Take Forensic Snapshot and Isolate
Out of Box
Response Workflow
This workflow initiates a Cisco Orbital forensic snapshot for the endpoint identified by the provided observable and then attempts to enable host isolation using Cisco Secure Endpoint. Supported observables: ip, mac_address, amp_computer_guid
Change Log
Date | Notes |
---|---|
Jun 29, 2020 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Orbital - Query Endpoint
  - Secure Endpoint - Get Connector GUID
  - Secure Endpoint - Isolate Host
  - Threat Response - Generate Access Token
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint with Orbital
Workflow Steps
- Make sure the observable is supported and set the corresponding local variable
- If the observable wasn’t a computer GUID, try getting a GUID from Secure Endpoint
- Generate an access token for Orbital
- Execute a forensic snapshot
- If a GUID was found, request host isolation
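The decision logic of the five steps above, as an added example that is not part of Cisco's workflow: the three API calls are injected as hypothetical callables with constructed offline stubs, so the branching (GUID lookup only for non-GUID observables, snapshot before isolation, isolation only when a GUID exists) can be exercised without the real targets.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Observable types the workflow accepts (from the page).
SUPPORTED = {"ip", "mac_address", "amp_computer_guid"}

@dataclass
class Clients:
    """Hypothetical client callables (assumption); in a deployment each
    would wrap one of the targets listed at the bottom of the page."""
    lookup_guid: Callable[[str, str], Optional[str]]   # Secure Endpoint - Get Connector GUID
    get_orbital_token: Callable[[], str]                # Threat Response - Generate Access Token
    forensic_snapshot: Callable[[str, str, str], str]   # Orbital - Query Endpoint -> job id
    isolate_host: Callable[[str], bool]                 # Secure Endpoint - Isolate Host

def respond(obs_type: str, obs_value: str, c: Clients) -> dict:
    # Step 1: reject unsupported observables before any API call is made.
    if obs_type not in SUPPORTED:
        raise ValueError(f"unsupported observable type: {obs_type}")
    # Step 2: only resolve a GUID when the observable is not already one.
    guid = obs_value if obs_type == "amp_computer_guid" else c.lookup_guid(obs_type, obs_value)
    # Steps 3-4: token, then snapshot. The snapshot runs even when no GUID was found,
    # and always before isolation, so volatile evidence is captured before the
    # endpoint's network connectivity is cut.
    token = c.get_orbital_token()
    snapshot_id = c.forensic_snapshot(token, obs_type, obs_value)
    # Step 5: isolation needs a connector GUID; skip (do not fail) when there is none.
    isolated = c.isolate_host(guid) if guid else False
    return {"guid": guid, "snapshot_id": snapshot_id, "isolated": isolated}

# Constructed offline stubs standing in for the three targets; CALLS records order.
CALLS: list = []
_INVENTORY = {("ip", "10.0.0.5"): "CONSTRUCTED-GUID-0001"}  # constructed sample data
def _lookup(t, v): return _INVENTORY.get((t, v))
def _token(): return "constructed-token"
def _snapshot(token, t, v): CALLS.append("snapshot"); return f"snap:{t}:{v}"
def _isolate(guid): CALLS.append("isolate"); return guid.startswith("CONSTRUCTED-")
STUB_CLIENTS = Clients(_lookup, _token, _snapshot, _isolate)

if __name__ == "__main__":
    print(respond("ip", "10.0.0.5", STUB_CLIENTS))
```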
Configuration
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
AMP_Target | HTTP Endpoint | Protocol: HTTPS, Host: api.amp.cisco.com, Path: /v1 | AMP_Credentials | Created by default |
Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPS, Host: visibility.amp.cisco.com, Path: /iroh | Orbital_Credentials | Created by default |
Orbital_Target | HTTP Endpoint | Protocol: HTTPS, Host: orbital.amp.cisco.com, Path: /v0 | None | Created by default |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
AMP_Credentials | HTTP Basic Authentication | Username: Client ID, Password: Client Secret | Created by default |
Orbital_Credentials | HTTP Basic Authentication | Username: Client ID, Password: Client Secret | Created by default |