Integration Tiles
The tiles listed below are available for you to add to your dashboard on the Dashboards page after you add your integrations in Cisco XDR. For details on how to add integrations, see Integrations.
Attack Surface Management
Tile Name | Description |
---|---|
All Current Active Alerts | Displays current active alerts in Cisco Attack Surface Management. The alerts are created in Attack Surface Management based on rules created by the Attack Surface Management administrator. |
Alerts by Created Date | Displays a list of alerts created during a period that is configurable in the tile, up to the previous 30 days. |
Accounts with AWS S3 Buckets Lacking Secure Transport | Displays a pie chart of AWS S3 buckets grouped by whether secure (TLS) transport is enforced for them. |
Accounts with AWS S3 Buckets Lacking Default Encryption | Displays a pie chart of AWS S3 buckets grouped by whether default encryption is configured for them. |
Cisco Defense Orchestrator (CDO)
Tile Name | Description |
---|---|
CDO Device Summary | CDO device status summary. |
CDO Objects and Policies | CDO objects and policies summary. |
CDO VPN | CDO VPN summary. |
CSDAC - Elements | CSDAC elements summary. |
CSDAC - Source Connectors | CSDAC connectors by type and status. |
CSDAC - Destination Adapters | CSDAC adapters by type and status. |
CSDAC - Dynamic Objects | CSDAC dynamic objects and count of mappings. |
Cisco Secure Access
Tile Name | Description |
---|---|
Security Blocks by Command-and-Control Category | A set of metrics summarizing security blocks by command-and-control category. |
Security Blocks by Cryptomining Category | A set of metrics summarizing security blocks by the cryptomining category. |
Security Blocks by Malware Category | A set of metrics summarizing security blocks by malware category. |
Security Blocks by Phishing Category | A set of metrics summarizing security blocks by phishing category. |
Firewall Sessions and Blocks | Total firewall sessions and blocks. |
Proxy Sessions and Blocks | Total proxy sessions and blocks. |
Proxy Security Blocks | Total proxy security blocks. |
Request Summary | A set of metrics summarizing Cisco Secure Access requests. |
Secure Cloud Analytics
Secure Cloud Analytics is a software as a service (SaaS) solution that monitors your on-premises and cloud-based network deployments. By gathering information about your network traffic, it creates observations about the traffic, which are facts about behavior on the network, and automatically identifies roles for network entities based on their traffic patterns. Observations on their own do not carry meaning beyond the fact of what they represent. Based on the combination of observations, roles, and other threat intelligence, Secure Cloud Analytics generates alerts, which are actionable items that represent possible malicious behavior as identified by the system.
Secure Cloud Analytics also identifies observations of interesting behavior (highlighted observations), which you can review from its portal UI. Though these observations do not signify malicious behavior on their own, they may represent otherwise notable traffic on your network.
The following describes the Secure Cloud Analytics tiles that you can display in Cisco XDR, which represent Secure Cloud Analytics findings.
