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "$module_target;Cisco XDR;securex:ao:iroh_api$",
"target_type": "web-service.endpoint"
},
"workflow_id": "definition_workflow_02E7JHID4LM1X7XL7fEe2ZJLJMH3aM86MbU",
"workflow_name": "XDR - Incident - Create Incident"
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOD287QA8GZ5caoqwLnMwjZCuhVBAH8dD",
"name": "Add observables to XDR Incident",
"title": "Add observables to XDR Incident",
"type": "workflow.atomic_workflow",
"base_type": "subworkflow",
"properties": {
"continue_on_failure": false,
"display_name": "Add observables to XDR Incident",
"input": {
"variable_workflow_02E6KQHENZS7S0v5hrY5eLPxQrRoEe4Gwzi": "$activity.definition_activity_02EOD0VAR9FZX61m0hiH4rTG42lHFUbFAVB.output.variable_workflow_02E7JVUE9NXI45BaJxoQZ0DrVh5oCALZChg$",
"variable_workflow_02E6KSP8E2VTQ2M5EjBWXwBk136D9mv6gC2": "$activity.definition_activity_02EOCXI2EN5BX2AAHQMdb8yP1LUatShkwkO.output.variable_workflow_02E6LFUN3FSYE1kmZVNUyZzN326s64w0QO4$",
"variable_workflow_02E6OD7EDU6TQ3uIAsfHLPn1kVLoEwKlU0N": "investigation"
},
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "$module_target;Cisco XDR;securex:ao:conure$",
"target_type": "web-service.endpoint"
},
"workflow_id": "definition_workflow_02E6KP4WL9DTX5uxh14ryljH9zdQwAn4CrM",
"workflow_name": "XDR - Incident - Link Object"
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02F75G3F3XWB03Cf9uca0d9Jx3y4ws9Uvk2",
"name": "Set Variables",
"title": "Calculate Global Score",
"type": "core.set_multiple_variables",
"base_type": "activity",
"properties": {
"continue_on_failure": false,
"display_name": "Calculate Global Score",
"skip_execution": false,
"variables_to_update": [
{
"variable_to_update": "$workflow.definition_workflow_02EOCBFQ4CGB22ZxVb9r2Ol8zSRUgLIBN6W.local.variable_workflow_02F75GW1FZ7FA1B0ZcBdAbPGlV1xMohCHef$",
"variable_value_new": "$workflow.definition_workflow_02EOCBFQ4CGB22ZxVb9r2Ol8zSRUgLIBN6W.local.variable_workflow_02F75GW1FZ7FA1B0ZcBdAbPGlV1xMohCHef$+($activity.definition_activity_02EOCJRE4P4SE3TWZEep4XiVX78kKByHEDM.output.jsonpath_queries.score$_10)"
}
]
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOD398OW1403TLolKvj7cI6xSulIKfpJQ",
"name": "HTTP Request",
"title": "Update XDR Incident Score",
"type": "web-service.http_request",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"allow_auto_redirect": true,
"allow_headers_redirect": false,
"body": "{\n"scores": {\n "asset": 10,\n "ttp": $activity.definition_activity_02EOCJRE4P4SE3TWZEep4XiVX78kKByHEDM.output.jsonpath_queries.score$,\n "global":$workflow.definition_workflow_02EOCBFQ4CGB22ZxVb9r2Ol8zSRUgLIBN6W.local.variable_workflow_02F75GW1FZ7FA1B0ZcBdAbPGlV1xMohCHef$ \n }\n}",
"content_type": "application/json",
"continue_on_error_status_code": false,
"continue_on_failure": false,
"description": "Update the incident score to reflect the SAA score",
"display_name": "Update XDR Incident Score",
"method": "PATCH",
"relative_url": "/private-intel/incident/$activity.definition_activity_02EOD0VAR9FZX61m0hiH4rTG42lHFUbFAVB.output.variable_workflow_02E7JVUE9NXI45BaJxoQZ0DrVh5oCALZChg$",
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "$module_target;Cisco XDR;securex:ao:iroh_api$"
}
},
"object_type": "definition_activity"
}
]
},
{
