Worklog

The Worklog page in the incident details is used to enter notes about the incident and to view the audit log of changes that have been made to the incident.

Worklog Notes

You can filter and sort the data on the page, and add a new note to the incident.

By default, all events are displayed. You can filter the display of events using the Filters menu to the left of the number of matching results.

Perform the following steps to use the Filters menu to narrow the display of events on the Worklog page:

  1. Click the (Filters) icon to open the Filters menu.

  2. Check the check boxes for what you want to be displayed on the page:

    • Automation - Check this check box to display actions taken from automated workflows configured with Automation Rules. This includes tasks executed from the response playbook on the Response page.

    • Incident Changes - Check this check box to display modifications made to the incident, such as updates to the incident title, descriptions, assignments, and status.

    • Notes - Check this check box to display all the notes that were manually added by users. Users can add notes on the Worklog page or within tasks in the response playbook on the Response page.

    • Response Actions - Check this check box to display actions that were taken from the response playbook. This includes notes that were manually added to playbook tasks and results from tasks that were executed from the response playbook on the Response page.

  3. Click Apply to save your filter options.

    The list on the Worklog page will refresh and only display those events that match the filter criteria.

    The total number of match results is updated, along with filter chips indicating the filter selections. To remove a selected filter, click the X in the filter chip and the list will refresh.

When the Automation filter is checked, the actions taken from automated workflows configured with Automation Rules are displayed on the Worklog page, including tasks executed from the response playbook on the Response page.

When the Incident changes filter is checked, all the modifications made to the incident are displayed on the Worklog page. These updates include changes to the incident title, descriptions, assignments, and status.

Audit Log

When the Notes filter is checked, all response action notes and incident notes that were manually added by users are displayed on the Worklog page. These notes include:

  • Response Action Notes - These are notes created by users when they click Add Note for a task in the response playbook on the Response page. In this scenario, the note is also tied to a course of action or task. The relationship between the note and task is what indicates that this is a response action note versus an incident note that has been manually entered by the user on the Worklog page.

  • Incident Notes - These are notes created by a user when the user clicks Add Note on the Worklog page. These notes are unrelated to any response action (no relationship to any task); they are only related to the incident.

Worklog Notes

When the Response actions filter is checked, all actions that were taken from the response playbook are displayed on the Worklog page. These response actions include:

  • Notes - These are notes created by a user when they click Add Note for a task in the response playbook on the Response page. In this scenario, the note is also tied to a course of action or task. The relationship between the note and task is what indicates that this is a response action note versus an incident note that has been manually entered by the user on the Worklog page.

  • Workflow Logs - These are response action log entries created by an Automation workflow that is executed from the Response page. These logs are generated by the system when the user clicks Execute for a workflow in the task.

Audit Log

View Workflow Run

Click View run next to any executed workflow to open the Workflow Run drawer and view a high-level summary of the workflow execution. The drawer includes information such as the workflow title, who it was started by, start and end date and time, status, and inputs.

Workflow Run Drawer

Note: Action data is only available for 30 days. If the workflow execution has exceeded 30 days, the data is archived and will not be displayed in a Workflow Run drawer.

Click View run details to open the full Workflow Properties and view complete information about the workflow run. See Workflow Properties for more information.

To sort the list of data, click the Sort by filter menu and choose Sort by Newest or Sort by Oldest.

Perform the following steps to enter a new note for the incident:

  1. On the Worklog page, click Add Note to open the text editor.

  2. Enter a new note about the incident using markdown or regular text. Use the formatting toolbar to format the text, if necessary.

    3. Note: If you navigate away from the text editor while editing, the content is automatically saved as a draft for the current browser tab only. The draft content is not available if the same session of Cisco XDR is opened in another browser tab. To restore the content, return to the text editor and continue with your edits or click Undo or Use draft to remove or restore the draft content.

  3. Click Preview to review the note text.

  4. Click Save to add the note to the Worklog.