On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Repeat Incident Alerting

Workflow #0070

This workflow sends alerts via Webex if a specific quantity of similar incidents are generated in SecureX within a specified period of time. Alerting can be done for all incidents (by leaving “Aggregation Field” blank) or can be done by aggregating incidents by a certain field (specified in “Aggregation Field”).

This workflow has been updated to use the new "SecureX Token" account key. For more information about this, please see this page. If you want to use legacy authentication, you can import an older version of the workflow.


Change Log

Date Notes
Aug 16, 2022 - Initial release
Sep 7, 2022 - Updated to support SecureX Tokens

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Threat Response - Search Incidents
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
    • None
  • The targets and account keys listed at the bottom of the page
  • (Optional) Cisco Webex

Workflow Steps

  1. Fetch global variables and detect region
  2. Calculate/format the date to search from
  3. Search incidents
  4. Aggregate the results and generate a list of alerts to send
  5. For each alert generated, send a Webex message


  • This workflow is designed to run on a schedule. You need to create a schedule and then add it as a trigger within the workflow
  • Set the Aggregation Field local variable to the field to aggregate the number of incidents by. If you leave this blank, all incidents will count towards the threshold. If you provide a field here, such as “title,” an alert will only generate if there are Alert Threshold incidents with the same Aggregation Field in Time Period
  • Set the Alert Threshold local variable to the number of incidents that must occur within the Time Period before an alert is generated
  • Set the Time Period local variable to the number of minutes within which to aggregate results. As in, if there are Alert Threshold incidents within this time period an alert will be generated
  • See this page for information on configuring the workflow for Webex


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Private_CTIA_Target HTTP Endpoint Protocol: HTTPS
Host: private.intel.amp.cisco.com
Path: None
CTR_Credentials Created by default
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None
None Not necessary if Webex activities are removed

Account Keys

Account Key Name Type Details Notes
CTR_Credentials SecureX Token   See this page