{ "workflow": { "unique_name": "definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch", "name": "Secure Endpoint - Isolate Host with Tier 2 Approval", "title": "Secure Endpoint - Isolate Host with Tier 2 Approval", "type": "generic.workflow", "base_type": "workflow", "variables": [ { "schema_id": "datatype.secure_string", "properties": { "value": "*****", "scope": "local", "name": "Webex Access Token", "type": "datatype.secure_string", "is_required": false, "is_invisible": false }, "unique_name": "variable_workflow_022WO42QI25K72AgsPj4G9N3sOz6P5r8c1y", "object_type": "variable_workflow" }, { "schema_id": "datatype.string", "properties": { "value": "", "scope": "input", "name": "observable_type", "type": "datatype.string", "is_required": false, "is_invisible": false }, "unique_name": "variable_workflow_022WO32C6UKQ17WEXxb1A42OxUxH0psxih0", "object_type": "variable_workflow" }, { "schema_id": "datatype.string", "properties": { "value": "", "scope": "input", "name": "observable_value", "type": "datatype.string", "is_required": false, "is_invisible": false }, "unique_name": "variable_workflow_022WO2X9AI3464lSBodjXGL1gTncTUoXUAr", "object_type": "variable_workflow" }, { "schema_id": "datatype.string", "properties": { "value": "FOO-BAR", "scope": "local", "name": "Webex Room ID", "type": "datatype.string", "is_required": false, "is_invisible": false }, "unique_name": "variable_workflow_022WO4QKRXLJQ3Th6dDo5DTSkjnc1FumH1b", "object_type": "variable_workflow" } ], "properties": { "atomic": { "is_atomic": false }, "delete_workflow_instance": false, "description": "=> Goal: Trigger this workflow when you have suspicion of an endpoint being targetted in an ongoing attack. \n=> Input: amp_computer_guid\n=> Steps:\n1. Create an approval request to isolate the target endpoint.\n2. Send a notification to the SOC space to investigate the target endpoint further.\n3. Waits for approval...\n4 .If approved, isolate an endpoint if given an observable that can identify an endpoint (e.g Cisco Secure Endpoint GUID).", "display_name": "PROD: Demo Response Workflow [CHRIVAND]", "runtime_user": { "target_default": true }, "target": { "no_target": true } }, "object_type": "definition_workflow", "actions": [ { "unique_name": "definition_activity_022WQ6VD9B7PT4zJl5UcMxKbCYWwYfhWxcn", "name": "Condition Block", "title": "Observable Type Compatible?", "type": "logic.if_else", "base_type": "activity", "properties": { "continue_on_failure": false, "display_name": "Observable Type Compatible?", "skip_execution": false }, "object_type": "definition_activity", "blocks": [ { "unique_name": "definition_activity_022WQ6VDJB8732sDJOF1BftLLBwDuRLJ3B4", "name": "Condition Branch", "title": "NO ENDPOINT IDENTIFIER", "type": "logic.condition_block", "base_type": "activity", "properties": { "condition": { "left_operand": "$workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.input.variable_workflow_022WO32C6UKQ17WEXxb1A42OxUxH0psxih0$", "operator": "ne", "right_operand": "amp_computer_guid" }, "continue_on_failure": false, "display_name": "NO ENDPOINT IDENTIFIER", "skip_execution": false }, "object_type": "definition_activity", "actions": [ { "unique_name": "definition_activity_022WQ7HPP7UP57NJaSGOpv0EMXSWKmdhVA0", "name": "Completed", "title": "Failed, wrong observable type...", "type": "logic.completed", "base_type": "activity", "properties": { "completion_type": "failed-completed", "continue_on_failure": false, "display_name": "Failed, wrong observable type...", "result_message": "Wrong observable type as input: $workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.input.variable_workflow_022WO32C6UKQ17WEXxb1A42OxUxH0psxih0$ [amp_computer_guid exepected]", "skip_execution": false }, "object_type": "definition_activity" } ] } ] }, { "unique_name": "definition_activity_022WPJ10PJODX5IlpMlU87i4TKxZHnonQm4", "name": "Create Approval Request", "title": "Approval request: Potential Incident Detected ⚠️", "type": "task.approval_request", "base_type": "activity", "properties": { "approval_choices": [ "Approve", "Reject" ], "assignees": [ "chrivand@cisco.com" ], "continue_on_failure": false, "display_name": "Approval request: Potential Incident Detected ⚠️", "due_date": { "is_relative_time": true, "relative_time": { "duration": 15, "time_units": "days" }, "set_due_date": true }, "expiration_date": { "is_relative_time": true, "relative_time": { "duration": 15, "time_units": "days" } }, "expiration_status": "Expired", "minimum_approvals": 1, "priority": "high", "skip_execution": false, "subject_line": "⚠️ Potential Incident Detected ⚠️", "task_message": "Do you approve to isolate the following target: $workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.input.variable_workflow_022WO2X9AI3464lSBodjXGL1gTncTUoXUAr$ \n\nPlease investigate before approving!", "task_owner": "hanjabbo@cisco.com", "task_requestor": "chrivand@cisco.com" }, "object_type": "definition_activity" }, { "unique_name": "definition_activity_022WO38GE8J5C6yi8ND7s8A9YfHli8kiI1o", "name": "Webex - Post Message to Room", "title": "Webex - Post Message to Room", "type": "workflow.atomic_workflow", "base_type": "subworkflow", "properties": { "continue_on_failure": false, "display_name": "Webex - Post Message to Room", "input": { "variable_workflow_01PP78DJH1TI76BYfsu9g0Tqj2S6cUxjtu5": "$workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.local.variable_workflow_022WO4QKRXLJQ3Th6dDo5DTSkjnc1FumH1b$", "variable_workflow_01PP78DJH1XNQ7gNQ5iZdperRHqrppzARXC": "$workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.local.variable_workflow_022WO42QI25K72AgsPj4G9N3sOz6P5r8c1y$", "variable_workflow_01PP78DJH1YWL3allalGQbg1VkgKwh9GvCi": "# ⚠️ Potential Incident Detected ⚠️\n---\n## An [approval request](https://securex-ao.us.security.cisco.com/orch-ui/tasks/$activity.definition_activity_022WPJ10PJODX5IlpMlU87i4TKxZHnonQm4.output.task_id$) has been created to isolate the following target: `$workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.input.variable_workflow_022WO2X9AI3464lSBodjXGL1gTncTUoXUAr$`\n---\n## Please investigate [NOW](https://visibility.amp.cisco.com/investigate?q=$workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.input.variable_workflow_022WO32C6UKQ17WEXxb1A42OxUxH0psxih0$%3A$workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.input.variable_workflow_022WO2X9AI3464lSBodjXGL1gTncTUoXUAr$) and approve host isolation as needed...", "variable_workflow_01PP78DJH22BB3Ej3I8tJ4OCQur0unYGjj9": "", "variable_workflow_01SVERQNMKN8N6vqX2djMtAfshphGydGsH8": "" }, "runtime_user": { "target_default": true }, "skip_execution": false, "target": { "override_workflow_target": true, "target_id": "definition_target_01FWYLOO0J2XM7SH55NFSKhqCgLoFpGLcPt", "target_type": "web-service.endpoint" }, "workflow_id": "definition_workflow_01PP78DJMXS415nTjonujf03ROkr6t2PNyw", "workflow_name": "Webex - Post Message to Room" }, "object_type": "definition_activity" }, { "unique_name": "definition_activity_022WPKN7DYW911QZE751VH93xManuf8JLfx", "name": "Wait For Event", "title": "Wait For Approval...", "type": "task.wait_for_event", "base_type": "activity", "properties": { "continue_on_failure": false, "display_name": "Wait For Approval...", "event_info": { "add_event": true, "event_definition": { "conditions": { "left_operand": "$output.task_id$", "operator": "eq", "right_operand": "$activity.definition_activity_022WPJ10PJODX5IlpMlU87i4TKxZHnonQm4.output.task_id$" } } }, "event_timeout": 1000, "event_type": "approval_task.event", "skip_execution": false }, "object_type": "definition_activity" }, { "unique_name": "definition_activity_022WPOJRUUUCP4epCFzmX9oBRGAUUI7xJa2", "name": "Condition Block", "title": "Isolation Approved?", "type": "logic.if_else", "base_type": "activity", "properties": { "continue_on_failure": false, "display_name": "Isolation Approved?", "skip_execution": false }, "object_type": "definition_activity", "blocks": [ { "unique_name": "definition_activity_022WPOJS4GHGG6tg7p9Cu67Mfy9Xq5hfKtK", "name": "Condition