On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Get Health Alerts (SSE)

Workflow #0072

This workflow retrieves health monitor alerts from a Cisco Secure Firewall Management Center and, if alerts are returned, documents them in ServiceNow and sends a Webex message.

There are two different ways to integrate Secure Firewall with orchestration. For more information about these two methods and which to use, please see this page.
This workflow expects the new "SecureX Token" account key. For more information about this, please see this page.


Change Log

Date Notes
Sep 7, 2022 - Initial release

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Secure Firewall - SSE - Get Device Details
    • Secure Firewall - SSE - Get Health Alerts
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • Cisco Secure Firewall (software version 7.2 or newer)
  • Cisco Webex
  • ServiceNow

Workflow Steps

  1. Fetch global variables
  2. Set the workflow run URL based on region
  3. Search for the Webex room provided
  4. Validate required variables are provided
  5. Build the search filter
  6. Fetch matching health alerts
  7. Check if any alerts were found:
    • If not, end the workflow
    • If there were alerts:
      • Parse the alerts to markdown and HTML
      • Create ServiceNow ticket
  8. Post the workflow result to Webex


  • Set the Minutes to Search local variable to how many minutes into the past you want to search for alerts. If running the workflow on a schedule, this should be the same as the scheduled interval
  • Set Status Code Red and/or Status Code Yellow to true. At least one of these must be enabled
  • Set the Domain UUID to the UUID of the FMC domain you want the workflow to make changes to. If you’re using the default domain, you can leave the default value
  • Set the Device ID to the ID of the device to send the command to in SSE. This can be obtained from the device’s summary page in SSE, the Devices page in the Administration section of SecureX, or by using the “SecureX - SSE Proxy - List Devices” atomic
  • Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • By default, this workflow is configured to run on demand. You can create a schedule if you want it to run at a set interval
  • See this page for information on configuring the workflow for Webex


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
CTR_API HTTP Endpoint Protocol: HTTPS
Host: visibility.amp.cisco.com
Path: /iroh
CTR_Credentials Created by default
ServiceNow HTTP Endpoint Protocol: HTTPS
Host: <instance>.service-now.com
Path: /api
ServiceNow_Credentials Be sure to use your instance URL
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None

Account Keys

Account Key Name Type Details Notes
CTR_Credentials SecureX Token   See this page
ServiceNow_Credentials HTTP Basic Authentication Username: ServiceNow User ID
Password: ServiceNow Password