Automating Asset Management with Trellix Automated Response

By Raphael Vergara · September 27, 2023
This story was also written by Tyler Horschig.

Objective

Display a use case for Trellix Automated Response around asset management between infrastructure systems. Management systems may include things like Active Directory, Microsoft Configuration Manager, Trellix ePolicy Orchestrator, ITSM Solutions, Vulnerability Scanners, and much more.

Problem Statement

Effective asset management is paramount for any organization to safeguard its digital assets, sensitive information, and maintain operational integrity. However, the management of assets becomes immensely challenging when different teams within an organization handle disparate systems independently. This scenario gives rise to a host of intricate and interconnected cybersecurity issues that can compromise the organization's overall security posture. Let's explore the notable challenges arising from this situation:

• Autonomous teams lead to inconsistent security practices, risking vulnerabilities.
• Disparate systems hinder comprehensive cybersecurity monitoring, delaying threat detection.
• Independent systems raise data breach risks with varying security levels.
• Separate security tools hinder coordinated threat detection and response.
• Decentralized compliance management is complex and risks penalties and reputation damage.
• Multiple systems demand high maintenance costs and resource allocation challenges.
• Disparate systems lack synchronized patch management, leaving vulnerabilities.
• Coordination challenges in cyber incident response due to disconnected systems.

Solution

A comprehensive solution to the challenges posed by managing disparate asset inventories and cybersecurity systems involves the strategic implementation of automation. Automation offers a proactive and streamlined approach to address issues related to cybersecurity, data consistency, and operational efficiency. Here's how automation can effectively tackle these challenges:

• Automated inventory checks, correct discrepancies for accurate asset records.
• Use agents to automatically add missing assets to management systems.
• Automated generation of tickets for manual intervention when assets are missing.
• Streamline asset onboarding, ensuring secure integration into the cybersecurity framework.

By harnessing automation, organizations can bridge the gaps created by disparate systems, enhance their cybersecurity posture, and streamline asset management practices. This approach not only boosts operational efficiency but also empowers teams to proactively address security threats, maintain data consistency, and ensure a more resilient and secure digital environment. Below you will see a simple example of how this could be done between Trellix ePolicy Orchestrator (ePO) and ServiceNow CMDB. Although this example only uses two different systems, the concept could be expanded to multiple systems across an organization.

Can XDR make better, more efficient use of the data you already own?

Data correlation in the form of enrichment, analytics, automation, orchestration, and workflow improvements is a layer within the core elements of XDR. It requires integrations with third-party products and advanced analytics to drive automation and orchestration across threat vectors to create higher-value alerts. Looking at the depth of integrations and data ingestion speed and asking for demonstrations of SOAR capabilities can help you determine how well a vendor can provide SOC efficiency.

Trellix Automated Response Playbook Steps

Gather and Compare Assets

1. Get all assets from Trellix ePO using the findSystem command.
   1. Inputs for the command are left blank to retrieve all assets.
2. Get all assets from ServiceNow CMDB using the retrieveTable command.
   1. Command Inputs:
   1. Table: cmdb_ci
   2. Sysparm Query:
      sys_class_name=cmdb_ci_computer^ORsys_class_name=cmdb_ci_server
      1. This query can be adjusted to add more or less classes or even changed entirely to your own query.
3. Both lists of assets are then passed to a custom JavaScript task that compares both lists and outputs two possible lists of asset data. One list will be of assets missing in the ServiceNow CMDB but found in Trellix ePO. The other list is for the other way around
4. Depending on which lists have data, individual queues will be loaded with the pertinent asset data to be processed by other sub-playbooks. The command used will be addToQueue.
5. Playbook ends

Create ServiceNow Ticket

1. An automated adapter, that triggers every 60 seconds, will use the command getQueueItemsAdapter to pull one asset off its queue at a time for processing.
2. A list of all previously ticketed assets is pulled from a table created for tracking assets that already have tickets. This is to prevent duplicate tickets.
3. A custom JavaScript task is used to take the asset in question and the list of all previously ticketed assets.
4. If the asset in question is found in the list from the table, the playbook ends.
5. If the asset is new, a ServiceNow ticket created in JSON format is output from the script.
6. The ServiceNow ticket JSON is then handed to the createRecord command for creating the ticket for remediation in ServiceNow.
   1. Command Inputs:
      1. Table: incidents
      2. Custom Fields: < The JSON payload >
7. If the ticket creation is successful, an entry is added to our tracker table with the hostname of the asset.
8. If the ticket creation is unsuccessful, the asset is not added to the table so an attempt will be made during the next runt to create the ticket again.
9. Playbook ends

Create ServiceNow CMDB Asset

1. An automated adapter, that triggers every 60 seconds, will use the command getQueueItemsAdapter to pull one asset off its queue at a time for processing.
2. The asset data will be sent to a custom JavaScript task that parses the data using the ePO asset parser (TAuR Complex Type) that is included with the ePO plugin.
3. The parsed data is then used to fill the inputs of a custom JavaScript task. These inputs are designed to be fields required for creating a CMDB asset in ServiceNow. Not all fields are required but we try to fill as many as possible. A ServiceNow CMDB CI in JSON format is output from the script.
4. This JSON is then passed to the createRecord command.
   1. Command Inputs:
      1. Table: cmdb_ci
      2. Custom Fields: < The JSON payload >
5. Playbook ends

Playbook JavaScript Files

Compare Assets

var input = {
    cmdb_assets: "",
    epo_assets: [],
    debug: false
};
var output = {
    cmdb_missing_assets: [],
    epo_missing_assets: [],
    log: "",
    success: true,
    error: ""
};

function logger(message) {
    output.log = output.log + `${message}\n`;
}

function main() {
    try {
        console.log = logger;
        let cmdb_assets = JSON.parse(input.cmdb_assets).result;
        console.log("Starting asset comparison.....");
        const cmdb_asset_names = [];
        const epo_asset_names = [];

        for (const asset of cmdb_assets) {
            if (asset.name) {
                const cmdb_name = asset.name.toLowerCase();
                cmdb_asset_names.push(cmdb_name);
            }
        }
        
        for (const item of input.epo_assets) {
            let asset = JSON.parse(item);
            if (asset.ComputerName) {
                const epo_name = asset.ComputerName.toLowerCase();
                epo_asset_names.push(epo_name);
            }
        }

        let cmdb_missing_assets = epo_asset_names.filter(item =>!cmdb_asset_names.includes(item));
        let epo_missing_assets = cmdb_asset_names.filter(item => !epo_asset_names.includes(item));
        
        for (const asset of cmdb_assets) {
            if (asset.name && epo_missing_assets.includes(asset.name.toLowerCase())) {
                if (input.debug){console.log(`Asset ${asset.name} missing from Trelix ePO management.`);}
                output.epo_missing_assets.push(JSON.stringify(asset));
            }
        }

        for (const item of input.epo_assets) {
            let asset = JSON.parse(item);
            if (asset.ComputerName && cmdb_missing_assets.includes(asset.ComputerName.toLowerCase())) {
                if (input.debug){console.log(`Asset ${asset.ComputerName} missing from CMDB in ServiceNow.`);}
                output.cmdb_missing_assets.push(JSON.stringify(asset));
            }
        }

        if (output.cmdb_missing_assets.length === 0) {
            console.log("No new assets were found missing from ServiceNow CMDB.");
            delete output.cmdb_missing_assets;
        } else {
            console.log(`${output.cmdb_missing_assets.length} new assets were found missing from ServiceNow CMDB.`);
        }
        if (output.epo_missing_assets.length === 0) {
            console.log("No new assets were found missing from Trellix ePO.");
            delete output.epo_missing_assets;
        } else {
            console.log(`${output.epo_missing_assets.length} new assets were found missing from Trellix ePO.`);
        }
        console.log("Finished asset comparison successfully!");
    }
    catch (e) {
        output.success = false;
        output.error = e.stack;
        console.log("Failed to compare assets. See error output.");   
    }
}

Format ServiceNow CMDB Asset

var input = {
    ip_address: "",
    serial_number: "",
    fqdn: "",
    dns_domain: "",
    name: "",
    short_description: "",
    os: "",
    os_version: "",
    ram: "",
    cpu_name: "",
    cpu_speed: "",
    disk_space: "",
    cpu_type: ""
};
var output = {
    ticket: "",
    success: true,
    error: "",
    log: "",
};

function logger(message) {
    output.log = output.log + `${message}\n`;
}

function main() {
    try {
        let ticket = {};

        for (const key in input) {
            const value = input[key];
            if (value !== "") {
                ticket[key] = value;
            }
         }
        output.ticket = JSON.stringify(ticket);
     } catch (e) {
        output.success = false;
        output.error = e.stack;
        console.log("Failed to create ServiceNow CMDB asset. See error output.");
     }
}
 

Format ServiceNow Ticket

var input = {
    missing_asset: [],
    previously_ticketed_assets: []
};
var output = {
    success: true,
    error: "",
    log: "",
    servicenow_ticket: "",
    asset_name: ""
};

function logger(message) {
    output.log = output.log + `${message}\n`;
}

function main() {
    try {
        console.log = logger;
        console.log("Formatting ServiceNow ticket data...");
        let asset = JSON.parse(input.missing_asset[0]);
        
        if (!input.previously_ticketed_assets.includes(asset.name.toLowerCase())) {
            let ticket = {
                "short_description": "Asset missing from Trellix ePO management",
                "description": "An asset was found to be missing from the Trellix ePO inventory. Please verify if the asset should be added to ePO and 
 install the agent if necessary.",
                "cmdb_ci": asset.sys_id
             };

             output.servicenow_ticket = JSON.stringify(ticket);
             output.asset_name = asset.name.toLowerCase();
             console.log(`Successfully formatted the ServiceNow ticket for asset ${asset.name}`);
        } else {
            console.log(`Asset ${asset.name} has previously been ticketed. No new ticket will be created.`);
            output.success = false;
        }
    } catch (e) {
        output.success = false;
        output.error = e.stack;
        console.log("Failed to compare assets. See error output.");
    }
}
    
	
    

You are now ready to utilize the integration in your deployment of Trellix Security Orchestrator. This has shown how you can integrate with Trellix ePolicy Orchestrator and ServiceNow but the code can be modified to work with other solutions in your environment.

Would you like to discuss Trellix Security Orchestration use cases or get help implementing Trellix Security Orchestration in automating manual processes? If you answered yes to either of these questions, please reach out to your Trellix sales representative to schedule a time to discuss options on how Trellix Professional Services can help!