Cisco and Third-Party Integrations and Supported Capabilities
Cisco and third-party integrations provide various capabilities to Cisco XDR, leveraging the information available in the integrated product. The following is a list of the various capabilities:
Note: All third-party integrations require Cisco XDR Advantage or Cisco XDR Premium licensing tier. For more information, see Cisco XDR Licenses.
-
Detection Analytics and Correlation - Logs and security events from the integrated product are ingested into the data warehouse and are correlated and analyzed using artificial intelligence and machine learning to create actionable Cisco XDR incidents.
-
Threat Hunting and Investigation - In response to queries from Cisco XDR during investigations, the integrated product can report sightings, reputations, and other information about the queried observables to include and display in Cisco XDR's investigation results. For example, "file hash a03e[...] was seen on endpoint sdf-01 at 2023-01-23 13:45:32 and initiated a connection to <domain>" or "file hash a03e[...] is rated Malicious".
-
Dashboard Tiles - Products may provide tiles showing metrics of usage, prevention, and other system performance indicators. The tiles are displayed on the Control Center page. By default, the Overview dashboard displays incident details, such as a list of unassigned incidents and the number of incidents reported by sources. You can create additional dashboards and tiles depending on the products integrated within your organization. For more information on adding new tiles, see Configure Dashboards and Tiles and for a list of available tiles, see Dashboard Tiles.
-
Asset Insights and Context - Inventory provides you with a unified view of the devices and/or users in your organization by consolidating inventories from the products you have integrated with Cisco XDR. These integrations can report inventory and system data to Assets to contribute to that holistic view in order to better identify vulnerabilities, prevent threats, and prioritize remediations. See Sources for more information on sources in Assets.
-
Automation and Response
-
Controls and Responses - In response to queries from Cisco XDR during investigations, in rendering Pivot menus, or via Automation, the integrated product can provide links to enact its responses or controls on or about the queried observable(s). For example, "add file hash a03e[...] to blocklist".
-
Security Operations Center (SOC) Automation - The integrated product can be leveraged in Automation using Cisco-provided atomics and/or workflows.
Note: Products with a No in this column may also be used in Automation but these objects would need to be created by the user.
-
The following table provides a list of the Cisco and third-party integrations and the capabilities supported by each integration, along with links to access the product documentation:
|
Integration |
Detection Analytics and Correlation |
Threat Hunting and Investigation |
Dashboard Tiles | Asset Insights and Context |
Automation and Response |
|
|---|---|---|---|---|---|---|
|
Controls and Responses |
Security Operations Center (SOC) Automation | |||||
| Cisco Integrations | ||||||
| Attack Surface Management | No | No | Yes | No | No | No |
| Cisco Defense Orchestrator | No | No | Yes | No | No | Yes |
| Cisco Duo | No | No | No | Yes | No | Yes |
| Cisco Secure Email and Web Manager | No | Yes | Yes | No | No | No |
| Cisco Secure Web Appliance | No | Yes | Yes | No | Yes | No |
| Cisco Threat intelligence API | No | Yes | Yes | No | Yes | No |
| Cisco Vulnerability Management | No | No | No | No | No | Yes |
| Cyber Vision | No | No | No | Yes | No | No |
| Meraki | No | No | No | Yes | No | Yes |
| Orbital | No | Yes | No | Yes | No | Yes |
| Secure Cloud Analytics | Yes | Yes | Yes | No | No | Yes |
| Secure Email Appliance | No | Yes | Yes | No | No | Yes |
| Yes | Yes | Yes | No | No | No | |
| Secure Endpoint | Yes | Yes | Yes | Yes | Yes | Yes |
| Secure Firewall | No | Yes | Yes | No | Yes | Yes |
| Secure Malware Analytics | No | Yes | Yes | No | No | Yes |
| Secure Network Analytics | No | Yes | Yes | No | Yes | Yes |
| Secure Web Appliance | No | Yes | Yes | No | Yes | No |
| Secure Workload | No | No | Yes | No | No | No |
| Umbrella | No | Yes | Yes | Yes | Yes | Yes |
| No | No | No | No | No | Yes | |
|
Third-Party Integrations Note: Legacy third-party integrations that are not listed in this table may still work but they are not officially supported in Cisco XDR. |
||||||
| No | Yes | No | No | No | Yes | |
| No | No | No | No | No | Yes | |
| CrowdStrike | Yes | Yes | No | Yes | Yes | Yes |
| Cybereason | No | Yes | No | Yes | No | Yes |
| Darktrace RESPOND & DETECT | No | Yes | No | No | Yes | Yes |
| No | No | No | No | No | Yes | |
| No | No | No | Yes | No | No | |
| No | No | No | Yes | No | No | |
| No | No | No | No | No | Yes | |
| Microsoft Azure Active Directory - Users | No | No | No | Yes | No | No |
Microsoft Defender for Endpoint  |
Yes | Yes | No | Yes | Yes | Yes |
| Microsoft Defender for Office 365 |
No | Yes | No | No | Yes | Yes |
| No | No | No | Yes | No | No | |
| No | No | No | No | No | Yes | |
| No | Yes | No | Yes | No | Yes | |
| No | Yes | No | No | No | No | |
| No | No | No | No | No | Yes | |
| SentinelOne | No | Yes | No | Yes | Yes | Yes |
| No | No | No | No | No | Yes | |
| No | Yes | No | No | No | No | |
| No | No | No | No | No | Yes | |
| No | Yes | No | Yes | No | Yes | |
| No | Yes | No | No | No | No | |
| No | No | No | Yes | No | No | |
| No | No | No | No | No | Yes | |
| No | No | No | No | No | Yes | |
For more information on Cisco integrations, see Cisco Integrations and for more information on the third-party integrations, see Third-Party Integrations.
Secure Cloud Analytics
The following is a list of integrations you can configure in Cisco Secure Cloud Analytics (now a part of Cisco XDR) to collect telemetry for detection analytics and correlation in Cisco XDR:
For information on how to configure integrations in Secure Cloud Analytics, see Secure Cloud Analytics Documentation.