Generate Casebook with Flow Links
Workflow #0005
Response Workflow
This workflow should be triggered from a SecureX pivot menu and supports IP address observables. When triggered, this workflow generates a Threat Response casebook with links to investigate the IP address in Secure Cloud Analytics (SCA).
Requirements
- The following atomic actions must be imported before you can import this workflow:
- CTRGenerateAccessToken (Github_Target_Atomics)
- CTR Create Casebook (Github_Target_Atomics)
- The targets and account keys listed below
- A Secure Cloud Analytics instance
Workflow Steps
- Calculate date 7 days ago
- Format 7 days ago date to SCA format
- Format today’s date to SCA format
- Generate Threat Response access token
- Create casebook with investigation links
Configuration
- Set your SCA instance URL in the
SCA Instance URLlocal variable - If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPSHost: visibility.amp.cisco.comPath: /iroh | CTR_Credentials | Created by default |
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPSHost: private.intel.amp.cisco.comPath: None | None | Created by default |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| CTR_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |