
Take Orbital Forensic Snapshot

Out of Box

Response Workflow

This workflow initiates a Cisco Orbital forensic snapshot for the endpoint identified by the provided observable. Supported observables: ip, mac_address, amp_computer_guid.


Change Log

Date | Notes
Jun 29, 2020 | Initial release
Sep 10, 2021 | Updated to use the new system atomics

See the Important Notes page for more information about updating workflows.


Requirements

  • The following system atomics are used by this workflow:
    • Orbital - Query Endpoint
    • Threat Response - Generate Access Token
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed below
  • Cisco Secure Endpoint with Orbital

Workflow Steps

  1. Make sure the observable is supported and set the corresponding local variable
  2. Generate an access token for Orbital
  3. Execute a forensic snapshot
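The three steps above as a stand-alone Python script (an added example, not the workflow's own code): observable validation, the client-credentials token request against the Orbital_For_Access_Token target, and the snapshot query against the Orbital_Target target. Hosts and base paths are taken from the Targets table below; the /oauth2/token and /query suffixes, the node-selector prefixes and the stock query name are assumptions or placeholders that must be checked against the Orbital API documentation.

```python
import base64
import ipaddress
import json
import re
import urllib.request
import uuid

# Hosts and base paths are the ones listed in the Targets table on this page.
TOKEN_BASE = "https://visibility.amp.cisco.com/iroh"
ORBITAL_BASE = "https://orbital.amp.cisco.com/v0"
SUPPORTED = ("ip", "mac_address", "amp_computer_guid")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def check_observable(obs_type, value):
    """Step 1: refuse unsupported or malformed observables before any API call.
    Returns the normalised value, raises ValueError otherwise."""
    if obs_type not in SUPPORTED:
        raise ValueError(f"unsupported observable type: {obs_type}")
    if obs_type == "ip":
        return str(ipaddress.ip_address(value))  # raises on anything that is not an IP
    if obs_type == "mac_address":
        if not MAC_RE.match(value):
            raise ValueError(f"malformed MAC address: {value}")
        return value.lower().replace("-", ":")
    return str(uuid.UUID(value))  # assumption: AMP computer GUIDs are UUID-formatted

def token_request(client_id, client_secret):
    """Step 2: client-credentials grant against Orbital_For_Access_Token using the
    Orbital_Credentials key (HTTP Basic). The /oauth2/token suffix is assumed."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"url": f"{TOKEN_BASE}/oauth2/token",
            "headers": {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": "grant_type=client_credentials"}

def snapshot_request(token, obs_type, value):
    """Step 3: Orbital query against Orbital_Target that triggers the snapshot.
    The /query suffix, node-selector prefixes and stock query name are assumptions."""
    node = check_observable(obs_type, value)
    prefix = {"ip": "ip", "mac_address": "mac", "amp_computer_guid": "amp"}[obs_type]
    body = {"nodes": [f"{prefix}:{node}"], "stock": ["FORENSIC_SNAPSHOT_STOCK_QUERY_PLACEHOLDER"]}
    return {"url": f"{ORBITAL_BASE}/query",
            "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            "body": json.dumps(body)}

def send(req):
    """POST one of the requests built above and return the decoded JSON response."""
    r = urllib.request.Request(req["url"], data=req["body"].encode(), headers=req["headers"], method="POST")
    with urllib.request.urlopen(r, timeout=30) as resp:
        return json.loads(resp.read().decode())
```

A full run is `send(snapshot_request(send(token_request(cid, secret))["access_token"], "ip", "10.1.2.3"))`, with the token response field name being another assumption to verify.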

Configuration

  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

Target Name | Type | Details | Account Keys | Notes
Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | Orbital_Credentials | Created by default
Orbital_Target | HTTP Endpoint | Protocol: HTTPS; Host: orbital.amp.cisco.com; Path: /v0 | None | Created by default

Account Keys

Account Key Name | Type | Details | Notes
Orbital_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default