On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this GitHub repository will not be actively maintained following this announcement.

Remove Tag from Assets

Workflow #0069

Response Workflow

This workflow searches Kenna for assets matching the observable provided and removes a tag from them. A casebook is created for each asset if “Create Casebook” is set to true. Supported observables: ip, hostname, mac_address

This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.


Change Log

  • Aug 4, 2022: Initial release
  • Sep 7, 2022: Updated to support SecureX Tokens

See the Important Notes page for more information about updating workflows.


Requirements

  • The following system atomics are used by this workflow:
    • Kenna - Remove Tag from Asset
    • Kenna - Search Assets
    • Threat Response - Create Casebook
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Kenna Security

Workflow Steps

  1. Fetch global variables
  2. Build the query string based on the observable provided
  3. Search for matching assets
  4. Convert the asset list to a table
  5. For each asset:
    • Remove the tag from the asset
    • If creating casebooks is enabled, create a casebook
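
Step 2 turns the observable into the search string that decides which assets lose the tag, so a malformed or wildcard value can widen the match beyond the intended asset. The following Python is an added example, not the workflow's own code: it validates and canonicalizes each supported observable type before building a quoted, single-field query. The Kenna search field names (ip_address, hostname, mac_address), the quoting style and the colon-separated MAC form are assumptions to check against your instance's search syntax.

```python
import ipaddress
import re

# Assumed Kenna search field for each observable type the workflow supports.
FIELD_BY_TYPE = {"ip": "ip_address", "hostname": "hostname",
                 "mac_address": "mac_address"}

_HOST_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
_MAC = re.compile(r"[0-9A-Fa-f]{2}(?:[:-]?[0-9A-Fa-f]{2}){5}")


def normalize_observable(obs_type, value):
    """Return a canonical value, or raise ValueError if the input is not a
    single well-formed ip, hostname or mac_address."""
    value = value.strip()
    if obs_type == "ip":
        # ip_address() raises ValueError for anything that is not one address.
        return str(ipaddress.ip_address(value))
    if obs_type == "hostname":
        name = value.rstrip(".").lower()
        labels = name.split(".")
        if (not name or len(name) > 253
                or not all(_HOST_LABEL.fullmatch(label) for label in labels)):
            raise ValueError(f"not a valid hostname: {value!r}")
        return name
    if obs_type == "mac_address":
        if not _MAC.fullmatch(value):
            raise ValueError(f"not a valid MAC address: {value!r}")
        digits = re.sub(r"[:-]", "", value).lower()
        # Colon-separated lowercase is an assumed canonical form.
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError(f"unsupported observable type: {obs_type!r}")


def build_asset_query(obs_type, value):
    """Build a quoted search string that targets exactly one field."""
    canonical = normalize_observable(obs_type, value)
    return f'{FIELD_BY_TYPE[obs_type]}:"{canonical}"'
```

Because validation rejects quotes, spaces and wildcards, a value such as `*` or one carrying an extra search clause fails before any asset is searched or untagged.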

Configuration

  • Add your Kenna API token to the API Token local variable (or, if you have an API key in a global variable already, set the local variable to the global’s value using the Fetch Global Variables group at the beginning of the workflow)
  • Set the Create Casebook local variable to true or false depending on whether or not you want a casebook created for each untagged asset
  • Set the Kenna Instance URL local variable to the URL of your Kenna instance (for example: customer.kennasecurity.com)
  • Set the Tag to Remove local variable to the tag you want removed from matching assets in Kenna
  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

  • Kenna_Target
    • Type: HTTP Endpoint
    • Protocol: HTTPS
    • Host: api.kennasecurity.com
    • Path: None
    • Account Keys: None
  • Private_CTIA_Target
    • Type: HTTP Endpoint
    • Protocol: HTTPS
    • Host: private.intel.amp.cisco.com
    • Path: None
    • Account Keys: CTR_Credentials
    • Notes: Created by default

Account Keys

  • CTR_Credentials
    • Type: SecureX Token
    • Notes: See this page