"unique_name": "definition_activity_02EOCTSJAG9PK5TWo6VXiIIeONT5lIbbLoU",
"name": "Condition Branch",
"title": "Condition Branch",
"type": "logic.condition_block",
"base_type": "activity",
"properties": {
"condition": {
"left_operand": "$activity.definition_activity_02EOCJRE4P4SE3TWZEep4XiVX78kKByHEDM.output.jsonpath_queries.score$",
"operator": "lt",
"right_operand": 55
},
"continue_on_failure": true,
"display_name": "Condition Branch",
"skip_execution": true
},
"object_type": "definition_activity"
}
]
}
],
"categories": [
"category_024TS3XB5CE1D6sGxxGUpb1U03KChYjobUb"
]
},
"rules": {
"ruleevent_02EOCDD3NCYJN4HkoWUx8EFa6AggnSTu6PU": {
"name": "Security Mailbox Monitor",
"title": "Security Mailbox Monitor",
"type": "email.rule_event",
"rule_type": "rule_event",
"base_type": "rule",
"object_type": "ruleevent",
"version": "1.0.0",
"properties": {
"action": "read",
"description": "",
"disabled": false,
"display_name": "Security Mailbox Monitor",
"download_attachments": true,
"folder": "INBOX",
"rule_type": "rule_event",
"target_id": "definition_target_02EOCAFDR7Y8T4m4amUuizAc24tGbsZ5wsA",
"title": "Security Mailbox Monitor",
"workflows_config": [
{
"disabled": false,
"ref_id": "definition_workflow_02EOCBFQ4CGB22ZxVb9r2Ol8zSRUgLIBN6W",
"status": {
"state": "started-polling",
"prev_state": "started-polling",
"error_msg": ""
}
}
]
},
"disabled": false,
"unique_name": "ruleevent_02EOCDD3NCYJN4HkoWUx8EFa6AggnSTu6PU"
}
},
"targets": {
"definition_target_02EOCAFDR7Y8T4m4amUuizAc24tGbsZ5wsA": {
"unique_name": "definition_target_02EOCAFDR7Y8T4m4amUuizAc24tGbsZ5wsA",
"name": "Domain A Security Mailbox",
"title": "Domain A Security Mailbox",
"type": "email.azure_graph_endpoint",
"base_type": "target",
"object_type": "definition_target",
"properties": {
"default_runtime_user_id": "definition_runtime_user_02EO7EV6VHW9C2gJQk32QpQSlsPV5Uywo21",
"description": "Domain A Security Mailbox",
"display_name": "Domain A Security Mailbox",
"host": "https://graph.microsoft.com/v1.0"
}
},
"definition_target_02EOCFT9CR51I1fFPHjMfXyHGPkzM1vNZ43": {
"unique_name": "definition_target_02EOCFT9CR51I1fFPHjMfXyHGPkzM1vNZ43",
"name": "Splunk Attack Analyzer",
"title": "Splunk Attack Analyzer",
"type": "web-service.endpoint",
"base_type": "target",
"object_type": "definition_target",
"properties": {
"description": "Splunk Attack Analyzer",
"disable_certificate_validation": true,
"display_name": "Splunk Attack Analyzer",
"host": "api.global2.twinwave.io",
"ignore_proxy": true,
"no_runtime_user": true,
"protocol": "https"
}
}
},
"runtime_users": {
"definition_runtime_user_02EO7EV6VHW9C2gJQk32QpQSlsPV5Uywo21": {
"unique_name": "definition_runtime_user_02EO7EV6VHW9C2gJQk32QpQSlsPV5Uywo21",
"name": "Microsoft Domain A",
"title": "Microsoft Domain A",
"type": "runtime_user.oauth2_azure_graph_credentials",
"base_type": "runtime_user",
"object_type": "definition_runtime_user",
"properties": {
"client_id": "30e0997a-09ea-4f07-9c6b-66a31c550bd5",
"display_name": "Microsoft Domain A",
"grant_type": "authorization_code",
"scope": "openid offline_access mail.readwrite mail.send user.read",
"tenant_id": "af386ae5-06d4-4a22-8d7d-fe8b020e3d08"
}
}
},
"atomic_workflows": [
"definition_workflow_02E6L77SRA2I83cArClmRrkQwKxyJUnOO9e",
"definition_workflow_02E7JHID4LM1X7XL7fEe2ZJLJMH3aM86MbU",
"definition_workflow_02E6KP4WL9DTX5uxh14ryljH9zdQwAn4CrM"
],
"dependent_workflows": [
"definition_workflow_02E6L77SRA2I83cArClmRrkQwKxyJUnOO9e",
"definition_workflow_02E7JHID4LM1X7XL7fEe2ZJLJMH3aM86MbU",
"definition_workflow_02E6KP4WL9DTX5uxh14ryljH9zdQwAn4CrM"
],
"module_targets": [
{
"module_type": "Cisco XDR",
"external_id": "securex:ao:conure"
},
{
"module_type": "Cisco XDR",
"external_id": "securex:ao:iroh_api"
}
]
}

{
"workflow": {
"unique_name": "definition_workflow_02EOCBFQ4CGB22ZxVb9r2Ol8zSRUgLIBN6W",
"name": "Security Mailbox Monitor",
"title": "Security Mailbox Monitor",
"type": "generic.workflow",
"base_type": "workflow",
"variables": [
{
"schema_id": "datatype.integer",
"properties": {
"value": 0,
"scope": "local",
"name": "Global_score",
"type": "datatype.integer",
"is_required": false,
"display_on_wizard": false,
"is_invisible": false
},
"unique_name": "variable_workflow_02F75GW1FZ7FA1B0ZcBdAbPGlV1xMohCHef",
"object_type": "variable_workflow"
}
],
"properties": {
"atomic": {
"is_atomic": false
},
"automation_rules": {
"type": [
"email.rule_event"
]
},
"delete_workflow_instance": false,
"description": "Monitor Security Mailbox submissions from users, upload them to SAA, and generate an XDR incident",
"display_name": "Security Mailbox Monitor",
"runtime_user": {
"target_default": true
},
"target": {
"no_target": true
}
},
"object_type": "definition_workflow",
"actions": [
{
"unique_name": "definition_activity_02EOCEW5ZWKDC45vGly2MkeaGMbtoHVo6Sp",
"name": "Upload File",
"title": "Upload File to SAA",
"type": "email.upload_file",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"continue_on_failure": false,
"display_name": "Upload File to SAA",
"http_request": {
"allow_auto_redirect": true,
"allow_headers_redirect": false,
"body_data": {
"body_type": "form-data",
"form_data": [
{
"key": "filename",
"key_type": "text",
"value": "$rule.email rule_event.output.attachments[0].file_name$"
},
{
"key": "filedata",
"key_type": "file",
"path": "$rule.email rule_event.output.attachments[0].file_path$"
}
]
},
"continue_on_error_status_code": false,
"custom_headers": [
{
"name": "X-API-Key",
"value": "<YOUR_SAA_API_KEY>"
}
],
"method": "POST",
"relative_url": "/v1/jobs/files"
},
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "definition_target_02EOCFT9CR51I1fFPHjMfXyHGPkzM1vNZ43"
},
"target_type": "web-service.endpoint"
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCHJXCX0954K8vsXax8i7ZKBqQZiBTNm",
"name": "Execute Python Script",
"title": "Get SAA JobID",
"type": "python3.script",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"continue_on_failure": false,
"description": "Get information about the jobID after uploading the EML file for analysis.\n",
"display_name": "Get SAA JobID",
"script": "import json\n\n# The given dictionary\ndata = $activity.definition_activity_02EOCEW5ZWKDC45vGly2MkeaGMbtoHVo6Sp.output.response_body$\n\n# Extract the response body as a string\nresponse_body = data["response_body"]\n\n# Parse the JSON string in the response body\nparsed_response = json.loads(response_body)\n\n# Extract and print the JobID\njob_id = parsed_response["JobID"]\nprint(job_id)",
"skip_execution": false
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCJ4U9R4KP4dVvFMuB2pwU1wvMQMbEhp",
"name": "Sleep",
"title": "Wait for SAA to finish Analysis",
"type": "core.sleep",
"base_type": "activity",
"properties": {
"continue_on_failure": false,
"description": "Wait for SAA to finish Analysis",
"display_name": "Wait for SAA to finish Analysis",
"skip_execution": false,
"sleep_interval": 90
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCJOISW7V05TrfjuEkI0q7dgqeQTdzHp",
"name": "HTTP Request",
"title": "Get results from SAA analysis",
"type": "web-service.http_request",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"allow_auto_redirect": true,
"allow_headers_redirect": false,
"continue_on_error_status_code": false,
"continue_on_failure": false,
"custom_headers": [
{
"name": "X-API-key",
"value": "<YOUR_SAA_API_KEY>"
}
],
"display_name": "Get results from SAA analysis",
"method": "GET",
"relative_url": "/v1/jobs/$activity.definition_activity_02EOCHJXCX0954K8vsXax8i7ZKBqQZiBTNm.output.response_body$",
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "definition_target_02EOCFT9CR51I1fFPHjMfXyHGPkzM1vNZ43"
}
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCJRE4P4SE3TWZEep4XiVX78kKByHEDM",
"name": "JSONPath Query",
"title": "Get the score from SAA Analysis",
"type": "corejava.jsonpathquery",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"continue_on_failure": false,
"display_name": "Get the score from SAA Analysis",
"input_json": "$activity.definition_activity_02EOCJOISW7V05TrfjuEkI0q7dgqeQTdzHp.output.response_body$",
"jsonpath_queries": [
{
"jsonpath_query": "$.DisplayScore",
"jsonpath_query_name": "score",
"jsonpath_query_type": "integer"
}
],
"skip_execution": false
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCTSHYPD103f6RcqwW8h1OMMJtNVtKVN",
"name": "Condition Block",
"title": "Verify The Score and Open XDR Incident",
"type": "logic.if_else",
"base_type": "activity",
"properties": {
"continue_on_failure": false,
"description": "In this step we verify the score from the SAA analysis and, if it is 55 or higher, open an XDR incident populated with information and details from the SAA analysis",
"display_name": "Verify The Score and Open XDR Incident",
"skip_execution": false
},
"object_type": "definition_activity",
"blocks": [
{
"unique_name": "definition_activity_02EOCTSITMZS31xVzGWo0qkYzRxN44pBVCN",
"name": "Condition Branch",
"title": "Is Malicious?",
"type": "logic.condition_block",
"base_type": "activity",
"properties": {
"condition": {
"left_operand": "$activity.definition_activity_02EOCJRE4P4SE3TWZEep4XiVX78kKByHEDM.output.jsonpath_queries.score$",
"operator": "gte",
"right_operand": 55
},
"continue_on_failure": false,
"description": "Considered malicious if the score from SAA is 55 or higher",
"display_name": "Is Malicious?",
"skip_execution": false
},
"object_type": "definition_activity",
"actions": [
{
"unique_name": "definition_activity_02EOCCGM7SA4058ayi0tbFtOuqq37nJo7gF",
"name": "Execute Python Script",
"title": "Get Email Subject",
"type": "python3.script",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"continue_on_failure": false,
"display_name": "Get Email Subject",
