Response
The Response page in the incident detail displays the playbook that can be used to assist in identifying, containing, and eradicating the threat, and then restoring systems to recover from the threat. Workflows are available for execution to automate some of the response tasks; notes are available to document your findings throughout the incident response process.
The name of the playbook that is assigned to the incident and the date it was published is displayed above the tasks.
Note: You can manage the playbooks that are assigned to incidents from the Playbooks feature in Administration (Administration > Playbooks). For more information, see Playbooks.
It is recommended that you go through each incident response process in the order presented to make sure you have performed all the recommended tasks.
By default, the tasks with a Not applicable status are hidden in the list of response tasks. To view all the tasks, including the Not applicable tasks, click the Hide Not applicable tasks toggle to off.
View Task Status
The task status is displayed as a color-coded badge next to the task after a workflow is executed or when the status is set by the user. The following is a list of the statuses:
| Status | Color | Description |
|---|---|---|
|
Complete |
Blue |
The workflow has been executed and completed. The status can also be manually set as Complete by the user when adding a note to the task. |
|
Running |
Purple |
The workflow execution has been started by the user and the workflow is currently running. Once completed, the status will change to Complete or an error. |
|
Workflow failed |
Red |
The workflow execution has been started by the user but it failed to complete. |
|
Failed to load Assets, Failed to load Observables, or Failed to load Assets and Observables |
Red |
Tthe asset data, observable data, or asset and observable data could not be retrieved due to HTTP network errors. Hover over the badge and click Try again to attempt to retrieve the assets, observables, or assets and observables again. |
|
Action required |
Yellow |
The workflow is executing but an Automation task (approval or prompt) requires user input before the workflow can continue. |
|
Not applicable |
Grey |
The status has been manually set as Not applicable by the user when adding a note to the task to indicate that the task is not applicable to the current incident response process. Note: By default, the Not applicable tasks are not displayed. You can display the Not applicable tasks by clicking the Hide not applicable tasks toggle to off. |
Add Note and Execute Workflows or View Requests for Tasks
All tasks include the 
(Add Note) icon to document your findings and, if applicable, the Execute or View button to execute workflows or respond to requests that automate part of the response process.
Add Note
The Add Note icon allows you to enter notes about the incident as you go through the triage and remediation process and you can assign a Not applicable or Complete status to the task when you add a note.
-
Click the
(Add Note) icon to open a text editor in the task drawer where you can document your findings. You can click Expand to open the text editor in a popup.
-
Enter a note about the incident using markdown or regular text. Use the formatting toolbar to format the text, if necessary.
Note: If you navigate away from the text editor while editing, the note is automatically saved as a draft for the current browser tab only. The draft content is not available if the same session of Cisco XDR is opened in another browser tab. To restore the note, return to the text editor and continue with your edits or click Undo or Use draft to remove or restore the draft content.
-
Click the Preview to review the note text.
-
Once completed, click the Add note drop-down and choose one of the following:
-
Add note - Adds the note to the task drawer, Actions taken panel, and Worklog page without setting a status.
-
Add note and set as "Complete" - Adds the note to the task drawer, Actions taken panel, and Worklog page, and sets the task status as Complete. The status is displayed next to the task.
-
Add note and set as "Not applicable" - Adds the note to the task drawer, Actions taken panel, and Worklog page, and sets the task status as Not applicable. The status is displayed next to the task.
To remove the task status, click Add note to open a text editor and choose Add note and remove "Complete" status or Add note and remove "Not applicable" status.
-
Execute
The workflows that are used in the response tasks act on the entire object (for example, creates a ServiceNow ticket) or specific observables in the incident (for example, contains file hashes using Endpoint Detection and Response). You execute the workflow based on observables found within the incident. Otherwise, the workflow applies to the entire incident.
-
If the workflow does not require observables from the incident, click the Execute button in the task to initiate the workflow.
-
If the workflow requires observables from the incident, click the Execute button in the task to open a drawer and check the check box next to the observables on which the workflow should be executed. Click Execute in the lower portion of the drawer to run the workflow on the selected observables.
The result of running the workflow is added to the Actions taken panel. A more detailed output of the workflow is added to the Incident Worklog.
Note: The Execute button is disabled if the logged in user has a Security Analyst role assigned to their user account. Security Analysts can enter notes but cannot execute workflows.
View
During the execution of a workflow, the View button is displayed if user input is required for an Automation task (approval or prompt) before the workflow can continue. Click View next to the response task or click the task link in the task drawer to open the Automation task that requires user input. For details, see Tasks. Once you save your changes, the workflow continues to run and the status of the task is changed to Complete on the Response page when the workflow is complete.
View Task Details in Drawer
When you click a task in the list, the Task drawer opens where you can quickly view the notes that were manually added to the task and results of any automated workflows that have been executed for the task. You can also add notes to document your findings.
View Workflow Run
Click View run next to any executed workflow to open the full Workflow Properties and view complete information about the workflow run. See Workflow Properties for more information.
Note: Action data is only available for 30 days. If the workflow execution has exceeded 30 days, the data is archived and will not be displayed in the Workflow Editor environment.
Add Note
Click the Add note button to open a text editor where you can document your findings. See Add Note for more information.
Identification
The identification phase of the incident response process helps determine whether the threat is valid and if the investigation should continue. This phase includes tasks to review the incident to determine that the incident is a true positive and anomalous behavior, analyze the indicators, confirm the incident and assign a status, and document all evidence related to the incident and notify involved parties.
Identification Tasks and Workflows
The Identification phase includes the following tasks and workflows in the Cisco Managed Incident Playbook:
|
Task |
Description |
Automation Workflow |
|---|---|---|
|
Review Incident |
Add a note to record the evidence for assigning a status of Rejected, Open, or Incident Reported. |
— |
|
Analyze Indicators |
Create judgment(s), as necessary, and add a note confirming any Malicious or Suspicious reputations. |
— |
|
Identify Affected Hosts |
Add a note with summary of findings on the investigations of hosts found with malicious indicators. |
— |
|
Confirm Incident |
Determine the incident status as Open, Rejected, Incident Reported, or Stalled. |
XDR - Confirm Incident This automation workflow updates the incident status to "Incident Response" and, if the incident has assignees and a compatible messaging integration is enabled, the workflow creates a chat room for incident triage and collaboration. |
|
Document and Notify |
Create an incident ticket with the appropriate parameters and contextual incident information. |
XDR - Document and Notify This automation workflow creates a ticket in your integrated IT Services Management System (ITSMS) and adds the ticket to this incident. Currently supported ITSMSs include ServiceNow and Zendesk. |
-
Click the Add Note button to open a text editor where you can document your findings. Click Save to add the note to the Actions taken panel.
-
Click the Execute button to run a workflow that automates the task. The result of running the workflow is added to the Actions taken panel and Worklog page.
If the incident has multiple observables, click the Execute button to open the drawer and check the check box next to the observables on which the workflow should be executed, and then click Execute in the drawer to run the workflow.
Once all of the identification tasks have been performed, click Go to Containment to perform the containment phase of the incident response process.
Containment
The containment phase of the incident response process includes tasks to identify the affected hosts and contain indicators of compromise to stop the spread of malicious activity. It also includes tasks to implement additional monitoring to detect any malicious activity related to the incident, and to identify vulnerabilities.
Containment Tasks and Workflows
The Containment phase includes the following tasks and workflows in the Cisco Managed Incident Playbook:
|
Task |
Description |
Automation Workflow |
|---|---|---|
| Contain Incident: Overview | Overview of how to contain Indicators of Compromise to stop the spread of malicious activity. | — |
| Contain Incident: Assets (Devices) | Use asset-based containment to stop the spread of malicious activity. |
XDR - Contain Incident: Assets This automation workflow isolates and quarantines all selected assets on your integrated Endpoint Detection and Response (EDR) solutions. Currently supported EDRs include Cisco Secure Endpoint, CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, TrendMicro, and Cybereason. |
|
Contain Incident: Assets (Users) |
Use user-based containment to stop the spread of malicious activity. |
XDR - Contain Incident: Users This automation workflow consumes one or more usernames or email addresses and attempts to lock out or disable matching users in all supported products. Currently supported integrations include Cisco Duo and Microsoft Entra ID. |
| Contain Incident: IPs | Contain IP indicators of compromise to stop the spread of malicious activity. | — |
| Contain Incident: Domains | Contain domain indicators of compromise to stop the spread of malicious activity. |
XDR - Contain Incident: Domains This automation workflow blocks the selected domain names on your integrated network policy enforcement solutions. Currently supported integrations include Cisco Umbrella. |
| Contain Incident: URLs | Contain URL indicators of compromise to stop the spread of malicious activity. |
XDR - Contain Incident: URLs This automation workflow blocks all selected URL names on your integrated network policy enforcement solutions. Currently supported integrations include Cisco Umbrella. |
|
Contain Incident: File Hashes |
Contain file hash indicators of compromise to stop the spread of malicious activity. |
XDR - Contain Incident: File Hashes This automation workflow blocks all selected file hashes on your integrated Endpoint Detection and Response (EDR) solutions. Currently supported EDRs include Cisco Secure Endpoint, CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, TrendMicro, and Cybereason. |
|
Implement Additional Monitoring |
Implement additional monitoring that reviews host and network containment, and eradication success. |
— |
|
Identify Vulnerabilities |
Scan host(s) for vulnerabilities and add a note on the recommended patches to be applied and service request to have them installed, if submitted. |
XDR - Identify Vulnerabilities This automation workflow consumes one or more hostnames and attempts to fetch vulnerability information from your integrated Endpoint Detection and Response (EDR) solutions. Currently supported EDRs include Cisco Secure Endpoint, CrowdStrike, and SentinelOne. |
-
Click the Add Note button to open a text editor where you can document your findings. Click Save to add the note to the Actions taken panel.
-
Click the Execute button to run a workflow that automates the task. The result of running the workflow is added to the Actions taken panel and Worklog page.
If the incident has multiple observables, click the Execute button to open the drawer and check the check box next to the observables on which the workflow should be executed, and then click Execute in the drawer to run the workflow.
Once all of the containment tasks have been performed, click Go to Eradication to perform the eradication phase of the incident response process.
Eradication
The eradication phase of the incident response process includes tasks to mitigate or remediate vulnerabilities, remove malicious content, validate eradication and restore hosts, and implement monitoring the recovery from the threat.
Eradication Tasks and Workflows
The Eradication phase includes the following tasks and workflows in the Cisco Managed Incident Playbook:
|
Task |
Description |
Automation Workflow |
|---|---|---|
| Mitigate or Remediate Vulnerabilities | Add a note about the affecting vulnerabilites and how mitigations or remediation will be done | — |
| Remove Malicious Content | Add a note about the action achieved to ensure the removal of the malware. | — |
| Re-image Systems | Re-image systems, as needed. |
— |
-
Click the Add Note button to open a text editor where you can document your findings. Click Save to add the note to the Actions taken panel.
-
Click the Execute button to run a workflow that automates the task. The result of running the workflow is added to the Actions taken panel and Worklog page.
Once all of the eradication tasks have been performed, click Go to Recovery to perform the recovery phase of the incident response process.
Recovery
The recovery phase of the incident response process includes restoring the system to get you up and running.
Recovery Tasks and Workflows
The Recovery phase includes the following tasks and workflows in the Cisco Managed Incident Playbook:
|
Task |
Description |
Automation Workflow |
|---|---|---|
| Validate Eradicated Hosts and Unquarantine Assets | Confirm and acknowledge eradication steps are working as expected and number of infected host(s) is dropping. |
XDR - Unquarantine Assets This workflow consumes one or more hostnames and attempts to unquarantine matching endpoints in all the supported Endpoint Detection and Response (EDR) integrations. Currently supported EDRs include Cisco Secure Endpoint, CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, TrendMicro, and Cybereason. |
| Validate Re-imaged Hosts | Validate that each re-imaged system was completed by verifying new image creation date. | — |
| Implement Recovery Monitoring | Add a note on how you are going to monitor newly recovered systems for additional monitoring for anomalies or newly created incidents. | — |
|
Restore Contained Users |
Confirm and acknowledge eradication steps are working as expected and that users can resume accessing systems. |
XDR - Restore Users This workflow consumes one or more usernames or email addresses and attempts to restore matching users in all supported products. Currently supported integrations include Cisco Duo. |
|
Close and Export Incident |
Incident closure and incident summary data retention in an external system. |
XDR - Close and Export Incident This workflow is designed to be executed when an incident is resolved and ready to be closed. The workflow will export the incident summary to a supported product and then mark the incident as closed. Currently supported integrations include Elastic Cloud and Splunk Cloud. |
-
Click the Add Note button to open a text editor where you can document your findings. Click Save to add the note to the Actions taken panel.
-
Click the Execute button to run a workflow that automates the task. The result of running the workflow is added to the Actions taken panel and Worklog page.
Click Close Incident to change the status of the incident to Closed.
Actions Taken
The Actions taken panel provides a view of all the notes that have been entered for the tasks and the results of any automated workflows that have been executed for the tasks.
View Notes
Click View Notes to open the Worklog page, where you can view all response the notes and audit log for the incident. For more information, see the Incident Worklog help topic.
View Workflow Run
Click View run next to any executed workflow to open the Workflow Run drawer and view a high-level summary of the workflow execution. The drawer includes information such as the workflow title, who it was started by, start and end date and time, status, and inputs.
Note: Action data is only available for 30 days. If the workflow execution has exceeded 30 days, the data is archived and will not be displayed in the Workflow Run drawer.
Click View run details to open the full Workflow Properties and view complete information about the workflow run. See Workflow Properties for more information.
Export Response Actions
Click Export and choose to download the response actions in JSON or CSV format.