Device Details
The Device Details page shows everything Cisco XDR knows about a device, including device status, context, and which source provided which data. The information may include some or all of the following sections, collected from multiple sources and merged into one place for you in Cisco XDR. Additionally, some sources provide the ability to pivot to their respective consoles to further investigate the device, such as Secure Endpoint, Umbrella, and Duo.
Click the (Pivot Menu) icon next to the device name to take action on the device. You can perform some actions directly in the Pivot menu or pivot to the integrated product to perform additional actions. Users with an Administrator role can manually update the Device Value and Add Labels to the device as well.
Shows you a summary of some details of this device, such as hostname, IP addresses, location, and serial number. It also shows the associated users on this device. Click the (Pivot Menu) icon to take action on the IP and MAC addresses.
Note: Click on a user name to see what other devices this user has been seen on.
Shows you what Security Products are enabled on this device.
If the device is running Windows and has source data from Orbital, this section shows you what Windows Security Products are currently installed on this device and whether they’re disabled (you may need to enable them) or out of date (you may need to update them).
Where was this source seen? Shows you which sources provided Cisco XDR with the information for this device. Where available, you can click to pivot to the source and investigate this device further from that source’s dashboard, such as:
- Open Duo Admin Dashboard in New Window
- Open Cisco Umbrella Dashboard in New Window
Shows you information from Secure Client about this device, such as the deployment, profile modules, CSC UDID, and more. Click Device Events to pivot to the Device Events page where the search is automatically populated with the device name. For more information, see the Device Events help topic.
Note: The Last Seen field shows the time of the last notification, which happens when the deployment or endpoint is updated, not when the device was last used.
Cisco XDR has a distributed set of capabilities presented in the form of apps and tools in the Cisco XDR ribbon. The ribbon is located in the lower portion of the page, and persists as you move between the dashboard and other security products in your environment. To aid in your research and investigation, use the ribbon to access the casebook, apps, and settings, search observables for enrichment, and view incidents.
To add possibly compromised devices to the casebook in the Cisco XDR ribbon, use the Find Observables option in the ribbon. Based on the findings, you can add them to a casebook or choose to investigate further in Threat Response. You can pivot from the ribbon to Threat Response, manually initiate an investigation, and search on the device by hostname, for example.
For guidance, see the Ribbon help topic.