Integration Tiles

Attack Surface Management

Tile Name	Description
All Current Active Alerts	Displays current active alerts in Cisco Attack Surface Management. The alerts are created in Attack Surface Management based on rules created by the Attack Surface Management administrator.
Alerts by Created Date	Displays a list of alerts created for the last X period of time, which is configurable in the tile up to the previous 30 days.
Accounts with AWS S3 Buckets Lacking Secure Transport	Displays a pie chart for the number of AWS S3 buckets based on the secure transport protocol used.
Accounts with AWS S3 Buckets Lacking Default Encryption	Displays a pie chart for the number of AWS S3 buckets based on the encryption used for these S3 buckets.

Cisco Defense Orchestration (CDO)

Tile Name	Description
CDO Device Summary	CDO device status summary.
CDO Objects and Policies	CDO objects and policies summary.
CDO VPN	CDO VPN summary.
CSDAC - Elements	CSDAC elements summary.
CSDAC - Source Connectors	CSDAC connectors by type and status.
CSDAC - Destination Adapters	CSDAC adapters by type and status.
CSDAC - Dynamic Objects	CSDAC dynamic objects and count of mappings.

Cisco Secure Access

Tile Name	Description
Security Blocks by Command-and-Control Category	A set of metrics summarizing security blocks by command-and-control category.
Security Blocks by Cryptomining Category	A set of metrics summarizing security blocks by the cryptomining category.
Security Blocks by Malware Category	A set of metrics summarizing security blocks by malware category.
Security Blocks by Phishing Category	A set of metrics summarizing security blocks by phishing category.
Firewall Sessions and Blocks	Total firewall sessions and blocks.
Proxy Sessions and Blocks	Total proxy sessions and blocks.
Proxy Security Blocks	Total proxy security blocks.
Request Summary	A set of metrics summarizing Cisco Secure Access requests.

Secure Cloud Analytics

Secure Cloud Analytics is a software as a service (SaaS) solution that monitors your on-premises and cloud-based network deployments. By gathering information about your network traffic, it creates observations about the traffic, which are facts about behavior on the network, and automatically identifies roles for network entities based on their traffic patterns. Observations on their own do not carry meaning beyond the fact of what they represent. Based on the combination of observations, roles, and other threat intelligence, Secure Cloud Analytics generates alerts, which are actionable items that represent possible malicious behavior as identified by the system.

Secure Cloud Analytics also identifies observations of interesting behavior (highlighted observations), which you can review from its portal UI. Though these observations do not signify malicious behavior on their own, they may represent otherwise notable traffic on your network.

The following describes the Secure Cloud Analytics tiles that you can display in Cisco XDR, which represent Secure Cloud Analytics findings.

Tile Name	Description
Alert Overview Chart	Displays a multilevel pie chart that shows, based on the selected time frame, in the outer ring: new Secure Cloud Analytics alerts created within the time frame open Secure Cloud Analytics alerts created before the time frame, and not yet closed within the time frame closed Secure Cloud Analytics alerts closed during the time frame And in the inner ring: assigned Secure Cloud Analytics alerts unassigned Secure Cloud Analytics alerts
Alert Quick View	Displays the current number of open Secure Cloud Analytics alerts and unassigned Secure Cloud Analytics alerts.
Device Count Chart	Displays the number of unique entities that Secure Cloud Analytics detected transmitting traffic on your network during a given time frame, displayed as a vertical bar chart.
Detection Ingest Status	Displays the last ingested time and the last verified time for each integrated detection source.
Observation Count	Displays the total number of observations that Secure Cloud Analytics generated in a given time frame, and the total number of highlighted observations in that time frame. The Observations and Highlighted Observations links take you to the Secure Cloud Analytics portal UI to view more information about these observations.
Sensor Status	Displays a list of your configured Secure Cloud Analytics sensors, and if they are active or inactive.
Traffic Over Time Chart	Displays the amount of inbound traffic, inbound encrypted traffic, outbound traffic, and outbound encrypted traffic monitored by Secure Cloud Analytics for the selected time frame as a stacked bar chart.

Secure Email Appliance

Incoming Email Metrics

Tile Name	Description
Incoming Files Handled by AMP	A set of metrics summarizing Secure Endpoint analysis of incoming email.
Incoming Mail Summary	A set of metrics summarizing mail flow activity.
Incoming Threat Messages Summary	A set of metrics summarizing threat activity.
Email Summary	A set of metrics summarizing mail flow activity.
Top Incoming Mail Connections by Country	A set of metrics summarizing top incoming mail connections by country.
Top Senders (Domains) by Total Incoming Threat Messages	A set of metrics summarizing top senders (domains) by total incoming threat messages.
Top Senders (IP Addresses) by Total Incoming Threat Messages	A set of metrics summarizing top senders (IP addresses) by total incoming threat messages.
Top Incoming Virus Types Detected	A set of metrics summarizing top incoming virus types detected.
Top URL Spam Messages	A set of metrics summarizing top URL spam messages.

Outgoing Email Metrics

Tile Name	Description
Outgoing Mail Summary	A set of metrics summarizing outgoing mail flow activity.
Top Outgoing Sender Domains by Total Outgoing Threat Messages	A set of metrics summarizing top sender domains by total outgoing threat messages.
Top Sender IP Addresses by Total Outgoing Threat Messages	A set of metrics summarizing top sender IP addresses by total outgoing threat messages.

Secure Email and Web Manager

Incoming Email Metrics

Tile Name	Description
Incoming Files Handled by AMP	A set of metrics summarizing Secure Endpoint analysis of incoming email.
Incoming Mail Summary	A set of metrics summarizing mail flow activity.
Incoming Threat Messages Summary	A set of metrics summarizing threat activity.
Email Summary	A set of metrics summarizing mail flow activity.
Top Incoming Mail Connections by Country	A set of metrics summarizing top incoming mail connections by country.
Top Senders (Domains) by Total Incoming Threat Messages	A set of metrics summarizing top senders (domains) by total incoming threat messages.
Top Senders (IP Addresses) by Total Incoming Threat Messages	A set of metrics summarizing top senders (IP addresses) by total incoming threat messages.
Top Incoming Virus Types Detected	A set of metrics summarizing top incoming virus types detected.
Top URL Spam Messages	A set of metrics summarizing top URL spam messages.

Outgoing Email Metrics

Tile Name	Description
Outgoing Mail Summary	A set of metrics summarizing outgoing mail flow activity.
Top Outgoing Sender Domains by Total Outgoing Threat Messages	A set of metrics summarizing top sender domains by total outgoing threat messages.
Top Sender IP Addresses by Total Outgoing Threat Messages	A set of metrics summarizing top sender IP addresses by total outgoing threat messages.

Secure Email Threat Defense

Note: The Secure Email Threat Defense (Australia) and Secure Email Threat Defense (India) integrations are available in the Asia Pacific, Japan, China region.

Tile Name	Description
Messages by Direction	Shows your total email traffic by direction. Mail is divided into Outgoing, Mixed, Internal, and Incoming.
Spam	Shows a snapshot of messages that were determined to be Spam.
Graymail	Shows a snapshot of messages that were determined to be Graymail.
Threats	Shows a snapshot of messages that were determined to be Malicious, Phishing, Scam, or BEC.
Malicious & Phishing	Shows a snapshot of messages that were determined to be Malicious or Phishing.

Secure Endpoint

Tile Name	Description
Compromises detected	A set of metrics summarizing compromises detected by Secure Endpoint.
Computers Summary	A set of metrics summarizing the state of Secure Endpoint computers.
Summary	A set of metrics summarizing Secure Endpoint detection and response.
Quarantines	A set of metrics summarizing Secure Endpoint quarantines by time.
MITRE ATT&CK Tactics detected	A set of metrics summarizing MITRE ATT&CK^® tactics detected by Secure Endpoint.
Threat Hunting	Threat hunting incidents by the threat hunting source.
Top Endpoint Compromises	Top compromises by severity score.
Top Dynamic Threats	Top dynamic threats.
Top Malware Threats	Top threats by compromise detections aggregated by detection name.
Top Compromise Observables	Top compromise observables.

