Sources

Sync with Sources

Each source contains information about the devices and users in its own inventory. To update the asset information in its unified inventory, Cisco XDR can use these methods, where supported, to sync with sources:

Sync

Pull data on-demand from the source, when you click Sync to manually initiate an update.
- Full sync
  
  A process that involves a standard API call to the source and download of its full inventory database. This call is performed during an initial sync and later over longer time intervals to avoid exhausting the API subsystem of the source.
- Delta sync
  
  When possible, the API call returns only what has changed since the last full or delta sync.
Webhook

Cisco XDR can listen and learn about changes to devices in a source’s inventory by registering with a webhook to the source. In this setup, Cisco XDR connects with the source using a webhook over REST API call and provides the source with a URL. The sources uses this URL to dynamically inform Cisco XDR of a change to a device. In doing so, the API usage will increase accordingly.

To adjust when and how often Cisco XDR syncs with a source, navigate to Assets > Sources and click the (Open Settings) icon (times are shown in UTC).

The following sources support these methods of updating asset information in Cisco XDR:

Source	REST API Full Sync	REST API Delta Sync	Webhook
Cisco Duo	yes	yes	no
CrowdStrike	yes	no	no
custom	no	no	no
Cybereason	yes	no	no
Cyber Vision	yes	no	no
Ivanti Neurons (formerly MobileIron)	yes	no	no
Jamf Pro	yes	no	yes
Meraki	yes	no	no
Microsoft Azure Active Directory - Users	yes	no	no
Microsoft Defender for Endpoint	yes	no	no
Microsoft Intune	yes	no	no
Orbital	no	no	yes
Palo Alto Networks Cortex XDR	yes	no	no
Secure Client	yes	no	yes
Secure Endpoint (formerly AMP for Endpoints)	yes	no	yes
SentinelOne	yes	no	no
ServiceNow SecOps	yes	no	no
Trend Vision One	yes	no	no
Umbrella	yes	yes	no
VMware Workspace ONE UEM (formerly AirWatch)	yes	yes	no

Add Source

Click Add More Sources to go to the Integrations page in Cisco XDR.
There are three sections:
- My Integrations
- Cisco Integrations
- Third-Party Integrations
You can search for an integration and filter by its capability, such as show me integrations capable of supporting the Assets feature.
Click Get Started or the (Add) icon under each integration module and follow the Integration Guide instructions.
- Review the important requirements and guidelines in the table below.
- For additional guidance, see the Integrations help topic.
- For how to troubleshoot common integration issues, see the TAC Troubleshooting Knowledge Base.

Note: There’s an indeterminate amount of time between adding a source and seeing all its assets and their data fully appear in the devices and users table. We aren’t just reflecting the inventory of the source, so you won’t see them all right away. We actually copy the data and examine all the fields to determine if it’s the same asset as another. When we do see the same asset from multiple sources, we process and merge the data to show a single asset and maintain accuracy.

