On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this GitHub repository will not be actively maintained following this announcement.

Move Computer to Triage Group

Out of Box

Response Workflow

This workflow will move the endpoint identified by the provided observable to a triage device group in Cisco Secure Endpoint. Supported observables: ip, hostname, amp_computer_guid


Change Log

| Date | Notes |
|------|-------|
| Jun 23, 2020 | Initial release |
| Sep 10, 2021 | Updated to use the new system atomics |

See the Important Notes page for more information about updating workflows.


  • The following system atomics are used by this workflow:
    • Secure Endpoint - Get Connector GUID
    • Secure Endpoint - Get Group by Name
    • Secure Endpoint - Move Computer to Group
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Endpoint

Workflow Steps

  1. Make sure the observable is supported and set the corresponding local variable
  2. If the observable wasn’t a computer GUID, try getting a GUID from Secure Endpoint
  3. Attempt to locate the triage group to get its ID
  4. Move the computer to the group
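
The four steps above, written out as an added Python example; it is not the workflow's own definition and not Cisco code. The `api` callable, `fake_api` and the sample tenant are hypothetical and constructed for illustration, and the `/computers` and `/groups` paths, the filter names and the `group_guid` body field are assumed from the public Secure Endpoint v1 API rather than taken from this page.

```python
import ipaddress
import re

# Observable type -> query filter (filter names assumed from the public v1 API).
FILTERS = {"ip": "internal_ip", "hostname": "hostname[]"}
SUPPORTED = set(FILTERS) | {"amp_computer_guid"}  # the three types the page lists
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def move_to_triage(obs_type, obs_value, group_name, api):
    """api(method, path, params=None, body=None) -> parsed JSON; hypothetical HTTPS wrapper."""
    # Step 1: refuse observables the workflow does not support.
    if obs_type not in SUPPORTED:
        raise ValueError(f"unsupported observable type: {obs_type}")
    # Step 2: use the GUID as given, otherwise resolve it through the API.
    if obs_type == "amp_computer_guid":
        if not GUID_RE.fullmatch(obs_value):
            raise ValueError("malformed connector GUID")
        guid = obs_value
    else:
        if obs_type == "ip":
            ipaddress.ip_address(obs_value)  # raises ValueError on junk input
        hits = api("GET", "/computers", params={FILTERS[obs_type]: obs_value})["data"]
        if len(hits) != 1:  # none or ambiguous: do not guess which endpoint to move
            raise LookupError(f"{len(hits)} computers matched {obs_value!r}")
        guid = hits[0]["connector_guid"]
    # Step 3: locate the triage group, keeping only an exact name match.
    found = api("GET", "/groups", params={"name": group_name})["data"]
    groups = [g for g in found if g["name"] == group_name]
    if len(groups) != 1:
        raise LookupError(f"{len(groups)} groups named {group_name!r}")
    # Step 4: move the computer into the group.
    api("PATCH", f"/computers/{guid}", body={"group_guid": groups[0]["guid"]})
    return guid, groups[0]["guid"]

# Constructed sample tenant so the example runs offline.
COMPUTERS = [{"connector_guid": "11111111-2222-3333-4444-555555555555",
              "hostname": "wks-01", "internal_ip": "10.0.0.5"}]
GROUPS = [{"name": "Triage", "guid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
          {"name": "Triage-Lab", "guid": "99999999-bbbb-cccc-dddd-eeeeeeeeeeee"}]
MOVES = []  # (connector_guid, group_guid) pairs the fake API was asked to apply

def fake_api(method, path, params=None, body=None):
    if path == "/computers":
        key, val = next(iter(params.items()))
        return {"data": [c for c in COMPUTERS if c[key.rstrip("[]")] == val]}
    if path == "/groups":  # substring match, to exercise the exact-name filter
        return {"data": [g for g in GROUPS if params["name"] in g["name"]]}
    MOVES.append((path.rsplit("/", 1)[1], body["group_guid"]))
    return {"data": {}}
```

Calling `move_to_triage("hostname", "wks-01", "Triage", fake_api)` returns the connector GUID and group GUID that were paired in the move; a lookup that matches zero or several computers raises instead of moving anything.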


  • Set the Triage Group Name local variable to the name of the group you want to move computers to
  • If you want to change the name of this workflow in the pivot menu, change its display name


Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|-------------|------|---------|--------------|-------|
| AMP_Target | HTTP Endpoint | Protocol: HTTPS; Host: api.amp.cisco.com; Path: /v1 | AMP_Credentials | Created by default |

Account Keys

| Account Key Name | Type | Details | Notes |
|------------------|------|---------|-------|
| AMP_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |