On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Host Isolation with Tier 2 Approval

Out of Box

Response Workflow

This workflow requests approval to isolate an endpoint using Cisco Secure Endpoint host isolation. If approved, isolation is enabled using the Cisco Threat Response host isolation response action. Supported observable: amp_computer_guid

Change Log

| Date | Notes |
|------|-------|
| Jun 23, 2020 | Initial release |
| Sep 10, 2021 | Updated to use the new system atomics |
| Mar 31, 2023 | Updated to fix a JSONPath query parsing issue. The workflow now also ends successfully if the endpoint being isolated is already in isolation |

See the Important Notes page for more information about updating workflows.


Requirements

  • The following system atomics are used by this workflow:
    • Threat Response - Generate Access Token
    • Threat Response - List Response Actions
    • Threat Response - Trigger Response Action
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Endpoint

Workflow Steps

  1. Make sure the observable is supported
  2. Generate an access token for Threat Response
  3. Fetch available response actions
  4. Check that Secure Endpoint actions are available (if not, end the workflow)
  5. Extract the module instance ID for Secure Endpoint
  6. (Optional) Send an email notification (requires an SMTP Endpoint target)
  7. Create the approval request and wait…
  8. If the request is approved, trigger the response action to isolate the endpoint
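The decision logic behind steps 1, 4, 5 and 8, written out as an added Python example (it is not part of the workflow itself, which runs as SecureX atomics). The action-list field names (`module`, `module_instance_id`, `title`, `id`), the action title `Isolate`, and the trigger result shape are assumptions; the sample action list is constructed, and the Basic header mirrors the CTR_Credentials account key described under Account Keys below.

```python
import json
from base64 import b64encode

# Step 1: the only observable type this workflow accepts.
SUPPORTED_OBSERVABLES = {"amp_computer_guid"}
ISOLATION_TITLE = "Isolate"  # hypothetical title used to pick the isolation action

# Constructed sample of a "List Response Actions" result; field names are assumptions.
SAMPLE_ACTIONS = json.loads("""
[
  {"id": "amp-isolate",   "title": "Isolate",          "module": "Secure Endpoint",
   "module_instance_id": "00000000-0000-4000-8000-000000000001"},
  {"id": "amp-unisolate", "title": "Remove isolation", "module": "Secure Endpoint",
   "module_instance_id": "00000000-0000-4000-8000-000000000001"},
  {"id": "umb-block",     "title": "Block domain",     "module": "Umbrella",
   "module_instance_id": "00000000-0000-4000-8000-000000000002"}
]
""")

def basic_auth_header(client_id, client_secret):
    """HTTP Basic header equivalent to the CTR_Credentials account key
    (Client ID as username, Client Secret as password)."""
    token = b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def select_isolation_action(observable_type, actions, module_name):
    """Steps 1, 4 and 5: reject unsupported observables, end cleanly when the
    named Secure Endpoint module offers no isolation action, otherwise return
    the module instance ID and action ID needed for the trigger."""
    if observable_type not in SUPPORTED_OBSERVABLES:
        return {"status": "unsupported_observable"}
    matches = [a for a in actions
               if a.get("module") == module_name and a.get("title") == ISOLATION_TITLE]
    if not matches:
        return {"status": "no_secure_endpoint_action"}
    return {"status": "ready",
            "module_instance_id": matches[0]["module_instance_id"],
            "action_id": matches[0]["id"]}

def isolate_if_approved(approved, selection, observable_value, trigger):
    """Step 8: only trigger the response action after approval; an endpoint that
    is already isolated counts as success (the Mar 31, 2023 change)."""
    if selection["status"] != "ready":
        return selection["status"]
    if not approved:
        return "rejected"
    result = trigger(selection["module_instance_id"], selection["action_id"],
                     "amp_computer_guid", observable_value)
    if result.get("ok") or "already" in result.get("message", "").lower():
        return "isolated"
    return "failed"

def fake_trigger(module_instance_id, action_id, obs_type, obs_value):
    """Stand-in for the Trigger Response Action atomic; returns a constructed result."""
    return {"ok": True}
```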

Configuration

  • Set the Secure Endpoint Module Name local variable to the name of your Secure Endpoint SecureX module
  • Set the Task Approver local variable to the email address of the SecureX user you want to approve requests from the workflow
  • Set the Task Requestor local variable to the email address of the SecureX user you want to own requests from the workflow
  • If you want the workflow to send emails, you need to:
    • Create an SMTP Endpoint target called SMTP Target for the workflow to use
    • Enable the Send Email activity and customize it as needed
  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|-------------|------|---------|--------------|-------|
| CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | CTR_Credentials | Created by default |
| CTR_API | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | None | Created by default |

Account Keys

| Account Key Name | Type | Details | Notes |
|------------------|------|---------|-------|
| CTR_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |