Move Computer to Triage Group
Out of Box
Response Workflow
This workflow will move the endpoint identified by the provided observable to a triage device group in Cisco Secure Endpoint. Supported observables: ip, hostname, amp_computer_guid
Change Log
Date | Notes |
---|---|
Jun 23, 2020 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Secure Endpoint - Get Connector GUID
  - Secure Endpoint - Get Group by Name
  - Secure Endpoint - Move Computer to Group
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
  - Cisco Secure Endpoint
Workflow Steps
- Make sure the observable is supported and set the corresponding local variable
- If the observable wasn’t a computer GUID, try getting a GUID from Secure Endpoint
- Attempt to locate the triage group to get its ID
- Move the computer to the group
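The four steps above, written out as a small Python script so the control flow (type check, GUID lookup, group lookup, move) and its failure modes are visible. This is an added example, not the workflow's own code or Cisco's SDK. The `/computers`, `/groups` and `PATCH /computers/{guid}` calls, the `hostname[]` / `internal_ip` / `name` query parameters and the `group_guid` body field are my assumptions about the Secure Endpoint v1 API; the host and path come from the AMP_Target entry on this page, and the `FakeSecureEndpoint` data is constructed so the script runs offline.

```python
import base64
import ipaddress
import json
import re
import urllib.parse
import urllib.request

SUPPORTED = ("ip", "hostname", "amp_computer_guid")
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def validate_observable(obs_type, value):
    """Step 1: accept only the three supported types and reject malformed values."""
    if obs_type not in SUPPORTED:
        raise ValueError(f"unsupported observable type: {obs_type}")
    if obs_type == "ip":
        ipaddress.ip_address(value)  # raises ValueError on a malformed address
    elif obs_type == "amp_computer_guid" and not GUID_RE.fullmatch(value):
        raise ValueError(f"malformed connector GUID: {value}")
    elif obs_type == "hostname" and not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}", value):
        raise ValueError(f"malformed hostname: {value}")
    return obs_type, value


class SecureEndpointClient:
    """HTTP Basic client (Client ID / Client Secret, as in AMP_Credentials). The
    endpoint paths and parameters below are assumptions about the v1 API."""

    def __init__(self, client_id, client_secret, base_url="https://api.amp.cisco.com/v1"):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}

    def _request(self, method, path, params=None, body=None):
        url = self.base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        headers = {**self.headers, **({"Content-Type": "application/json"} if data else {})}
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def get_connector_guid(self, obs_type, value):
        """Step 2: a GUID passes through; ip/hostname are resolved via /computers (assumed)."""
        if obs_type == "amp_computer_guid":
            return value
        params = {"hostname[]": value} if obs_type == "hostname" else {"internal_ip": value}
        hits = self._request("GET", "/computers", params=params).get("data", [])
        if len(hits) != 1:  # zero hits: unknown host; several: ambiguous, never guess
            raise LookupError(f"expected one computer for {obs_type}={value}, got {len(hits)}")
        return hits[0]["connector_guid"]

    def get_group_by_name(self, name):
        """Step 3: resolve the triage group name to its GUID, requiring an exact match."""
        groups = self._request("GET", "/groups", params={"name": name}).get("data", [])
        exact = [g for g in groups if g.get("name") == name]
        if len(exact) != 1:
            raise LookupError(f"expected one group named {name!r}, got {len(exact)}")
        return exact[0]["guid"]

    def move_computer(self, connector_guid, group_guid):
        """Step 4: move the connector into the group (PATCH body field is assumed)."""
        return self._request("PATCH", f"/computers/{connector_guid}", body={"group_guid": group_guid})


def move_to_triage(client, obs_type, value, triage_group_name="Triage"):
    """Run the four workflow steps; returns the GUIDs involved so a caller can log them."""
    obs_type, value = validate_observable(obs_type, value)
    connector_guid = client.get_connector_guid(obs_type, value)
    group_guid = client.get_group_by_name(triage_group_name)
    client.move_computer(connector_guid, group_guid)
    return {"connector_guid": connector_guid, "group_guid": group_guid}


# Constructed sample data so the example runs offline; these GUIDs are made up.
WS01_GUID = "11111111-2222-3333-4444-555555555555"
PROTECT_GUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
TRIAGE_GUID = "99999999-8888-7777-6666-555555555555"


class FakeSecureEndpoint(SecureEndpointClient):
    """In-memory stand-in answering the same three calls without any network."""

    def __init__(self):
        super().__init__("client-id", "client-secret")
        self.computers = {WS01_GUID: {"connector_guid": WS01_GUID, "hostname": "WS-01",
                                      "internal_ips": ["10.0.0.5"], "group_guid": PROTECT_GUID}}
        self.groups = [{"guid": PROTECT_GUID, "name": "Protect"}, {"guid": TRIAGE_GUID, "name": "Triage"}]

    def _request(self, method, path, params=None, body=None):
        params = params or {}
        if method == "GET" and path == "/computers":
            return {"data": [c for c in self.computers.values()
                             if c["hostname"] == params.get("hostname[]")
                             or params.get("internal_ip") in c["internal_ips"]]}
        if method == "GET" and path == "/groups":
            return {"data": [g for g in self.groups if g["name"] == params.get("name")]}
        if method == "PATCH" and path.startswith("/computers/"):
            computer = self.computers[path.rsplit("/", 1)[1]]
            computer["group_guid"] = body["group_guid"]
            return {"data": computer}
        raise AssertionError(f"unexpected call: {method} {path}")


if __name__ == "__main__":
    print(move_to_triage(FakeSecureEndpoint(), "hostname", "WS-01", "Triage"))
```

The two `LookupError` branches are the part worth copying into a real workflow: a hostname that matches several connectors, or a triage group whose name also prefix-matches another group, should stop the run rather than move an arbitrary machine.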
Configuration
- Set the Triage Group Name local variable to the name of the group you want to move computers to
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
AMP_Target | HTTP Endpoint | Protocol: HTTPS Host: api.amp.cisco.com Path: /v1 | AMP_Credentials | Created by default |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
AMP_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |