Isolate Endpoints from Alerts
Workflow #0014
This workflow fetches alerts from Cisco Secure Cloud Analytics (SCA) for the past 24 hours that match the alert name and status you configure. The observations attached to those alerts are extracted, and each device they reference is looked up in Cisco Secure Endpoint. If a matching endpoint is found, host isolation is enabled on it. Finally, a Webex message is sent with a summary of what was isolated.
Change Log
Date | Notes |
---|---|
Feb 25, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Aug 31, 2022 | - Minor updates to naming and descriptions |
Feb 23, 2023 | - Update to Secure Cloud Analytics API Key variable description (Issue #235) |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
- Secure Cloud Analytics - Get Alerts
- Secure Cloud Analytics - Get Device Details by ID
- Secure Cloud Analytics - Get Observation Details by ID
- Secure Endpoint - Get Connector GUID
- Secure Endpoint - Isolate Host
- Webex - Post Message to Room
- Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
- None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Cloud Analytics (SCA)
- Cisco Secure Endpoint
- (Optional) Cisco Webex
Workflow Steps
- Fetch global variables
- Calculate dates
- Fetch alerts from Secure Cloud Analytics
- Extract observations from the alerts
- For each observation:
- Fetch the observation’s details and devices
- Check if the device was already processed:
- If it was, skip it
- If it wasn’t:
- Get the device’s details
- Attempt to locate it in Secure Endpoint and, if it’s found, isolate it
- Send a Webex message with a summary
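The step list above, written out as plain Python so the control flow (24-hour window, name/status filter, alert to observation to device walk, process each device once, isolate only endpoints that Secure Endpoint knows about, Webex summary) can be read and exercised offline. This is an added example, not the workflow's own code or anything from SecureX or Cisco. The SCA and Secure Endpoint lookups are injected as callables and the sample alerts, observations and devices are constructed for the example; the two Secure Endpoint HTTP helpers at the bottom use assumed endpoint paths, query parameters and response fields that must be checked against the current API documentation before use.

```python
"""Offline model of the 'Isolate Endpoints from Alerts' orchestration (added example)."""
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

ISO = "%Y-%m-%dT%H:%M:%SZ"


def lookback_window(hours=24, now=None):
    """'Calculate dates' step: (start, end) as ISO-8601 UTC strings."""
    end = now or datetime.now(timezone.utc)
    return (end - timedelta(hours=hours)).strftime(ISO), end.strftime(ISO)


def matching_alerts(alerts, name, status):
    """Keep alerts whose type name and status equal the two local variables."""
    return [a for a in alerts if a.get("type") == name and a.get("status") == status]


def plan_isolations(alerts, get_observation, get_device, find_connector_guid):
    """Resolve every observation to a device, handle each device once, decide an action."""
    seen, plan = set(), []
    for alert in alerts:
        for obs_id in alert.get("observations", []):
            device_id = get_observation(obs_id).get("device_id")
            if device_id is None or device_id in seen:
                continue  # 'already processed' branch of the workflow
            seen.add(device_id)
            device = get_device(device_id)
            guid = find_connector_guid(device)  # None when not in Secure Endpoint
            plan.append({"alert_id": alert.get("id"), "device_id": device_id,
                         "ip": device.get("ip"), "hostname": device.get("hostname"),
                         "connector_guid": guid,
                         "action": "isolate" if guid else "not_found"})
    return plan


def execute_plan(plan, isolate_host):
    """Isolate each planned connector exactly once; return the GUIDs acted on."""
    done = []
    for rec in plan:
        if rec["action"] == "isolate":
            isolate_host(rec["connector_guid"])
            done.append(rec["connector_guid"])
    return done


def summary_message(plan):
    """Markdown body for the 'Post Message to Room' step."""
    lines = ["**Isolate Endpoints from Alerts: summary**"]
    for rec in plan:
        state = "ISOLATED" if rec["action"] == "isolate" else "not found in Secure Endpoint"
        lines.append(f"- {rec['hostname'] or rec['device_id']} ({rec['ip']}): {state}")
    return "\n".join(lines)


# --- Secure Endpoint HTTP helpers: ASSUMED paths/params/fields, verify before use ---
def _amp_request(method, path, client_id, client_secret, base="https://api.amp.cisco.com/v1"):
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(base + path, method=method,
                                 headers={"Authorization": "Basic " + token,
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def amp_find_connector_guid(device, client_id, client_secret):
    """Assumed: GET /computers?internal_ip[]=<ip> -> {"data": [{"connector_guid": ...}]}."""
    ip = urllib.parse.quote(device["ip"])
    data = _amp_request("GET", f"/computers?internal_ip[]={ip}", client_id, client_secret)
    return data["data"][0]["connector_guid"] if data.get("data") else None


def amp_isolate_host(guid, client_id, client_secret):
    """Assumed: PUT /computers/<guid>/isolation starts host isolation."""
    return _amp_request("PUT", f"/computers/{guid}/isolation", client_id, client_secret)


# --- Constructed sample data (not real SCA output) so the flow runs offline ---
SAMPLE_ALERTS = [
    {"id": 1, "type": "Excessive Access Attempts (External)", "status": "open", "observations": [11, 12]},
    {"id": 2, "type": "Excessive Access Attempts (External)", "status": "open", "observations": [12, 13]},
    {"id": 3, "type": "Excessive Access Attempts (External)", "status": "closed", "observations": [14]},
    {"id": 4, "type": "New Internal Device", "status": "open", "observations": [15]},
]
SAMPLE_OBSERVATIONS = {11: {"device_id": 100}, 12: {"device_id": 100}, 13: {"device_id": 101},
                       14: {"device_id": 102}, 15: {"device_id": 103}}
SAMPLE_DEVICES = {100: {"ip": "10.0.0.5", "hostname": "ws01"}, 101: {"ip": "10.0.0.9", "hostname": "ws02"},
                  102: {"ip": "10.0.0.7", "hostname": "ws03"}, 103: {"ip": "10.0.0.8", "hostname": "ws04"}}
SAMPLE_GUIDS = {"10.0.0.5": "11111111-2222-3333-4444-555555555555"}  # ws02 has no connector


def demo(alert_name="Excessive Access Attempts (External)", status="open"):
    """Run the whole flow against the sample data; returns (plan, isolated GUIDs, summary)."""
    alerts = matching_alerts(SAMPLE_ALERTS, alert_name, status)
    plan = plan_isolations(alerts, SAMPLE_OBSERVATIONS.__getitem__, SAMPLE_DEVICES.__getitem__,
                           lambda d: SAMPLE_GUIDS.get(d["ip"]))
    isolated = execute_plan(plan, lambda guid: None)  # stand-in for amp_isolate_host
    return plan, isolated, summary_message(plan)


if __name__ == "__main__":
    print(demo()[2])
```

Device 100 appears behind observations 11 and 12 in two separate alerts and is isolated once; device 101 is in the matching alerts but has no connector, so it is only reported; the closed alert and the other alert type never reach the device step. To wire the sketch to the live APIs, pass `amp_find_connector_guid` and `amp_isolate_host` (with the `AMP_Credentials` client ID and secret) in place of the lambdas after confirming the assumed endpoints.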
Configuration
- Set the `Secure Cloud Analytics Alert Name` local variable to the name of the alert type you want to respond to
- Set the `Secure Cloud Analytics Alert Status` local variable to the alert status you want to respond to
- Every device that matches in Secure Endpoint is isolated without further approval, so choose an alert name narrow enough that isolating every affected host is acceptable
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
AMP_Target | HTTP Endpoint | Protocol: HTTPS Host: api.amp.cisco.com Path: /v1 | AMP_Credentials | Created by default |
Secure Cloud Analytics | HTTP Endpoint | Protocol: HTTPS Host: your-tenant.obsrvbl.com Path: api | None | |
Webex Teams | HTTP Endpoint | Protocol: HTTPS Host: webexapis.com Path: None | None | Not necessary if Webex activities are removed |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
AMP_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |