Assignment Rules

The Assignment Rules tab on the Playbooks page shows the assignment rules that have been created for your organization to be used to assign playbooks to incidents. You use this page to manage the automation rules to associate playbooks to new incidents.

Assignment Rules

Note: If no assignment rules are created, the default playbook is assigned to all incidents upon creation. The default playbook is shown at the bottom of the rules list.

From the Assignment Rules page, you can perform the following tasks:

You can create new rules to be used to assign playbooks to incidents based on specific custom conditions of your choosing. When an incident is created and it matches the conditions in the rule, the playbook that is specified in the rule is assigned to the incident and is also displayed on the Response page for the incident (see Incident Response).

Perform the following steps to create a new playbook assignment rule:

  1. Choose Administration > Playbooks in the left navigation menu.

  2. On the Playbooks page, click the Assignment Rules tab.

    3. Assignment Rules

  3. Click Create Rule to open the New Playbook Assignment Rule drawer.

    4. Note: If you navigate away from the New Playbook Assignment Rule drawer while editing, the content is automatically saved as a draft for the current browser tab only. The draft content is not available if the same session of Cisco XDR is opened in another browser tab. To restore the content, return to the New Playbook Assignment Rule drawer and continue with your edits or click Undo or Use draft to remove or restore the draft content.

  4. Enter a Title and Description for the assignment rule (required).
  5. In the Conditions panel, click Add Condition and specify the conditions that will trigger the rule:
    • Property - Click the drop-down list and choose the property in the incident to match or enter the property in the Search field to find a specific property.
    • Comparison - Click the drop-down list and choose the operator.
    • Value - Click the drop-down list and choose the value that must be matched or enter the value, depending on the data type. If you enter a value, click Create new item to save it.

    To delete a condition, click the (Ellipsis) icon next to it and choose Delete.

  6. If you add multiple conditions, specify one of the following to indicate which condition must be met to trigger the rule:
    • ALL of these conditions must be met - Click this option if every condition must be met before the rule is triggered (AND logic).
    • ANY of these conditions can be met - Click this option if any one of the conditions, when met, will trigger the rule (inclusive OR logic)
  7. In the Playbook panel, click the drop-down list and choose the playbook to be associated with the rule. Upon incident creation, this is the playbook that will be assigned to the incident and displayed on the Response page for the incident if the conditions of the rule are met.
  8. Click Save.

    9. A newly created rule is turned On by default. To disable the rule, click the toggle to Off.

You can edit an assignment rule to change the title and description, add or remove conditions, or change the playbook assigned to it.

Perform the following steps to edit a playbook assignment rule:

  1. Choose Administration > Playbooks in the left navigation menu.

  2. Click the Assignment Rule tab.

  3. Click the playbook name to open the Playbook drawer.

  4. Click Edit and modify any of the information on the form.

    5. Note: If you navigate away from the form while editing, the content is automatically saved as a draft for the current browser tab only. The draft content is not available if the same session of Cisco XDR is opened in another browser tab. To restore the content, return to the form and continue with your edits or click Undo or Use draft to remove or restore the draft content.

  5. Click Save.

Assignment rules must be enabled before they can be evaluated for playbook assignment when an incident is created.

Perform the following steps to enable or disable an assignment rule:

  1. Choose Administration > Playbooks in the left navigation menu.

  2. Click the Assignment Rule tab.

  3. Scroll to the assignment rule and click the On/Off toggle to enable (On) or disable (Off) the rule.

The assignment rules can be reordered to trigger in a specific sequence when incidents may not meet the conditions of a particular rule.

The order in which the rules are displayed is the order in which evaluation is performed upon incident creation. The first rule that is evaluated as true upon incident creation, will assign the designated playbook to the incident and no further rule evaluation is performed.

It is recommended to add more specific rules to the top. and more generic catch-all type rules to the bottom.

Perform the following steps to reorder assignment rules:

  1. Choose Administration > Playbooks in the left navigation menu.

  2. Click the Assignment Rule tab.

  3. Click the (Grabber) icon on the rule and move it to the desired position.

If an assignment rule is no longer needed, you can delete it. Perform the following steps to delete a playbook assignment rule:

  1. Choose Administration > Playbooks in the left navigation menu.

  2. Click the Assignment Rule tab.

  3. Click the playbook name to open the Playbook drawer.
  4. Click Edit and then click Delete.
  5. On the Delete Rule confirmation dialog box, click Delete.

    6. The rule is removed from the list.