NOTE: This is sample code and needs to be tested properly before using in production!
-
Your list of computers in Cisco Secure Endpoint may be polluted with inactive endpoints that are not seen connected over a long period of time. The reasons can be multiple (duplication, laptop update, deleted virtual machine ...) and they consume "seats" in your license
-
Use SecureX Orchestration to periodically :
- Identify endpoint with a last seen value over a given number of days (default 45)
- Remove them from your computer list automatically or with a 2-Tiers approval
- Notify
-
This workflow can be trigger by a schedule to execute every day or X days
- Cisco Secure Endpoint (AMP)
- Cisco Webex
-
- Calculate Past date from delay
-
- Query Cisco Secure Endpoint to get the list of Computer with their hostname, last seen, GUID
-
- For each computer, compare last seen value with Calculated past date
-
- Store in a temporary table Hostname, GUID of endpoint to be removed
-
- Create Approval Request (optional)
-
- Notify in Cisco Webex (optional)
-
- Wait for approval (optional)
-
- If approved, delete Endpoint(s)
- Cisco Secure EP API key. Documentation
- Cisco Teams Bot for SecureX and a Cisco Teams Room (optional). Documentation
- Logon to SecureX via: https://sign-on.security.cisco.com/.
NOTE: If you don't have a SecureX Account, please follow the Quick Start Guide.
-
Go to Menu "Orchestration"
-
Set up or Verify Targets, Account Keys and Variables
-
Go to "Account Keys" and create or verify the following account. If it already exists under a different name, use it in next step.
- Cisco Secure Endpoint - Account Keys
- *Account Key Type set to HTTP Basic Authentication
- Display Name set to AMP_Credentials
- username: Cisco SecureEP API : 3rd Party API Client ID
- Password: Cisco Secure EP API : API Key
- Authentication option: Basic
- Cisco Secure Endpoint - Account Keys
-
Go to "Targets" and create the following accounts. If they already exists under a different display name and you can't rename or duplicate them, you will have to modify Target Criteria in the workflow.
-
Cisco Secure Endpoint - Target
- Target Type set to HTTP Endpoint
- Dislay Name set to AMP_Target
- No Account Key set to false
- Default Account keys set to AMP_Credrentials
- Protocol set to HTTPS
- Host set to api.amp.cisco.com or api.eu.amp.cisco.com
- Port set to 443
- Path set to /v1
-
Cisco Webex
- Target Type set to HTTP Endpoint
- Display Name set to Webex Teams
- No Account Key set to true
- Protocol set to HTTPS
- Host set to webexapis.com
- Port set to 443
-
-
Go to Variables and Create or verify global variables for your Webex Token
- Webex Token
- Data Type set to Secure String
- Display Name set to Webex Bot Token
- Scope set to Global
- Value set to "YOUR WEBEX BOT TOKEN"
- Webex Token
- Import SXO Atomic Actions from Github
- Go to Workflows select "Atomic Actions" and IMPORT Atomoc Actions
This step is a pre-requirement to successful import the workflow in the next step!
- Import the following
- Webex-Teams-Send-Simple-Adaptive-Card from SX-AO Atomics
- Import the Workflow
-
Go to Workflows and IMPORT the following workflow from SX-AO
- Cisco-SecureEP-Remove-Inactive-Endpoints
- Open and edit the imported workflow
-
Adjust following variables to fit with your needs*
-
Webex Room Name set to the Webex room name used for notification. Remember to add you BOT to this room
-
Number of days set to the number of days for endpoint not seen connected
-
Enable and fill the first block Set Variabble Bot Token in the first group admin
- Variable to update set to Global Variable Webex Bot Token (step3)
- Validate the workflow
Ivan Berlinson (Cisco) - ivberlin@cisco.com