Take Forensic Snapshot and Isolate

Out of Box

Response Workflow

This workflow initiates a Cisco Orbital forensic snapshot for the endpoint identified by the provided observable and then attempts to enable host isolation using Cisco Secure Endpoint. Supported observables: ip, mac_address, amp_computer_guid

GitHub

Change Log

Date	Notes
Jun 29, 2020	- Initial release
Sep 10, 2021	- Updated to use the new system atomics

See the Important Notes page for more information about updating workflows

Requirements

The following system atomics are used by this workflow:
- Orbital - Query Endpoint
- Secure Endpoint - Get Connector GUID
- Secure Endpoint - Isolate Host
- Threat Response - Generate Access Token
The following atomic actions must be imported before you can import this workflow:
- None
The targets and account keys listed at the bottom of the page
Cisco Secure Endpoint with Orbital

Workflow Steps

Make sure the observable is supported and set the corresponding local variable
If the observable wasn’t a computer GUID, try getting a GUID from Secure Endpoint
Generate an access token for Orbital
Execute a forensic snapshot
If a GUID was found, request host isolation

Configuration

If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

Target Name	Type	Details	Account Keys	Notes
AMP_Target	HTTP Endpoint	Protocol: `HTTPS` Host: `api.amp.cisco.com` Path: `/v1`	AMP_Credentials	Created by default
Orbital_For_Access_Token	HTTP Endpoint	Protocol: `HTTPS` Host: `visibility.amp.cisco.com` Path: `/iroh`	Orbital_Credentials	Created by default
Orbital_Target	HTTP Endpoint	Protocol: `HTTPS` Host: `orbital.amp.cisco.com` Path: `/v0`	None	Created by default

Account Keys

Account Key Name	Type	Details	Notes
AMP_Credentials	HTTP Basic Authentication	Username: Client ID Password: Client Secret	Created by default
Orbital_Credentials	HTTP Basic Authentication	Username: Client ID Password: Client Secret	Created by default