Tile Name | Description |
---|---|
Alert Overview Chart | Displays a multilevel pie chart, with an outer ring and an inner ring, that breaks down alerts for the selected time frame. |
Alert Quick View | Displays the current number of open Secure Cloud Analytics alerts and unassigned Secure Cloud Analytics alerts. |
Device Count Chart | Displays the number of unique entities that Secure Cloud Analytics detected transmitting traffic on your network during a given time frame, displayed as a vertical bar chart. |
Detection Ingest Status | Displays the last ingested time and the last verified time for each integrated detection source. |
Observation Count | Displays the total number of observations that Secure Cloud Analytics generated in a given time frame, and the total number of highlighted observations in that time frame. The Observations and Highlighted Observations links take you to the Secure Cloud Analytics portal UI to view more information about these observations. |
Sensor Status | Displays a list of your configured Secure Cloud Analytics sensors, and if they are active or inactive. |
Traffic Over Time Chart | Displays the amount of inbound traffic, inbound encrypted traffic, outbound traffic, and outbound encrypted traffic monitored by Secure Cloud Analytics for the selected time frame as a stacked bar chart. |
Incoming Email Metrics
Tile Name | Description |
---|---|
Incoming Files Handled by AMP | A set of metrics summarizing Secure Endpoint analysis of incoming email. |
Incoming Mail Summary | A set of metrics summarizing mail flow activity. |
Incoming Threat Messages Summary | A set of metrics summarizing threat activity. |
Email Summary | A set of metrics summarizing mail flow activity. |
Top Incoming Mail Connections by Country | A set of metrics summarizing top incoming mail connections by country. |
Top Senders (Domains) by Total Incoming Threat Messages | A set of metrics summarizing top senders (domains) by total incoming threat messages. |
Top Senders (IP Addresses) by Total Incoming Threat Messages | A set of metrics summarizing top senders (IP addresses) by total incoming threat messages. |
Top Incoming Virus Types Detected | A set of metrics summarizing top incoming virus types detected. |
Top URL Spam Messages | A set of metrics summarizing top URL spam messages. |
Outgoing Email Metrics
Tile Name | Description |
---|---|
Outgoing Mail Summary | A set of metrics summarizing outgoing mail flow activity. |
Top Outgoing Sender Domains by Total Outgoing Threat Messages | A set of metrics summarizing top sender domains by total outgoing threat messages. |
Top Sender IP Addresses by Total Outgoing Threat Messages | A set of metrics summarizing top sender IP addresses by total outgoing threat messages. |
Secure Email Threat Defense
Note: The Secure Email Threat Defense (Australia) and Secure Email Threat Defense (India) integrations are available in the Asia Pacific, Japan, China region.
Tile Name | Description |
---|---|
Messages by Direction | Shows your total email traffic by direction. Mail is divided into Outgoing, Mixed, Internal, and Incoming. |
Spam | Shows a snapshot of messages that were determined to be Spam. |
Graymail | Shows a snapshot of messages that were determined to be Graymail. |
Threats | Shows a snapshot of messages that were determined to be Malicious, Phishing, Scam, or BEC. |
Malicious & Phishing | Shows a snapshot of messages that were determined to be Malicious or Phishing. |
Secure Endpoint
Tile Name | Description |
---|---|
Compromises detected | A set of metrics summarizing compromises detected by Secure Endpoint. |
Computers Summary | A set of metrics summarizing the state of Secure Endpoint computers. |
Summary | A set of metrics summarizing Secure Endpoint detection and response. |
Quarantines | A set of metrics summarizing Secure Endpoint quarantines by time. |
MITRE ATT&CK Tactics detected | A set of metrics summarizing MITRE ATT&CK® tactics detected by Secure Endpoint. |
Threat Hunting | Threat hunting incidents by the threat hunting source. |
Top Endpoint Compromises | Top compromises by severity score. |
Top Dynamic Threats | Top dynamic threats. |
Top Malware Threats | Top threats by compromise detections aggregated by detection name. |
Top Compromise Observables | Top compromise observables. |
Secure Firewall
Important Information about Tiles
Tiles that show event metrics include only events that Secure Firewall Threat Defense devices sent to Security Services Exchange within the past 7 days.
To ensure that you see the correct set of events, configure the auto-promotion options in Security Services Exchange correctly. For details, see the online help in Security Services Exchange. To open Security Services Exchange, click a summary value in the Event Summary tile.
Some tiles apply only to deployments managed by Secure Firewall Management Center, not to deployments managed by Secure Firewall Device Manager.
Some links from these tiles take you to your Secure Firewall Management Center appliance. Your browser follows these links directly, so you can reach the Secure Firewall Management Center from within Cisco XDR as long as your browser can connect to your internal network; Cisco XDR itself does not need to connect to your corporate network.
To cross-launch Secure Firewall Management Center from the tiles in Cisco XDR, the Secure Firewall Management Center's name must be a fully qualified domain name (FQDN). To change the name of your Secure Firewall Management Center, go to System > Configuration > Information in the Secure Firewall Management Center web interface and modify the Name field.
Tile Name | Description |
---|---|
Event Summary | Summarizes Secure Firewall Threat Defense events in Security Services Exchange within the selected timeframe, up to 7 days. Click a metric in this tile to view event details in Security Services Exchange, which opens in a separate browser window. |
Talos IP Reputation | Summarizes the Talos reputation scores of the public IP addresses associated with intrusion and malware events sent from Secure Firewall Threat Defense to Security Services Exchange within the selected timeframe (up to 7 days). This value is based on the same threat data as the Talos Disposition value in the Incident Promotion Reason tile, but the counts may differ because they are calculated differently: Talos IP Reputation counts source and destination IP addresses separately, while Talos Disposition increments only once per incident, even if both the source and destination IP addresses have poor reputation. The Talos IP Reputation threat metric used to promote events from Security Services Exchange to incidents is not used on Secure Firewall Threat Defense devices; it is similar to, but distinct from, the Security Intelligence data for networks. Click a metric in this tile to view event details in Security Services Exchange, which opens in a separate browser window. The event count shown in Security Services Exchange may differ from the count shown in the tile: duplicate events are removed automatically in Security Services Exchange, and your Security Services Exchange configuration may filter out events. The tile shows the event count before those actions are applied. |
Intrusion Top Attackers | Top attackers for intrusion events in your organization that Secure Firewall Threat Defense devices sent to Security Services Exchange. This tile shows at most 7 days of data, even if a longer timeframe is selected at the top of the dashboard; check the timeframe shown on the tile itself. |
Intrusion Top Targets | Top targets for intrusion events in your organization that Secure Firewall Threat Defense devices sent to Security Services Exchange. This tile shows at most 7 days of data, even if a longer timeframe is selected at the top of the dashboard; check the timeframe shown on the tile itself. |
Intrusion Top Signatures | Top signatures for intrusion events in your organization that Secure Firewall Threat Defense devices sent to Security Services Exchange. This tile shows at most 7 days of data, even if a longer timeframe is selected at the top of the dashboard; check the timeframe shown on the tile itself. |
Device Inventory | Important: To use this tile, Cisco Success Network must be enabled on each Secure Firewall Management Center. Enable this feature on the System > Smart Licenses page in Secure Firewall Management Center; if you have questions, search the Secure Firewall Management Center online help for "Cisco Success Network". This tile shows data only from deployments with Secure Firewall Management Center; devices managed by Secure Firewall Device Manager are not reflected. The tile shows whether the Secure Firewall Management Center appliances registered to Cisco XDR, and their managed devices, are running at least the suggested software version. The suggested version is not necessarily the latest available version; Cisco determines it based on software quality, stability, and longevity. For best protection, all of your Secure Firewall Management Centers and all managed devices should run at least the suggested version. For upgrade instructions, see the Cisco Firepower Management Center Upgrade Guide at https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-guides-list.html. Clicking the Suggested version link takes you to the Software Downloads page on Cisco.com for Virtual Appliance downloads; the same download can be used for all virtual and hardware Secure Firewall Management Center appliances. A zero (0) in the Managed devices needing upgrade column means that all of that Secure Firewall Management Center's managed devices are up to date. |
Security Update Status | Important: To use this tile, Cisco Success Network must be enabled on each Secure Firewall Management Center. Enable this feature on the System > Smart Licenses page in Secure Firewall Management Center; if you have questions, search the Secure Firewall Management Center online help for "Cisco Success Network". This tile shows data only from deployments with Secure Firewall Management Center; devices managed by Secure Firewall Device Manager are not reflected. For effective protection, your system should always use the latest threat intelligence. If this tile shows that your deployment is not up to date, download and install the latest updates. For information about these updates, and the options and instructions for installing them manually or automatically, see the "System Updates" chapter in your Secure Firewall Management Center online help. |
