Cisco Orbital - Execute Script for Selected Assets
Description
This workflow works with an incident response playbook to execute an Orbital script on user-selected assets from an XDR incident. This workflow can either execute a custom script or a script from the Orbital catalog.
Supported observables: device, hostname, IPv4 address, IPv6 address, Secure Endpoint computer ID, MAC address, Orbital node ID.
Targets: Orbital - v0, Platform APIs
Steps:
- Validate the workflow configuration
- For each selected asset:
  - Add the asset to the host list for Orbital
  - Build the request payload for Orbital
  - Send the request to Orbital
  - Check if the request was successful:
    - If it was, attempt to extract the job ID and set the workflow result
    - If it wasn't, set the workflow result
Required targets
This workflow requires the following targets to be available before it can be run.
Integration targets
- Cisco XDR
- Orbital
About
Author: Cisco
Version: v1.0
Intent: Incident Response, Integration
Authorship: Cisco Managed
Related workflows
- Cisco Managed: This workflow works with an incident automation rule or playbook task to execute an Orbital query on an XDR incident's assets.
- Cisco Managed: This workflow works with an incident response playbook to execute an Orbital query on user-selected assets from an XDR incident.
- Cisco Managed: This workflow works with an incident automation rule or playbook task to execute an Orbital script on an XDR incident's assets.
- Cisco Managed: This workflow works with an incident response playbook to execute an Orbital script on user-selected assets from an XDR incident.
- Community: This incident response workflow consumes one or more users (user or process_username) and attempts to disable the local account on endpoints running Windows, macOS or Linux.
- Community: This incident response workflow consumes one or more users (user or process_username) and attempts to force a logout from endpoints running Windows, macOS or Linux.
- Community: This incident response workflow consumes one or more users (user or process_username) and attempts to re-enable the local account on endpoints running Windows, macOS or Linux. This workflow is intended for use in a playbook during the recovery stage.
- Cisco Managed: This workflow initiates a Cisco Orbital forensic snapshot for the endpoint identified by the provided observable.