On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Block Observable

Workflow #0015B

Response Workflow

This workflow blocks an observable on Cisco Secure Firewall by creating a judgement for it in SecureX Threat Response. Once a judgement is created, the observable will appear on a feed which Secure Firewall polls for observable information. Supported observables: domain, ip, ipv6, sha256, url

This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
This workflow is similar to workflow 0065 but works differently. Workflow 0065 adds observables to groups by making API calls directly to Secure Firewall, typically through an orchestration remote. This workflow adds observables to feeds in SecureX which Secure Firewall then consumes.


Change Log

Date Notes
Apr 19, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics
Aug 31, 2022 - Updated to support SecureX Tokens

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Threat Response - Create Relationship
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Firewall

Important Notes

  • You must create the required indicators and feeds in SecureX Threat Response by running workflow 015A prior to using this workflow.

Workflow Steps

  1. Convert the observable type to the types we use when creating indicators
  2. Check if the observable type is supported. If it isn’t, end the workflow and return an error
  3. Generate a Threat Response access token
  4. Search for the indicator for this observable type
  5. Check if we found the indicator. If not, end the workflow and return an error
  6. Extract the indicator’s ID
  7. Create a judgement in Threat Response for the observable
  8. Relate the judgement to the indicator


  • If you want to change the name of this workflow in the pivot menu, change its display name


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Private_CTIA_Target HTTP Endpoint Protocol: HTTPS
Host: private.intel.amp.cisco.com
Path: None
CTR_Credentials Created by default

Account Keys

Account Key Name Type Details Notes
CTR_Credentials SecureX Token   See this page