
AMP Host Isolation with Tier 2 Approval

Response Workflow

This workflow should be triggered from a SecureX pivot menu and supports AMP computer GUID observables. When triggered, this workflow will create an approval task requesting to enable host isolation for the computer provided as the observable. If approval is obtained, isolation is enabled. If approval is not obtained, the workflow takes no action.


Requirements


Workflow Steps

  1. Check that a supported observable was provided as input
  2. Get a list of available actions from Threat Response
  3. Create the approval task
  4. (Optional) Send an email notification (also requires an SMTP Target)
  5. Wait for approval
  6. If approved, trigger the host isolation action through Threat Response
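The gating logic of steps 1 to 6, shown as an added Python illustration (not code from the SecureX workflow itself). The Threat Response client here is a hypothetical stand-in for the CTR_API target, the action list, module name and computer GUID are constructed, and the approval callback stands in for the Tier 2 approval task; the point it makes is that the only path to the isolation call runs through an explicit approval, and every other outcome takes no action.

```python
"""Approval-gated AMP host isolation, following the six workflow steps.

Added illustration only: ThreatResponseClient is a hypothetical stand-in for
the CTR_API target (HTTPS calls under /iroh in the real workflow), and all
sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Step 1: the pivot-menu trigger is only meaningful for AMP computer GUIDs.
SUPPORTED_OBSERVABLE_TYPES = {"amp_computer_guid"}


@dataclass(frozen=True)
class Observable:
    type: str
    value: str


@dataclass(frozen=True)
class ResponseAction:
    """One entry from a Threat Response 'available actions' list."""
    id: str
    title: str
    module: str


class ThreatResponseClient:
    """Hypothetical stand-in for the CTR_API target; records what it triggers."""

    def __init__(self, available: List[ResponseAction]):
        self._available = list(available)
        self.triggered: List[tuple] = []

    def list_actions(self, observable: Observable) -> List[ResponseAction]:
        return list(self._available)

    def trigger(self, action: ResponseAction, observable: Observable) -> dict:
        self.triggered.append((action.id, observable.value))
        return {"status": "ok", "action": action.id}


@dataclass
class WorkflowResult:
    status: str  # rejected-observable | no-isolation-action | denied | isolated
    action_id: Optional[str] = None
    detail: str = ""


def find_isolation_action(actions: List[ResponseAction], module_name: str) -> Optional[ResponseAction]:
    """Pick the 'Isolate ...' action exposed by the configured AMP module.

    Matching on the title prefix keeps an 'Unisolate' action from being chosen.
    """
    for action in actions:
        if action.module == module_name and action.title.lower().startswith("isolate"):
            return action
    return None


def run_host_isolation_workflow(
    observable: Observable,
    client: ThreatResponseClient,
    amp_module_name: str,
    request_approval: Callable[[str], Optional[bool]],
    notify: Optional[Callable[[str], None]] = None,
) -> WorkflowResult:
    # Step 1: refuse anything that is not an AMP computer GUID.
    if observable.type not in SUPPORTED_OBSERVABLE_TYPES:
        return WorkflowResult("rejected-observable", detail=f"unsupported observable type '{observable.type}'")

    # Step 2: ask Threat Response which actions apply and pick the isolation one.
    action = find_isolation_action(client.list_actions(observable), amp_module_name)
    if action is None:
        return WorkflowResult("no-isolation-action", detail=f"module '{amp_module_name}' offers no isolation action")

    # Steps 3 and 4: create the approval request and optionally notify by email.
    request_text = f"Enable host isolation for AMP computer {observable.value} via '{amp_module_name}'"
    if notify is not None:
        notify(request_text)

    # Step 5: wait for the Tier 2 decision. Anything other than an explicit
    # approval (a rejection, or no answer within the wait window) means no action.
    if request_approval(request_text) is not True:
        return WorkflowResult("denied", action.id, detail="approval not obtained; no action taken")

    # Step 6: only now is the isolation action triggered through Threat Response.
    client.trigger(action, observable)
    return WorkflowResult("isolated", action.id, detail=f"isolation enabled for {observable.value}")


# Constructed sample data standing in for a Threat Response actions response.
AMP_MODULE_NAME = "AMP for Endpoints"
SAMPLE_ACTIONS = [
    ResponseAction("act-unisolate", "Unisolate Host", AMP_MODULE_NAME),
    ResponseAction("act-isolate", "Isolate Host", AMP_MODULE_NAME),
    ResponseAction("act-other", "Isolate Host", "Some Other Module"),
]
SAMPLE_GUID = Observable("amp_computer_guid", "00000000-0000-4000-8000-000000000001")  # constructed


def demo(decision: Optional[bool]) -> WorkflowResult:
    """Run the workflow once against the sample data with a fixed Tier 2 decision."""
    client = ThreatResponseClient(SAMPLE_ACTIONS)
    return run_host_isolation_workflow(SAMPLE_GUID, client, AMP_MODULE_NAME, lambda _req: decision)


if __name__ == "__main__":
    for decision in (True, False, None):
        print(decision, demo(decision))
```

Running the block prints one result per decision: an explicit approval ends in `isolated`, while both a rejection and a missing answer end in `denied` with nothing triggered. The module-name check mirrors the AMP module name local variable in the Configuration section: with a name that matches no module, the workflow stops before an approval task is ever created.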

Configuration

  • Provide the name of your AMP Threat Response module in the AMP module name local variable
  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | CTR_Credentials | Created by default |
| CTR_API | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | None | Created by default |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| CTR_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |