Incident Manager Cleanup
Workflow #0020
This workflow allows you to bulk-delete incidents from your Cisco SecureX incident manager. The incidents to delete are identified by a Lucene/ES query and a time window. A dry run is executed first and an approval task is generated to confirm how many incidents will be deleted. If the approval task is approved, deletion is completed.
This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.
NOTE: DELETED INCIDENTS CANNOT BE RECOVERED!
Change Log
Date | Notes |
---|---|
Apr 8, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Aug 31, 2022 | - Updated to support SecureX Tokens |
See the Important Notes page for more information about updating workflows.
Requirements
- The following system atomics are used by this workflow:
  - None
- The following atomic actions must be imported before you can import this workflow:
  - None
- The targets and account keys listed at the bottom of the page
Workflow Steps
- Validate inputs and format date/times
- Execute a dry run of the deletion query
- Check if the request was successful:
  - If it wasn’t, output an error
  - If it was:
    - Check if there was anything to delete (if not, end the workflow)
    - Request approval for deletion
    - If the request is denied or expires, end the workflow
    - Request the incidents actually be deleted
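The steps above as a runnable sketch, added here as an example and not part of the workflow or Cisco's code. `FakeIncidentStore`, `cleanup`, the `approve` callback and the sample incidents are all constructed stand-ins, and the store matches only a single `field:value` term rather than a full Lucene/ES query.

```python
from datetime import datetime, timezone

class FakeIncidentStore:
    """Constructed in-memory stand-in for the incident manager, not the real API.
    Understands only a single 'field:value' term, a tiny subset of query syntax."""
    def __init__(self, incidents):
        self.incidents = list(incidents)

    def _hit(self, inc, query, t0, t1):
        field, _, value = query.partition(":")
        return str(inc.get(field)) == value and t0 <= inc["timestamp"] <= t1

    def count(self, query, t0, t1):    # dry run: reports matches, removes nothing
        return sum(self._hit(i, query, t0, t1) for i in self.incidents)

    def delete(self, query, t0, t1):   # irreversible
        before = len(self.incidents)
        self.incidents = [i for i in self.incidents if not self._hit(i, query, t0, t1)]
        return before - len(self.incidents)

def parse_utc(value):
    """Validate a date/time string and normalise it to an aware UTC datetime."""
    dt = datetime.fromisoformat(value)
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)

def cleanup(store, query, start, end, approve):
    """approve(count) returns True (approved), False (denied) or None (expired)."""
    try:
        t0, t1 = parse_utc(start), parse_utc(end)
        if not query.strip() or t0 > t1:
            raise ValueError("empty query or inverted time window")
        matched = store.count(query, t0, t1)
    except Exception as exc:           # bad input or failed dry-run request
        return {"status": "error", "detail": str(exc), "deleted": 0}
    if matched == 0:
        return {"status": "nothing_to_delete", "deleted": 0}
    if approve(matched) is not True:   # denied or expired: stop before deleting
        return {"status": "not_approved", "matched": matched, "deleted": 0}
    return {"status": "deleted", "matched": matched, "deleted": store.delete(query, t0, t1)}

def sample_store():
    """Constructed sample incidents."""
    rows = [("inc-1", "Closed", "2021-03-01T00:00:00"),
            ("inc-2", "Closed", "2021-03-15T12:00:00"),
            ("inc-3", "Open", "2021-03-20T08:30:00"),
            ("inc-4", "Closed", "2021-06-01T00:00:00")]
    return FakeIncidentStore({"id": i, "status": s, "timestamp": parse_utc(t)} for i, s, t in rows)

if __name__ == "__main__":
    store = sample_store()
    print(cleanup(store, "status:Closed", "2021-03-01T00:00:00", "2021-03-31T23:59:59",
                  approve=lambda n: True), len(store.incidents))
```

The approver is shown the dry-run count, and anything other than an explicit approval leaves the store untouched.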
Configuration
- The Incident deletion approval activity needs to be configured with a task requestor, owner, and assignees (the assignees will be able to approve or deny)
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS Host: private.intel.amp.cisco.com Path: None | CTR_Credentials | Created by default |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
CTR_Credentials | SecureX Token | See this page |