Generate Casebook with Flow Links
Workflow #0005
Response Workflow
This workflow generates a Cisco SecureX casebook with links to investigate the IP address in Cisco Secure Cloud Analytics (SCA). Supported observable: ip
Change Log
| Date | Notes |
|---|---|
| Nov 20, 2020 | - Initial release |
| Sep 10, 2021 | - Updated to use the new system atomics |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- Threat Response - Create Casebook
- Threat Response - Generate Access Token
- The following atomic actions must be imported before you can import this workflow:
- None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Cloud Analytics (SCA)
Workflow Steps
- Calculate date 7 days ago
- Format 7 days ago date to Secure Cloud Analytics format
- Format today’s date to Secure Cloud Analytics format
- Generate Threat Response access token
- Create casebook with investigation links
Configuration
- Set your Secure Cloud Analytics instance URL in the
SCA Instance URLlocal variable - If you want to change the name of this workflow in the pivot menu, change its display name
Targets
Target Group: Default TargetGroup
| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPSHost: visibility.amp.cisco.comPath: /iroh | CTR_Credentials | Created by default |
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPSHost: private.intel.amp.cisco.comPath: None | None | Created by default |
Account Keys
| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| CTR_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |