
Move Computer to Triage Group

Out of Box

Response Workflow

This workflow moves the endpoint identified by the provided observable into a triage device group in Cisco Secure Endpoint. Because the group a computer belongs to determines which policy is applied to it, the triage group should carry the policy you want enforced on a host under investigation. Supported observables: ip, hostname, amp_computer_guid


Change Log

Date          Notes
Jun 23, 2020  Initial release
Sep 10, 2021  Updated to use the new system atomics

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Secure Endpoint - Get Connector GUID
    • Secure Endpoint - Get Group by Name
    • Secure Endpoint - Move Computer to Group
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Endpoint

Workflow Steps

  1. Make sure the observable is one of the supported types and set the corresponding local variable
  2. If the observable was not a computer GUID, look up the connector GUID in Secure Endpoint by hostname or IP address
  3. Attempt to locate the triage group by name to get its ID
  4. Move the computer to the group
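The four steps above, written out as a stand-alone Python script so the control flow and failure cases are visible. This is an added example, not the workflow's own code or the system atomics it calls. The endpoint paths and query parameters (GET /computers with internal_ip or hostname[], GET /groups with name, PATCH /computers/{guid} with group_guid) are assumptions about the public Secure Endpoint v1 API; the default group name "Triage" and all data in FakeApi are constructed so the script runs offline.

```python
"""Resolve an observable to a connector GUID, find the triage group by name,
and move the computer into it (added example; API shape is assumed)."""
import base64
import ipaddress
import json
import re
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SUPPORTED = {"ip", "hostname", "amp_computer_guid"}


class SecureEndpointApi:
    """Minimal HTTP Basic client for the Secure Endpoint REST API (assumed paths)."""
    def __init__(self, client_id, client_secret, base="https://api.amp.cisco.com/v1"):
        token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self.base, self.auth = base.rstrip("/"), f"Basic {token}"

    def call(self, method, path, params=None, body=None):
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": self.auth, "Accept": "application/json",
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)


def get_connector_guid(api, obs_type, value):
    """Steps 1 and 2: validate the observable, then resolve it to a connector GUID."""
    if obs_type not in SUPPORTED:
        raise ValueError(f"unsupported observable type: {obs_type}")
    if obs_type == "amp_computer_guid":
        if not GUID_RE.match(value):
            raise ValueError("malformed connector GUID")
        return value.lower()
    if obs_type == "ip":
        ipaddress.ip_address(value)  # reject garbage before it reaches the API
        params = {"internal_ip": value}
    else:
        params = {"hostname[]": value}
    computers = api.call("GET", "/computers", params=params).get("data", [])
    if len(computers) != 1:
        # Zero hits: nothing to move. Several: refuse to guess which host to move.
        raise LookupError(f"{len(computers)} computers matched {obs_type}={value!r}")
    return computers[0]["connector_guid"]


def get_group_guid(api, name):
    """Step 3: require an exact name match, since the API filter is assumed to be a substring search."""
    groups = api.call("GET", "/groups", params={"name": name}).get("data", [])
    exact = [g for g in groups if g["name"] == name]
    if len(exact) != 1:
        raise LookupError(f"expected exactly one group named {name!r}, found {len(exact)}")
    return exact[0]["guid"]


def move_to_triage(api, obs_type, value, triage_group_name="Triage"):
    """Step 4: move the computer; returns the (connector_guid, group_guid) acted on."""
    guid = get_connector_guid(api, obs_type, value)
    group_guid = get_group_guid(api, triage_group_name)
    api.call("PATCH", f"/computers/{guid}", body={"group_guid": group_guid})
    return guid, group_guid


class FakeApi:
    """Constructed in-memory tenant so the logic above runs offline."""
    def __init__(self):
        self.groups = [{"guid": "11111111-1111-1111-1111-111111111111", "name": "Triage"},
                       {"guid": "22222222-2222-2222-2222-222222222222", "name": "Triage-Archive"}]
        self.computers = [{"connector_guid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
                           "hostname": "WS-FIN-042", "internal_ips": ["10.20.30.42"],
                           "group_guid": "33333333-3333-3333-3333-333333333333"}]

    def call(self, method, path, params=None, body=None):
        if method == "GET" and path == "/computers":
            if "internal_ip" in params:
                hits = [c for c in self.computers if params["internal_ip"] in c["internal_ips"]]
            else:
                hits = [c for c in self.computers
                        if c["hostname"].lower() == params["hostname[]"].lower()]
            return {"data": hits}
        if method == "GET" and path == "/groups":
            return {"data": [g for g in self.groups if params["name"] in g["name"]]}
        if method == "PATCH" and path.startswith("/computers/"):
            guid = path.rsplit("/", 1)[1]
            for c in self.computers:
                if c["connector_guid"] == guid:
                    c["group_guid"] = body["group_guid"]
                    return {"data": c}
            raise LookupError("unknown connector")
        raise NotImplementedError(f"{method} {path}")


if __name__ == "__main__":
    print(move_to_triage(FakeApi(), "hostname", "ws-fin-042"))
```

Two choices worth keeping when you adapt this: a hostname or IP that matches zero or more than one computer aborts rather than moving the first hit, and the group lookup insists on an exact name so a group such as "Triage-Archive" can never be picked up by a looser "Triage" match.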

Configuration

  • Set the Triage Group Name local variable to the exact name of the group you want to move computers to; the group must already exist in Secure Endpoint
  • The API credentials behind AMP_Credentials must have read and write access, since moving a computer is a write operation
  • If your Secure Endpoint account is hosted in the EU or APJC region, change the AMP_Target host from api.amp.cisco.com to the regional API host
  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

Target Name:   AMP_Target
Type:          HTTP Endpoint
Details:       Protocol: HTTPS
               Host: api.amp.cisco.com
               Path: /v1
Account Keys:  AMP_Credentials
Notes:         Created by default

Account Keys

Account Key Name:  AMP_Credentials
Type:              HTTP Basic Authentication
Details:           Username: Client ID
                   Password: Client Secret
Notes:             Created by default