Sources

Note: Only users with an Administrator role can sync, add, and delete sources.

This feature pulls device and user data from the modules you have integrated with Cisco XDR. These data sources can be device managers and security products from Cisco and third-parties.

Choose Assets > Sources in the navigation menu to open the Sources page.

Within each source panel:

  • You can click Sync to start a sync job on-demand.
  • You can see the status of each source, current sync errors, and the performance history - there’s a drop-down to select the time period being shown.
  • Sync Data shows how the number of synchronized objects has changed over time.
  • Performance shows how much time it took to synchronize a specific number of records. Hover over the bar to see the details, including the number of records retrieved and the duration of the sync. A taller bar indicates that more records were synchronized over a smaller amount of time.
  • If it’s a custom source, you can upload to, update, or remove it.
  • Click the (Settings) icon in the upper-right corner of the panel to:
    • adjust when and how often Cisco XDR syncs with this source
    • register or remove a webhook to this source

Don’t see a source you added? You may need to add your region’s IROH proxy IP addresses to your firewall’s access list in order to allow API connections between your sources and Cisco XDR:

  • North America: 35.168.234.165, 35.172.5.95, 34.225.249.84
  • European Union: 34.251.83.242, 52.49.85.99, 52.208.164.206
  • Asia Pacific, Japan, China: 54.248.49.240, 52.198.165.128, 52.196.126.178

Each source contains information about the devices and users in its own inventory. To update the asset information in its unified inventory, Cisco XDR can use these methods, where supported, to sync with sources:

  • Sync

    Pull data on-demand from the source, when you click Sync to manually initiate an update.

    • Full sync

      A process that involves a standard API call to the source and download of its full inventory database. This call is performed during an initial sync and later over longer time intervals to avoid exhausting the API subsystem of the source.

    • Delta sync

      When possible, the API call returns only what has changed since the last full or delta sync.

  • Webhook

    Cisco XDR can listen and learn about changes to devices in a source’s inventory by registering with a webhook to the source. In this setup, Cisco XDR connects with the source using a webhook over REST API call and provides the source with a URL. The sources uses this URL to dynamically inform Cisco XDR of a change to a device. In doing so, the API usage will increase accordingly.

To adjust when and how often Cisco XDR syncs with a source, navigate to Assets > Sources and click the (Open Settings) icon (times are shown in UTC).

The following sources support these methods of updating asset information in Cisco XDR:

Source

REST API Full Sync

REST API Delta Sync

Webhook

Cisco Duo

yes

yes

no

CrowdStrike

yes

no

no

custom

no

no

no

Cybereason

yes

no

no

Cyber Vision

yes

no

no

Ivanti Neurons for MDM

yes

no

no

Jamf Pro

yes

no

yes

Meraki

yes

no

no

Microsoft Defender for Endpoint

yes

no

no

Microsoft Entra ID (formerly Microsoft Azure Active Directory - Users)

yes

no

no

Microsoft Intune

yes

no

no

Orbital

no

no

yes

Palo Alto Networks Cortex XDR

yes

no

no

Secure Client

yes

no

yes

Secure Endpoint (formerly AMP for Endpoints)

yes

no

yes

SentinelOne

yes

no

no

ServiceNow

yes

no

no

Trend Vision One

yes

no

no

Umbrella

yes

yes

no

VMware Workspace ONE UEM (formerly AirWatch)

yes

yes

no

  1. Click Add More Sources to go to the Integrations page in Cisco XDR.

  2. There are three sections:

    • My Integrations
    • Cisco Integrations

    • Third-Party Integrations

  3. You can search for an integration and filter by its capability, such as show me integrations capable of supporting the Assets feature.

  4. Click Get Started or the (Add) icon under each integration module and follow the Integration Guide instructions.

Note: There’s an indeterminate amount of time between adding a source and seeing all its assets and their data fully appear in the devices and users table. We aren’t just reflecting the inventory of the source, so you won’t see them all right away. We actually copy the data and examine all the fields to determine if it’s the same asset as another. When we do see the same asset from multiple sources, we process and merge the data to show a single asset and maintain accuracy.

Integration Module

Important Notes

Cisco Duo

  • In order to access the Duo API, you must have a Duo Advantage or Duo Premier license level, Duo Free or Duo Essentials is not sufficient.

  • In order to add Duo, you must have the role of Owner; an Administrator role is not sufficient to protect the API.