Branch", "title": "Approved!", "type": "logic.condition_block", "base_type": "activity", "properties": { "condition": { "left_operand": "$activity.definition_activity_022WPKN7DYW911QZE751VH93xManuf8JLfx.output.approval_choices[0]$", "operator": "eq", "right_operand": "Approve" }, "continue_on_failure": false, "display_name": "Approved!", "skip_execution": false }, "object_type": "definition_activity", "actions": [ { "unique_name": "definition_activity_022WO9KAT0PZH2IoJTpLgSfstgFqyhUhp0J", "name": "Secure Endpoint - Isolate Host", "title": "Secure Endpoint - Isolate Host", "type": "workflow.atomic_workflow", "base_type": "subworkflow", "properties": { "continue_on_failure": false, "display_name": "Secure Endpoint - Isolate Host", "input": { "variable_workflow_01PP77UWF61XC6J78V5wbJCUMq6FbLtlWMn": "$workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.input.variable_workflow_022WO2X9AI3464lSBodjXGL1gTncTUoXUAr$" }, "runtime_user": { "target_default": true }, "skip_execution": false, "target": { "override_workflow_target": true, "target_id": "$module_target;Secure Endpoint;securex:ao:secure_endpoint$", "target_type": "web-service.endpoint" }, "workflow_id": "definition_workflow_01PP77UWMZGOK7EpAqljGObzskFeYlPRah5", "workflow_name": "Secure Endpoint - Isolate Host" }, "object_type": "definition_activity" }, { "unique_name": "definition_activity_022WQ9B35S27Q4jEZfQfk3ziPdKulFaTqBG", "name": "Webex - Post Message to Room", "title": "Webex - Post Message to Room", "type": "workflow.atomic_workflow", "base_type": "subworkflow", "properties": { "continue_on_failure": false, "display_name": "Webex - Post Message to Room", "input": { "variable_workflow_01PP78DJH1TI76BYfsu9g0Tqj2S6cUxjtu5": "$workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.local.variable_workflow_022WO4QKRXLJQ3Th6dDo5DTSkjnc1FumH1b$", "variable_workflow_01PP78DJH1XNQ7gNQ5iZdperRHqrppzARXC": "$workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.local.variable_workflow_022WO42QI25K72AgsPj4G9N3sOz6P5r8c1y$", "variable_workflow_01PP78DJH1YWL3allalGQbg1VkgKwh9GvCi": "## Request approved, target isolated: `$workflow.definition_workflow_022WO2AGYT7VQ6zrEjTlyUIrMiQVtX4RAch.input.variable_workflow_022WO2X9AI3464lSBodjXGL1gTncTUoXUAr$`", "variable_workflow_01PP78DJH22BB3Ej3I8tJ4OCQur0unYGjj9": "", "variable_workflow_01SVERQNMKN8N6vqX2djMtAfshphGydGsH8": "" }, "runtime_user": { "target_default": true }, "skip_execution": false, "target": { "override_workflow_target": true, "target_id": "definition_target_01FWYLOO0J2XM7SH55NFSKhqCgLoFpGLcPt", "target_type": "web-service.endpoint" }, "workflow_id": "definition_workflow_01PP78DJMXS415nTjonujf03ROkr6t2PNyw", "workflow_name": "Webex - Post Message to Room" }, "object_type": "definition_activity" } ] } ] } ], "categories": [ "category_01FM7CGPZZCMY0KcvgiGjVH5UaB4y4aDJ7m" ] }, "categories": { "category_01FM7CGPZZCMY0KcvgiGjVH5UaB4y4aDJ7m": { "unique_name": "category_01FM7CGPZZCMY0KcvgiGjVH5UaB4y4aDJ7m", "name": "response", "title": "response", "type": "basic.category", "base_type": "category", "category_type": "custom", "object_type": "category" } }, "targets": { "definition_target_01FWYLOO0J2XM7SH55NFSKhqCgLoFpGLcPt": { "unique_name": "definition_target_01FWYLOO0J2XM7SH55NFSKhqCgLoFpGLcPt", "name": "Webex Teams", "title": "Webex Teams", "type": "web-service.endpoint", "base_type": "target", "object_type": "definition_target", "properties": { "disable_certificate_validation": false, "display_name": "Webex Teams", "host": "webexapis.com", "ignore_proxy": false, "no_runtime_user": true, "port": 443, "protocol": "https" } } }, "atomic_workflows": [ "definition_workflow_01PP78DJMXS415nTjonujf03ROkr6t2PNyw", "definition_workflow_01PP77UWMZGOK7EpAqljGObzskFeYlPRah5" ], "dependent_workflows": [ "definition_workflow_01PP78DJMXS415nTjonujf03ROkr6t2PNyw", "definition_workflow_01PP77UWMZGOK7EpAqljGObzskFeYlPRah5" ], "module_targets": [ { "module_type": "Secure Endpoint", "external_id": "securex:ao:secure_endpoint" } ] }