About Cisco Live | Link to Session Presentation | Link to Session Recording
> **Note**
> At Cisco Live 2023, we demonstrated how you could author an incident response workflow in the XDR Automate GUI and automatically trigger it with the detection & subsequent creation of an incident in XDR, leveraging Automation Rules. We used a Command & Control attack as an example to present investigation with Cisco Umbrella & remediation with Cisco Secure Endpoint. See 2023's session repository for more details.
We refer to these workflows as being rules-based because they only work for the use-cases that they are authored for and follow a pre-defined, prescriptive sequence of activities.
At Cisco Live 2024, we introduced a framework built with XDR Automate that enables AI-driven response workflows, powered by a Large Language Model and equipped with specialized tools, that can triage a large variety of incident types without pre-defined, prescriptive sequencing of activities.
At Cisco Live 2025, we have expanded the 2024 framework built with XDR Automate to utilize multiple agents. The AI Agent workflow can be utilized by itself to accomplish nearly any task. We demonstrate how an Incident Agent Orchestrator workflow can assign tasks to different agents to further improve our incident response.
This framework will allow you to:
- Benefit from the vast, inherent knowledge AI Large Language Models have of how to respond to security events, readily applied to XDR Incidents
- Bring or create your own XDR Automate 'tool' workflows to teach or empower AI to interface with a product or capability, perform analysis or collaborate with other AI agents & tools
- Control AI's behavior or change functionality using natural language in plain text (seriously, how much simpler could it get?). You can inject a set of custom instructions stored in Pinecone or another source of your choosing.
The visualization below represents how the framework comes together:
```mermaid
graph TD
    CiscoSecure[Cisco Secure<br/>Umbrella, Secure Endpoint, Secure Cloud Analytics etc.] -->|Events| XDRIncident[XDR Incident]
    XDRIncident --> AutoRule[Automation Rule]
    AutoRule -->|Triggers| Xdrmultiagent[XDR MultiAgent Orchestrator]
    ToolInputs[Tools] -.->|Input| XdrAiAgents[XDR AI Agents]
    Xdrmultiagent[XDR MultiAgent Orchestrator] -->|Calls| XdrAiAgents[XDR AI Agents]
    subgraph XdrAiAgents[XDR AI Agents]
        plannerAgent[Planner Agent]
        investigatorAgent[Investigator Agent]
        reviewerAgent[Reviewer Agent]
    end
    subgraph ToolWorkflows[Tool Workflows]
        reqApproval[Request Approval]
        secEndpointAPI[Secure Endpoint API]
        umbInvestigate[Umbrella Investigate]
        updateIncident[Update XDR Incident]
        sendWebexMsg[Send Webex Notification]
    end
    ToolWorkflows[Tool Workflows] --> ToolInputs
    AzureOpenAI[Azure OpenAI] <--> Xdrmultiagent[XDR MultiAgent Orchestrator]
    Pinecone[Pinecone] <--> Xdrmultiagent[XDR MultiAgent Orchestrator]
```
- XDR MultiAgent Orchestrator: Parent workflow that brings it all together. This workflow accepts XDR Incidents and calls the other agents at its disposal in an attempt to diagnose, investigate and remediate the incident.
- XDR AI Agent: The base intelligent agent workflow. This workflow takes inputs of role, description, task, output format, and tool categories, and uses the available tools (workflows) to accomplish the task.
- [Subworkflow] Convert Workflows to OpenAI Tools: This workflow automagically converts your XDR Automate workflows into 'tools' that the XDR Incident Agent can use.
- Tool Workflows (we provide the following as examples):
  - Tool - Request Change Approval: creates an approval task in XDR for human intervention.
  - Tool - Secure Endpoint API: a web service client to interact with the Secure Endpoint API.
  - Tool - Umbrella Investigate API: a web service client to interact with the Umbrella Investigate API.
  - Tool - Update XDR Incident: creates a worklog entry/note on an XDR incident.
  - Tool - Send Webex Notification: sends a message to a Webex space.
- Descriptions: Your workflow, input & output variables must have descriptions. This is how the XDR Incident Agent interprets what each tool does, which directly influences which tool it selects to perform the task it needs to perform.
- Outputs: For consistency, have one output variable (like `o_message_content` in the example tools) per tool workflow, which you populate with the successful execution output (like the response payload for a tool that makes an API request) or with the error message in the event your tool workflow fails.
- Categorize: Put all your tool workflows into a category. You will then supply the name of this category as input to the Convert Workflows to OpenAI Tools workflow; this is how it knows where to find your tools.
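As an added illustration of the three conventions above and of what the Convert Workflows to OpenAI Tools subworkflow has to produce (example code, not the repository's own subworkflow), the Python below reads a constructed, assumed shape of workflow metadata, keeps only the workflows in the chosen category, rejects any whose workflow or input descriptions are empty, emits OpenAI function-calling tool definitions, and wraps a finished tool's `o_message_content` as the message the model receives:

```python
import re

# Constructed workflow metadata, standing in for what the converter would read from XDR Automate.
SAMPLE_WORKFLOWS = [
    {"name": "Tool - Umbrella Investigate API", "category": "AI Tools",
     "description": "Look up the reputation and categories of a domain in Umbrella Investigate.",
     "inputs": [{"name": "i_domain", "type": "string", "required": True,
                 "description": "Domain to look up."}]},
    # Input without a description: the agent cannot know what to pass, so this one must be rejected.
    {"name": "Tool - Send Webex Notification", "category": "AI Tools",
     "description": "Send a message to a Webex space.",
     "inputs": [{"name": "i_text", "type": "string", "required": True, "description": ""}]},
    # Outside the tool category: not a tool, ignored.
    {"name": "Nightly Report", "category": "Reporting", "description": "Email a report.", "inputs": []},
]

def tool_name(workflow_name: str) -> str:
    """OpenAI function names allow only [A-Za-z0-9_-] and 64 chars; derive one from the workflow name."""
    return re.sub(r"[^A-Za-z0-9]+", "_", workflow_name).strip("_")[:64]

def workflow_to_tool(wf: dict) -> dict:
    """Build one OpenAI function tool. Descriptions are what the agent selects tools by, so missing ones fail."""
    inputs = wf.get("inputs", [])
    missing = [i["name"] for i in inputs if not i.get("description")]
    if not wf.get("description") or missing:
        raise ValueError(f"{wf['name']}: missing description on {missing or 'the workflow'}")
    properties = {i["name"]: {"type": i["type"], "description": i["description"]} for i in inputs}
    required = [i["name"] for i in inputs if i.get("required")]
    return {"type": "function", "function": {
        "name": tool_name(wf["name"]), "description": wf["description"],
        "parameters": {"type": "object", "properties": properties, "required": required}}}

def convert_category(workflows: list, category: str) -> tuple:
    """Convert every workflow in `category`; return (tools, reasons for the workflows skipped)."""
    tools, skipped = [], []
    for wf in (w for w in workflows if w.get("category") == category):
        try:
            tools.append(workflow_to_tool(wf))
        except ValueError as err:
            skipped.append(str(err))
    return tools, skipped

def tool_result_message(call_id: str, outputs: dict) -> dict:
    """Hand a finished tool workflow back to the model; o_message_content carries the success payload or error text."""
    content = outputs.get("o_message_content") or "tool workflow produced no o_message_content"
    return {"role": "tool", "tool_call_id": call_id, "content": str(content)}
```

Reporting skipped workflows, rather than silently dropping them, is what lets you notice a tool the agent will never be able to call.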
Please note that workflow content in this repository will not be kept up to date with new code releases/patches. If you're a Cisco Live attendee, you may create an issue on this repository or reach out to us via email for queries and/or feedback.
Oh and, while you're here, you may want to check out some of our other content as well 🚀
Contributors:
- Aman Sardana (amasarda@cisco.com)
- Scott Dozier (scdozier@cisco.com)
- Steve Holl (sholl@cisco.com)
Cisco CX, 2025