  • In order to see Duo device data, in your auth policy for Trusted Endpoints select Require endpoints to be trusted and Require users to have the app under Device Health application.

  • Duo for device data and Duo for user data will appear as separate sources on the Sources page.

  • If you are using an older version of the Cisco Duo module, Secure Access by Duo, the integration will not send user data to Cisco XDR. You will need to update your Duo integration to use the latest Duo module that includes the Admin API.

CrowdStrike

Cybereason

Cyber Vision

  • Devices from Cyber Vision may have multiple MAC Addresses per device in the inventory table.

  • Operating System (OS) details are rarely shown due to how Cisco XDR pulls data from Cyber Vision.

Ivanti Neurons for MDM

Currently, the Assets feature supports the cloud deployment only; an on-premises deployment has not yet been fully tested.

Jamf Pro

Meraki

  • Before generating a new API key, ensure that API access is enabled:

    • In the Meraki Dashboard, navigate to Organization > Settings.

    • In the Dashboard API access area, if there's an option to Enable access to the Cisco Meraki Dashboard API, check the box and click Save Changes.

  • If you've previously added an APNS certificate in order to manage Apple devices from Meraki:

    • Navigate to Systems Manager > Devices.

    • Click Add devices and choose iOS.

    • In the Apple Configurator area, the network ID is the string of 18 numerical digits within the URL. Copy the network ID into a safe place.

    • Important: Do not close the window without first retrieving the network ID, because the network ID is not retrievable once this window gets closed.

  • Otherwise, if you're not able to manage Apple devices from Meraki:

  • When you enter the network ID in Cisco XDR

    • If you copied it from the Apple Configurator area, prepend the 18-digit network ID with "N_" (for example, N_123456789123456789).

    • If you obtained it by using the Meraki API, prepend the 18-digit network ID with "L_" (for example, L_123456789123456789).

Microsoft Defender for Endpoint

Microsoft Entra ID (formerly Microsoft Azure Active Directory - Users)

  • This source provides user data for the Users page.

  • Some Entra ID user properties (for example, Last Login) require an Entra ID Premium P1/P2 license.

Microsoft Intune

Orbital

  • The device count from an Orbital source on the Devices page may not match what you see in the Endpoints tab of that Orbital console. This behavior is expected: Orbital does not maintain its inventory of endpoints or nodes in the same way as a device manager or a full EDR solution. In contrast, it includes all endpoints that have had an Orbital connector installed at any time, not just the active ones in its inventory.

  • The Asset feature creates a recurring daily job for all endpoints to perform. After the job is run on the endpoint and the resulting device information is sent back to Orbital, Cisco XDR is notified about the existence of that device from Orbital. If no job result for that device is received within 90 days, the Orbital endpoint is purged from the Devices page.

Palo Alto Networks Cortex XDR

Secure Endpoint (formerly AMP for Endpoints)

The API key must be Read/Write to successfully register the webhook. However, some environments require keys to be Read/Only for regulatory reasons. In this case, you would still select and create a Read/Write key initially. Then, after the configuration is successful, replace it with a Read/Only key.

SentinelOne

ServiceNow

You may want to consider creating a separate ServiceNow user for this integration, as opposed to using your own ServiceNow account. Two-factor authentication is not supported, so ensure that the account you use does not have two-factor authentication enabled.

Trend Vision One

Umbrella

  • If you're part of a MSP, MSSP, or multi-org tenant, the Assets feature will not receive any actual data from Umbrella about your devices, even if you've successfully integrated Umbrella with Cisco XDR. This is because the Umbrella MSP, MSSP, and Multi-Org Consoles do not currently support integration with Cisco XDR.

  • You'll need to check the following check boxes in the Umbrella API (v2) area on the Add Integration form for Umbrella for the integration to work with the Assets feature:

    • Devices Enabled

    • Management Enabled

  • The Assets feature can pull data from Umbrella for Windows and Mac devices only; there's currently no support for pulling data from its mobile devices.

VMware Workspace ONE UEM (formerly AirWatch)

  • Currently, the Assets feature supports the cloud deployment only; an on-premises deployment has not yet been fully tested.

  • Requires an admin user account in a role that provides read access to the REST API for Compliance Policy, Devices, and Groups.

  • You may also see the API key referred to as the Tenant Code.

To modify the configuration settings of a source:

  1. Navigate to Administration > Integrations and expand the My Integrations section.
  2. Click the integration name to open its current settings.
  3. Edit the settings as needed, and click Save.
  4. A message is displayed in the upper portion of the Edit Module form indicating that a health check is running. Once it completes, a message indicates whether there were any issues found with the configuration.

To delete a source:

  1. Navigate to Administration > Integrations and expand the My Integrations section.
  2. Click the integration name to open its current settings.
  3. Click Delete, and then confirm by clicking Delete again.
  4. The module is removed and its data is no longer available.

Note: You can only import a custom source for devices. User data cannot be imported using a custom source.

To import a particular group of your devices:

  1. Click Add a Custom Source.

  2. Enter a name and description in the New Custom Source drawer.

  3. Click Apply.

  4. Find the new custom source, and click the (Open Settings) icon.

  5. Choose Upload CSV File.

  6. Click Download Custom Source Template to download our template in a CSV file.

  7. Open the downloaded CSV file, and populate the template with your particular group of devices.

    Caution: Please follow our template carefully, since importing values entered incorrectly in the CSV file may corrupt your device data in Cisco XDR. Currently, the only fix would be to open a support case with Cisco to have us clear all your device data and start another data sync from scratch.

  8. Click Choose File to select a CSV file that has been populated with devices.

  9. Click Upload to add the devices to the custom source.

Note: It takes time to import the data from the sources. You’ll see devices appear as Cisco XDR processes the CSV file you uploaded.

The following table describes the fields in the template and their requirements, where needed.

The CSV headers must match those in our template. Do not modify or delete any headers in the template. However, you can add headers and any column can be empty.

Header

Expected Value

Notes

extId

The unique identifier of this device from the management system which exported the data. For example, if the system of export is Microsoft Intune, the extId is Intune’s “id” field (such as “id: 9a3eaf6a-9642-41e9-911c-46decfe87424”).

name

The device’s hostname from the management system which exported the data.

Do not duplicate hostnames.

osType

windows, macOS, android, iOS, networkGateway, centos, rhel, ubuntu, oracle, emailSecurityAppliance, webSecurityAppliance, unknown

osVersion

Example:

  • 10 Enterprise (64-bit)

  • Windows 10 Enterprise 10.0.19042

  • Windows Server 2016 Standard 10.0.14393

osBuild

Example: 19042.1466

hardwareId

The CPU identifier or serial number of the device. For macOS and iOS, this is the UUID.

macAddresses.0

The system accepts up to 2 macAddresses for each device.

The format should not matter, although aa:bb:cc:dd:ee:ff is preferred.

macAddresses.1

internalIps.0

The system accepts up to 2 internal and external IP addresses for each device.

Both IPv4 and IPv6 addresses are accepted.

internalIps.1

externalIps.0

externalIps.1

serialNumber

imei

users.0

Username (string) for a user from this device. The upload accepts up to 2 users.

users.1

appUsers.0

appUsers.1

emails.0

Email addresses of users who sign in with this device. The upload accepts up to 2 email addresses in addition to the “users” and “appUsers” fields.

Must be in email address format (such as “test-user@securitydemo.net”).

emails.1

browsers.0.browserFamily

If the system is an IdP and tracks the device’s browser information.

Example: Edge Chromium

browsers.0.browserVersion

Example: 98.0.1108.43

browsers.0.flashVersion

Example: uninstalled

browsers.0.javaVersion

Example: uninstalled

browsers.0.lastUsed

Date and time when the browser was last used.

browsers.1.browserFamily

browsers.1.browserVersion

browsers.1.flashVersion

browsers.1.javaVersion

browsers.1.lastUsed

created

Date and time the device first appeared in the management console which exported the data.

lastUpdated

Date the device record was last updated from the source.

Must be in numeric format (milliseconds since Unix Epoch).

isCompromised

A true or false value to indicate if the system has a compromise.

isManaged

A true or false value to indicate if the system is managed by this company.

labels.0

Custom strings that can be used to categorize and filter devices.

You can add more labels to a device by adding more label columns. For example, labels.1, labels.2, and so on.

value

The device value can be set from 1-10, where 1 is the least critical and 10 is the most critical.

The device value will indicate rule assigned if the value is set using a custom source.

To delete a custom source:

  1. Find the custom source that you want to delete on the Sources page.
  2. Click the (Open Settings) icon.
  3. Choose Delete.
  4. To confirm removal, click Yes.