On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Alerts to SecureX Incidents

Workflow #0059

This workflow is triggered by a webhook for an alert from Cisco Secure Cloud Insights. When a webhook is received, the alert data is parsed and a new SecureX incident is created.

This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.


Change Log

Date Notes
Feb 10, 2022 - Initial release
Sep 7, 2022 - Updated to support SecureX Tokens

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Threat Response - Create Incident
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Cloud Insights

Workflow Steps

  1. Extract the data from the alert JSON
  2. Check if extraction was successful
    • If not, end the workflow
  3. Format the event data
  4. Create a new incident


  • When you import this workflow, a webhook, event, and trigger will be created. You’ll need to go to the webhooks section of SecureX orchestration to get your webhook’s URL. Then, you need to configure Secure Cloud Insights to send alerts to this URL.


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Private_CTIA_Target HTTP Endpoint Protocol: HTTPS
Host: private.intel.amp.cisco.com
Path: None
CTR_Credentials Created by default

Account Keys

Account Key Name Type Details Notes
CTR_Credentials SecureX Token   See this page