https://github.com/ditekshen/ansible-asa-forensic-investigation-procedures-first-responders
Ansible Playbook for Cisco ASA Forensic Investigation Procedures for First Responders
- Host: GitHub
- URL: https://github.com/ditekshen/ansible-asa-forensic-investigation-procedures-first-responders
- Owner: ditekshen
- Created: 2024-04-26T10:52:54.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-04-27T17:43:04.000Z (about 1 year ago)
- Last Synced: 2025-01-10T00:30:25.891Z (5 months ago)
- Topics: ansible, ansible-network, ansible-playbook, arcanedoor, asa, automation, cisco, first-responder, forensic, incident-response, investigation, procedures
- Homepage:
- Size: 26.4 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
## Ansible Playbook for Cisco ASA Forensic Investigation Procedures for First Responders
Automation for the [Cisco ASA Forensic Investigation Procedures for First Responders](https://sec.cloudapps.cisco.com/security/center/resources/forensic_guides/asa_forensic_investigation.html).
- The task for ```show tech-support detail``` is disabled: the command returns output, but the Ansible task still reports an error.
- "ASA Core File Generation" and "ROMMON Settings Check" are not implemented because both are disruptive to a production device.
- ~~"Step Four – Verify Digitally Signed Image Authenticity" is also not implemented due to lack of HW / SW capabilities to assess against.~~ This step is now implemented.
- FTD devices have different Forensic Investigation Procedures for First Responders depending on the series. These may be automated later:
1. [Cisco Firepower Threat Defense Forensic Investigation Procedures for First Responders](https://sec.cloudapps.cisco.com/security/center/resources/forensic_guides/ftd_forensic_investigation.html).
2. [Cisco Firepower 1000 Series Forensic Data Collection Procedures](https://sec.cloudapps.cisco.com/security/center/resources/forensic_guides/firepower1000_forensic_investigation.html).
3. [Cisco Firepower 2100 Series Forensic Investigation Procedures for First Responders](https://sec.cloudapps.cisco.com/security/center/resources/forensic_guides/firepower2100_forensic_investigation.html).
The playbook also automates the forensic memory command ```show memory region | include lina```, which appears in [Talos's ArcaneDoor blog](https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/) but not in any of the procedures above. Read the blog for the significance of this command.

Install the Ansible Cisco ASA collection:
```bash
ansible-galaxy collection install cisco.asa
```
Run the playbook:
```bash
ansible-playbook -i inventory.yml investigate.yml
```
All outputs are stored locally on the control node, separated per inventory host.
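As an added example (not the repository's own inventory or playbook; the host, credentials, file names and the ```evidence_dir``` layout are assumptions), the following shows how a per-host collection of this kind fits together with the ```cisco.asa``` collection: each command runs as its own task so that one failing command, like the ```show tech-support detail``` case noted above, does not abort the rest, raw output is written to a directory named after ```inventory_hostname``` on the control node, and a SHA-256 manifest of the saved files is recorded for the evidence log. Inventory and playbook are shown in one fence separated into two files by comment headers.

```yaml
# --- inventory.yml (assumed name; host address and credentials are placeholders) ---
all:
  children:
    asa:
      hosts:
        asa-edge-01:
          ansible_host: 192.0.2.10
      vars:
        ansible_connection: ansible.netcommon.network_cli
        ansible_network_os: cisco.asa.asa
        ansible_user: forensics
        ansible_password: "{{ vault_asa_password }}"      # keep in an Ansible Vault file
        ansible_become: true
        ansible_become_method: ansible.netcommon.enable    # enter enable mode on the ASA
        ansible_become_password: "{{ vault_asa_enable }}"
        ansible_command_timeout: 300                       # long-running show commands need more than the default

# --- investigate-example.yml (assumed name; example playbook, not the project's) ---
- name: Collect non-disruptive ASA forensic output per host
  hosts: asa
  gather_facts: false
  vars:
    evidence_dir: "./evidence/{{ inventory_hostname }}"
    # A subset of the non-disruptive commands from the Cisco procedure,
    # plus the memory-region check from the Talos blog.
    forensic_commands:
      - show version
      - show running-config
      - show processes
      - show memory region | include lina
  tasks:
    - name: Create the per-host evidence directory on the control node
      ansible.builtin.file:
        path: "{{ evidence_dir }}"
        state: directory
        mode: "0700"
      delegate_to: localhost

    - name: Run each command as its own task so one failure does not lose the others
      cisco.asa.asa_command:
        commands:
          - "{{ item }}"
      loop: "{{ forensic_commands }}"
      register: cmd_output
      ignore_errors: true

    - name: Save each command's raw output to its own file under the evidence directory
      ansible.builtin.copy:
        content: "{{ item.stdout[0] | default('') }}"
        dest: "{{ evidence_dir }}/{{ item.item | regex_replace('[^A-Za-z0-9]+', '_') }}.txt"
        mode: "0600"
      loop: "{{ cmd_output.results }}"
      loop_control:
        label: "{{ item.item }}"
      when: item.stdout is defined        # skipped for commands that returned no output
      register: saved
      delegate_to: localhost

    - name: Hash every saved file with SHA-256
      ansible.builtin.stat:
        path: "{{ item.dest }}"
        checksum_algorithm: sha256
      loop: "{{ saved.results | selectattr('dest', 'defined') | list }}"
      loop_control:
        label: "{{ item.dest }}"
      register: hashes
      delegate_to: localhost

    - name: Write a checksum manifest for the evidence record
      ansible.builtin.copy:
        content: |
          {% for r in hashes.results %}
          {{ r.stat.checksum }}  {{ r.stat.path }}
          {% endfor %}
        dest: "{{ evidence_dir }}/SHA256SUMS"
        mode: "0600"
      delegate_to: localhost
```

Run it the same way as the repository's playbook, adding ```--ask-vault-pass``` (or a vault password file) so the inventory's ```vault_asa_*``` variables resolve. The ```ignore_errors: true``` on the command loop, combined with the ```when: item.stdout is defined``` guard on the save task, is what keeps an error from a single command from discarding the output that the other commands did return.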