Isolate Endpoints from Alerts

Workflow #0014

This workflow fetches alerts from Secure Cloud Analytics for the past 24 hours based on the alert name and status provided. Observations are extracted from the alerts and devices are searched for in Secure Endpoint (formerly AMP for Endpoints). If an endpoint is found, host isolation is enabled. Finally, a Webex Teams message is sent with a summary.

GitHub


Requirements

Note: You may have an old version of the Webex Teams - Post Message to Room atomic. To ensure the best experience with this workflow, be sure to import the latest version of this atomic from the GitHub_Target_Atomics repository!


Workflow Steps

  1. (Optional) Fetch any necessary global variables
  2. Calculate dates
  3. Fetch alerts from Secure Cloud Analytics
  4. Extract observations from the alerts
  5. For each observation:
    • Fetch the observation’s details and devices
    • Check if the device was already processed:
      • If it was, skip it
      • If it wasn’t:
        • Get the device’s details
        • Attempt to locate it in Secure Endpoint and, if it’s found, isolate it
  6. Send a Webex Teams message with a summary
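The six steps above, written out as plain Python so the control flow (24-hour window, name/status filter, per-device de-duplication, isolate-only-when-found) can be run and tested offline. This is an added example, not the workflow's own code or any Cisco library: the three services are represented by caller-supplied lookup functions, and the alert and observation field names (`alert_type_name`, `status`, `created`, `observations`, `devices`, `hostname`) and all sample values are constructed for illustration rather than taken from the Secure Cloud Analytics or Secure Endpoint APIs.

```python
"""Orchestration logic of the "Isolate Endpoints from Alerts" workflow, as an
added, offline-runnable example. Field names and sample data are assumptions."""
from datetime import datetime, timedelta, timezone


def calculate_window(now: datetime, hours: int = 24):
    """Step 2: (start, end) ISO-8601 UTC timestamps covering the past `hours`."""
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    end = now.astimezone(timezone.utc)
    start = end - timedelta(hours=hours)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return start.strftime(fmt), end.strftime(fmt)


def select_alerts(alerts, alert_name, alert_status, start, end):
    """Step 3: keep alerts whose name and status match the local variables and
    whose creation time lies inside the window (ISO-8601 strings sort lexically)."""
    return [
        a for a in alerts
        if a["alert_type_name"] == alert_name
        and a["status"] == alert_status
        and start <= a["created"] <= end
    ]


def plan_isolations(alerts, fetch_observation, find_in_secure_endpoint):
    """Steps 4-5: walk every observation of every alert, process each device once,
    and isolate it only if Secure Endpoint knows the host.
    `fetch_observation(obs_id)` returns the observation with its `devices`;
    `find_in_secure_endpoint(hostname)` returns a connector GUID or None."""
    seen = set()
    isolated, not_found = [], []
    for alert in alerts:
        for obs_id in alert["observations"]:
            for device in fetch_observation(obs_id)["devices"]:
                if device["id"] in seen:          # already processed: skip
                    continue
                seen.add(device["id"])
                guid = find_in_secure_endpoint(device["hostname"])
                if guid:
                    isolated.append((device["hostname"], guid))
                else:
                    not_found.append(device["hostname"])
    return isolated, not_found


def summary_message(alert_name, alert_status, isolated, not_found):
    """Step 6: Markdown summary for the Webex Teams message."""
    lines = [f"**Isolate Endpoints from Alerts** ({alert_name}, status {alert_status})"]
    lines += [f"- Isolated `{h}` (connector {g})" for h, g in isolated]
    lines += [f"- Not found in Secure Endpoint: `{h}`" for h in not_found]
    if not isolated and not not_found:
        lines.append("- No devices to process")
    return "\n".join(lines)


# ---- Constructed sample data standing in for the three services ----
SAMPLE_ALERTS = [
    {"alert_type_name": "Excessive Access Attempts (External)", "status": "open",
     "created": "2024-01-02T03:15:00Z", "observations": [101, 102]},
    {"alert_type_name": "Excessive Access Attempts (External)", "status": "closed",
     "created": "2024-01-02T05:00:00Z", "observations": [103]},   # wrong status
    {"alert_type_name": "Excessive Access Attempts (External)", "status": "open",
     "created": "2023-12-30T09:00:00Z", "observations": [104]},   # outside window
]
SAMPLE_OBSERVATIONS = {
    101: {"devices": [{"id": 1, "hostname": "ws-finance-01"},
                      {"id": 2, "hostname": "srv-legacy-07"}]},
    102: {"devices": [{"id": 1, "hostname": "ws-finance-01"}]},   # duplicate device
    103: {"devices": [{"id": 3, "hostname": "ws-hr-04"}]},
    104: {"devices": [{"id": 4, "hostname": "ws-old-02"}]},
}
SAMPLE_ENDPOINTS = {"ws-finance-01": "GUID-PLACEHOLDER-0001"}   # connector GUIDs are placeholders


def run_sample(now=datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)):
    """Run the whole workflow against the constructed data; returns the results."""
    start, end = calculate_window(now)
    alerts = select_alerts(SAMPLE_ALERTS, "Excessive Access Attempts (External)", "open", start, end)
    isolated, not_found = plan_isolations(alerts, SAMPLE_OBSERVATIONS.__getitem__, SAMPLE_ENDPOINTS.get)
    return {"window": (start, end), "alerts": len(alerts), "isolated": isolated,
            "not_found": not_found,
            "message": summary_message("Excessive Access Attempts (External)", "open", isolated, not_found)}


if __name__ == "__main__":
    print(run_sample()["message"])
```

The de-duplication set is keyed on the device id rather than the hostname, so a host that appears in several observations of one alert run is looked up and isolated once; the "not found" list is returned separately so the summary message can tell the reader which hosts the workflow could not act on.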

Configuration

  • Set the Secure Cloud Analytics Alert Name local variable to the name of the alert type you want to respond to
  • Set the Secure Cloud Analytics Alert Status local variable to the alert status you want to respond to
  • See this page for information on configuring the workflow for Webex Teams

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| AMP_Target | HTTP Endpoint | Protocol: HTTPS; Host: api.amp.cisco.com; Path: /v1 | AMP_Credentials | Created by default |
| Secure Cloud Analytics | HTTP Endpoint | Protocol: HTTPS; Host: your-tenant.obsrvbl.com; Path: api | None | |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | Not necessary if Webex Teams activities are removed |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| AMP_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |