How Tripwire Custom Workflow Automation Can Enhance Your Network Visibility

Tripwire Enterprise is a powerful tool. It provides customers insight into nearly every aspect of their systems and devices. From change management to configuration and compliance, Tripwire can provide “eyes on” across the network.

Gathering that vast amount of data for analysis does not come without challenges. Customers have asked for better integration with their processes and third-party tools. With Tripwire Enterprise Integration Framework (TEIF), Tripwire has been able to provide customers the ability to integrate with their Security Information and Event Management (SIEM) tools and ITIL Change Management Systems (CMS).

Customers have been able to expand the value of their data by sending logs to a SIEM for analysis, as well as by automatically reconciling changes and creating incidents in a CMS such as ServiceNow or Remedy. Can more be done? How can Tripwire Enterprise help the DevOps team, the SecDevOps team, or any other group that asks?

Enter Tripwire Custom Workflow Automation.

What is Tripwire Custom Workflow Automation?

Tripwire Custom Workflow Automation (TWCA) is a solution that gives our customers and consultants the ability to create unique workflows that utilize all their existing solutions and Tripwire products, without requiring extensive programming experience.

TWCA’s functionality can be expanded with plugins, which can be created by savvy customers or by Tripwire consultants. It is this extensibility that makes TWCA so powerful and flexible: if some needed functionality isn’t already available, a public interface is provided that anyone can use to add workflow steps.

Three design choices stand out. First, it is XML-based, making workflows easy to read. Second, it is modular in design, allowing for easy expansion, while still being feature-rich out of the box. Lastly, it provides a Public Module Interface, allowing customers to create their own modules.

The choice of “Custom” in the name is not by accident. Customers can create their own workflows using common programming mechanisms (conditionals, looping, I/O, locating, scripting, and utility). The workflow below, for example, retrieves a list of nodes, then for each node checks it out, runs a Tripwire Enterprise check, retrieves its content and checks it back in, logging an error instead if any step sets ${ERROR_MSG}.

  <workflow name="PAM">
    <!-- Retrieve the list of nodes to process and store it in ${pamNodes} -->
    <retrievePamNodes configuration="pam" output="pamNodes" />
    <!-- Iterate over the list; the current node is exposed as ${node} -->
    <forEach list="${pamNodes}" outVariable="node">
      <logMessage severity="info" source="TE">Processing Asset - ${node}</logMessage>
      <checkoutNode configuration="pam" input="${node}" />
      <!-- Only continue if the checkout did not set ${ERROR_MSG} -->
      <if condition="exists" value1="${ERROR_MSG}" negate="true">
        <runTECheck configuration="pam" input="${node}" />
        <retrieveContent configuration="pam" input="${node}" />
        <checkinNode configuration="pam" input="${node}" />
      </if>
      <else>
        <logMessage severity="error" source="TE">
          An error occurred while processing node (${node}): ${ERROR_MSG}
        </logMessage>
      </else>
    </forEach>
  </workflow>

What can TWCA do?

Utilizing TWCA’s ability to run scripts, customers are able to connect to virtually any platform that provides API access. The data retrieved by the API call can then be stored in TE and tracked for change. The very first use case of this process was to analyze data collected from RedHat OpenShift to monitor the configuration of Kubernetes containers for a major financial customer. It worked so well that they engaged Tripwire to then analyze rule objects and categorize them as financial or non-financial, based on an XML feed from their ITSM.

Another customer use case was to verify that any detected change to /etc/passwd was performed only by their password vault application. This workflow queried the customer’s SIEM for events from the password vault and correlated that data with the change detected in Tripwire Enterprise. Any change that could not be correlated to a record in the SIEM was left unpromoted, resulting in an incident being created in their ITSM when TEIF was run later that evening.

TWCA has also helped customers working with cloud-based DevOps platforms. A workflow was developed to query Azure DevOps for release activity for servers with detected changes. Those changes were then correlated to an artifact in Artifactory; a manifest of the artifact was retrieved and used to promote the detected changes by element name and hash.
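The two reconciliation rules described above (SIEM correlation for /etc/passwd changes, and manifest matching by element name and hash for release changes) can be expressed as plain decision logic. The following is an added illustration in Python, not TWCA code and not from the original post; the change records, vault events, manifest and hashes are constructed sample data, and the ten-minute correlation window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class DetectedChange:
    node: str
    element: str
    sha256: str
    detected_at: datetime

def correlate_with_siem(changes, vault_events, window=timedelta(minutes=10)):
    """Split TE changes into (promote, unpromoted): a change is promoted only if
    the SIEM holds a password-vault event for the same node within the window.
    Unmatched changes stay unpromoted so the later TEIF run raises an incident."""
    promote, unpromoted = [], []
    for ch in changes:
        matched = any(ev["node"] == ch.node and abs(ev["time"] - ch.detected_at) <= window
                      for ev in vault_events)
        (promote if matched else unpromoted).append(ch)
    return promote, unpromoted

def promote_by_manifest(changes, manifest):
    """Promote only changes whose element name AND hash both appear in the
    release manifest (element name -> sha256) pulled from the artifact store."""
    promote, unpromoted = [], []
    for ch in changes:
        (promote if manifest.get(ch.element) == ch.sha256 else unpromoted).append(ch)
    return promote, unpromoted

def demo():
    # Constructed sample data (hashes and hosts are placeholders).
    t0 = datetime(2024, 1, 1, 2, 0)
    changes = [
        DetectedChange("web01", "/etc/passwd", "aa11", t0),
        DetectedChange("web02", "/etc/passwd", "bb22", t0 + timedelta(hours=1)),
        DetectedChange("web01", "/opt/app/app.jar", "c0ffee", t0),
        DetectedChange("web01", "/opt/app/config.yml", "deadbeef", t0),
    ]
    vault_events = [{"node": "web01", "time": t0 + timedelta(minutes=3)}]  # constructed SIEM hits
    manifest = {"/opt/app/app.jar": "c0ffee", "/opt/app/config.yml": "0000"}  # constructed
    pw = [c for c in changes if c.element == "/etc/passwd"]
    app = [c for c in changes if c.element != "/etc/passwd"]
    return correlate_with_siem(pw, vault_events), promote_by_manifest(app, manifest)
```

In `demo()`, web02's passwd change has no vault event nearby and config.yml's hash disagrees with the manifest, so both are left unpromoted for the ITSM to pick up.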

It’s not just Tripwire Enterprise that can benefit. TWCA has been used to compare the assets discovered by Tripwire IP360 against Archer and then store the differences in Tripwire Enterprise. With that kind of data, the customer was able to see where there were gaps in their inventory discovery and tracking process. They were even discussing using TWCA to take the data gleaned in the first phase and fill in the gaps in Archer.

Do you have a workflow that you would like to automate? Tripwire Professional Services is ready to assist.

To learn more about Tripwire Custom Workflow Automation and Tripwire’s other products, click here.

About the Author: TWCA is the brainchild of Kelly Fessler, Architect & Manager, Tripwire Specialty Services, and Sean Stallbaum, Sr. Services Solutions Engineer. Thanks to them for their input and review, as well as for the use case examples provided.