
Generate Casebook with Flow Links

Workflow #0005

Response Workflow

This workflow generates a Cisco SecureX casebook containing links to investigate an IP address in Cisco Secure Cloud Analytics (SCA). Supported observable: ip

Change Log

Date          Notes
Nov 20, 2020  Initial release
Sep 10, 2021  Updated to use the new system atomics

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Threat Response - Create Casebook
    • Threat Response - Generate Access Token
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed below
  • Cisco Secure Cloud Analytics (SCA)

Workflow Steps

  1. Calculate date 7 days ago
  2. Format 7 days ago date to Secure Cloud Analytics format
  3. Format today’s date to Secure Cloud Analytics format
  4. Generate Threat Response access token
  5. Create casebook with investigation links
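The five steps above, carried out offline for one IP observable, as an added example (this is not the workflow's own code or Cisco's). It uses the two hosts from the Targets table and the HTTP Basic Client ID / Client Secret pair from the CTR_Credentials account key; the SCA date format (ISO 8601), the SCA pivot-link paths, the /ctia/casebook path and the casebook field names are assumptions of the example, and the Private_CTIA_Target row having no account key is read here as "the casebook call carries the bearer token from step 4". The observable is parsed as an IP address before it is placed in any URL, so a malformed pivot value cannot splice path or query content into the casebook links.

```python
"""Added example (not the workflow's own code): builds, offline, the artifacts
the five workflow steps produce for one IP observable. Nothing is sent.
Assumptions, labelled where used: SCA accepts ISO 8601 calendar dates, the SCA
pivot-link paths, the /ctia/casebook path, and the casebook field names."""
from __future__ import annotations

import base64
import datetime as dt
import ipaddress
import json
from urllib.parse import urlencode

# From the Targets table: CTR_For_Access_Token (host + path /iroh). The
# /oauth2/token suffix is the Threat Response token endpoint.
TOKEN_URL = "https://visibility.amp.cisco.com/iroh/oauth2/token"
# From the Targets table: Private_CTIA_Target. The /ctia/casebook path is ASSUMED.
CASEBOOK_URL = "https://private.intel.amp.cisco.com/ctia/casebook"


def sca_date_range(today_iso: str, days: int = 7) -> tuple[str, str]:
    """Steps 1-3: the date `days` ago and today, both in the SCA date format.
    ASSUMPTION: SCA takes ISO 8601 calendar dates (YYYY-MM-DD)."""
    today = dt.date.fromisoformat(today_iso)
    start = today - dt.timedelta(days=days)
    return start.isoformat(), today.isoformat()


def token_request(client_id: str, client_secret: str) -> dict:
    """Step 4: the client-credentials request driven by the CTR_Credentials
    account key (HTTP Basic: username = Client ID, password = Client Secret).
    Returned as data so it can be inspected without being sent."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def sca_investigation_links(ip: str, sca_instance_url: str,
                            start: str, end: str) -> dict:
    """Investigation links into the SCA instance named by the 'SCA Instance URL'
    local variable. The observable is parsed as an IP address first, so a
    malformed pivot value such as '1.2.3.4/../admin' raises ValueError instead
    of being spliced into a URL. The link paths are ASSUMED."""
    addr = str(ipaddress.ip_address(ip))          # normalises, rejects non-IPs
    base = sca_instance_url.rstrip("/")
    query = urlencode({"ip": addr, "start": start, "end": end})
    return {
        "flows": f"{base}/v2/flows/?{query}",      # assumed path
        "alerts": f"{base}/v2/alerts/?{query}",    # assumed path
    }


def casebook_payload(ip: str, sca_instance_url: str, today_iso: str) -> dict:
    """Step 5: the body for POST CASEBOOK_URL. The field names (title,
    description, observables) are an ASSUMPTION of this example."""
    start, end = sca_date_range(today_iso)
    links = sca_investigation_links(ip, sca_instance_url, start, end)
    addr = str(ipaddress.ip_address(ip))
    link_lines = "\n".join(f"- {name}: {url}" for name, url in links.items())
    return {
        "title": f"SCA investigation: {addr}",
        "description": f"Secure Cloud Analytics, {start} to {end}\n{link_lines}",
        "observables": [{"type": "ip", "value": addr}],
    }


def casebook_request(bearer_token: str, payload: dict) -> dict:
    """The casebook call carries the access token from step 4 rather than a
    static account key (the Private_CTIA_Target row lists Account Keys: None)."""
    return {
        "method": "POST",
        "url": CASEBOOK_URL,
        "headers": {"Authorization": f"Bearer {bearer_token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(payload),
    }


if __name__ == "__main__":
    # Constructed sample values; nothing here is sent over the network.
    print(token_request("example-client-id", "example-client-secret")["url"])
    body = casebook_payload("198.51.100.7", "https://example.obsrvbl.com/",
                            dt.date.today().isoformat())
    print(json.dumps(casebook_request("<token from step 4>", body), indent=2))
```

The request builders return plain dictionaries instead of calling out, so the token request can be checked for the right grant type and header before the Client Secret ever leaves the orchestrator; in a live run, pass them to an HTTP client and keep the secret in the account key, not in the workflow body.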

Configuration

  • Set your Secure Cloud Analytics instance URL in the SCA Instance URL local variable
  • If you want to change the name of this workflow in the pivot menu, change its display name

Targets

Target Group: Default TargetGroup

Target Name           Type           Details                            Account Keys     Notes
CTR_For_Access_Token  HTTP Endpoint  Protocol: HTTPS                    CTR_Credentials  Created by default
                                     Host: visibility.amp.cisco.com
                                     Path: /iroh
Private_CTIA_Target   HTTP Endpoint  Protocol: HTTPS                    None             Created by default
                                     Host: private.intel.amp.cisco.com
                                     Path: None

Account Keys

Account Key Name  Type                       Details                  Notes
CTR_Credentials   HTTP Basic Authentication  Username: Client ID      Created by default
                                             Password: Client Secret