Combining Fusion Workflows and Exposure Management can provide visibility into events such as application installation based on a defined list of applications. In the example below, we create an application group in Exposure Management and use that group as a condition in Fusion Workflow to send an email anytime an application from the list is installed.
Navigate to Exposure Management > Application groups and click “Create an Application Group”
In this scenario, various remote application software is added to the application group called “Remote Access Software.” One important note; only applications currently present in your environment will be available when searching. Figure 1 shows the list of applications added to a group using the search box. Notice the visual difference between TeamViewer, as it is not present in the environment, while the other two applications are present in this environment.
Figure 1
Navigate to Fusion SOAR > Workflows and click “Create workflow” show in Figure 2
Figure 2
Specify your CID(s) you wish to process with the workflow.
At the top, select “Create workflow from scratch” and click next.
Select “Event” and click next.
Set your Trigger category and Subcategory as shown in Figure 3
Figure 3
Create a Condition by clicking the down arrow in the newly created Trigger and selecting Condition
Set the Parameter, Operator and Value to the following items show in Figure 4
Figure 4
Click Next and Next again.
Create an Action by clicking the down arrow under the newly created True box in your workflow and selecting Action.
Type “Send email” in the search field and hit enter. Select the Send email option that appears.
In Figure 5, variables were inserted into the message by clicking “Insert variable.” This message area can be used to create more friendly language while inserting variables within the body. Alternatively, you can add those fields in the “Data to include” section and it will just appear as data.
Figure 5
Figure 6 shows the email sent to the recipient. Notice the format of variables compared to the bottom of the email where the Asset ID and Application Group are simply listed.
Figure 6
Setups similar to this could be used for the following:
- Monitor installation of sensitive software that should only be used on particular machines
- Ensure rogue browsers are not being used throughout a district (for those using the agent on endpoints)
- Log installation date of applications on servers
- Monitor legitimate software being used where it should not be used