Workflow Intent

When creating a workflow, you can start with a blank workflow or choose the type of workflow to gain some configuration assistance according to its intent and expedite the build process.

Workflow Intent

For an existing workflow that has not been assigned an intent yet, you can open the workflow in the Workflow Editor, and in the workflow properties under the Response Options section, choose Incident Response or Pivot Menu as the intent and their associated fields, or configure the Automation Rules section.

A blank workflow if you want to build from scratch and fully customize it to your particular needs.

In response to incidents, this workflow can be used by playbook tasks and/or triggered to run when an incident matching an automation rule’s criteria is created in Cisco XDR. Information about the incident is passed to the workflow so that it has the context it can use to respond. Use the variable browser to see the objects under Incident Response, including incident summary and run context information for both playbook tasks and automation rules. For more information, see the Response Tasks and Playbook Editor Help topics.

Variable Browser Incident Response to Playbook TaskVariable Browser Incident Response to Automation Rule

  1. Enter a meaningful display name for the workflow, and from the drop-down lists, select one or more actions (supported by the CTIM) and observable types for which this workflow is meant to act upon. If this workflow can be used for all observable types, check All. Otherwise, for generic workflows like create a ServiceNow ticket, check None to indicate that the workflow does not act upon any specific type of observable.

  2. Optionally, select an incident automation rule from the drop-down list, and Automation will add the rule you selected to the Automation Rules of the workflow's properties. Once the workflow is validated, the associated incident automation rule can automatically trigger this workflow to run. For more information, see the Incident Rule Help topic.

  3. Click Continue to open this workflow in the Workflow Editor, and in the workflow properties, you should see under Response Options that the Workflow Intent is set to Incident Response. The Action(s) and Observable Type(s) should also be populated based on your selections. Additionally, the Automation Rule Type is set to Incident Rule.

    Response Options Example

    The Incident Rule type cannot be removed from a workflow with the intent of responding to an incident.

    And the workflow will not be executed automatically unless a validated automation rule is associated with it.

  4. Updating the variables Workflow Result and Workflow Result Code provides feedback to the workflow user with information about the workflow execution. For incident response workflows, Workflow Result is automatically added to the incident's worklog after the run completes, and Workflow Result Code is automatically used to set the status of a playbook task. For more information, see the Workflow Variables - Workflow Result Help topic.

    An example that uses both variables is if the incident response workflow ran successfully, but because of an error, it was only able to partially complete its intent. You can use the Set Variables core activity to both set the Workflow Result Code property to "partially-completed" and add context information using the Workflow Result property.

Enables you to take response actions from an observable throughout Cisco XDR. Pivot menus appear in investigations, incidents, and the Cisco XDR ribbon.

  1. Enter a meaningful display name for the workflow.

  2. Select one or more observable types from the drop-down list that this workflow was built to work with. Only the pivot menu of the observable type(s) you've chosen here will show this workflow available to execute.

  3. Click Continue, and Automation adds your selections to the Response Options section of the workflow properties, along with some sample variables (string input observable_type and observable_value) and actions to the workflow. The observables this workflow can work with can be updated here, as needed.

    Response Options Example

  4. Once it's validated, the workflow is added to the pivot menu of any observable throughout Cisco XDR matching the type(s) you selected.

In order for a workflow to appear in pivot menus, it must have a Workflow Intent of Pivot Menu under Response Options and be in a validated state. For more information, see the Workflow Editor Help topic.

Automation rule workflows are triggered to run when conditions for the rule are met in Cisco XDR. Information is passed to the workflow so that it has the context it can use to respond. For more information, see the Automation Rules Help topic.

  1. Enter a meaningful display name for the workflow.

  2. Select one or more rule types from the drop-down list. While designing the workflow, you don't have to associate it with an automation rule yet, as you can refer to the variables in a generic fashion.

  3. After the workflow is assigned an automation rule type, you'll have access to various rule-related data under the Rule object in the variable browser.

    Browse Variables Rule Object

  4. In order to run the workflow, go to the Workflow Properties and add one or more automation rules. For more information, see the Workflow Editor Help topic.

Note that all automation rules associated with a workflow are exported with the workflow. So after you finish your work using the workflow, don't forget to remove it from any automation rules. Otherwise, all associated automation rules are exported alongside the workflow, which is unwanted behavior. All you need to do is keep the Automation Rule Type assigned.