On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Investigate Retrospective Alerts

Workflow #0025

This workflow monitors a mailbox for retrospective detection alerts from Cisco Secure Email. When an alert is received via Cisco Secure Endpoint for a file hash, an investigation is conducted to determine if there were any sightings for the hash. If there are sightings, an instant message is sent with details.

This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.


Change Log

Date Notes
Apr 16, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics
Sep 1, 2022 - Updated to support SecureX Tokens
Feb 16, 2023 - Updated workflow JSON to avoid an import failure (Issue #231)

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Threat Response - Enrich Observable
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Email
  • Cisco Secure Endpoint
  • (Optional) Cisco Webex
  • (Optional) A webhook URL for the Microsoft Teams channel to post messages to (see: this page)

Workflow Steps

  1. Fetch global variables (optional)
  2. Extract the information we need from the email
  3. Enrich the file hash to look for sightings
  4. Extract the sightings
  5. Check if there were any, if not end the workflow
  6. Compile the sighting data for the past 30 days
  7. Send instant message notifications


  • Set the Secure Endpoint Module Name local variable to the name of your Secure Endpoint module in SecureX (this is often AMP for Endpoints)
  • You must create an account key with your mailbox’s credentials and then update the 0025 - Retrospective Alert Mailbox target with that account key. While you’re editing the target, be sure to add your email server’s information
  • When the workflow imports, the trigger will show in an errored state because the account key and target needed to be updated. After configuring your account key and target, go into the workflow, click on the trigger in the workflow’s properties, uncheck the Disable Trigger box, and click Save
  • See this page for information on configuring the workflow for Webex


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
CTR_API HTTP Endpoint Protocol: HTTPS
Host: visibility.amp.cisco.com
Path: /iroh
CTR_Credentials Created by default
Microsoft Teams Webhook HTTP Endpoint Protocol: HTTPS
Host: your-tenant.webhook.office.com
Path: /the-rest-of-the-webhook-url
0025 - Retrospective Alert Mailbox IMAP Endpoint Configured for your IMAP server 0025 - Retrospective Alert Mailbox Credentials  
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None
None Not necessary if Webex activities are removed

Account Keys

Account Key Name Type Details Notes
CTR_Credentials SecureX Token   See this page
0025 - Retrospective Alert Mailbox Email Credentials Username: Mailbox Username
Password: Mailbox Password