Secure Firewall

Important Information about Tiles

Tiles showing metrics for events show events that have been sent from Secure Firewall Threat Defense devices to Security Services Exchange within the past 7 days.

To ensure that you see the correct set of events, you must correctly configure auto-promotion options in Security Services Exchange. For details, see the online help in Security Services Exchange. To access Security Services Exchange, you can click a summary value in the Event Summary tile.

Some tiles are applicable only to systems managed by Secure Firewall Management Center, not to deployments managed by Secure Firewall Device Manager.

Some links from these tiles take you to your Secure Firewall Management Center appliance. As long as your browser can connect to your internal network, you can access your Secure Firewall Management Center from within Cisco XDR. (Cisco XDR does not need to connect to your corporate network.)

To cross-launch Secure Firewall Management Center from the tiles in Cisco XDR, the Secure Firewall Management Center's name must be a Fully Qualified Domain Name (FQDM). To change the name of your Secure Firewall Management Center, go to System > Configuration > Information in the Secure Firewall Management Center web interface and modify the Name field.

Tile Name	Description
Event Summary	This tile summarizes Secure Firewall Threat Defense events in Security Services Exchange within the timeframe selected, up to 7 days. You can view event details in Security Services Exchange by clicking metrics in this tile. Security Services Exchange will open in a separate browser window.
Talos IP Reputation	This tile summarizes the Talos reputation scores of the public IP addresses associated with intrusion and malware events sent from Secure Firewall Threat Defense to Security Services Exchange within the timeframe selected (up to 7 days.) This value is based on the same threat data as the Talos Disposition value in the Incident Promotion Reason tile, but the counts may differ because of the way they are calculated. For example, Talos IP Reputation counts source and destination IP addresses separately, while the Talos Disposition value increments only once per incident, even if both source and destination IP addresses have poor reputation. The Talos IP Reputation threat metric used to promote events from Security Services Exchange to incidents is not used in Secure Firewall Threat Defense devices. It is similar to, but different from, the Security Intelligence data for networks. You can view event details in Security Services Exchange by clicking a metric in this tile. Security Services Exchange will open in a separate browser window. The count of events shown in Security Services Exchange may differ from the count of events shown in the tile. Duplicate events are automatically removed from Security Services Exchange, and your configurations in Security Services Exchange may automatically filter out events. The tile shows the event count before such actions are taken in Security Services Exchange.
Intrusion Top Attackers	List of top attackers for intrusion events in your organization that were sent from Secure Firewall Threat Defense devices to Security Services Exchange. This tile shows up to 7 days worth of data, even if a longer timeframe is selected at the top of the dashboard. Look at the timeframe selected on the tile itself.
Intrusion Top Targets	List of top targets for intrusion events in your organization that were sent from Secure Firewall Threat Defense devices to Security Services Exchange. This tile shows a maximum of 7 days worth of data, even if a longer timeframe is selected at the top of the dashboard. Look at the timeframe selected on the tile itself.
Intrusion Top Signatures	List of top signatures for intrusion events in your organization that were sent from Secure Firewall Threat Defense devices to Security Services Exchange. This tile shows a maximum of 7 days worth of data, even if a longer timeframe is selected at the top of the dashboard. Look at the timeframe selected on the tile itself.
Device Inventory	Important: In order to use this tile, Cisco Success Network must be enabled in each Secure Firewall Threat Defense. Enable this feature on the System > Smart Licenses page in Secure Firewall Management Center. If you have questions, search the Secure Firewall Management Center online help for "Cisco Success Network". This tile shows only data from deployments with Secure Firewall Management Center. Devices managed by Secure Firewall Device Manager are not reflected in this tile. This tile shows whether the Secure Firewall Management Center appliances that are registered to Cisco XDR, and their managed devices, are running at least the suggested software version. This minimum version may not be the latest available software version. Instead, it is determined by Cisco based on software quality, stability, and longevity. For best protection, all of your Secure Firewall Management Centers and all managed devices should be running at least the suggested version. For upgrade instructions, see the Cisco Firepower Management Center Upgrade Guide at https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-guides-list.html. Clicking the Suggested version link takes you to the Software Downloads page on Cisco.com for Virtual Appliance downloads. The same download can be used for all virtual and hardware Secure Firewall Management Center appliances. A zero (0) in the Managed devices needing upgrade column indicates that all of this Secure Firewall Management Center's managed devices are up to date.
Security Update Status	Important: In order to use this tile, Cisco Success Network must be enabled in each Secure Firewall Management Center. Enable this feature on the System > Smart Licenses page in Secure Firewall Management Center. If you have questions, search the Secure Firewall Management Center online help for "Cisco Success Network". This tile shows only data from deployments with Secure Firewall Management Center. Devices managed by Secure Firewall Device Manager are not reflected in this tile. For effective protection, your system should always use the latest threat intelligence. If this tile shows that your deployment is not up to date, download and install the latest updates. For information about these updates and options and instructions for manually or automatically installing them, see the "System Updates" chapter in your Secure Firewall Management Center online help.
Security Capabilities	Important: In order to use this tile, Cisco Success Network must be enabled in each Secure Firewall Management Center. Enable this feature on the System > Smart Licenses page in Secure Firewall Management Center. If you have questions, search the Secure Firewall Management Center online help for "Cisco Success Network". This tile shows only data from deployments with Secure Firewall Management Center. Devices managed by Secure Firewall Device Manager are not reflected in this tile. This tile indicates how extensively you are using the security features. Specifically: The number of devices managed by each Secure Firewall Management Center that have been assigned each type of license. The number of rules that require each type of license that have been deployed to any device managed by each Secure Firewall Management Center. As a simple example, if you have 1 access control policy that has 3 URL filtering rules, and you have deployed that policy to 4 managed devices, the rule count is 12.

Secure Malware Analytics

Tile Name	Description
Threat Scores	Counting submissions by threat score ranges.
Total Submissions by Result	Counting submissions by status.
Total Submissions by Threat Score	Counting submissions by threat score ranges.
Total Convictions	Counting total convicted submissions.
Submissions Source by Result	Counting submissions by status, grouped by submission source.
Submission Source by Threat Score	Counting submissions by threat score ranges, grouped by submission source.
Submission Environments	Counting convicted vs. non-convicted submissions, grouped by environment.
Submission File Types	Counting submissions by file type.
Entitlement API Sample Submissions	Counting submissions vs. rate-limited submissions.
Submission Network Exits	Counting submissions by the network exit used during analysis.
Top Tags	Counting submissions by tag.
Top IP Addresses	Counting submissions by IP referenced during analysis.
Top Domains	Counting submissions by domain referenced during analysis.
Top Behavioral Indicators	Counting indicators triggered during submissions.

Secure Network Analytics

Tile Name	Description
Alarming Hosts by Category	Number of hosts in the alarm categories since the last reset hour.
Top Outside Host Groups by Traffic	Top 10 outside host groups by traffic.
Network Visibility	Statistics for the number of hosts and the amount of traffic.
Top Inside Host Groups by Traffic	Top 10 inside host groups by traffic.
Visibility Assessment	Number of hosts in the Visibility Assessment categories.
Top Alarms By Count	Top 10 alarms by count.
Top Alarming Hosts	Top 7 inside hosts, sorted by alarm severity, that have been active on your network since the last reset hour.

Secure Web Appliance

Tile Name	Description
Incoming Filed Analyzed by AMP	A set of metrics summarizing incoming files analyzed by Secure Endpoint.
HTTPS Reports	A set of metrics summarizing web transactions for HTTP and HTTPS traffic.
Top Domains	A set of metrics summarizing top domains in web transactions.
Top Malware Categories	A set of metrics summarizing top malware categories in web transactions.
Top URL Categories	A set of metrics summarizing top URL categories in web transactions.

Secure Workload

Tile Name	Description
Tetration Software Agents Summary	Metrics describing the connected software agents. Secure Workload receives telemetry from agents distributed across your environment. Tracking the health and connectivity status of agents is key to ensuring continued visibility and effective policy enforcement. This tile shows the connected agent count, split into these subtypes: Inactive Enforcement Agents Enforcement Agents Visibility Agents ISE Collectors ISE Endpoints AnyConnect Collectors AnyConnect Endpoints AWS Agents F5 Enforcer Citrix Enforcer Inactive Enforcement Agents is a critical metric to track, as these may need remediation to return to healthy operation.
Tetration Vulnerable Workloads and Inventory	Metrics describing workloads with known vulnerabilities and the total inventory count. Secure Workload tracks all endpoints that have been discovered whether they are data center workloads, endpoints accessing applications, or remote resources on the internet. This database is called the 'inventory' and it is important to keep an eye on the inventory level to monitor the health of a Secure Workload deployment and the effectiveness of policy enforcement. The inventory tracks potential software vulnerabilities on monitored workloads by analyzing packages that are installed on workloads via a software agent. This tile provides: Total count of all inventory items Workloads with major vulnerabilities (CVSS v2 and v3) Workloads with critical vulnerabilities (CVSS v2 and v3)
Tetration Policy Metrics	Metrics describing the configured segmentation policies. Secure Workload provides a powerful policy discovery, analysis, and enforcement engine. As you grow your Secure Workload deployment, you will create scopes, filters and applications where policies will be discovered. As data center policy evolves, the number of these objects will grow, and will reflect the degree of segmentation that is in place. This tile provides: Total count of scopes Total count of filters Total count of applications

Tile Name

Description

Tetration Software Agents Summary

Metrics describing the connected software agents.

Secure Workload receives telemetry from agents distributed across your environment. Tracking the health and connectivity status of agents is key to ensuring continued visibility and effective policy enforcement. This tile shows the connected agent count, split into these subtypes:

Inactive Enforcement Agents
Enforcement Agents
Visibility Agents
ISE Collectors
ISE Endpoints
AnyConnect Collectors
AnyConnect Endpoints
AWS Agents
F5 Enforcer
Citrix Enforcer

Inactive Enforcement Agents is a critical metric to track, as these may need remediation to return to healthy operation.

Tetration Vulnerable Workloads and Inventory

Metrics describing workloads with known vulnerabilities and the total inventory count.

Secure Workload tracks all endpoints that have been discovered whether they are data center workloads, endpoints accessing applications, or remote resources on the internet. This database is called the 'inventory' and it is important to keep an eye on the inventory level to monitor the health of a Secure Workload deployment and the effectiveness of policy enforcement. The inventory tracks potential software vulnerabilities on monitored workloads by analyzing packages that are installed on workloads via a software agent.

This tile provides:

Total count of all inventory items
Workloads with major vulnerabilities (CVSS v2 and v3)
Workloads with critical vulnerabilities (CVSS v2 and v3)

Tetration Policy Metrics

Metrics describing the configured segmentation policies.

Secure Workload provides a powerful policy discovery, analysis, and enforcement engine. As you grow your Secure Workload deployment, you will create scopes, filters and applications where policies will be discovered. As data center policy evolves, the number of these objects will grow, and will reflect the degree of segmentation that is in place.

This tile provides:

Total count of scopes
Total count of filters
Total count of applications

Umbrella

Tile Name	Description
Security Blocks by Command-and-Control Category	A set of metrics summarizing security blocks by command-and-control category.
Security Blocks by Cryptomining Category	A set of metrics summarizing security blocks by the cryptomining category.
Security Blocks by Malware Category	A set of metrics summarizing security blocks by malware category.
Security Blocks by Phishing Category	A set of metrics summarizing security blocks by phishing category.
Cloud Malware Summary	A set of metrics summarizing Cloud Malware for approved applications.
Firewall Sessions and Blocks	Total firewall sessions and blocks.
Proxy Sessions and Blocks	Total proxy sessions and blocks.
Proxy Security Blocks	Total proxy security blocks.
Request Summary	A set of metrics summarizing Umbrella requests.