Host Isolation with Tier 2 Approval
Out of Box
Response Workflow
This workflow requests approval to isolate an endpoint using Cisco Secure Endpoint host isolation. If approved, isolation is enabled using the Cisco Threat Response host isolation response action. Supported observable: amp_computer_guid
Change Log
Date | Notes |
---|---|
Jun 23, 2020 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Mar 31, 2023 | - Updated to fix a JSONpath query parsing issue. The workflow will also now end successfully if the endpoint being isolated is already in isolation |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Threat Response - Generate Access Token
  - Threat Response - List Response Actions
  - Threat Response - Trigger Response Action
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint
Workflow Steps
- Make sure the observable is supported
- Generate an access token for Threat Response
- Fetch available response actions
- Check that Secure Endpoint actions are available (if not, end the workflow)
- Extract the module instance ID for Secure Endpoint
- (Optional) Send an email notification (requires an SMTP Endpoint target)
- Create the approval request and wait…
- If the request is approved, trigger the response action to isolate the endpoint
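The steps above, reduced to their decision logic as an added reference example (not the workflow's own code or a Cisco API): observable check, selection of the Secure Endpoint isolate action from the response-action list, the approval gate, and the "already isolated" case ending successfully. The record field names and the FakeIsolationBackend are constructed assumptions, not the real Threat Response schema.

```python
from dataclasses import dataclass
from typing import Callable, Optional

SUPPORTED_OBSERVABLE_TYPES = {"amp_computer_guid"}

# Constructed stand-in for the 'List Response Actions' output. Field names
# are assumptions for this example, not the real Threat Response schema.
SAMPLE_RESPONSE_ACTIONS = [
    {"module": "Umbrella", "module_instance_id": "inst-umb-1", "action": "block-domain"},
    {"module": "Secure Endpoint", "module_instance_id": "inst-se-7", "action": "isolate"},
    {"module": "Secure Endpoint", "module_instance_id": "inst-se-7", "action": "unisolate"},
]

@dataclass
class Outcome:
    status: str  # unsupported | no_action | denied | isolated | already_isolated
    module_instance_id: Optional[str] = None

def find_module_instance_id(actions: list, module_name: str) -> Optional[str]:
    """Steps 4-5: pick the isolate action offered by the configured module."""
    for a in actions:
        if a.get("module") == module_name and a.get("action") == "isolate":
            return a.get("module_instance_id")
    return None

def run_isolation_workflow(observable_type: str, guid: str, actions: list,
                           module_name: str,
                           approve: Callable[[str], bool],
                           trigger: Callable[[str, str], str]) -> Outcome:
    """Gate isolation on Tier 2 approval; treat 'already isolated' as success."""
    if observable_type not in SUPPORTED_OBSERVABLE_TYPES:
        return Outcome("unsupported")
    instance_id = find_module_instance_id(actions, module_name)
    if instance_id is None:      # Secure Endpoint actions unavailable: end workflow
        return Outcome("no_action")
    if not approve(guid):        # approval request denied or never granted
        return Outcome("denied", instance_id)
    status = trigger(instance_id, guid)
    return Outcome("already_isolated" if status == "already_isolated" else "isolated",
                   instance_id)

class FakeIsolationBackend:
    """Constructed stand-in for 'Trigger Response Action'; remembers isolated hosts."""
    def __init__(self) -> None:
        self.isolated: set = set()

    def trigger(self, instance_id: str, guid: str) -> str:
        if guid in self.isolated:
            return "already_isolated"
        self.isolated.add(guid)
        return "isolated"
```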
Configuration
- Set the Secure Endpoint Module Name local variable to the name of your Secure Endpoint SecureX module
- Set the Task Approver local variable to the email address of the SecureX user you want to approve requests from the workflow
- Set the Task Requestor local variable to the email address of the SecureX user you want to own requests from the workflow
- If you want the workflow to send emails, you need to:
  - Create an SMTP Endpoint target called SMTP Target for the workflow to use
  - Enable the Send Email activity and customize it as needed
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | CTR_Credentials | Created by default |
CTR_API | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | None | Created by default |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |