On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Top Windows IR Indicators to ServiceNow

Workflow #0055

Response Workflow

This workflow runs multiple Oribtal queries on the endpoint provided to look for top incident response indicators of compromise. The results are then posted to a ServiceNow incident. Supported observables: ip, mac_address, amp_computer_guid, hostname


Change Log

Date Notes
Jan 20, 2022 - Initial release
Sep 7, 2022 - Minor updates to naming and descriptions

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Orbital - Query Endpoint
    • Threat Response - Generate Access Token
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Endpoint with Orbital
  • ServiceNow

Workflow Steps

  1. Check if the observable type provided is supported
  2. Detect the region
  3. Get logged in user name
  4. Get list of local accounts
  5. Get user’s “Documents” folder contents
  6. Get user’s “Downloads” folder contents
  7. Get user’s “Desktop” folder contents
  8. Get recent USB activity
  9. Get recent Office documents
  10. Get list of installed programs
  11. Get list of Chrome browser extensions
  12. Get named pipes
  13. Get list of processes
  14. Get list of outbound network connections
  15. Get list of listening network connections
  16. Get local DNS cache
  17. Get list of open shares
  18. Get list of autoexecute binaries
  19. Get recent PowerShell activity
  20. Get host uptime
  21. Log results in a ServiceNow incident


  • Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • Update the ServiceNow - Create Incident activity at the end of the workflow with any changes to the ticket properties you want


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Orbital_For_Access_Token HTTP Endpoint Protocol: HTTPS
Host: visibility.amp.cisco.com
Path: /iroh
Orbital_Credentials Created by default
Orbital_Target HTTP Endpoint Protocol: HTTPS
Host: orbital.amp.cisco.com
Path: /v0
None Created by default
ServiceNow HTTP Endpoint Protocol: HTTPS
Host: <instance>.service-now.com
Path: /api
ServiceNow_Credentials Be sure to use your instance URL

Account Keys

Account Key Name Type Details Notes
Orbital_Credentials HTTP Basic Authentication Username: Client ID
Password: Client Secret
Created by default
ServiceNow_Credentials HTTP Basic Authentication Username: ServiceNow User ID
Password: ServiceNow Password