Incident Manager Cleanup

Workflow #0020

This workflow allows you to bulk-delete incidents from your Cisco SecureX incident manager. The incidents to delete are identified by a Lucene/ES query and a time window. A dry run is executed first and an approval task is generated to confirm how many incidents will be deleted. If the approval task is approved, deletion is completed.

NOTE: DELETED INCIDENTS CANNOT BE RECOVERED!

GitHub

Change Log

Date          Notes
Apr 8, 2021   Initial release
Sep 10, 2021  Updated to use the new system atomics

See the Important Notes page for more information about updating workflows


Requirements

  • The following system atomics are used by this workflow:
    • Threat Response - Generate Access Token
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page

Workflow Steps

  1. Validate inputs and format date/times
  2. Get an access token for Cisco SecureX
  3. Execute a dry run of the deletion query
  4. Check if the request was successful:
    • If it wasn’t, output an error
    • If it was:
      • Check if there was anything to delete (if not, end the workflow)
      • Request approval for deletion
      • If the request is denied or expires, end the workflow
      • Request the incidents actually be deleted
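The dry-run, approval, delete gate from the steps above, as an added Python example that is not the workflow's or Cisco's own code. It assumes the IROH OAuth2 token path, the CTIA DELETE /ctia/incident/search route with its REALLY_DELETE_ALL_THESE_ENTITIES flag, an incident timestamp field, and a numeric count in the responses; each is marked as an assumption in the comments.

```python
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

TOKEN_URL = "https://visibility.amp.cisco.com/iroh/oauth2/token"       # assumed path under /iroh
CTIA_URL = "https://private.intel.amp.cisco.com/ctia/incident/search"  # assumed CTIA route


def build_query(user_query: str, start: str, end: str) -> str:
    """Step 1: validate the time window and fold it into the Lucene/ES query."""
    t0, t1 = (datetime.fromisoformat(s.replace("Z", "+00:00")) for s in (start, end))
    if t0.tzinfo is None or t1.tzinfo is None:
        raise ValueError("timestamps must carry a timezone offset")
    if not t0 < t1 <= datetime.now(timezone.utc):
        raise ValueError("window must satisfy start < end <= now")
    utc = lambda t: t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    window = f"timestamp:[{utc(t0)} TO {utc(t1)}]"   # incident field name is assumed
    return f"({user_query.strip()}) AND {window}" if user_query.strip() else window


def get_token(client_id: str, client_secret: str) -> str:
    """Step 2: client-credentials grant authenticated with the CTR_Credentials key."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(TOKEN_URL, data=b"grant_type=client_credentials", headers={
        "Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def ctia_delete_by_search(token: str, query: str, really_delete: bool) -> int:
    """Steps 3 and 6. Assumed behaviour: DELETE .../search is a dry run that only
    reports a count unless REALLY_DELETE_ALL_THESE_ENTITIES=true is sent."""
    params = {"query": query}
    if really_delete:
        params["REALLY_DELETE_ALL_THESE_ENTITIES"] = "true"
    req = urllib.request.Request(f"{CTIA_URL}?{urllib.parse.urlencode(params)}",
                                 method="DELETE", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return int(json.load(resp))  # assumed: both modes answer with the affected count


def run_cleanup(query: str, approve, delete=ctia_delete_by_search, token: str = "") -> dict:
    """Steps 3-6: the real delete is sent only after a non-empty dry run is approved."""
    count = delete(token, query, False)                  # dry run, nothing removed
    if count == 0:
        return {"dry_run": 0, "deleted": 0, "status": "nothing to delete"}
    if not approve(count):                               # approval denied or expired
        return {"dry_run": count, "deleted": 0, "status": "not approved"}
    deleted = delete(token, query, True)                 # irreversible
    return {"dry_run": count, "deleted": deleted, "status": "deleted"}
```

The `approve` callback stands in for the approval task; it receives the dry-run count so the approver sees how many incidents are at stake before anything is removed.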

Configuration

  • The Incident deletion approval activity needs to be configured with a task requestor, owner, and assignees (the assignees will be able to approve or deny)

Targets

Target Group: Default TargetGroup

Target Name           Type           Details                            Account Keys     Notes
CTR_For_Access_Token  HTTP Endpoint  Protocol: HTTPS                    CTR_Credentials  Created by default
                                     Host: visibility.amp.cisco.com
                                     Path: /iroh
Private_CTIA_Target   HTTP Endpoint  Protocol: HTTPS                    None             Created by default
                                     Host: private.intel.amp.cisco.com
                                     Path: None

Account Keys

Account Key Name  Type                       Details                  Notes
CTR_Credentials   HTTP Basic Authentication  Username: Client ID      Created by default
                                             Password: Client Secret