Importing and Running Workflows

In this exercise we'll import a completed workflow, customize it, and run it. This is a GREAT way to get a fast start with automation. There are a ton of workflows built by Cisco (and the community) to get you started or to perform really complex, labor-intensive actions.

Importing a Workflow from GitHub

  1. Click back to Workflows and choose the Import button.

  2. Choose Import from Git, then select DEVWKS-2240 for Git Repository, sxo-aws-ir for File Name, Updated Keys for Git Version, and Import as a New Workflow. Click Import.

  3. After importing, the workflow will show up as Copy(1)-AWS Incident Response. Open this newly created workflow.

  4. Name your workflow Pod X - AWS Incident Response, replacing X with your pod number.

Note: Since we're using a shared environment your workflow names must be unique.

  5. Replace the value of the 'observable_value' variable with the IP address for your pod from the table below.

Pod     IP address       Pod     IP address
Pod 1   172.31.22.192    Pod 7   172.31.6.65
Pod 2   172.31.19.34     Pod 8   172.31.14.208
Pod 3   172.31.28.79     Pod 9   172.31.9.54
Pod 4   172.31.14.249    Pod 10  172.31.1.181
Pod 5   172.31.7.47      Pod 11  172.31.3.219
Pod 6   172.31.1.44      Pod 12  172.31.1.71

  6. Replace the value with the one for your pod and click Save.

Accelerating Response Actions

The imported workflow automates all of the actions recommended by the AWS EC2 Incident Response Guide, including:

  • Enables Termination Protection on the instance
  • Sets a restricted Security Group limiting access
  • Removes it from any Auto Scaling Groups
  • Removes it from any Elastic Load Balancers
  • Snapshots attached Elastic Block Store (EBS) volumes
  • Tags the instance with IR details
  7. Run your imported workflow and inspect the Run of this workflow to see the details of the calls that were made and the response actions taken. It uses a mix of AWS Activities, Core Activities, and Logic Blocks to work through the recommended actions.

  8. Return to the workflow you created earlier and named Pod X - AWS Workflow by clicking back on Workflows.

  9. Run that workflow again. You'll find that this time the activity inside the Logic Block executes, because the imported workflow moved your host into the Isolate_SG security group. If you click on Yes and scroll down in the properties pane, you'll see that the condition matched and the workflow then tagged the affected EC2 instance.
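The containment steps listed under Accelerating Response Actions, together with the Logic Block check in the last step above (is the host already in the isolation security group?), as an added example in plain Python that is not the lab's workflow or any Cisco XDR code. It expresses the steps as direct boto3 calls rather than the orchestration AWS Activities the workflow uses. Assumptions: boto3 clients for EC2, Auto Scaling and classic ELB are passed in; the case id, instance, volume, snapshot, security group and load balancer identifiers are constructed sample values; and the recording fake at the bottom stands in for AWS so the sequence runs offline.

```python
"""Added example, not code from the lab or from Cisco XDR: the EC2 containment
steps listed above as boto3 calls, plus the Logic Block's check that the host is
in the isolation security group. Clients are injected so it runs offline."""
from dataclasses import dataclass, field


@dataclass
class IsolationReport:
    instance_id: str
    actions: list = field(default_factory=list)        # audit trail
    snapshot_ids: list = field(default_factory=list)   # forensic EBS snapshots


def _instance(ec2, instance_id):
    """Return the instance dict from ec2.describe_instances."""
    return ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]


def isolate_instance(instance_id, isolate_sg_id, ec2, autoscaling, elb, case_id):
    """Apply the containment steps. ec2/autoscaling/elb are boto3 clients
    (boto3.client('ec2') etc.) or objects with the same methods; isolate_sg_id
    is the restricted group (Isolate_SG in the lab); case_id goes in the tags."""
    report = IsolationReport(instance_id)

    # 1. Termination protection: the evidence must survive an accidental terminate.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    report.actions.append("termination_protection_enabled")

    # 2. Replace all security groups with the restricted isolation group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolate_sg_id])
    report.actions.append(f"security_group_set:{isolate_sg_id}")

    # 3. Detach from any Auto Scaling Group; decrementing capacity stops the ASG
    #    from launching a replacement (pass False if a replacement is wanted).
    asg_info = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])
    for entry in asg_info.get("AutoScalingInstances", []):
        autoscaling.detach_instances(InstanceIds=[instance_id],
                                     AutoScalingGroupName=entry["AutoScalingGroupName"],
                                     ShouldDecrementDesiredCapacity=True)
        report.actions.append(f"asg_detached:{entry['AutoScalingGroupName']}")

    # 4. Deregister from every classic Elastic Load Balancer that lists the host.
    for lb in elb.describe_load_balancers().get("LoadBalancerDescriptions", []):
        if any(i["InstanceId"] == instance_id for i in lb.get("Instances", [])):
            elb.deregister_instances_from_load_balancer(
                LoadBalancerName=lb["LoadBalancerName"], Instances=[{"InstanceId": instance_id}])
            report.actions.append(f"elb_deregistered:{lb['LoadBalancerName']}")

    # 5. Snapshot each attached EBS volume before the disk state changes further.
    for mapping in _instance(ec2, instance_id).get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(VolumeId=mapping["Ebs"]["VolumeId"],
                                   Description=f"IR {case_id} {instance_id}")
        report.snapshot_ids.append(snap["SnapshotId"])

    # 6. Tag the instance so responders and later workflows can find it.
    ec2.create_tags(Resources=[instance_id], Tags=[{"Key": "IR-Case", "Value": case_id},
                                                   {"Key": "IR-Status", "Value": "isolated"}])
    report.actions.append("tagged")
    return report


def is_isolated(ec2, instance_id, isolate_sg_id):
    """The lab's Logic Block condition: is the host already in the isolation group?"""
    return any(g["GroupId"] == isolate_sg_id
               for g in _instance(ec2, instance_id).get("SecurityGroups", []))


class _Recorder:
    """Constructed stand-in for a boto3 client: records calls, returns canned replies."""
    def __init__(self, canned):
        self.calls, self._canned = [], canned

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return self._canned.get(name, {})
        return method


def demo():
    """Run the sequence on constructed sample data; returns (report, ec2, asg, elb)."""
    ec2 = _Recorder({
        "describe_instances": {"Reservations": [{"Instances": [{
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0example1"}}],
            "SecurityGroups": [{"GroupId": "sg-isolate-example"}]}]}]},
        "create_snapshot": {"SnapshotId": "snap-0example1"}})
    asg = _Recorder({"describe_auto_scaling_instances": {
        "AutoScalingInstances": [{"AutoScalingGroupName": "web-asg"}]}})
    elb = _Recorder({"describe_load_balancers": {"LoadBalancerDescriptions": [
        {"LoadBalancerName": "web-elb", "Instances": [{"InstanceId": "i-0example1"}]}]}})
    report = isolate_instance("i-0example1", "sg-isolate-example", ec2, asg, elb, "CASE-0001")
    return report, ec2, asg, elb


if __name__ == "__main__":
    rep, ec2_fake, _, _ = demo()
    print(rep, is_isolated(ec2_fake, "i-0example1", "sg-isolate-example"))
```

Against real AWS, construct the three clients with boto3 and pass them in place of the fakes; the order of the steps matters, since termination protection and the snapshots preserve evidence before the network and scaling changes alter the host's state. The `is_isolated` check is the same "already in Isolate_SG?" condition the Logic Block evaluates, which is why the second workflow only tags the instance on its second run.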

Next, let's find out how Automate actions are integrated with the rest of the Cisco XDR platform.