"script": "import re\nheaders = """\n$rule.email rule_event.output.attachments[0].attachment_headers$\n"""\n# Using regular expression to find "Subject" and extract its value\nmatch = re.search(r'"header_name".*?"Subject".*?"header_value":"(.*?)"', headers)\n\nif match:\n subject_value = match.group(1)\n print(subject_value)\nelse:\n print("Subject not found or pattern mismatch.")",
"skip_execution": false
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOCXI2EN5BX2AAHQMdb8yP1LUatShkwkO",
"name": "Create XDR Investigation for the Email Subject",
"title": "Create XDR Investigation for the Email Subject",
"type": "workflow.atomic_workflow",
"base_type": "subworkflow",
"properties": {
"continue_on_failure": false,
"display_name": "Create XDR Investigation for the Email Subject",
"input": {
"variable_workflow_02E6L8TIKXHX141VLVvGzypDItlDUq9zeFn": "[\n{\n"type":"email_subject",\n"value":"$activity.definition_activity_02EOCCGM7SA4058ayi0tbFtOuqq37nJo7gF.output.response_body$"\n}\n]",
"variable_workflow_02E6M077TQNE37LVfe1icU1e9oBuhSpCGeG": true,
"variable_workflow_02E6M0Z9W4C7X44s2l9tz3pdjygSd4j3SP7": "Search for Email Subject",
"variable_workflow_02E6M1MNKPVK51WxgW3y0y70jOTSKYTvrJF": ""
},
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "$module_target;Cisco XDR;securex:ao:conure$",
"target_type": "web-service.endpoint"
},
"workflow_id": "definition_workflow_02E6L77SRA2I83cArClmRrkQwKxyJUnOO9e",
"workflow_name": "XDR - Investigate - Create Investigation"
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOD0VAR9FZX61m0hiH4rTG42lHFUbFAVB",
"name": "Create XDR Incident",
"title": "Create XDR Incident",
"type": "workflow.atomic_workflow",
"base_type": "subworkflow",
"properties": {
"continue_on_failure": false,
"display_name": "Create XDR Incident",
"input": {
"variable_workflow_02E7JHIDNJXJT0VUBJH4btWAqAdSxSRkXNI": "[]",
"variable_workflow_02E7JHIDNKXQN6eL9VIoqsA5rwPZIVgrnqq": "Get the full details here: https://app.global2.twinwave.io/job/$activity.definition_activity_02EOCHJXCX0954K8vsXax8i7ZKBqQZiBTNm.output.response_body$",
"variable_workflow_02E7JHIDNL5R43fY9a5yZIFcvkTjpWV8zAL": "Splunk Attack Analyzer",
"variable_workflow_02E7JHIDNLE346y67G53BxqvyTMA36Hwjpp": "[]",
"variable_workflow_02E7JHIDNLUM62wxMzKgGFwjdisMxJkhuC0": "User Reported Phishing Email - Threat Detected",
"variable_workflow_02E7JHIDNM5CT5MntnIK98bXFbvnO7TVEi0": "New Email Threat found on SAA",
"variable_workflow_02E7JHIDNME926pbbypiRbBUqbgKNw5dfXg": "https://app.global2.twinwave.io/job/$activity.definition_activity_02EOCHJXCX0954K8vsXax8i7ZKBqQZiBTNm.output.response_body$",
"variable_workflow_02E7JJUJ8LC6Q7ez1Z5HUGCXPK6HgjnWzLN": "High",
"variable_workflow_02E7JJXHYEVJ854sNRZSvvgrQFx8DtI9GeU": "New",
"variable_workflow_02E7JK0V94UQ33WyPauuXnObBs6mv4acgdX": "amber",
"variable_workflow_02EBMU39H8DCW2Lin5KTjWNUuXDuywy8UBe": "[]"
},
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "$module_target;Cisco XDR;securex:ao:iroh_api$",
"target_type": "web-service.endpoint"
},
"workflow_id": "definition_workflow_02E7JHID4LM1X7XL7fEe2ZJLJMH3aM86MbU",
"workflow_name": "XDR - Incident - Create Incident"
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOD287QA8GZ5caoqwLnMwjZCuhVBAH8dD",
"name": "Add observables to XDR Incident",
"title": "Add observables to XDR Incident",
"type": "workflow.atomic_workflow",
"base_type": "subworkflow",
"properties": {
"continue_on_failure": false,
"display_name": "Add observables to XDR Incident",
"input": {
"variable_workflow_02E6KQHENZS7S0v5hrY5eLPxQrRoEe4Gwzi": "$activity.definition_activity_02EOD0VAR9FZX61m0hiH4rTG42lHFUbFAVB.output.variable_workflow_02E7JVUE9NXI45BaJxoQZ0DrVh5oCALZChg$",
"variable_workflow_02E6KSP8E2VTQ2M5EjBWXwBk136D9mv6gC2": "$activity.definition_activity_02EOCXI2EN5BX2AAHQMdb8yP1LUatShkwkO.output.variable_workflow_02E6LFUN3FSYE1kmZVNUyZzN326s64w0QO4$",
"variable_workflow_02E6OD7EDU6TQ3uIAsfHLPn1kVLoEwKlU0N": "investigation"
},
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "$module_target;Cisco XDR;securex:ao:conure$",
"target_type": "web-service.endpoint"
},
"workflow_id": "definition_workflow_02E6KP4WL9DTX5uxh14ryljH9zdQwAn4CrM",
"workflow_name": "XDR - Incident - Link Object"
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02F75G3F3XWB03Cf9uca0d9Jx3y4ws9Uvk2",
"name": "Set Variables",
"title": "Calculate Global Score",
"type": "core.set_multiple_variables",
"base_type": "activity",
"properties": {
"continue_on_failure": false,
"display_name": "Calculate Global Score",
"skip_execution": false,
"variables_to_update": [
{
"variable_to_update": "$workflow.definition_workflow_02EOCBFQ4CGB22ZxVb9r2Ol8zSRUgLIBN6W.local.variable_workflow_02F75GW1FZ7FA1B0ZcBdAbPGlV1xMohCHef$",
"variable_value_new": "$workflow.definition_workflow_02EOCBFQ4CGB22ZxVb9r2Ol8zSRUgLIBN6W.local.variable_workflow_02F75GW1FZ7FA1B0ZcBdAbPGlV1xMohCHef$+($activity.definition_activity_02EOCJRE4P4SE3TWZEep4XiVX78kKByHEDM.output.jsonpath_queries.score$_10)"
}
]
},
"object_type": "definition_activity"
},
{
"unique_name": "definition_activity_02EOD398OW1403TLolKvj7cI6xSulIKfpJQ",
"name": "HTTP Request",
"title": "Update XDR Incident Score",
"type": "web-service.http_request",
"base_type": "activity",
"properties": {
"action_timeout": 180,
"allow_auto_redirect": true,
"allow_headers_redirect": false,
"body": "{\n"scores": {\n "asset": 10,\n "ttp": $activity.definition_activity_02EOCJRE4P4SE3TWZEep4XiVX78kKByHEDM.output.jsonpath_queries.score$,\n "global":$workflow.definition_workflow_02EOCBFQ4CGB22ZxVb9r2Ol8zSRUgLIBN6W.local.variable_workflow_02F75GW1FZ7FA1B0ZcBdAbPGlV1xMohCHef$ \n }\n}",
"content_type": "application/json",
"continue_on_error_status_code": false,
"continue_on_failure": false,
"description": "Update the incident score to reflect the SAA score",
"display_name": "Update XDR Incident Score",
"method": "PATCH",
"relative_url": "/private-intel/incident/$activity.definition_activity_02EOD0VAR9FZX61m0hiH4rTG42lHFUbFAVB.output.variable_workflow_02E7JVUE9NXI45BaJxoQZ0DrVh5oCALZChg$",
"runtime_user": {
"target_default": true
},
"skip_execution": false,
"target": {
"override_workflow_target": true,
"target_id": "$module_target;Cisco XDR;securex:ao:iroh_api$"
}
},
"object_type": "definition_activity"
}
]
},
{
"unique_name": "definition_activity_02EOCTSJAG9PK5TWo6VXiIIeONT5lIbbLoU",
"name": "Condition Branch",
"title": "Condition Branch",
"type": "logic.condition_block",
"base_type": "activity",
"properties": {
"condition": {
"left_operand": "$activity.definition_activity_02EOCJRE4P4SE3TWZEep4XiVX78kKByHEDM.output.jsonpath_queries.score$",
"operator": "lt",
"right_operand": 55
},
"continue_on_failure": true,
"display_name": "Condition Branch",
"skip_execution": true
