On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Generate Casebook with Top Hosts and Peers

Workflow #0034

Response Workflow

This workflow fetches the top 10 hosts and peers that communicated with the IP address pivoted on from Cisco Secure Network Analytics (SNA). The lists of IPs are then added to a SecureX casebook. Supported observable: ip

This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.


Change Log

Date Notes
Jun 17, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics
Sep 7, 2022 - Updated to support SecureX Tokens

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Secure Network Analytics - Get Tenants
    • Secure Network Analytics - Get Tokens
    • Secure Network Analytics - Get Top Hosts by IP Address
    • Secure Network Analytics - Get Top Peers by IP Address
    • Threat Response - Create Casebook
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • A SecureX orchestration remote with connectivity to your Secure Network Analytics instance
  • Cisco Secure Network Analytics (SNA)

Workflow Steps

  1. Make sure the observable type provided is supported
  2. Fetch global variables
  3. Calculate date 24 hours ago
  4. Get Secure Network Analytics tokens and tenant information
  5. Fetch and parse the top peers
  6. Fetch and parse the top hosts
  7. Make sure at least one of the queries returned data
  8. Create a casebook in SecureX


  • Add your Secure Network Analytics API username and password to SNA Username and SNA Password (or, if you have them stored in global variables, use the Fetch Global Variables group at the beginning of the workflow to update the local variables)
  • Set the SNA Tenant Name to the name of the tenant you want to work in
  • If you want to change the name of this workflow in the pivot menu, change its display name


Note: If your Secure Network Analytics deployment is on-premises and not accessible from the internet, you will need a SecureX orchestration remote to use it with orchestration.

Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Private_CTIA_Target HTTP Endpoint Protocol: HTTPS
Host: private.intel.amp.cisco.com
Path: None
CTR_Credentials Created by default
Secure Network Analytics HTTP Endpoint Protocol: HTTPS
Host: your-sna-management-center.yourdomain
Path: None

Account Keys

Account Key Name Type Details Notes
CTR_Credentials SecureX Token   See this page