Workflows
Automation workflows allow you to investigate security events, automate responses, and eliminate repetitive tasks, using activities, logic, and even other workflows to communicate with other systems and resources. From the Workflows page, you can access your individual workflows and atomic actions, and view the most recently run workflows and your favorite workflows. The All Workflows tab allows you to access, create, and import workflows.
The All Workflows and Atomics tabs display a card or list row for each workflow or atomic action in your environment.
By default, the All Workflows and Atomics tabs are displayed in a tiled Card View. If you have many workflows or atomics, you can change the view to a more compact List View:
Custom Tab
You can create and display up to five tabs with user-defined categories on the Workflows page. Click the icon and choose up to five tabs by clicking the pin icon. The default tabs are All Workflows, Atomics, Recents, and Favorites:
- Recents are workflows that have run recently.
- Favorites are workflows that you select. You can use favorites to mark workflows that you want to find more easily. To set a workflow as a favorite, click the gray star in the lower left corner of the workflow card or after the workflow name in the list row.
- To add a custom tab, first create and save a custom filter.
Custom Filter
You can Search for workflows by entering names or keywords, or filter by Saved Filters, Ready State, or Category.
You can save the custom filter you've created and add it as a custom tab to the Workflows page:
- After you configure the filter, click Add to Saved Filters.
- Enter a meaningful filter name and click Save.
- Click the icon next to All Workflows and click the filter to add a tab for it.
- Click any pinned filter to remove its tab.
When you click on a workflow, the Workflow drawer opens on the right, which displays a summary of the workflow to help you quickly understand it at a high level.
The summary includes information such as description, categories, response actions, variables, triggers, and targets.
To view more information about the workflow, click View workflow to open the Workflow Editor.
- To close the drawer, click the X at the top-right corner or anywhere outside the drawer.
- With the drawer open, you can click on other workflows to view their summaries, enabling you to look through multiple workflows quickly.
- To bypass the Workflow drawer and open the Workflow Editor directly, either click the open in window icon next to the name or hold down the command (Mac) or Ctrl (Windows) key when you click on a workflow.
In each workflow or atomic card or list item, you can perform actions from the menu.
Some of the menu options (Delete or Uninstall) depend on whether the workflow was installed from the Exchange. For workflows installed from the Exchange, the Uninstall option is displayed; for all other workflows, the Delete option is displayed.
If you're using the card view, hover the mouse on the workflow card and click the ellipsis (…) to see the menu options:
If you're using the list view, hover the mouse on the list item and click the ellipsis (…) in the Actions column to see the menu options:
- Used By - See all other workflows that use or have a dependency on this workflow or atomic action.
- Run - Perform a single execution of the workflow or atomic action.
- Duplicate - Use this option to make a copy of the workflow so that you can modify it without changing the original workflow. See the Duplicate a Workflow Help topic for more information.
- Export - Export the workflow as JSON. You can copy the JSON text or save the output as a file. See the Import and Export a Workflow Help topic for more information.
- View Runs - Takes you to the Runs & System Monitor page where you can view a history of the workflow's runs.
- Delete - This option is displayed for custom workflows or any other workflows not installed from the Exchange. Use this option to delete the workflow or atomic action from your environment.
- Uninstall - This option is displayed if the workflow was installed from the Exchange. Use this option to uninstall the workflow and sub-workflows from your environment. See the Delete or Uninstall a Workflow topic for more information.
You can easily identify the workflows that were installed from the Exchange:
- In the card view, the (Exchange) icon is displayed in the lower right corner of the workflow card.
- In the list view, Exchange is displayed in the Categories column.
For more information on some of the workflows, visit this Workflows page in GitHub (maintained on a best-effort basis).
A workflow must be in a valid state to be executed manually or triggered by an event. For example:
- If you change a workflow but do not validate it, the next time the workflow is scheduled to run, it may fail to execute.
- If you have a workflow configured with an Email rule and you are working on the workflow when an email arrives, the workflow may fail to execute if it is not in a valid state.
- Before you can successfully run a response workflow from the pivot menu in Cisco XDR, open the workflow in the Workflow Editor to validate the workflow. Once the workflow is validated, you can click on it to run it from the pivot menu. When you select a workflow to execute, you’ll see a small success message at the bottom right of the page. Note that this success message only indicates that the workflow was started successfully; it does not mean that the workflow completed successfully. To view the workflow’s status and result, go to the Runs page.
If you want to import an updated version of a workflow that you already have, any changes you have made are overwritten. To avoid overwriting your changes, you can import a workflow as a copy.
You can mark a workflow as a favorite by clicking the star icon in its card or list row.
To preserve system resources and ensure the integrity and performance of the platform, there are some limits put in place around workflows:
- Design limits:
  - Maximum number of workflows: 500
  - Maximum number of atomics: 500
  - Maximum number of workflow variables: 100
  - Maximum number of workflow Large String variables: 5
  - Maximum number of workflow actions (all kinds): 200
  - Maximum number of sub-workflow activities per workflow: 30
  - Maximum number of atomic activities per workflow: 30
  - Maximum number of For Each logic activities per workflow: 20
  - Maximum number of Parallel Block logic activities per workflow: 10
  - Maximum number of While Loop logic activities per workflow: 20
  - Maximum depth of nested loop blocks per workflow: 3
  - Maximum number of workflows that you can have published in Exchange: 100
  - If a limit is reached, you receive a banner, toast, or in-page footer notifying you of the specifics.
- Run time limits:
  - Maximum total loop runs per workflow: 50,000 iterations (includes loop counts from all logic actions in a workflow)
  - Maximum number of iterations a For Each or While Loop can run: 500
  - Maximum workflow run time: 30 minutes
  - If a limit is reached, the workflow fails with the run status of workflow_timeout.
- API run limits:
  - Start API rate limit is 20 per minute
  - Instances API rate limit is 50 per minute
  - Rate limit for all APIs other than Start and Instances is 8,000 per hour
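A client that starts workflows programmatically can pace itself against the API run limits listed above. The following is an added example, not code from the product or its documentation: the class `WorkflowApiThrottle`, the function `plan_send_times`, and the labels `start`, `instances` and `other` are hypothetical names chosen here, and the code calls no real endpoint. It assumes each limit is counted over a sliding window, which the page does not specify.

```python
import time
from collections import deque

# (max calls, window in seconds), taken from the "API run limits" list above.
API_LIMITS = {
    "start": (20, 60),
    "instances": (50, 60),
    "other": (8000, 3600),
}


class WorkflowApiThrottle:
    """Sliding-window limiter with one independent window per API class."""

    def __init__(self, limits=API_LIMITS, clock=time.monotonic):
        self._limits = limits
        self._clock = clock
        self._calls = {name: deque() for name in limits}

    def wait_time(self, api_class):
        """Seconds until the next call of this class fits inside its limit."""
        max_calls, window = self._limits[api_class]
        calls = self._calls[api_class]
        now = self._clock()
        # Forget calls that have aged out of the window.
        while calls and now - calls[0] >= window:
            calls.popleft()
        if len(calls) < max_calls:
            return 0.0
        return window - (now - calls[0])

    def try_acquire(self, api_class):
        """Record a call and return True if it is allowed now, else False."""
        if self.wait_time(api_class) > 0:
            return False
        self._calls[api_class].append(self._clock())
        return True


def plan_send_times(n_requests, api_class="start"):
    """Simulate a burst of requests on a fake clock; return each send offset (s)."""
    now = [0.0]  # constructed clock so the simulation runs instantly
    throttle = WorkflowApiThrottle(clock=lambda: now[0])
    sent = []
    for _ in range(n_requests):
        now[0] += throttle.wait_time(api_class)  # "sleep" until a slot opens
        throttle.try_acquire(api_class)
        sent.append(now[0])
    return sent
```

In a real client, sleep for `wait_time()` before each request and call `try_acquire()` immediately before sending it.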