
Take Forensic Snapshot and Isolate

Response Workflow

This workflow should be triggered from a SecureX pivot menu and supports IP address, hostname, and AMP computer GUID observables. When triggered, this workflow will take a forensic snapshot of the computer provided as the observable and then request AMP host isolation be enabled.


Requirements


Workflow Steps

  1. Check that a supported observable was provided as input
  2. If a GUID wasn’t provided, convert the observable provided into the computer’s AMP GUID
  3. Generate an Orbital access token and request a forensic snapshot
  4. Request AMP host isolation be enabled
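
The four steps above, written out as an added Python example; this is not the workflow's own code (the workflow is a SecureX Orchestration definition, not a script). The AMP computers lookup (`GET /v1/computers` with `internal_ip` or `hostname[]`), the client-credentials grant under `/iroh/oauth2/token` and the isolation call `PUT /v1/computers/{guid}/isolation` are this example's assumptions about those APIs; the Orbital `/v0/query` request body, the `FakeTransport` stand-in and the sample inventory are constructed for the example so it runs offline.

```python
import base64
import ipaddress
import json
import re
from urllib.parse import quote, unquote
# Hosts and base paths taken from the workflow's target table.
AMP_BASE = "https://api.amp.cisco.com/v1"
IROH_BASE = "https://visibility.amp.cisco.com/iroh"
ORBITAL_BASE = "https://orbital.amp.cisco.com/v0"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def classify_observable(value):
    """Step 1: SecureX observable type (amp_computer_guid, ip, hostname) or ValueError."""
    if GUID_RE.match(value):
        return "amp_computer_guid"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return "hostname"
    raise ValueError(f"unsupported observable: {value!r}")

def basic_auth(client_id, client_secret):
    # HTTP Basic header built from an account key (Client ID / Client Secret).
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def resolve_amp_guid(transport, amp_creds, observable):
    """Step 2: GET /v1/computers by internal_ip or hostname[]; exactly one match required."""
    kind = classify_observable(observable)
    if kind == "amp_computer_guid":
        return observable
    param = "internal_ip" if kind == "ip" else "hostname[]"
    url = f"{AMP_BASE}/computers?{param}={quote(observable)}"
    status, body = transport("GET", url, basic_auth(*amp_creds), None)
    if status != 200:
        raise RuntimeError(f"AMP lookup failed: HTTP {status}")
    matches = body.get("data", [])
    if len(matches) != 1:  # ambiguous lookups fail closed rather than isolate a guess
        raise RuntimeError(f"expected 1 computer for {observable!r}, got {len(matches)}")
    return matches[0]["connector_guid"]

def orbital_access_token(transport, orbital_creds):
    """Step 3a: client-credentials grant against /iroh/oauth2/token."""
    headers = {**basic_auth(*orbital_creds), "Content-Type": "application/x-www-form-urlencoded"}
    status, body = transport("POST", f"{IROH_BASE}/oauth2/token", headers, "grant_type=client_credentials")
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return body["access_token"]

def request_forensic_snapshot(transport, token, guid):
    """Step 3b: Orbital snapshot job; the body shape (amp:<guid> node, 'stock' entry) is an assumption."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    payload = json.dumps({"nodes": [f"amp:{guid}"], "stock": ["forensic_snapshot"]})
    status, body = transport("POST", f"{ORBITAL_BASE}/query", headers, payload)
    if status not in (200, 201):
        raise RuntimeError(f"snapshot request failed: HTTP {status}")
    return body

def request_isolation(transport, amp_creds, guid, comment):
    """Step 4: PUT /v1/computers/{guid}/isolation enables AMP host isolation."""
    headers = {**basic_auth(*amp_creds), "Content-Type": "application/json"}
    status, body = transport("PUT", f"{AMP_BASE}/computers/{guid}/isolation", headers, json.dumps({"comment": comment}))
    if status not in (200, 201):
        raise RuntimeError(f"isolation request failed: HTTP {status}")
    return body

def respond(transport, amp_creds, orbital_creds, observable):
    """Steps 1-4 in the workflow's order: the snapshot is requested before isolation."""
    guid = resolve_amp_guid(transport, amp_creds, observable)
    token = orbital_access_token(transport, orbital_creds)
    snapshot = request_forensic_snapshot(transport, token, guid)
    isolation = request_isolation(transport, amp_creds, guid, f"SecureX workflow: {observable}")
    return {"guid": guid, "snapshot": snapshot, "isolation": isolation}

# Constructed sample inventory (not real data) so the example runs offline.
SAMPLE_GUID = "12345678-abcd-4ef0-9876-0123456789ab"
SAMPLE_INVENTORY = [{"connector_guid": SAMPLE_GUID, "hostname": "ws-finance-07.example.local", "internal_ips": ["10.20.30.40"]}]

class FakeTransport:
    """Offline stand-in for the three HTTP targets; records every call it sees."""
    def __init__(self): self.calls = []
    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if method == "GET" and url.startswith(f"{AMP_BASE}/computers?"):
            key, _, value = url.split("?", 1)[1].partition("=")
            value = unquote(value)
            hits = [c for c in SAMPLE_INVENTORY if (value in c["internal_ips"]
                    if key == "internal_ip" else value == c["hostname"])]
            return 200, {"data": hits}
        if url == f"{IROH_BASE}/oauth2/token":
            return 200, {"access_token": "constructed-token"}
        if url == f"{ORBITAL_BASE}/query":
            return 200, {"ID": "constructed-job-id", "nodes": json.loads(body)["nodes"]}
        if method == "PUT" and url.endswith("/isolation"):
            return 200, {"data": {"status": "pending_start"}}
        return 404, {}
```

Two checks are worth keeping in any real implementation: the lookup insists on exactly one matching computer, so a hostname or internal IP shared by several connectors stops the workflow instead of isolating a guess, and the snapshot is requested before isolation, matching the step order. To run it against the targets in the Targets section, replace `FakeTransport` with a real HTTP client exposing the same `(method, url, headers, body)` call signature.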

Configuration

  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
| --- | --- | --- | --- | --- |
| AMP_Target | HTTP Endpoint | Protocol: HTTPS<br>Host: api.amp.cisco.com<br>Path: /v1 | AMP_Credentials | Created by default |
| Orbital_For_Access_Token | HTTP Endpoint | Protocol: HTTPS<br>Host: visibility.amp.cisco.com<br>Path: /iroh | Orbital_Credentials | Created by default |
| Orbital_Target | HTTP Endpoint | Protocol: HTTPS<br>Host: orbital.amp.cisco.com<br>Path: /v0 | None | Created by default |

Account Keys

| Account Key Name | Type | Details | Notes |
| --- | --- | --- | --- |
| AMP_Credentials | HTTP Basic Authentication | Username: Client ID<br>Password: Client Secret | Created by default |
| Orbital_Credentials | HTTP Basic Authentication | Username: Client ID<br>Password: Client Secret | Created by default |