Cisco Secure Endpoint - Add Hashes to Simple Custom Detections
This incident response workflow allows you to add hashes involved in an incident to a simple custom detection list in Cisco Secure Endpoint through a playbook or using an automation rule. When using this workflow in a playbook, the user selects which hashes to add. When using this workflow with an incident automation rule, all hashes in the incident will be added.
Target: Secure Endpoint v1
Steps:
- Create a table for observables
- Detect the start type and extract the supported observables
- Check if any supported observables were found (if not, end the workflow)
- Get the file list's GUID (if this fails, end the workflow)
- For each hash:
  - Attempt to add the hash to the file list
  - Check if the hash was added to the list successfully:
    - If not, update the workflow results and continue to the next hash
- Update the workflow results
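The steps above, modelled end to end as an added Python example (this is not the workflow's own code and not a Cisco-published module). It assumes the two documented Secure Endpoint API v1 calls the workflow depends on, `GET /v1/file_lists/simple_custom_detections` to resolve the list GUID and `POST /v1/file_lists/{guid}/files/{sha256}` to add a hash, and injects the HTTP layer as a callable so the module runs offline against a constructed in-memory stand-in (`FakeSecureEndpoint`, whose status codes and error bodies are made up for the example). The `selected` argument distinguishes the two start types: `None` for an automation rule (every hash is taken), a set of values for a playbook (only the user's picks). Two checks the step list leaves implicit are made explicit: only well-formed SHA-256 values are sent, and duplicates differing only in case are collapsed.

```python
"""Added example: the 'add hashes to simple custom detections' workflow.

Not the workflow's own code. Endpoint paths follow the Secure Endpoint API v1;
the HTTP layer is injected so this runs offline against a constructed fake.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Simple custom detections are keyed by SHA-256, so that is the only supported type.
SUPPORTED_TYPES = {"sha256"}

# transport(method, path) -> (status_code, json_body); injected for offline use
Transport = Callable[[str, str], Tuple[int, dict]]


def extract_hashes(observables: Iterable[dict],
                   selected: Optional[Iterable[str]] = None) -> List[str]:
    """Step 2: return unique, well-formed SHA-256 values from the incident.

    selected=None models the automation-rule start (all hashes are taken);
    a set of values models the playbook start (only user-picked hashes).
    """
    wanted = None if selected is None else {s.lower() for s in selected}
    out: List[str] = []
    for obs in observables:
        if obs.get("type") not in SUPPORTED_TYPES:
            continue
        value = str(obs.get("value", "")).lower()
        if not SHA256_RE.match(value):  # the API would reject it anyway
            continue
        if wanted is not None and value not in wanted:
            continue
        if value not in out:  # collapse duplicates (case-insensitive)
            out.append(value)
    return out


def find_file_list_guid(transport: Transport, list_name: str) -> Optional[str]:
    """Step 4: resolve the simple custom detection list's GUID by name."""
    status, body = transport("GET", "/v1/file_lists/simple_custom_detections")
    if status != 200:
        return None
    for item in body.get("data", []):
        if item.get("name") == list_name:
            return item.get("guid")
    return None


def add_hashes_workflow(transport: Transport, observables: Iterable[dict],
                        list_name: str, selected=None) -> Dict:
    """Run the whole workflow and return its results record."""
    hashes = extract_hashes(observables, selected)
    if not hashes:  # step 3: nothing to do, end the workflow
        return {"status": "ended", "reason": "no supported observables",
                "added": [], "failed": {}}
    guid = find_file_list_guid(transport, list_name)
    if guid is None:  # step 4 failed, end the workflow
        return {"status": "ended", "reason": f"file list {list_name!r} not found",
                "added": [], "failed": {}}
    added, failed = [], {}
    for h in hashes:  # step 5: try each hash, record failures, keep going
        status, body = transport("POST", f"/v1/file_lists/{guid}/files/{h}")
        if status in (200, 201):
            added.append(h)
        else:
            detail = body.get("errors", [{}])[0].get("details", [f"HTTP {status}"])[0]
            failed[h] = detail
    return {"status": "completed", "added": added, "failed": failed}


class FakeSecureEndpoint:
    """Constructed in-memory stand-in for the two API calls used above.

    Status codes and error bodies are invented for the example, not copied
    from the real service.
    """

    def __init__(self):
        self.lists = {"guid-0001": {"name": "Incident Hashes", "files": set()}}
        # One hash is pre-seeded so that re-adding it is rejected.
        self.lists["guid-0001"]["files"].add("a" * 64)

    def __call__(self, method: str, path: str) -> Tuple[int, dict]:
        if method == "GET" and path == "/v1/file_lists/simple_custom_detections":
            data = [{"guid": g, "name": v["name"]} for g, v in self.lists.items()]
            return 200, {"data": data}
        m = re.match(r"^/v1/file_lists/([^/]+)/files/([0-9a-f]{64})$", path)
        if method == "POST" and m:
            guid, sha = m.groups()
            if guid not in self.lists:
                return 404, {"errors": [{"details": ["Unknown file list"]}]}
            if sha in self.lists[guid]["files"]:
                return 409, {"errors": [{"details": ["Hash already on list"]}]}
            self.lists[guid]["files"].add(sha)
            return 201, {"data": {"sha256": sha}}
        return 404, {"errors": [{"details": ["Not found"]}]}
```

Swapping `FakeSecureEndpoint` for a small wrapper around a real HTTP client (with the tenant's API credentials) is the only change needed to run this against a live tenant; the workflow logic, including the early exits and the per-hash failure record, stays the same.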
This workflow requires the following targets to be available before it can be run.
Integration targets
- Secure Endpoint