},
"object_type": "definition_activity"
}
]
}
],
"categories": [
"category_024TS3XB5CE1D6sGxxGUpb1U03KChYjobUb"
]
},
"rules": {
"ruleevent_02EOCDD3NCYJN4HkoWUx8EFa6AggnSTu6PU": {
"name": "Security Mailbox Monitor",
"title": "Security Mailbox Monitor",
"type": "email.rule_event",
"rule_type": "rule_event",
"base_type": "rule",
"object_type": "ruleevent",
"version": "1.0.0",
"properties": {
"action": "read",
"description": "",
"disabled": false,
"display_name": "Security Mailbox Monitor",
"download_attachments": true,
"folder": "INBOX",
"rule_type": "rule_event",
"target_id": "definition_target_02EOCAFDR7Y8T4m4amUuizAc24tGbsZ5wsA",
"title": "Security Mailbox Monitor",
"workflows_config": [
{
"disabled": false,
"ref_id": "definition_workflow_02EOCBFQ4CGB22ZxVb9r2Ol8zSRUgLIBN6W",
"status": {
"state": "started-polling",
"prev_state": "started-polling",
"error_msg": ""
}
}
]
},
"disabled": false,
"unique_name": "ruleevent_02EOCDD3NCYJN4HkoWUx8EFa6AggnSTu6PU"
}
},
"targets": {
"definition_target_02EOCAFDR7Y8T4m4amUuizAc24tGbsZ5wsA": {
"unique_name": "definition_target_02EOCAFDR7Y8T4m4amUuizAc24tGbsZ5wsA",
"name": "Domain A Security Mailbox",
"title": "Domain A Security Mailbox",
"type": "email.azure_graph_endpoint",
"base_type": "target",
"object_type": "definition_target",
"properties": {
"default_runtime_user_id": "definition_runtime_user_02EO7EV6VHW9C2gJQk32QpQSlsPV5Uywo21",
"description": "Domain A Security Mailbox",
"display_name": "Domain A Security Mailbox",
"host": "https://graph.microsoft.com/v1.0"
}
},
"definition_target_02EOCFT9CR51I1fFPHjMfXyHGPkzM1vNZ43": {
"unique_name": "definition_target_02EOCFT9CR51I1fFPHjMfXyHGPkzM1vNZ43",
"name": "Splunk Attack Analyzer",
"title": "Splunk Attack Analyzer",
"type": "web-service.endpoint",
"base_type": "target",
"object_type": "definition_target",
"properties": {
"description": "Splunk Attack Analyzer",
"disable_certificate_validation": true,
"display_name": "Splunk Attack Analyzer",
"host": "api.global2.twinwave.io",
"ignore_proxy": true,
"no_runtime_user": true,
"protocol": "https"
}
}
},
"runtime_users": {
"definition_runtime_user_02EO7EV6VHW9C2gJQk32QpQSlsPV5Uywo21": {
"unique_name": "definition_runtime_user_02EO7EV6VHW9C2gJQk32QpQSlsPV5Uywo21",
"name": "Microsoft Domain A",
"title": "Microsoft Domain A",
"type": "runtime_user.oauth2_azure_graph_credentials",
"base_type": "runtime_user",
"object_type": "definition_runtime_user",
"properties": {
"client_id": "30e0997a-09ea-4f07-9c6b-66a31c550bd5",
"display_name": "Microsoft Domain A",
"grant_type": "authorization_code",
"scope": "openid offline_access mail.readwrite mail.send user.read",
"tenant_id": "af386ae5-06d4-4a22-8d7d-fe8b020e3d08"
}
}
},
"atomic_workflows": [
"definition_workflow_02E6L77SRA2I83cArClmRrkQwKxyJUnOO9e",
"definition_workflow_02E7JHID4LM1X7XL7fEe2ZJLJMH3aM86MbU",
"definition_workflow_02E6KP4WL9DTX5uxh14ryljH9zdQwAn4CrM"
],
"dependent_workflows": [
"definition_workflow_02E6L77SRA2I83cArClmRrkQwKxyJUnOO9e",
"definition_workflow_02E7JHID4LM1X7XL7fEe2ZJLJMH3aM86MbU",
"definition_workflow_02E6KP4WL9DTX5uxh14ryljH9zdQwAn4CrM"
],
"module_targets": [
{
"module_type": "Cisco XDR",
"external_id": "securex:ao:conure"
},
{
"module_type": "Cisco XDR",
"external_id": "securex:ao:iroh_api"
}
]
}