On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Phishing Investigation - Statistics

Workflow #0010B

This workflow sends an email summary of Phishing Investigation workflow activity.

Overview GitHub

Change Log

Date Notes
Jan 21, 2021 - Initial release
Feb 4, 2021 - Updated the runtime calculation Python script to fix some possible failures
Aug 31, 2022 - Minor updates to naming and descriptions

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • None
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page

Workflow Steps

This email is designed to be triggered by a schedule.

  1. Calculate and format the dates needed to generate the report
  2. Fetch rows from the global statistics table for this reporting period
  3. Loop through the table records and calculate each row’s workflow run time
  4. Process the data into an email and send the message
  5. Clean up the global statistics table (purge old records)


  • Set the Report Recipients local variable to the email addresses you want the report sent to
  • Set the Report Time Span (Days) local variable to how many days of data you want included in the report. We recommend using a relatively short time span such as 1 day
  • Set the Retention Period (Days) local variable to how many days of data you want kept in the global statistics table. If you don’t want to keep historical data, you can set this to 1 day longer than your Report Time Span (Days). We recommend keeping the table as clean as possible, so try not to keep too much data
  • By default, the workflow is configured to run once a day at midnight UTC. If you want to change this schedule, you can modify the 0010B - Phishing Investigation Statistics schedule
  • To use a different SMTP Endpoint target, update the workflow’s target group condition with the name of the target you want to use (default: Email Endpoint)


Target Group: Default TargetGroup

By default, the Default TargetGroup may not include SMTP Endpoint targets. If this is the case, you will need to update the target group and add SMTP Endpoint to the target types included. More information about target groups can be found here.

Target Name Type Details Account Keys Notes
Phishing Investigation Outgoing SMTP Endpoint Configured for your SMTP server Phishing Investigation Mailbox Credentials  

Account Keys

Account Key Name Type Details Notes
Phishing Investigation Mailbox Credentials Email Credentials Username: Mailbox Username
Password: Mailbox Password