Security Capabilities | Important: To use this tile, Cisco Success Network must be enabled on each Secure Firewall Management Center. Enable this feature on the System > Smart Licenses page in Secure Firewall Management Center; if you have questions, search the Secure Firewall Management Center online help for "Cisco Success Network". This tile shows data only from deployments with Secure Firewall Management Center; devices managed by Secure Firewall Device Manager are not reflected. The tile indicates how extensively you use the security features: the number of devices managed by each Secure Firewall Management Center that have been assigned each type of license, and the number of rules requiring each type of license that have been deployed to any device managed by each Secure Firewall Management Center. Rules are counted once per device they are deployed to: if one access control policy contains 3 URL filtering rules and you deploy that policy to 4 managed devices, the rule count is 12. |
Secure Malware Analytics
Tile Name | Description |
---|---|
Threat Scores | Counting submissions by threat score ranges. |
Total Submissions by Result | Counting submissions by status. |
Total Submissions by Threat Score | Counting submissions by threat score ranges. |
Total Convictions | Counting total convicted submissions. |
Submissions Source by Result | Counting submissions by status, grouped by submission source. |
Submission Source by Threat Score | Counting submissions by threat score ranges, grouped by submission source. |
Submission Environments | Counting convicted vs. non-convicted submissions, grouped by environment. |
Submission File Types | Counting submissions by file type. |
Entitlement API Sample Submissions | Counting submissions vs. rate-limited submissions. |
Submission Network Exits | Counting submissions by the network exit used during analysis. |
Top Tags | Counting submissions by tag. |
Top IP Addresses | Counting submissions by IP referenced during analysis. |
Top Domains | Counting submissions by domain referenced during analysis. |
Top Behavioral Indicators | Counting indicators triggered during submissions. |
Secure Network Analytics
Tile Name | Description |
---|---|
Alarming Hosts by Category | Number of hosts in the alarm categories since the last reset hour. |
Top Outside Host Groups by Traffic | Top 10 outside host groups by traffic. |
Network Visibility | Statistics for the number of hosts and the amount of traffic. |
Top Inside Host Groups by Traffic | Top 10 inside host groups by traffic. |
Visibility Assessment | Number of hosts in the Visibility Assessment categories. |
Top Alarms By Count | Top 10 alarms by count. |
Top Alarming Hosts | Top 7 inside hosts, sorted by alarm severity, that have been active on your network since the last reset hour. |
Secure Web Appliance
Tile Name | Description |
---|---|
Incoming Files Analyzed by AMP | A set of metrics summarizing incoming files analyzed by Secure Endpoint. |
HTTPS Reports | A set of metrics summarizing web transactions for HTTP and HTTPS traffic. |
Top Domains | A set of metrics summarizing top domains in web transactions. |
Top Malware Categories | A set of metrics summarizing top malware categories in web transactions. |
Top URL Categories | A set of metrics summarizing top URL categories in web transactions. |
Secure Workload
Tile Name | Description |
---|---|
Tetration Software Agents Summary | Metrics describing the connected software agents. Secure Workload receives telemetry from agents distributed across your environment, and tracking the health and connectivity status of those agents is key to ensuring continued visibility and effective policy enforcement. This tile shows the connected agent count, split into subtypes. Inactive Enforcement Agents is a critical metric to track, because these agents may need remediation to return to healthy operation. |
Tetration Vulnerable Workloads and Inventory | Metrics describing workloads with known vulnerabilities and the total inventory count. Secure Workload tracks every endpoint it has discovered, whether a data center workload, an endpoint accessing applications, or a remote resource on the internet. This database is called the 'inventory', and watching the inventory level is a good way to monitor the health of a Secure Workload deployment and the effectiveness of policy enforcement. The inventory tracks potential software vulnerabilities on monitored workloads by analyzing the packages that the software agent reports as installed. |
Tetration Policy Metrics | Metrics describing the configured segmentation policies. Secure Workload provides a policy discovery, analysis, and enforcement engine. As your Secure Workload deployment grows, you create scopes, filters, and applications in which policies are discovered. As data center policy evolves, the number of these objects grows and reflects the degree of segmentation in place. |
Umbrella
Tile Name | Description |
---|---|
Security Blocks by Command-and-Control Category | A set of metrics summarizing security blocks by command-and-control category. |
Security Blocks by Cryptomining Category | A set of metrics summarizing security blocks by the cryptomining category. |
Security Blocks by Malware Category | A set of metrics summarizing security blocks by malware category. |
Security Blocks by Phishing Category | A set of metrics summarizing security blocks by phishing category. |
Cloud Malware Summary | A set of metrics summarizing Cloud Malware for approved applications. |
Firewall Sessions and Blocks | Total firewall sessions and blocks. |
Proxy Sessions and Blocks | Total proxy sessions and blocks. |
Proxy Security Blocks | Total proxy security blocks. |
Request Summary | A set of metrics summarizing Umbrella requests. |