CiscoCXSecurity/Add_Object_To_XDR_Feed
Add Observable to XDR Feeds

The script shared here adds an observable to an XDR Feed.

XDR Feeds are block lists (or allow lists) into which XDR stores objects that should be blocked (or allowed) by the company firewalls or by any other enforcement solution.

The principle is to use Cisco XDR to expose these lists through public URLs, and to configure every enforcement point that must block the objects in a list to consume the corresponding URL.

Updating firewall security rules then becomes very simple: we only have to add or delete objects in these lists for them to be blocked, or no longer blocked, by the firewalls.

The script in this repo gives you a ready-to-use Python example that adds a new object to one of these feeds.

The feeds in question are those created by the 0015A-SecureFirewall-BlockObservable-Setup Cisco Workflow.

If you have not studied these XDR/SecureX feeds yet, have a look at this article:

Create Text Public Feeds for firewalls

Having these Feeds created in your XDR tenant is a mandatory prerequisite.

Installation

You must have an up-and-running Python 3.x environment with the crayons and requests modules installed. We assume that you know how to set that up.

Edit the config.txt file

You must first edit the config.txt file and assign correct values to the following variables.

Don't quote the values you assign to the variables, and don't put spaces around the = sign.

ctr_client_id and ctr_client_password are the values you got when you created your XDR API client. Treat config.txt as a secret: anyone holding these credentials can push objects into the feeds your firewalls enforce, so keep the file out of version control.

Possible values for host, depending on your region, are:

Possible values for host_for_token, depending on your region, are:

Run the script

You just have to run the script :

python 1-add_observable_to_XDR_feeds.py

You will be asked to enter the observable value. It can be an IPv4 address, an IPv6 address, a URL, a domain or a SHA256 hash.

Enter the value and press Enter. You will see each step of the process that adds the object to the XDR Feed.

The script checks the observable type, then maps it to the matching indicator for that type; each indicator is linked to one of the XDR feeds. It then creates a new judgement for the observable and finally creates a new relationship that links the judgement to the matching indicator. Once that is done, the observable appears in the XDR feed.

Open the XDR feed URL and search for the object you just added; it should be there.
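The flow described above (classify the observable, pick the indicator for its type, create a judgement, relate the judgement to the indicator) as an added example; this is not the repository's own script. The indicator IDs, the CTIM field values and the /ctia endpoint paths are assumptions for illustration, and the HTTP layer is placed behind a small transport object so the logic can be exercised offline with the recording FakeTransport.

```python
"""Added example: add-observable-to-feed flow with an injectable transport."""
import ipaddress
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumed mapping: one indicator per feed, keyed by CTIM observable type.
# In a real tenant these IDs come from the Setup workflow's indicators.
INDICATOR_BY_TYPE = {
    "ip": "transient:indicator-block-ipv4",
    "ipv6": "transient:indicator-block-ipv6",
    "url": "transient:indicator-block-url",
    "domain": "transient:indicator-block-domain",
    "sha256": "transient:indicator-block-sha256",
}

_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def classify_observable(value):
    """Return the CTIM observable type for value, or None if unsupported.
    Order matters: a 64-hex string is a hash, not a domain; dotted quads
    are IPs before the domain regex gets a chance to match them."""
    value = value.strip()
    if _SHA256.match(value):
        return "sha256"
    try:
        return "ip" if ipaddress.ip_address(value).version == 4 else "ipv6"
    except ValueError:
        pass
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if _DOMAIN.match(value):
        return "domain"
    return None


def build_judgement(obs_type, value, source="Add_Object_To_XDR_Feed example"):
    """CTIM judgement payload (field values are assumptions); disposition 2 = Malicious."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    return {
        "type": "judgement",
        "id": f"transient:judgement-{uuid.uuid4()}",
        "observable": {"type": obs_type, "value": value},
        "disposition": 2,
        "disposition_name": "Malicious",
        "priority": 95,
        "confidence": "High",
        "severity": "High",
        "source": source,
        "valid_time": {"start_time": now.isoformat().replace("+00:00", "Z")},
    }


def build_relationship(judgement_id, indicator_id):
    """Relationship that makes the judgement an element of the feed's indicator."""
    return {
        "type": "relationship",
        "relationship_type": "element-of",
        "source_ref": judgement_id,
        "target_ref": indicator_id,
    }


class FakeTransport:
    """Offline stand-in for the API: records every POST and echoes the payload
    back with its id, the way the real service returns the created object."""

    def __init__(self):
        self.calls = []

    def post(self, path, payload):
        self.calls.append((path, payload))
        return {**payload, "id": payload.get("id", f"transient:{len(self.calls)}")}


class RequestsTransport:
    """Real transport (assumed endpoint shape): bearer token against https://host."""

    def __init__(self, host, token):
        import requests  # imported lazily so the offline path has no dependency
        self.base = f"https://{host}"
        self.session = requests.Session()
        self.session.headers.update({"Authorization": f"Bearer {token}",
                                     "Content-Type": "application/json"})

    def post(self, path, payload):
        resp = self.session.post(self.base + path, json=payload, timeout=30)
        resp.raise_for_status()
        return resp.json()


def add_observable_to_feed(value, transport, indicators=INDICATOR_BY_TYPE):
    """Classify, judge, relate; returns what was created. Rejects unknown types
    instead of silently pushing garbage into a block list."""
    obs_type = classify_observable(value)
    if obs_type is None:
        raise ValueError(f"unsupported observable: {value!r}")
    indicator_id = indicators[obs_type]
    judgement = transport.post("/ctia/judgement", build_judgement(obs_type, value.strip()))
    relationship = transport.post(
        "/ctia/relationship", build_relationship(judgement["id"], indicator_id))
    return {"observable_type": obs_type, "judgement_id": judgement["id"],
            "indicator_id": indicator_id, "relationship_id": relationship["id"]}
```

With FakeTransport you can check, before touching the tenant, that a given input lands on the intended feed and that the relationship points the judgement at the right indicator; swapping in RequestsTransport with a host and bearer token from your config.txt values is the only change needed to do it for real.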

That's it.

The XDR Workflow

If you are looking for an XDR Workflow that does the same thing, have a look at this one:

Add_an_Observable_into_Judgments_and_feeds workflow

About

Add a new object to an XDR Feed
