On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Get Observables from Tweets

Workflow #0077

This workflow searches recent Tweets for the specified hashtags and/or usernames and uses SecureX Threat Response to investigate each observable found. A malicious judgement is created for each observable and, if any sightings are found, an optional SecureX casebook and incident can be created. Finally, a Webex message will be sent with a summary of findings.


Change Log

Date Notes
Feb 23, 2023 - Initial release

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Threat Response - Create Casebook
    • Threat Response - Create Incident
    • Threat Response - Create Judgement
    • Threat Response - Create Relationship
    • Threat Response - Enrich Observable
    • Threat Response - Inspect for Observables
    • Webex - Search for Room
    • Webex - Post Message to Room
  • The following atomic actions must be imported before you can import this workflow:
    • Twitter - Get Recent Tweets by Hashtag or Username
  • The targets and account keys listed at the bottom of the page
  • (Optional) Cisco Webex

Workflow Steps

This workflow is designed to run on a schedule to periodically check for new matching Tweets.

  1. Fetch global variables and detect environment
  2. Search for the Webex room
  3. For each hashtag and username:
    • Get recent Tweets
    • For each Tweet returned:
      • Inspect for observables
      • For each observable:
        • Create a malicious judgement
        • Check for sightings
        • If sightings are found, create an incident and casebook
        • Create a casebook and incident for the sighting
        • Post a message to Webex


  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
  • See this page for information on configuring the workflow for Webex


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
CTR_API HTTP Endpoint Protocol: HTTPS
Host: visibility.amp.cisco.com
Path: /iroh
CTR_Credentials Created by default
Private_CTIA_Target HTTP Endpoint Protocol: HTTPS
Host: private.intel.amp.cisco.com
Path: None
None Created by default
Twitter API v2 HTTP Endpoint Protocol: HTTPS
Host: api.twitter.com
Path: /v2
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None
None Not necessary if Webex activities are removed

Account Keys

Account Key Name Type Details Notes
CTR_Credentials SecureX Token   See this page