On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this GitHub repository will not be actively maintained following this announcement.

Remove Inactive Endpoints

Workflow #0056

This workflow looks for endpoints in Cisco Secure Endpoint that have been inactive for a specified number of days. If inactive endpoints are found, a list is compiled and they are deleted. An optional approval task can be used to request approval prior to deletion.

Note: This workflow will only remove 500 endpoints at a time. If you need to remove more than that, you can run the workflow multiple times or schedule it to run periodically.


Change Log

| Date | Notes |
|---|---|
| Jan 24, 2022 | Initial release |
| Mar 3, 2022 | Fixed the condition that checks for the approval result (should have looked for “Approve” instead of “Approved”) |
| Sep 7, 2022 | Minor updates to naming and descriptions |

Requirements

  • The following system atomics are used by this workflow:
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Endpoint
  • Cisco Webex

Workflow Steps

  1. Fetch global variables
  2. Search for the Webex room
  3. Calculate the date before which endpoints will be removed
  4. Fetch computers from Secure Endpoint:
    • Parse each computer and add it to the list to remove if it’s old
    • Update the local variables with the new lists
    • Check if there’s a next page to parse
  5. Check if there are endpoints to remove:
    • If not, end the workflow
    • If there are:
      • Check if approval is required (if so, request it and wait)
      • Loop through each computer:
        • Attempt to delete the computer and check if the request was successful
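The selection and deletion logic in steps 3 to 5, sketched in Python as an added example (this is not the workflow's own code). The response shape (`data`, `metadata.links.next`, `connector_guid`, `last_seen`), the function names, and the choice to skip computers with no `last_seen` value are assumptions of this example; the sample pages are constructed so it runs offline.

```python
from datetime import datetime, timedelta, timezone

MAX_PER_RUN = 500  # the workflow removes at most 500 endpoints per run

# Constructed sample pages, shaped like the assumed /v1/computers response.
SAMPLE_PAGES = {
    "/v1/computers": {
        "data": [
            {"connector_guid": "guid-0001", "hostname": "lab-01", "last_seen": "2022-01-02T08:00:00Z"},
            {"connector_guid": "guid-0002", "hostname": "hr-07", "last_seen": "2022-08-30T12:00:00Z"},
        ],
        "metadata": {"links": {"next": "/v1/computers?offset=2"}},
    },
    "/v1/computers?offset=2": {
        "data": [
            {"connector_guid": "guid-0003", "hostname": "kiosk-3", "last_seen": "2022-05-15T00:00:00Z"},
            {"connector_guid": "guid-0004", "hostname": "new-pc"},  # no last_seen value
        ],
        "metadata": {"links": {}},
    },
}

def find_inactive(fetch_page, threshold_days, now, limit=MAX_PER_RUN):
    """Walk every page and return computers last seen before the cutoff date."""
    cutoff = now - timedelta(days=threshold_days)
    stale, url = [], "/v1/computers"
    while url and len(stale) < limit:
        page = fetch_page(url)
        for computer in page.get("data", []):
            seen = computer.get("last_seen")
            if not seen:
                continue  # assumption: never delete on a missing timestamp
            last_seen = datetime.strptime(seen, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if last_seen < cutoff and len(stale) < limit:
                stale.append(computer)
        url = page.get("metadata", {}).get("links", {}).get("next")
    return stale

def remove_endpoints(stale, approved, delete_computer):
    """Delete only after approval; return (deleted, failed) connector GUIDs."""
    deleted, failed = [], []
    if not approved:
        return deleted, failed  # approval denied or expired: nothing is removed
    for computer in stale:
        guid = computer["connector_guid"]
        (deleted if delete_computer(guid) else failed).append(guid)
    return deleted, failed
```

Passing `SAMPLE_PAGES.__getitem__` as `fetch_page` exercises the pagination without network access; a real run would substitute an authenticated HTTPS request to the AMP_Target host.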

Configuration

  • Set the Inactivity Threshold local variable to the number of days after which a computer that has not been seen is considered inactive
  • Set the Require Approval local variable to indicate whether someone must approve deletions before they happen
  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow. By default, this workflow is designed to run every 24 hours
  • (If Using Approval) Set the Task Requestor local variable to the email address of the user who should be listed as the requestor for the approval task
  • (If Using Approval) Set the Task Owner local variable to the email address of the user who should be listed as the owner for the approval task
  • (If Using Approval) Set the Task Assignee local variable to the email address of the user who should be listed as the assignee for the approval task
  • (If Using Approval) By default, the workflow waits 23 hours for approval. After that, the task expires and the workflow will end. You can change this timeout by editing the Approval to Remove Endpoints from Cisco Secure Endpoint and Wait for approval activities
  • See this page for information on configuring the workflow for Webex

Targets

Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
|---|---|---|---|---|
| AMP_Target | HTTP Endpoint | Protocol: HTTPS; Host: api.amp.cisco.com; Path: /v1 | AMP_Credentials | Created by default |
| Webex Teams | HTTP Endpoint | Protocol: HTTPS; Host: webexapis.com; Path: None | None | Not necessary if Webex activities are removed |

Account Keys

| Account Key Name | Type | Details | Notes |
|---|---|---|---|
| AMP_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |