On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Take Orbital Forensic Snapshot

Out of Box

Response Workflow

This workflow initiates a Cisco Orbital forensic snapshot for the endpoint identified by the provided observable. Supported observables: ip, mac_address, amp_computer_guid

GitHub

---

Change Log

Date	Notes
Jun 29, 2020	- Initial release
Sep 10, 2021	- Updated to use the new system atomics

See the Important Notes page for more information about updating workflows

---

Requirements

• The following system atomics are used by this workflow:
  • Orbital - Query Endpoint
  • Threat Response - Generate Access Token
• The following atomic actions must be imported before you can import this workflow:
  • None
• The targets and account keys listed at the bottom of the page
• Cisco Secure Endpoint with Orbital

---

Workflow Steps

1. Make sure the observable is supported and set the corresponding local variable
2. Generate an access token for Orbital
3. Execute a forensic snapshot

---

Configuration

• If you want to change the name of this workflow in the pivot menu, change its display name

---

Targets

Target Group: Default TargetGroup

Target Name	Type	Details	Account Keys	Notes
Orbital_For_Access_Token	HTTP Endpoint	Protocol: HTTPS Host: visibility.amp.cisco.com Path: /iroh	Orbital_Credentials	Created by default
Orbital_Target	HTTP Endpoint	Protocol: HTTPS Host: orbital.amp.cisco.com Path: /v0	None	Created by default

---

Account Keys

Account Key Name	Type	Details	Notes
Orbital_Credentials	HTTP Basic Authentication	Username: Client ID Password: Client Secret	Created by default