Cisco XDR has a distributed set of capabilities presented in the form of apps and tools in the Cisco XDR ribbon. The ribbon is located in the lower portion of the page, and persists as you move between the dashboard and other security products in your environment. To aid in your research and investigation, use the ribbon to access the casebook, apps, settings, search observables for enrichment, and view incidents.
To add possibly compromised devices to the casebook in the Cisco XDR ribbon, you can use the Find Observables option in the ribbon, and based on the findings, add to a casebook or choose to investigate further in Threat Response. You can pivot from the ribbon to Threat Response, manually initiate an investigation, and search on the device by hostname, for example.
For more information, see the Ribbon help topic.