Generate Casebook with Flow Links
Workflow #0005
Response Workflow
This workflow generates a Cisco SecureX casebook with links to investigate the IP address in Cisco Secure Cloud Analytics (SCA). Supported observable: ip
Change Log
Date | Notes |
---|---|
Nov 20, 2020 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
See the Important Notes page for more information about updating workflows.
Requirements
- The following system atomics are used by this workflow:
  - Threat Response - Create Casebook
  - Threat Response - Generate Access Token
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Cloud Analytics (SCA)
Workflow Steps
- Calculate date 7 days ago
- Format 7 days ago date to Secure Cloud Analytics format
- Format today’s date to Secure Cloud Analytics format
- Generate Threat Response access token
- Create casebook with investigation links
Configuration
- Set your Secure Cloud Analytics instance URL in the `SCA Instance URL` local variable
- If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh | CTR_Credentials | Created by default |
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS; Host: private.intel.amp.cisco.com; Path: None | None | Created by default |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |