Link Search Menu Expand Document

Ransomware Alerts to SecureX and ServiceNow

Workflow #0044

This workflow was developed and is supported by Cohesity

This workflow pushes Cohesity Helios ransomware alerts to SecureX Threat Response incidents with matching sightings and ServiceNow incidents.


Change Log

Date Notes
Sep 24, 2021 - Initial release

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • None
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Cohesity Helios
  • ServiceNow

Workflow Steps

  1. Execute a Python script to fetch alerts from Cohesity and create corresponding incidents in SecureX
  2. Convert the list of alerts to a table
  3. For each alert:
    • Create a ServiceNow incident


  • Set the Helios API Key local variable to your Cohesity Helios API key
  • Set the SecureX API Client ID and SecureX API Secret local variables to your API client’s ID and secret (more information)
  • Set the Number of Hours local variable to the number of hours ago you want to start fetching alerts from
  • Set the ServiceNow User ID local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • If you want the workflow to run automatically, enable the Cohesity Ransomware Alerts trigger in the workflow’s property to enable it to run on a schedule


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
ServiceNow HTTP Endpoint Protocol: HTTPS
Host: <instance>
Path: /api
ServiceNow_Credentials Be sure to use your instance URL

Account Keys

Account Key Name Type Details Notes
ServiceNow_Credentials HTTP Basic Authentication Username: ServiceNow User ID
Password: ServiceNow Password