Configure Email Notification Automated Workflow with XDR

Available Languages

Download Options

  • PDF     (1.7 MB)
    View with Adobe Reader on a variety of devices
Updated:June 23, 2025
Document ID:223142

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to create an automated workflow to send an email notification for a new incident. 

    Prerequisites

    Requirements

    There are no specific requirements for this document.

    Components Used

    This document is not restricted to specific software and hardware versions.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    This guide details the steps necessary to configure and activate a workflow to automatically send an email notification when an incident occurs. The steps are detailed as follows.

    Install the Workflow from Cisco XDR Exchange

    Step 1. Install the Endpoint Isolation Workflow

    1. Log in to Cisco XDR and navigate to Automate > Exchange.
    2. Search for the workflow named Cisco XDR - Send Email Notification for New Incident and click Install.Send Email Notification Workflow from ExchangeSend Email Notification Workflow from Exchange
    3. Check the necessary information to configure the workflow correctly.Send Email Notification Workflow OverviewSend Email Notification Workflow Overview
    4. Fill the Account Keyswith the email credentials to set the sender. The Displayed name is Notification Email Credentials and Click Next.Account Keys for WorkflowAccount Keys for Workflow
    5. Configure the target information with:
      • Account Keys: Notification Email Credentials
      • Email
        • SMTP server: smtp.gmail.com
        • SMTP Port: 587

    Target Configuration for WorkflowTarget Configuration for Workflow

    1. Click Next.
    2. Update the variable for:
      • Recipients
      • Sender

    Assign Variables for WorkflowAssign Variables for Workflow

    8. Click Next.

    9. Navigate to Automate > Workflows to check the Validated status.Workflow Validated StatusWorkflow Validated Status

    Create an Automation Rule

    Step 2. Configure an Automation Rule

    1. Navigate to the Automation > Triggers section.
    2. Create a new rule. Click Add automation rule and assign a nameAdd Automation Rule from TriggersAdd Automation Rule from Triggers
    3. Select Incident Rule type and define the trigger conditions. You can proceed without the need to add a rule condition, which ensures that any incident activates this rule. Customize the conditions if necessary.

    Automation Rule Type and ConditionsAutomation Rule Type and Conditions

    4. Apply the Automation Rule to the Cisco XDR - Send Email Notification for New Incident workflow you installed earlier. Set the Recipients and Sender variables.Apply the Automation Rule to the Workflow and Assign VariablesApply the Automation Rule to the Workflow and Assign Variables

    5. Save the rule.

    Validate Workflow Functionality

    Step 3. Verify Workflow Execution

    1. Generate or wait for an incident that meets the conditions of the rule. New Incident in Cisco XDR DetectedNew Incident in Cisco XDR Detected
    2. Click Incident and then View Incident Detail.

    View Incident Details ButtonView Incident Details Button

    3. Once the incident is created, check the Worklog tab within the incident to confirm that the workflow executed successfully.Incident Worklog Tab InformationIncident Worklog Tab Information

    Step 4. Confirm Email Notification

    1. Log in to the email account.
    2. Locate the Inbox mailbox.
    3. Check the email received.
    4. Verify the Incident title, Source and Short Description.

    New Incident Notification EmailNew Incident Notification Email

    note-icon

    Note: The initial incident name is generated based on the first detection; however, it can change if additional detections occur or new information enriches the incident.

    Revision History

    Revision Publish Date Comments
    1.0
    24-Jun-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Uriel Zamora Hernandez
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products