Remove Inactive Endpoints
Workflow #0056
This workflow looks for endpoints in Cisco Secure Endpoint that have been inactive for a specified number of days. If inactive endpoints are found, a list is compiled and they are deleted. An optional approval task can be used to request approval prior to deletion.
Note: This workflow will only remove 500 endpoints at a time. If you need to remove more than that, you can run the workflow multiple times or schedule it to run periodically.
Change Log
Date | Notes |
---|---|
Jan 24, 2022 | - Initial release |
Mar 3, 2022 | - Fixed the condition that checks for the approval result (should have looked for “Approve” instead of “Approved”) |
Sep 7, 2022 | - Minor updates to naming and descriptions |
Requirements
- The following system atomics are used by this workflow:
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
- Cisco Secure Endpoint
- Cisco Webex
Workflow Steps
- Fetch global variables
- Search for the Webex room
- Calculate the date before which endpoints will be removed
- Fetch computers from Secure Endpoint:
  - Parse each computer and add it to the list to remove if it’s old
  - Update the local variables with the new lists
  - Check if there’s a next page to parse
- Check if there are endpoints to remove:
  - If not, end the workflow
  - If there are:
    - Check if approval is required (if so, request it and wait)
    - Loop through each computer:
      - Attempt to delete the computer and check if the request was successful
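The selection part of these steps (cutoff date, page-by-page parsing, the 500-per-run cap) can be rehearsed offline as a dry run before deletions are enabled. This is an added example, not the workflow's own logic: the response fields `data`, `connector_guid`, `hostname` and `last_seen`, the timestamp format, and the sample pages are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_PER_RUN = 500  # the workflow removes at most 500 endpoints per run

def parse_last_seen(value):
    """Parse a UTC timestamp such as 2022-05-01T08:00:00Z (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def select_inactive(pages, threshold_days, now, limit=MAX_PER_RUN):
    """Return (to_remove, skipped): (guid, hostname) pairs last seen before
    the cutoff, and hostnames whose record could not be evaluated."""
    cutoff = now - timedelta(days=threshold_days)
    to_remove, skipped = [], []
    for page in pages:  # one dict per already-fetched page
        for computer in page.get("data", []):
            try:
                guid = computer["connector_guid"]
                seen = parse_last_seen(computer["last_seen"])
            except (KeyError, TypeError, ValueError):
                # Never queue a deletion on a missing or malformed record.
                skipped.append(computer.get("hostname", "<unknown>"))
                continue
            if seen < cutoff:
                to_remove.append((guid, computer.get("hostname", "<unknown>")))
                if len(to_remove) >= limit:
                    return to_remove, skipped  # the rest waits for the next run
    return to_remove, skipped

# Constructed sample data: two pages; GUIDs and hostnames are made up.
NOW = datetime(2022, 9, 7, tzinfo=timezone.utc)
SAMPLE_PAGES = [
    {"data": [
        {"connector_guid": "00000000-0000-0000-0000-000000000001",
         "hostname": "lab-old-01", "last_seen": "2022-05-01T08:00:00Z"},
        {"connector_guid": "00000000-0000-0000-0000-000000000002",
         "hostname": "lab-active-01", "last_seen": "2022-09-06T23:10:00Z"},
    ]},
    {"data": [
        {"connector_guid": "00000000-0000-0000-0000-000000000003",
         "hostname": "lab-old-02", "last_seen": "2022-07-01T00:00:00Z"},
        {"connector_guid": "00000000-0000-0000-0000-000000000004",
         "hostname": "lab-broken", "last_seen": None},
    ]},
]

if __name__ == "__main__":
    print(select_inactive(SAMPLE_PAGES, threshold_days=30, now=NOW))
```

Reviewing the returned list against the Inactivity Threshold you intend to set shows which hosts a run would queue, and the skipped list surfaces records that should be checked by hand.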
Configuration
- Set the Inactivity Threshold local variable to the number of days after which a computer is considered inactive (if it isn’t seen)
- Set the Require Approval local variable to whether or not you want someone to have to approve deletions before they happen
- If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow. By default, this workflow is designed to run every 24 hours
- (If Using Approval) Set the Task Requestor local variable to the email address of the user who should be listed as the requestor for the approval task
- (If Using Approval) Set the Task Owner local variable to the email address of the user who should be listed as the owner for the approval task
- (If Using Approval) Set the Task Assignee local variable to the email address of the user who should be listed as the assignee for the approval task
- (If Using Approval) By default, the workflow waits 23 hours for approval. After that, the task expires and the workflow will end. You can change this timeout by editing the “Approval to Remove Endpoints from Cisco Secure Endpoint” and “Wait for approval” activities
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
AMP_Target | HTTP Endpoint | Protocol: HTTPS Host: api.amp.cisco.com Path: /v1 | AMP_Credentials | Created by default |
Webex Teams | HTTP Endpoint | Protocol: HTTPS Host: webexapis.com Path: None | None | Not necessary if Webex activities are removed |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
AMP_Credentials | HTTP Basic Authentication | Username: Client ID Password: Client Secret | Created by default |