Requirements and Guidelines

Integration Module	Important Notes
Cisco Duo	In order to access the Duo API, you must have a Duo Advantage or Duo Premier license level, Duo Free or Duo Essentials is not sufficient. In order to add Duo, you must have the role of Owner; an Administrator role is not sufficient to protect the API. In order to see Duo device data, in your auth policy for Trusted Endpoints select Require endpoints to be trusted and Require users to have the app under Device Health application. Duo for device data and Duo for user data will appear as separate sources on the Sources page. If you are using an older version of the Cisco Duo module, Secure Access by Duo, the integration will not send user data to Cisco XDR. You will need to update your Duo integration to use the latest Duo module that includes the Admin API.
CrowdStrike	—
Cybereason	—
Cyber Vision	Devices from Cyber Vision may have multiple MAC Addresses per device in the inventory table. Operating System (OS) details are rarely shown due to how Cisco XDR pulls data from Cyber Vision.
Ivanti Neurons (formerly MobileIron)	Currently, the Assets feature supports the cloud deployment only; an on-premises deployment has not yet been fully tested.
Jamf Pro	—
Meraki	Before generating a new API key, ensure that API access is enabled: In the Meraki Dashboard, navigate to Organization > Settings. In the Dashboard API access area, if there's an option to Enable access to the Cisco Meraki Dashboard API, check the box and click Save Changes. If you've previously added an APNS certificate in order to manage Apple devices from Meraki: Navigate to Systems Manager > Devices. Click Add devices and choose iOS. In the Apple Configurator area, the network ID is the string of 18 numerical digits within the URL. Copy the network ID into a safe place. Important: Do not close the window without first retrieving the network ID, because the network ID is not retrievable once this window gets closed. Otherwise, if you're not able to manage Apple devices from Meraki: You can obtain the network ID by using the Meraki API. Follow the steps in this Integrating Meraki Systems Manager with Cisco XDR video. When you enter the network ID in Cisco XDR If you copied it from the Apple Configurator area, prepend the 18-digit network ID with "N_" (for example, N_123456789123456789). If you obtained it by using the Meraki API, prepend the 18-digit network ID with "L_" (for example, L_123456789123456789).
Microsoft Azure Active Directory - Users	This source provides user data for the Users page. Some Azure user properties (for example, Last Login) require an Azure AD Premium P1/P2 license.
Microsoft Defender for Endpoint	—
Microsoft Intune	—
Orbital	The device count from an Orbital source on the Devices page may not match what you see in the Endpoints tab of that Orbital console. This behavior is expected: Orbital does not maintain its inventory of endpoints or nodes in the same way as a device manager or a full EDR solution. In contrast, it includes all endpoints that have had an Orbital connector installed at any time, not just the active ones in its inventory. The Asset feature creates a recurring daily job for all endpoints to perform. After the job is run on the endpoint and the resulting device information is sent back to Orbital, Cisco XDR is notified about the existence of that device from Orbital. If no job result for that device is received within 90 days, the Orbital endpoint is purged from the Devices page.
Palo Alto Networks Cortex XDR	—
Secure Endpoint (formerly AMP for Endpoints)	The API key must be Read/Write to successfully register the webhook. However, some environments require keys to be Read/Only for regulatory reasons. In this case, you would still select and create a Read/Write key initially. Then, after the configuration is successful, replace it with a Read/Only key.
SentinelOne	—
ServiceNow SecOps	You can only connect one ServiceNow SecOps account to one Cisco XDR organization. The ServiceNow SecOps integration module configuration is automatically created by ServiceNow. You do not need to activate the integration module in Cisco XDR.
Trend Vision One	—
Umbrella	If you're part of a MSP, MSSP, or multi-org tenant, the Assets feature will not receive any actual data from Umbrella about your devices, even if you've successfully integrated Umbrella with Cisco XDR. This is because the Umbrella MSP, MSSP, and Multi-Org Consoles do not currently support integration with Cisco XDR. You'll need to check the following check boxes in the Umbrella API (v2) area on the Add Integration form for Umbrella for the integration to work with the Assets feature: Devices Enabled Management Enabled The Assets feature can pull data from Umbrella for Windows and Mac devices only; there's currently no support for pulling data from its mobile devices.
VMware Workspace ONE UEM (formerly AirWatch)	Currently, the Assets feature supports the cloud deployment only; an on-premises deployment has not yet been fully tested. Requires an admin user account in a role that provides read access to the REST API for Compliance Policy, Devices, and Groups. You may also see the API key referred to as the Tenant Code.

Update a Source

To modify the configuration settings of a source:

Navigate to Administration > Integrations and expand the My Integrations section.
Click the integration name to open its current settings.
Edit the settings as needed, and click Save.
A message is displayed in the upper portion of the Edit Module form indicating that a health check is running. Once it completes, a message indicates whether there were any issues found with the configuration.

Delete Source

To delete a source:

Navigate to Administration > Integrations and expand the My Integrations section.
Click the integration name to open its current settings.
Click Delete, and then confirm by clicking Delete again.
The module is removed and its data is no longer available.

Add Custom Source

Note: You can only import a custom source for devices. User data cannot be imported using a custom source.

To import a particular group of your devices:

Click Add a Custom Source.
Enter a name and description in the New Custom Source drawer.
Click Apply.
Find the new custom source, and click the (Open Settings) icon.
Choose Upload CSV File.
Click Download Custom Source Template to download our template in a CSV file.
Open the downloaded CSV file, and populate the template with your particular group of devices.

Caution: Please follow our template carefully, since importing values entered incorrectly in the CSV file may corrupt your device data in Cisco XDR. Currently, the only fix would be to open a support case with Cisco to have us clear all your device data and start another data sync from scratch.
Click Choose File to select a CSV file that has been populated with devices.
Click Upload to add the devices to the custom source.

Note: It takes time to import the data from the sources. You’ll see devices appear as Cisco XDR processes the CSV file you uploaded.

Requirements and Guidelines

The following table describes the fields in the template and their requirements, where needed.

The CSV headers must match those in our template. Do not modify or delete any headers in the template. However, you can add headers and any column can be empty.

Header	Expected Value	Notes
extId	The unique identifier of this device from the management system which exported the data. For example, if the system of export is Microsoft Intune, the extId is Intune’s “id” field (such as “id: 9a3eaf6a-9642-41e9-911c-46decfe87424”).	—
name	The device’s hostname from the management system which exported the data.	Do not duplicate hostnames.
osType	windows, macOS, android, iOS, networkGateway, centos, rhel, ubuntu, oracle, emailSecurityAppliance, webSecurityAppliance, unknown	—
osVersion	Example: 10 Enterprise (64-bit) Windows 10 Enterprise 10.0.19042 Windows Server 2016 Standard 10.0.14393	—
osBuild	Example: 19042.1466	—
hardwareId	The CPU identifier or serial number of the device. For macOS and iOS, this is the UUID.	—
macAddresses.0	The system accepts up to 2 macAddresses for each device.	The format should not matter, although aa:bb:cc:dd:ee:ff is preferred.
macAddresses.1	—	—
internalIps.0	The system accepts up to 2 internal and external IP addresses for each device.	Both IPv4 and IPv6 addresses are accepted.
internalIps.1	—	—
externalIps.0	—	—
externalIps.1	—	—
serialNumber	—	—
imei	—	—
users.0	Username (string) for a user from this device. The upload accepts up to 2 users.	—
users.1	—	—
appUsers.0	—	—
appUsers.1	—	—
emails.0	Email addresses of users who sign in with this device. The upload accepts up to 2 email addresses in addition to the “users” and “appUsers” fields.	Must be in email address format (such as “test-user@securitydemo.net”).
emails.1	—	—
browsers.0.browserFamily	If the system is an IdP and tracks the device’s browser information.	Example: Edge Chromium
browsers.0.browserVersion	—	Example: 98.0.1108.43
browsers.0.flashVersion	—	Example: uninstalled
browsers.0.javaVersion	—	Example: uninstalled
browsers.0.lastUsed	Date and time when the browser was last used.	—
browsers.1.browserFamily	—	—
browsers.1.browserVersion	—	—
browsers.1.flashVersion	—	—
browsers.1.javaVersion	—	—
browsers.1.lastUsed	—	—
created	Date and time the device first appeared in the management console which exported the data.	—
lastUpdated	Date the device record was last updated from the source.	Must be in numeric format (milliseconds since Unix Epoch).
isCompromised	A true or false value to indicate if the system has a compromise.	—
isManaged	A true or false value to indicate if the system is managed by this company.	—
labels.0	Custom strings that can be used to categorize and filter devices.	You can add more labels to a device by adding more label columns. For example, labels.1, labels.2, and so on.
value	The device value can be set from 1-10, where 1 is the least critical and 10 is the most critical.	The device value will indicate rule assigned if the value is set using a custom source.

Delete Custom Source

To delete a custom source:

Find the custom source that you want to delete on the Sources page.
Click the (Open Settings) icon.
Choose Delete.
To confirm removal, click Yes.