chrivand / sxo_secops_workflow


License: CISCO published

Automated SecOps workflow with Policy Enforcement Verification

This workflow serves as an example of a SecOps workflow that includes automated remediation via Cisco Umbrella (block the C2 domain), Cisco ThousandEyes (policy enforcement verification), Cisco Duo (disable the user), Cisco SecureX (create a casebook) and Cisco Webex (send a notification). One could easily add or replace other solutions as well.
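The control flow described above, as an added Python example that is not the repository's own workflow code: the five integrations sit behind a dict of callables so the block, verify, disable, casebook and notify sequence can be exercised offline with constructed responses. The step order, the payload shape of the Umbrella Enforcement API event, and the block-page addresses are assumptions for illustration; confirm each against your tenant and the current API documentation before reusing any of it.

```python
"""Added example, not the repository's own code: the workflow's control flow in
plain Python. Step order, payload shapes and block-page addresses are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Assumed sample Umbrella block-page addresses; replace with the ones your
# resolvers actually answer for a blocked domain.
BLOCK_PAGE_IPS = {"146.112.61.104", "146.112.61.105"}


@dataclass
class Incident:
    c2_domain: str
    username: str
    source_ip: str
    observed_at: datetime


@dataclass
class WorkflowResult:
    steps: List[str] = field(default_factory=list)
    enforcement_verified: bool = False
    user_disabled: bool = False
    casebook_title: str = ""
    notification: str = ""


def umbrella_enforcement_event(inc: Incident, device_id: str) -> dict:
    """Event body for the Umbrella Enforcement API (POST .../1.0/events).
    Field names are from memory of the public docs; confirm before use."""
    ts = inc.observed_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.0Z")
    return {
        "alertTime": ts,
        "deviceId": device_id,
        "deviceVersion": "1.0",
        "dstDomain": inc.c2_domain,
        "dstUrl": f"http://{inc.c2_domain}/",
        "eventTime": ts,
        "protocolVersion": "1.0a",
        "providerName": "Security Platform",
    }


def enforcement_verified(resolved_ips: List[str]) -> bool:
    """Policy enforcement verification: the block holds only if the domain now
    resolves to nothing or exclusively to block-page addresses. Any other
    answer means an agent still reached the real C2 infrastructure."""
    return all(ip in BLOCK_PAGE_IPS for ip in resolved_ips)


def run_workflow(inc: Incident, api: Dict[str, Callable]) -> WorkflowResult:
    """api maps step name -> callable; production callers would wrap the
    Umbrella, ThousandEyes, Duo, SecureX and Webex HTTP APIs."""
    res = WorkflowResult()
    api["umbrella_block"](umbrella_enforcement_event(inc, "sxo-example"))
    res.steps.append("umbrella_block")
    resolved = api["thousandeyes_resolve"](inc.c2_domain)
    res.enforcement_verified = enforcement_verified(resolved)
    res.steps.append("thousandeyes_verify")
    # The user is disabled either way: an unverified block means the host may
    # still reach the C2, which makes cutting the account's access more urgent.
    api["duo_disable"](inc.username)
    res.user_disabled = True
    res.steps.append("duo_disable")
    severity = "High" if res.enforcement_verified else "Critical"
    res.casebook_title = f"[{severity}] C2 {inc.c2_domain} from {inc.source_ip}"
    api["securex_casebook"](res.casebook_title, [inc.c2_domain, inc.source_ip])
    res.steps.append("securex_casebook")
    if res.enforcement_verified:
        res.notification = (f"{inc.c2_domain} blocked and verified; "
                            f"{inc.username} disabled in Duo.")
    else:
        res.notification = (f"ACTION NEEDED: {inc.c2_domain} still resolves to "
                            f"{', '.join(resolved)} after Umbrella block; "
                            f"{inc.username} disabled in Duo.")
    api["webex_notify"](res.notification)
    res.steps.append("webex_notify")
    return res


def fake_api(resolved_after_block: List[str]) -> Dict[str, Callable]:
    """Constructed stand-ins that record calls instead of hitting the network."""
    calls: List[tuple] = []
    return {
        "umbrella_block": lambda body: calls.append(("umbrella", body)),
        "thousandeyes_resolve": lambda domain: resolved_after_block,
        "duo_disable": lambda user: calls.append(("duo", user)),
        "securex_casebook": lambda title, obs: calls.append(("casebook", title)),
        "webex_notify": lambda text: calls.append(("webex", text)),
    }


def example_run(resolved_after_block: List[str]) -> WorkflowResult:
    """Run the workflow on a constructed incident with constructed DNS answers."""
    inc = Incident("c2.example.invalid", "jdoe", "10.20.30.40",
                   datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc))
    return run_workflow(inc, fake_api(resolved_after_block))


if __name__ == "__main__":
    print(example_run(["146.112.61.104"]).notification)
    print(example_run(["203.0.113.7"]).notification)
```

The point the verification step makes is that a block request returning HTTP 200 is not evidence of enforcement; only an answer observed from a vantage point behind the policy (here, the list of addresses the domain still resolves to) is. The casebook and notification are built from that observation so an unenforced block surfaces as a Critical case demanding manual action rather than a quiet success.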

Check this YouTube demo for more info.

Note: Please test this properly before implementing in a production environment. This is a sample workflow!

Required Targets and API Keys

Setup instructions

  1. Browse to your SecureX orchestration instance. This will be a different URL depending on the region your account is in:

Import atomic actions

  1. In the left pane menu, select Workflows. Click on IMPORT to import the workflow:

  2. Click on Browse and copy paste the content of the sxo_secops_workflow.json file inside of the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.

Import main workflow

  1. In the left pane menu, select Workflows. Click on IMPORT to import the workflow.

  2. Click on Browse and copy paste the content of the sxo_secops_workflow.json file inside of the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.

  3. Next you will need to update targets / account keys and set a trigger to run the workflow.


Author(s)

  • Christopher van der Made (Cisco)

About

License:Other