Response

View Task Status

The task status is displayed as a color-coded badge next to the task after a workflow is executed or when the status is set by the user. The following is a list of the statuses:

Status	Color	Description
Complete	Blue	The workflow has been executed and completed. The status can also be manually set as Complete by the user when adding a note to the task.
Running	Purple	The workflow execution has been started by the user and the workflow is currently running. Once completed, the status will change to Complete or an error.
Workflow failed	Red	The workflow execution has been started by the user but it failed to complete.
Failed to load Assets, Failed to load Observables, or Failed to load Assets and Observables	Red	The asset data, observable data, or asset and observable data could not be retrieved due to HTTP network errors. Hover over the badge and click Try again to attempt to retrieve the assets, observables, or assets and observables again.
Action required	Yellow	The workflow is executing but an Automation task (approval or prompt) requires user input before the workflow can continue.
Not applicable	Grey	The workflow requires certain observable types from the incident but no observables for that type exist in the incident or the status has been manually set as Not applicable by the user when adding a note to the task to indicate that the task is not applicable to the current incident response process. Note: By default, tasks that are marked with the Not applicable status are hidden from display. You can display the Not applicable tasks by clicking the Hide not applicable tasks toggle to off.

Add Note and Execute Workflows or View Requests for Tasks

All tasks include the (Add Note) icon to document your findings and, if applicable, the Execute or View button to execute workflows or respond to requests that automate part of the response process.

Add Note

The Add Note icon allows you to enter notes about the incident as you go through the triage and remediation process and you can assign a Not applicable or Complete status to the task when you add a note.

Click the (Add Note) icon to open a text editor in the task drawer where you can document your findings.

You can click Expand to open the text editor in a popup.
Enter a note about the incident using markdown or regular text. Use the formatting toolbar to format the text, if necessary.

Note: If you navigate away from the text editor while editing, the note is automatically saved as a draft for the current browser tab only. The draft content is not available if the same session of Cisco XDR is opened in another browser tab. To restore the note, return to the text editor and continue with your edits or click Undo or Use draft to remove or restore the draft content.
Click the Preview tab to review the note text.
Once completed, click the Add note drop-down and choose one of the following:
- Add note - Adds the note to the task drawer, Actions taken panel, and Worklog page without setting a status.
- Add note and set as "Complete" - Adds the note to the task drawer, Actions taken panel, and Worklog page, and sets the task status as Complete. The status is displayed next to the task.
- Add note and set as "Not applicable" - Adds the note to the task drawer, Actions taken panel, and Worklog page, and sets the task status as Not applicable. The status is displayed next to the task.
To remove the task status, click Add note to open a text editor and choose Add note and remove "Complete" status or Add note and remove "Not applicable" status.

View Task Details in Drawer

When you click a task in the list, the Task drawer opens where you can quickly view the notes that were manually added to the task and results of any automated workflows that have been executed for the task. You can also add notes to document your findings.

View Workflow Run

Click View run next to any executed workflow to open the full Workflow Properties and view complete information about the workflow run. See Workflow Properties for more information.

Note: Action data is only available for 30 days. If the workflow execution has exceeded 30 days, the data is archived and will not be displayed in the Workflow Editor environment.

Add Note

Click the Add note button to open a text editor where you can document your findings. See Add Note for more information.

Identification

The identification phase of the incident response process helps determine whether the threat is valid and if the investigation should continue. This phase includes tasks to review the incident to determine that the incident is a true positive and anomalous behavior, analyze the indicators, confirm the incident and assign a status, and document all evidence related to the incident and notify involved parties.

Identification Tasks and Workflows

The Identification phase includes the following tasks and workflows in the Cisco Managed Incident Playbook:

Task	Description	Automation Workflow
Review Incident	Add a note to record the evidence for assigning a status of Rejected, Open, or Incident Reported.	—
Analyze Indicators	Create judgment(s), as necessary, and add a note confirming any Malicious or Suspicious reputations.	—
Identify Affected Hosts	Add a note with summary of findings on the investigations of hosts found with malicious indicators.	—
Confirm Incident	Determine the incident status as Open, Rejected, Incident Reported, or Stalled.	XDR - Confirm Incident This automation workflow updates an incident's status to Incident Reported, creates a chat room using a supported messaging integration, and then adds the incident's assignees to that room. If a room already exists, a new room is not created and the incident's assignees are re-added as needed. Currently supported integrations include Webex and Slack.
Document and Notify	Create an incident ticket with the appropriate parameters and contextual incident information.	XDR - Document and Notify This automation workflow creates a ticket in your integrated IT Services Management System (ITSMS) and adds the ticket to this incident. Currently supported integrations include ServiceNow and Zendesk.

Click the Add Note button to open a text editor where you can document your findings. Click Save to add the note to the Actions taken panel.
Click the Execute button to run a workflow that automates the task. The result of running the workflow is added to the Actions taken panel and Worklog page.

If the incident has multiple observables, click the Execute button to open the drawer and check the check box next to the observables on which the workflow should be executed, and then click Execute in the drawer to run the workflow.

Once all of the identification tasks have been performed, click Go to Containment to perform the containment phase of the incident response process.

Containment

The containment phase of the incident response process includes tasks to identify the affected hosts and contain indicators of compromise to stop the spread of malicious activity. It also includes tasks to implement additional monitoring to detect any malicious activity related to the incident, and to identify vulnerabilities.

Containment Tasks and Workflows

The Containment phase includes the following tasks and workflows in the Cisco Managed Incident Playbook:

Task	Description	Automation Workflow
Contain Incident: Overview	Overview of how to contain Indicators of Compromise to stop the spread of malicious activity.	—
Contain Incident: Assets (Devices)	Use asset-based containment to stop the spread of malicious activity.	XDR - Contain Incident: Assets This automation workflow consumes one or more hostnames and attempts to isolate matching endpoints in all supported products. Currently supported integrations include Cisco Secure Endpoint, CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Trend Vision One, Cybereason, Palo Alto Cortex, and Darktrace DETECT & RESPOND.
Contain Incident: Assets (Users)	Use user-based containment to stop the spread of malicious activity.	XDR - Contain Incident: Users This automation workflow consumes one or more usernames or email addresses and attempts to lock out or disable matching users in all supported products. Currently supported integrations include Cisco Duo and Microsoft Entra ID.
Contain Incident: IP Addresses	Contain IP address indicators of compromise to stop the spread of malicious activity.	XDR - Contain Incident: IP Addresses This automation workflow consumes one or more IP addresses and attempts to block them in all supported products. Currently supported integrations include Cisco Secure Access (IPv4), Cisco Umbrella (IPv4 only) and Cisco XDR (intelligence feeds).
Contain Incident: Domains	Contain domain indicators of compromise to stop the spread of malicious activity.	XDR - Contain Incident: Domains This automation workflow consumes one or more domains and attempts to block them in all supported products. Currently supported integrations include Cisco Secure Access and Cisco Umbrella.
Contain Incident: URLs	Contain URL indicators of compromise to stop the spread of malicious activity.	XDR - Contain Incident: URLs This automation workflow consumes one or more URLs and attempts to block them in all supported products. Currently supported integrations include Cisco Secure Access, Cisco Umbrella, and Cisco XDR (intelligence feeds).
Contain Incident: File Hashes	Contain file hash indicators of compromise to stop the spread of malicious activity.	XDR - Contain Incident: File Hashes This automation workflow consumes one or more SHA-256 file hashes and attempts to block them in all supported products. Currently supported integrations include Cisco Secure Endpoint, CrowdStrike, Microsoft Defender for Endpoint, Trend Vision One, and Palo Alto Cortex.
Contain Incident: Quarantine Email Messages	Contain email messages to stop the spread of malicious activity.	XDR - Contain Incident: Quarantine Email Messages This workflow consumes one or more email message IDs and attempts to quarantine matching messages in all supported products. Currently supported integrations include Cisco Secure Email Threat Defense (via XDR response API) and Microsoft Defender for Office 365.
Implement Additional Monitoring	Implement additional monitoring that reviews host and network containment, and eradication success.	—
Identify Vulnerabilities	Scan host(s) for vulnerabilities and add a note on the recommended patches to be applied and service request to have them installed, if submitted.	XDR - Identify Vulnerabilities This automation workflow consumes one or more hostnames and attempts to fetch vulnerability information from your integrated Endpoint Detection and Response (EDR) solutions. Currently supported integrations include Cisco Secure Endpoint, CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint.

Click the Add Note button to open a text editor where you can document your findings. Click Save to add the note to the Actions taken panel.
Click the Execute button to run a workflow that automates the task. The result of running the workflow is added to the Actions taken panel and Worklog page.

If the incident has multiple observables, click the Execute button to open the drawer and check the check box next to the observables on which the workflow should be executed, and then click Execute in the drawer to run the workflow.

Once all of the containment tasks have been performed, click Go to Eradication to perform the eradication phase of the incident response process.

Eradication

The eradication phase of the incident response process includes tasks to mitigate or remediate vulnerabilities, remove malicious content, validate eradication and restore hosts, and implement monitoring the recovery from the threat.

Eradication Tasks and Workflows

The Eradication phase includes the following tasks and workflows in the Cisco Managed Incident Playbook:

Task	Description	Automation Workflow
Mitigate or Remediate Vulnerabilities	Add a note about the affecting vulnerabilites and how mitigations or remediation will be done	—
Remove Malicious Content	Add a note about the action achieved to ensure the removal of the malware.	—
Delete Email Messages	Deletes email messages from user mailboxes.	XDR - Delete Email Messages This workflow consumes one or more email message IDs and attempts to delete matching messages in all supported products. Currently supported integrations include Microsoft Defender for Office 365.
Re-image Systems	Re-image systems, as needed.	—

Click the Add Note button to open a text editor where you can document your findings. Click Save to add the note to the Actions taken panel.
Click the Execute button to run a workflow that automates the task. The result of running the workflow is added to the Actions taken panel and Worklog page.

Once all of the eradication tasks have been performed, click Go to Recovery to perform the recovery phase of the incident response process.

Recovery

The recovery phase of the incident response process includes restoring the system to get you up and running.

Recovery Tasks and Workflows

The Recovery phase includes the following tasks and workflows in the Cisco Managed Incident Playbook:

Task	Description	Automation Workflow
Validate Eradicated Hosts and Unquarantine Assets	Confirm and acknowledge eradication steps are working as expected and number of infected host(s) is dropping.	XDR - Unquarantine Assets This workflow consumes one or more hostnames and attempts to unquarantine matching endpoints in all the supported Endpoint Detection and Response (EDR) integrations. Currently supported EDRs include Cisco Secure Endpoint, CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, TrendMicro, and Cybereason.
Validate Re-imaged Hosts	Validate that each re-imaged system was completed by verifying new image creation date.	—
Implement Recovery Monitoring	Add a note on how you are going to monitor newly recovered systems for additional monitoring for anomalies or newly created incidents.	—
Restore Contained Users	Confirm and acknowledge eradication steps are working as expected and that users can resume accessing systems.	XDR - Restore Users This workflow consumes one or more usernames or email addresses and attempts to restore matching users in all supported products. Currently supported integrations include Cisco Duo.
Release Email Messages from Quarantine	Move email messages back to user inboxes after verifying the messages are not malicious.	XDR - Release Email Messages from Quarantine This workflow consumes one or more email message IDs and attempts to release matching messages from quarantine in all supported products. Currently supported integrations include Microsoft Defender for Office 365.
Close and Export Incident	Incident closure and incident summary data retention in an external system.	XDR - Close and Export Incident This workflow is designed to be executed when an incident is resolved and ready to be closed. The workflow will export the incident summary to a supported product and then mark the incident as closed. Currently supported integrations include Elastic Cloud and Splunk Cloud.

Click the Add Note button to open a text editor where you can document your findings. Click Save to add the note to the Actions taken panel.
Click the Execute button to run a workflow that automates the task. The result of running the workflow is added to the Actions taken panel and Worklog page.

Click Close Incident to change the status of the incident to Closed.

Actions Taken

The Actions taken panel provides a view of all the notes that have been entered for the tasks and the results of any automated workflows that have been executed for the tasks.