Cisco XDR Token

The Cisco XDR Token account key facilitates authentication between Cisco XDR and Automation.

The Cisco XDR Token simplifies using APIs. Instead of generating an API client in Cisco XDR and then entering the client ID and secret in Automation, you can use the Cisco XDR Token account key. When you create this type of account key, an API client is automatically generated for you and can be associated with Cisco XDR Platform HTTP Endpoint targets.

How to Determine Which Method Your Tenant Uses

Depending on when your Automation tenant was provisioned, you may be using either Cisco XDR Token or HTTP authentication. Perform the following steps to determine which authentication method your tenant uses:

  1. Choose Automate > Targets in the navigation menu.

  2. In the list of targets, click the Platform APIs target.

  3. Check the configuration in the Account Keys section:

    • If No Account Keys is set to True, then you are using legacy HTTP authentication.
    • If No Account Keys is set to False, then you are using Cisco XDR Token authentication.

Using Cisco XDR Token Authentication

When you use the Cisco XDR Token account key, you can access Platform APIs with a single step. After the Cisco XDR Token is created, you use that account key to communicate with Cisco XDR, and a token is automatically generated. You do not need to generate the token yourself, pass it between activities, or refresh an expired token.

To use Cisco XDR Token in a workflow:

  1. Create a new workflow or open an existing workflow to go to the Workflow Editor.
  2. Add any Threat Response activity with the appropriate target (Platform APIs, Private Intelligence APIs, Public Intelligence APIs).
  3. In the activity properties, choose the Cisco XDR Token account key. The token is automatically generated and passed to the API when the workflow runs.

Migrating to the Cisco XDR Token Account Key

We recommend updating workflows on older tenants to use the Cisco XDR Token account key. Perform the following steps to migrate your workflows to the Cisco XDR Token account key:

  1. If you do not already have a Cisco XDR Token account key, click Account Keys from the navigation menu.

  2. Click New Account Key and configure the following details:

    • Account Key Type - Cisco XDR Token
    • Display Name - User-configured (recommendation: Cisco_XDR_Token)

  3. Click Submit, then click Authorize in the Confirm Authorize dialog box.

    When the Cisco XDR Token is created successfully, the Authorized By and Authorization Date fields will be automatically populated.

  4. Navigate to the Targets page and edit the Cisco XDR targets to use the Cisco XDR Token account key:

    • Platform APIs
    • Private Intelligence APIs
    • Public Intelligence APIs

  5. Locate any existing workflows that use Cisco XDR APIs and do the following:

    • For each Threat Response-related activity, delete the variable text from the Access Token input variable. This is typically the output variable from the Threat Response - Generate Access Token activity or a local variable that holds the token.

    • Delete any Threat Response - Generate Access Token activities and any other activities related to token generation.

      For example, some workflows periodically check if the token is still valid. If the token is invalid, another activity will regenerate it. All of that logic can be removed because the Cisco XDR Token is regenerated as needed.
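
The following added example (not Cisco code and not part of the original page) shows one way to audit a workflow definition for the leftovers described in step 5: remaining Threat Response - Generate Access Token activities and Access Token inputs that are still populated. The JSON layout and key names in the sample are assumptions made for illustration; the walker itself does not depend on any particular schema.

```python
import json

# Names taken from the migration steps on this page.
TOKEN_ACTIVITY = "Threat Response - Generate Access Token"
TOKEN_INPUT = "access token"

# Constructed sample. The layout and key names ("actions", "name", "inputs",
# "access_token") are assumptions for illustration, not the real export schema.
SAMPLE_EXPORT = json.loads("""
{"workflow": {"name": "Constructed sample workflow", "actions": [
  {"name": "Threat Response - Generate Access Token", "inputs": {}},
  {"name": "Hypothetical activity A",
   "inputs": {"access_token": "<reference to generated token>"}},
  {"name": "Hypothetical activity B", "inputs": {"access_token": ""}}
]}}
""")


def _norm(key):
    """Compare input names without regard to case, underscores or padding."""
    return key.replace("_", " ").strip().lower()


def audit(node, path="$"):
    """Walk any JSON structure and return (path, finding) for leftover token logic."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if isinstance(value, str):
                if value.strip() == TOKEN_ACTIVITY:
                    findings.append((here, "token-generation activity still present"))
                elif _norm(key) == TOKEN_INPUT and value.strip():
                    findings.append((here, "Access Token input still populated"))
            else:
                findings.extend(audit(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(audit(item, f"{path}[{index}]"))
    return findings


if __name__ == "__main__":
    for location, finding in audit(SAMPLE_EXPORT):
        print(f"{location}: {finding}")
```

An empty result for a workflow means neither leftover was found in that definition; each reported path points at the activity or input to clean up in the Workflow Editor.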

Using the Cisco XDR Token and HTTP Basic Authentication Concurrently

You can use both account key types in your workflows concurrently. This configuration requires two sets of account keys and targets with unique names.

For example:

  • If your tenant was provisioned using HTTP Basic Authentication account keys, you can also create objects that use the Cisco XDR Token. Name your account key something like Cisco_XDR_Token and name the targets to match (for example: CTR_Target_Token).
  • If your tenant was provisioned using the Cisco XDR Token, you can also create objects that use HTTP Basic Authentication. Name your account key something like CTR_Credentials_Legacy and name the targets to match (for example: CTR_Target_Legacy).

For information on how to configure the individual targets, see the Default Targets Help topic.

Using the Cisco XDR Token with Automation Remote

You can use the Cisco XDR Token account key with the Automation Remote virtual appliance. Perform the following steps if your remote virtual appliances are not configured to use the Cisco XDR Token:

  1. Create a new Cisco XDR Token account key.

  2. If necessary, configure a new Automation Remote virtual appliance. For full instructions, see the Remote Setup and Deployment Help topic.

  3. On the Targets page, select an existing target that uses Automation Remote or create a new target. For instructions on how to configure a target to use Automation Remote, see the Targets Help topic.

    Automation Remote is supported with HTTP Endpoint, Terminal Endpoint, and Unix/Linux Endpoint target types.

  4. If you are creating a new target, type a unique Display Name and provide a Description.

  5. In the Account Keys area, ensure that No Account Keys is set to False.

  6. Click the Default Account Keys drop-down list and choose the Cisco XDR Token account key.

  7. In the Remote area, click the Remote Keys drop-down list and choose the appropriate Automation Remote virtual appliance.

  8. Click Submit.