
Incident Manager Cleanup

Workflow #0020

This workflow allows you to bulk-delete incidents from your Cisco SecureX incident manager. The incidents to delete are identified by a Lucene/ES query and a time window. A dry run is executed first and an approval task is generated to confirm how many incidents will be deleted. If the approval task is approved, deletion is completed.



Change Log

| Date | Notes |
| --- | --- |
| Apr 8, 2021 | Initial release |
| Sep 10, 2021 | Updated to use the new system atomics |

See the Important Notes page for more information about updating workflows.


  • The following system atomics are used by this workflow:
    • Threat Response - Generate Access Token
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page

Workflow Steps

  1. Validate inputs and format date/times
  2. Get an access token for Cisco SecureX
  3. Execute a dry run of the deletion query
  4. Check if the request was successful:
    • If it wasn’t, output an error
    • If it was:
      • Check if there was anything to delete (if not, end the workflow)
      • Request approval for deletion
      • If the request is denied or expires, end the workflow
      • Request the incidents actually be deleted
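
The control flow of the steps above, as an added Python example that is not the workflow's own code: a dry-run count gates an approval callback, and deletion runs only after approval. `FakeIncidentStore`, `cleanup`, the `field:value` query form and the sample incidents are assumptions made for illustration; the access-token step and the real SecureX API calls are left out.

```python
from datetime import datetime, timezone

def to_utc_iso(value):
    """Step 1: parse an ISO 8601 date/time and normalise it to UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive input is UTC
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

class FakeIncidentStore:
    """Constructed in-memory stand-in for the incident manager (hypothetical)."""
    def __init__(self, incidents):
        self.incidents = list(incidents)

    def _matches(self, inc, query, start, end):
        field, _, value = query.partition(":")  # toy field:value query, not Lucene
        return inc.get(field) == value and start <= inc["timestamp"] < end

    def count(self, query, start, end):
        """Dry run: report how many incidents match, change nothing."""
        return sum(self._matches(i, query, start, end) for i in self.incidents)

    def delete(self, query, start, end):
        keep = [i for i in self.incidents if not self._matches(i, query, start, end)]
        deleted = len(self.incidents) - len(keep)
        self.incidents = keep
        return deleted

def cleanup(store, query, start, end, approve):
    """Validate, dry-run, ask for approval, then delete (hypothetical helper)."""
    if not query.strip():
        raise ValueError("query must not be empty")
    start, end = to_utc_iso(start), to_utc_iso(end)
    if start >= end:
        raise ValueError("time window must start before it ends")
    matched = store.count(query, start, end)
    if matched == 0:
        return {"status": "nothing_to_delete", "matched": 0, "deleted": 0}
    if not approve(matched):  # denied or expired approval ends the run
        return {"status": "not_approved", "matched": matched, "deleted": 0}
    deleted = store.delete(query, start, end)
    return {"status": "deleted", "matched": matched, "deleted": deleted}

# Constructed sample incidents (not real data).
SAMPLE = [
    {"id": "inc-1", "status": "Closed", "timestamp": "2021-03-01T10:00:00Z"},
    {"id": "inc-2", "status": "Closed", "timestamp": "2021-05-01T10:00:00Z"},
    {"id": "inc-3", "status": "Open", "timestamp": "2021-03-02T10:00:00Z"},
]
```

Comparing `matched` with `deleted` in the result shows whether the matching set changed between the dry run and the deletion.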


  • The Incident deletion approval activity needs to be configured with a task requestor, owner, and assignees (the assignees will be able to approve or deny)


Target Group: Default TargetGroup

| Target Name | Type | Details | Account Keys | Notes |
| --- | --- | --- | --- | --- |
| CTR_For_Access_Token | HTTP Endpoint | Protocol: HTTPS; Path: /iroh | CTR_Credentials | Created by default |
| Private_CTIA_Target | HTTP Endpoint | Protocol: HTTPS; Path: None | None | Created by default |

Account Keys

| Account Key Name | Type | Details | Notes |
| --- | --- | --- | --- |
| CTR_Credentials | HTTP Basic Authentication | Username: Client ID; Password: Client Secret | Created by default |