On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Isolate Endpoints and Block Hashes from Alarms

Workflow #0032

This workflow gets events from Cisco Secure Network Analytics (SNA) for the past 24 hours based on the event name provided. It then fetches associated flows and compiles information necessary to isolate related hosts and block file hashes in Cisco Secure Endpoint. At the end, a Webex message is sent with a summary.


Change Log

Date Notes
Jun 17, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics
Sep 7, 2022 - Minor updates to naming and descriptions

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Secure Endpoint - Get Connector GUID
    • Secure Endpoint - Isolate Host
    • Secure Network Analytics - Get Flows by IP Addresses
    • Secure Network Analytics - Get Security Events by Name
    • Secure Network Analytics - Get Tenants
    • Secure Network Analytics - Get Tokens
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • A SecureX orchestration remote with connectivity to your Secure Network Analytics instance
  • Cisco Secure Endpoint
  • Cisco Secure Network Analytics (SNA)
  • (Optional) Cisco Webex

Workflow Steps

  1. Fetch global variables
  2. Get Secure Network Analytics tokens and tenant information
  3. Calculate dates and times
  4. Get security events from Secure Network Analytics
  5. Parse events to table
  6. Fetch file list information from Secure Endpoint
  7. For each security event:
    • Extract event attributes
    • Get related flows and parse out file hashes
    • Attempt to locate matching hosts in Secure Endpoint and, if found, isolate them
    • Conver the file hashes to a table and add each one to the file lists in Secure Endpoint
  8. Send a Webex message with a summary


  • Set the Secure Endpoint Application List Name local variable to the name of the application file list to add hashes to
  • Set the Secure Endpoint Simple Detection List Name local variable to the name of the SCD list to add hashes to
  • Set the SNA Event Name local variable to the name of the events you want to take action on
  • Add your Secure Network Analytics API username and password to SNA Username and SNA Password (or, if you have them stored in global variables, use the Fetch Global Variables group at the beginning of the workflow to update the local variables)
  • Set the SNA Tenant Name to the name of the tenant you want to work in
  • See this page for information on configuring the workflow for Webex
  • By default, the workflow is configured to run every 24 hours using the 0032 - SNA - Isolate Endpoints and Block Hashes from Alarms schedule. When you import the workflow, the schedule trigger will be disabled. To enable the schedule:
    • Open the workflow in the workflow editor
    • Scroll down to the Triggers section of the workflow’s properties and click Alarm Event Polling
    • Uncheck the Disable Trigger box and click Save


Note: If your Secure Network Analytics deployment is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
AMP_Target HTTP Endpoint Protocol: HTTPS
Host: api.amp.cisco.com
Path: /v1
AMP_Credentials Created by default
Secure Network Analytics HTTP Endpoint Protocol: HTTPS
Host: your-sna-management-center.yourdomain
Path: None
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None
None Not necessary if Webex activities are removed

Account Keys

Account Key Name Type Details Notes
AMP_Credentials HTTP Basic Authentication Username: Client ID
Password: Client Secret
Created by default