Take Orbital Forensic Snapshot
Out of Box
Response Workflow
This workflow initiates a Cisco Orbital forensic snapshot for the endpoint identified by the provided observable. Supported observables: ip, mac_address, amp_computer_guid
Change Log
Date | Notes |
---|---|
Jun 29, 2020 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Orbital - Query Endpoint
  - Threat Response - Generate Access Token
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint with Orbital
Workflow Steps
- Make sure the observable is supported and set the corresponding local variable
- Generate an access token for Orbital
- Execute a forensic snapshot
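The three steps above, carried through as an added Python example (this is illustrative code, not the workflow's own atomics or Cisco's API client). It uses the two targets and the account key listed on this page: the Threat Response token endpoint at visibility.amp.cisco.com under /iroh with HTTP Basic auth (Client ID / Client Secret), and the Orbital target at orbital.amp.cisco.com under /v0. The page does not name the Orbital snapshot endpoint, so `SNAPSHOT_PATH` is a labelled placeholder; the `send` callable and `fake_send` transport are assumptions so the flow runs offline. The point to notice is step 1: an observable is only forwarded once its type is one of the three supported kinds and its value parses, so a malformed string never reaches the token or query request.

```python
"""Added example: validate the observable, get a token, request the snapshot.
Constructed to mirror the workflow steps; not the workflow's own code."""
import base64
import ipaddress
import re
import uuid
from typing import Callable, Dict, Tuple

# Targets taken from the page.
TOKEN_URL = "https://visibility.amp.cisco.com/iroh/oauth2/token"  # Threat Response token endpoint
ORBITAL_BASE = "https://orbital.amp.cisco.com/v0"
# ASSUMPTION: the page does not give the snapshot endpoint; placeholder path only.
SNAPSHOT_PATH = "/snapshot-endpoint-placeholder"

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)


def classify_observable(obs_type: str, value: str) -> Tuple[str, str]:
    """Step 1: accept only ip / mac_address / amp_computer_guid and make sure the
    value parses. Returns (local variable name, normalised value); raises
    ValueError for anything else so the workflow stops before any request."""
    value = value.strip()
    if obs_type == "ip":
        return "ip", str(ipaddress.ip_address(value))  # raises ValueError on garbage
    if obs_type == "mac_address":
        if not MAC_RE.match(value):
            raise ValueError(f"malformed MAC address: {value!r}")
        return "mac_address", value.lower().replace("-", ":")
    if obs_type == "amp_computer_guid":
        return "amp_computer_guid", str(uuid.UUID(value))  # raises ValueError if not a UUID
    raise ValueError(f"unsupported observable type: {obs_type!r}")


def build_token_request(client_id: str, client_secret: str) -> Dict:
    """Step 2: client-credentials grant against Threat Response. Client ID and
    Client Secret go in HTTP Basic auth, as the Orbital_Credentials key describes."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": "grant_type=client_credentials",
    }


def build_snapshot_request(token: str, var_name: str, value: str) -> Dict:
    """Step 3: snapshot request against the Orbital target, bearer token from step 2.
    The body layout is an assumption; only the validated observable is sent."""
    return {
        "method": "POST",
        "url": ORBITAL_BASE + SNAPSHOT_PATH,
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "json": {var_name: value},
    }


def run_workflow(obs_type: str, value: str, client_id: str, client_secret: str,
                 send: Callable[[Dict], Dict]) -> Dict:
    """Runs the three steps in order. `send` is an injected transport (assumption)
    so the flow can be exercised without network access."""
    var_name, normalised = classify_observable(obs_type, value)
    token = send(build_token_request(client_id, client_secret))["access_token"]
    return send(build_snapshot_request(token, var_name, normalised))


def fake_send(request: Dict) -> Dict:
    """Constructed offline transport: hands back a made-up token for the token
    endpoint and echoes any other request so the caller can inspect it."""
    if request["url"] == TOKEN_URL:
        return {"access_token": "constructed-token"}
    return {"status": "accepted", "request": request}


if __name__ == "__main__":
    result = run_workflow("ip", " 10.0.0.5 ", "client-id", "client-secret", fake_send)
    print(result["request"]["headers"]["Authorization"], result["request"]["json"])
    try:
        run_workflow("domain", "example.invalid", "client-id", "client-secret", fake_send)
    except ValueError as exc:
        print("rejected before any request:", exc)
```

Swapping `fake_send` for a real HTTP client is the only change needed to run it for real; the validation and request-building logic stays the same, which is what makes the rejection path easy to test.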
Configuration
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | Orbital_Credentials | Created by default |
Orbital_Target | HTTP Endpoint | Protocol: HTTPS; Host: orbital.amp.cisco.com; Path: /v0 | None | Created by default |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
Orbital_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |