Built-in workflows

Workflows built into XDR by default; no installation or configuration required.

Contact sales
About built-in workflows

Workflows typically achieve an end-to-end use case. For example, fetching information from an incident, identifying endpoints to isolate, and requesting isolation for each endpoint. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome by taking one or more smaller steps. The workflows listed here are built into Cisco XDR and do not require installation or, in most cases, configuration. More information about workflows can be found in the Cisco XDR product documentation.

XDR - Automation Rule - Update Incident Properties
Cisco Managed
This workflow allows you to update an incident's properties.
Learn more
XDR - Close and Export Incident
Cisco Managed
This workflow is designed to be executed when an incident is resolved and ready to be closed.
Learn more
XDR - Confirm Incident
Cisco Managed
This workflow updates an incident's status to Incident Reported, creates a chat room using a supported messaging integration, and then adds the incident's assignees to that room.
Learn more
XDR - Contain Incident: Assets
Cisco Managed
This workflow consumes one or more hostnames and attempts to isolate matching endpoints in all supported products.
Learn more
XDR - Contain Incident: Domains
Cisco Managed
This workflow consumes one or more domains and attempts to block them in all supported products.
Learn more
XDR - Contain Incident: File Hashes
Cisco Managed
This workflow consumes one or more SHA-256 file hashes and attempts to block them in all supported products.
Learn more
XDR - Contain Incident: IP Addresses
Cisco Managed
This workflow consumes one or more IP addresses and attempts to block them in all supported products.
Learn more
XDR - Contain Incident: Quarantine Email Messages
Cisco Managed
This workflow consumes one or more email message IDs and attempts to quarantine matching messages in all supported products.
Learn more
XDR - Contain Incident: URLs
Cisco Managed
This workflow consumes one or more URLs and attempts to block them in all supported products.
Learn more
XDR - Contain Incident: Users
Cisco Managed
This workflow consumes one or more usernames or email addresses and attempts to lock out or disable matching users in all supported products.
Learn more
XDR - Delete Email Messages
Cisco Managed
This workflow consumes one or more email message IDs and attempts to delete matching messages in all supported products.
Learn more
XDR - Document and Notify
Cisco Managed
This workflow parses an XDR incident and creates a matching/linked ticket in a supported ticketing integration.
Learn more
XDR - Identify Vulnerabilities
Cisco Managed
This workflow consumes one or more hostnames and attempts to fetch vulnerability information from all supported products.
Learn more
XDR - Release Email Messages from Quarantine
Cisco Managed
This workflow consumes one or more email message IDs and attempts to release matching messages from quarantine in all supported products.
Learn more
XDR - Restore Systems
Cisco Managed
This workflow consumes one or more hostnames and attempts to un-isolate matching endpoints in all supported products.
Learn more
XDR - Restore Users
Cisco Managed
This workflow consumes one or more usernames or email addresses and attempts to restore matching users in all supported products.
Learn more
XDR - Validate or Create Intelligence Feed
Cisco Managed
This workflow validates the configuration of Cisco XDR intelligence feeds and their associated indicators.
Learn more