
Take Orbital Forensic Snapshot

Response Workflow

This workflow should be triggered from a SecureX pivot menu and supports IP address, hostname, and AMP computer GUID observables. When triggered, it takes an Orbital forensic snapshot of the computer identified by the observable.


Requirements


Workflow Steps

  1. Check that a supported observable was provided as input
  2. Generate an Orbital access token and request a forensic snapshot
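The two steps above, as an added example that is not part of the workflow or of Cisco's own code. It validates the observable type the way step 1 requires, then performs step 2 against the two targets listed below: HTTP Basic credentials (Client ID / Client Secret) sent to the `visibility.amp.cisco.com/iroh` target to obtain a bearer token, then the snapshot request to the `orbital.amp.cisco.com/v0` target. The `/oauth2/token` path and the client-credentials grant are assumptions, and the snapshot path is a labelled placeholder because the page does not name it. HTTP goes through an injected `transport` callable so the example runs offline with the constructed `fake_transport`.

```python
"""Added example: observable check plus the Orbital token / snapshot sequence.

Assumptions (not stated on the page): the token endpoint is
/iroh/oauth2/token with a client_credentials grant, and the snapshot
request path under /v0 is a PLACEHOLDER. A transport callable is injected
so the flow can be exercised without network access.
"""
import base64
import ipaddress
import json
import re
import uuid
from typing import Callable, Dict, Optional, Tuple

# Targets exactly as listed in the workflow's target group.
TOKEN_BASE = "https://visibility.amp.cisco.com/iroh"
ORBITAL_BASE = "https://orbital.amp.cisco.com/v0"
# Assumed path for the snapshot request; the page does not name it.
SNAPSHOT_PATH = "/PLACEHOLDER_forensic_snapshot"

# RFC 1123-style hostname: 1-63 char labels, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# transport(method, url, headers, body) -> (status_code, response_bytes)
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


def classify_observable(value: str) -> Optional[str]:
    """Step 1: return 'ip', 'amp_computer_guid' or 'hostname'; None if unsupported.

    Order matters: an IP or a UUID would also satisfy the hostname pattern,
    so the more specific checks run first.
    """
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    try:
        uuid.UUID(value)  # AMP computer GUIDs are UUID-formatted
        return "amp_computer_guid"
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return "hostname"
    return None


def build_token_request(client_id: str, client_secret: str):
    """HTTP Basic auth from the Orbital_Credentials account key."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return "POST", TOKEN_BASE + "/oauth2/token", headers, b"grant_type=client_credentials"


def get_access_token(client_id: str, client_secret: str, transport: Transport) -> str:
    """Step 2a: exchange the client credentials for a bearer token."""
    status, payload = transport(*build_token_request(client_id, client_secret))
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    token = json.loads(payload).get("access_token")
    if not token:
        raise RuntimeError("token response did not contain access_token")
    return token


def request_forensic_snapshot(observable: str, client_id: str, client_secret: str,
                              transport: Transport) -> dict:
    """Steps 1 and 2 end to end; rejects unsupported observables before any call."""
    kind = classify_observable(observable)
    if kind is None:
        raise ValueError(f"unsupported observable: {observable!r}")
    token = get_access_token(client_id, client_secret, transport)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"observable_type": kind, "observable_value": observable.strip()}).encode()
    status, payload = transport("POST", ORBITAL_BASE + SNAPSHOT_PATH, headers, body)
    if status not in (200, 201, 202):
        raise RuntimeError(f"snapshot request failed with HTTP {status}")
    return json.loads(payload)


def fake_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Constructed stand-in for both targets; checks the auth each one expects."""
    if method == "POST" and url == TOKEN_BASE + "/oauth2/token":
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, b'{"error":"unauthorized"}'
        return 200, b'{"access_token":"CONSTRUCTED_TOKEN","token_type":"bearer"}'
    if method == "POST" and url == ORBITAL_BASE + SNAPSHOT_PATH:
        if headers.get("Authorization") != "Bearer CONSTRUCTED_TOKEN":
            return 401, b'{"error":"unauthorized"}'
        return 202, b'{"status":"accepted","request":' + body + b"}"
    return 404, b'{"error":"not found"}'


if __name__ == "__main__":
    print(request_forensic_snapshot("host01.example.com", "client-id", "client-secret", fake_transport))
```

Replacing `fake_transport` with a real HTTPS client is the only change needed to run it for real; the observable check and the credential handling stay the same.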

Configuration

  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | Orbital_Credentials | Created by default |
| Orbital_Target | HTTP Endpoint | Protocol: HTTPS; Host: orbital.amp.cisco.com; Path: /v0 | None | Created by default |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| Orbital_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |