Link Search Menu Expand Document

Move Computer to AMP Triage Group

Response Workflow

This workflow should be triggered from a SecureX pivot menu and supports IP address, hostname, and AMP computer GUID observables. When triggered, this workflow attempts to move the computer provided as the observable to the group configured in the workflow.


Requirements


Workflow Steps

  1. Check that a supported observable was provided as input
  2. If a GUID wasn’t provided, convert the observable provided into the computer’s AMP GUID
  3. Look up the triage group provided and get its GUID
  4. Request the computer be moved to the triage group

Configuration

  • Provide the name of the group you want computers moved to in the Triage Group Name local variable
  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
AMP_Target HTTP Endpoint Protocol: HTTPS
Host: api.amp.cisco.com
Path: /v1
AMP_Credentials Created by default

Account Keys

Account Key Name Type Details Notes
AMP_Credentials HTTP Basic Authentication Username: Client ID
Password: Client Secret
Created by default