Take Orbital Forensic Snapshot
Out of Box
Response Workflow
This workflow initiates a Cisco Orbital forensic snapshot for the endpoint identified by the provided observable. Supported observables: ip, mac_address, amp_computer_guid
Change Log
| Date | Notes |
|---|---|
| Jun 29, 2020 | - Initial release |
| Sep 10, 2021 | - Updated to use the new system atomics |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- Orbital - Query Endpoint
- Threat Response - Generate Access Token
- The following atomic actions must be imported before you can import this workflow:
- None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint with Orbital
Workflow Steps
- Make sure the observable is supported and set the corresponding local variable
- Generate an access token for Orbital
- Execute a forensic snapshot
Configuration
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPSHost: visibility.amp.cisco.comPath: /iroh | Orbital_Credentials | Created by default |
| Orbital_Target | HTTP Endpoint | Protocol: HTTPSHost: orbital.amp.cisco.comPath: /v0 | None | Created by default |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| Orbital_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |