Dashboard Tiles

Cisco XDR connects Cisco’s integrated security portfolio and your entire security infrastructure to unify visibility, enable automation, and strengthen security across your network. The result is simplified security, built into the solutions you already have. The Control Center page presents metrics and data from your integrated products to provide visibility across your security environment and accelerate threat response. After you've added your integrations to Cisco XDR, the tiles that are provided by the products are available for you to add when you customize your dashboard. This document is a supplemental list of tiles and their descriptions that may be available in Cisco XDR.

Note: While we periodically update this tiles list, it may not always reflect the complete list of tiles in every product integrated with Cisco XDR.

Tile Name Description
All Current Active Alerts Displays current active alerts in Cisco Attack Surface Management. The alerts are created in Attack Surface Management based on rules created by the Attack Surface Management administrator.
Alerts by Created Date Displays a list of alerts created for the last X period of time, which is configurable in the tile up to the previous 30 days.
Accounts with AWS S3 Buckets Lacking Secure Transport Displays a pie chart for the number of AWS S3 buckets based on the secure transport protocol used.
Accounts with AWS S3 Buckets Lacking Default Encryption Displays a pie chart for the number of AWS S3 buckets based on the encryption used for these S3 buckets.

By default, the Automation tiles are automatically available to all users in Cisco XDR. You do not need to add an integration to access the tiles.

Tile Name Description
Top workflow runs The Top workflow runs tile shows the total workflow runs for the top 10 workflows over the selected date range, and the workflow names and number of runs during that time.
Workflow Runs Over Time The Workflow Runs Over Time tile shows the total number of workflows that ran each day during the selected date range. This can be useful for seeing trends in your workflow runs. Hover the mouse over an item in the bar graph to see the total runs for that date.
Workflow Runs by Category The Workflow Runs by Category tile shows the top 5 categories based on the number of workflow runs during the selected date range. Hover the mouse over an item in the bar graph to see the number of workflow runs for each category on that date
Average Workflow Run Time (Seconds) The Average Workflow Run Time tile shows the per day average time that your workflows took to complete during the selected date range. Hover the mouse over a point in the line graph to see the average workflow run time for that date.
Workflows Added By Category The Workflows Added By Category tile shows the number of workflows created or imported during the selected date range and the number of workflows tagged to the top 5 categories for the selected date range. Hover the mouse over one of the colored segments of the circle graph to see the category name and number of workflows assigned to that category during the selected date range.
Tile Name Description
CDO Device Summary CDO device status summary.
CDO Objects and Policies CDO objects and policies summary.
CDO VPN CDO VPN summary.
CSDAC - Elements CSDAC elements summary.
CSDAC - Source Connectors CSDAC connectors by type and status.
CSDAC - Destination Adapters CSDAC adapters by type and status.
CSDAC - Dynamic Objects CSDAC dynamic objects and count of mappings.

By default, the Private Intelligence tiles are automatically available to all users in Cisco XDR. You do not need to add an integration to access the tiles.

Tile Name Description
Incident Status by Assignment Displays incidents that are assigned to the current logged in user and others, based on the incident status. Using this tile, you can quickly see incident status and assignees.
High Impact Incidents Displays the top priority compromises known to Cisco XDR. The tile displays the name of the incident, when it was created, its status, to whom its assigned, and the source.

MITRE ATT&CK® Incidents

Displays the tactics and techniques reported by incidents over the selected timeframe. When you hover over the bar graph, it displays the number of incidents reported by each technique for the specified tactic and a link to the MITRE ATT&CK® page for more information on the technique.

Note: Only tactics reported by incidents are displayed in the tile. If a tactic is not listed, it is because there are no tactics, techniques, and procedures in the selected timeframe related to that tactic.

Top Targeted Assets

Displays an overview of the number of incidents reported by the top six assets in descending order, over the selected timeframe.

Unassigned Incidents

Displays a list of incidents that have not been assigned to a user over a selected timeframe, organized by the severity of the incidents.

Detection Sources

Displays the number of incidents reported by the sources listed, over the selected timeframe. This is useful for users to see when there are spikes in the number of incidents.

Team Mean Time Summary

Displays the following data for your organization:

  • Mean Time to Engage - The average time the status of the incidents changed from New to Open by users within the selected timeframe. The New status only includes incidents that were created by a system during the selected timeframe. This allows you to quickly see the average time it took for users within your organization to respond to a new incident during the selected timeframe. It also displays the increased or decreased time from the previous day, week, or month, depending on the selected timeframe.

  • Incidents Engaged - The total number of incidents that changed from New to Open status by users within the selected timeframe. The New status only includes incidents that were created by a system during the selected timeframe.

  • Mean Time to Resolution - The average time the status of the incidents changed from Open to Closed by users within the selected timeframe. The Open status only includes incidents that were opened by users during the selected timeframe. This allows you to quickly see the average time it took for users within your organization to open and resolve incidents during the selected timeframe. It also displays the increased or decreased time from the previous day, week, or month, depending on the selected timeframe.

  • Incidents Resolved - The total number of incidents that changed from Open to Closed status by users within the selected timeframe. The Open status only includes incidents that users opened during the selected timeframe.

User Mean Time Summary

Displays the following data:

  • Mean Time to Engage - The average time the status of the incidents changed from New to Open by you within the selected timeframe. The New status only includes incidents that were created by a system during the selected timeframe. This allows you to quickly see the average time it took for you to respond to a new incident within the selected timeframe. It also displays the increased or decreased time from the previous day, week, or month, depending on the selected timeframe.

  • Incidents Engaged - The total number of incidents that you changed from New to Open status within the selected timeframe. The New status only includes incidents that were created by a system during the selected timeframe.

  • Mean Time to Resolution - The average time the status of the incidents changed from Open to Closed by you within the selected timeframe. The Open status only includes incidents that you opened during the selected timeframe. This allows you to quickly see the average time it took for you to open and resolve incidents within the selected timeframe. It also displays the increased or decreased time from the previous day, week, or month, depending on the selected timeframe.

  • Incidents Resolved - The total number of incidents that you changed from Open to Closed status within the selected timeframe. The Open status only includes incidents that you opened during the selected timeframe.

By default, the Secure Client tiles are automatically available to all users in Cisco XDR. You do not need to add an integration to access the tiles.

Tile Name Description
Computer Summary Shows the number of computers and their issues such as those with conflicting instance key, no instance key, failed package install, failed package reconfigure, and without identity.
Unified Connector Stats Shows the number of unified connectors and their stats such as those with conflicting keys, without key, install failures, reconfigure failures, and without identity.

Secure Cloud Analytics is a software as a service (SaaS) solution that monitors your on-premises and cloud-based network deployments. By gathering information about your network traffic, it creates observations about the traffic, which are facts about behavior on the network, and automatically identifies roles for network entities based on their traffic patterns. Observations on their own do not carry meaning beyond the fact of what they represent. Based on the combination of observations, roles, and other threat intelligence, Secure Cloud Analytics generates alerts, which are actionable items that represent possible malicious behavior as identified by the system.

Secure Cloud Analytics also identifies observations of interesting behavior (highlighted observations), which you can review from its portal UI. Though these observations do not signify malicious behavior on their own, they may represent otherwise notable traffic on your network.

The following describes the Secure Cloud Analytics tiles that you can display in Cisco XDR, which represent Secure Cloud Analytics findings.

Tile Name Description
Alert Overview Chart

Displays a multilevel pie chart that shows, based on the selected time frame, in the outer ring:

  • new Secure Cloud Analytics alerts created within the time frame

  • open Secure Cloud Analytics alerts created before the time frame, and not yet closed within the time frame

  • closed Secure Cloud Analytics alerts closed during the time frame

And in the inner ring:

  • assigned Secure Cloud Analytics alerts

  • unassigned Secure Cloud Analytics alerts
Alert Quick View Displays the current number of open Secure Cloud Analytics alerts and unassigned Secure Cloud Analytics alerts.
Device Count Chart Displays the number of unique entities that Secure Cloud Analytics detected transmitting traffic on your network during a given time frame, displayed as a vertical bar chart.
Observation Count Displays the total number of observations that Secure Cloud Analytics generated in a given time frame, and the total number of highlighted observations in that time frame. The Observations and Highlighted Observations links take you to the Secure Cloud Analytics portal UI to view more information about these observations.
Sensor Status Displays a list of your configured Secure Cloud Analytics sensors, and if they are active or inactive.
Traffic Over Time Chart Displays the amount of inbound traffic, inbound encrypted traffic, outbound traffic, and outbound encrypted traffic monitored by Secure Cloud Analytics for the selected time frame as a stacked bar chart.

Incoming Email Metrics

Tile Name Description
Incoming Files Handled by AMP A set of metrics summarizing Secure Endpoint analysis of incoming email.
Incoming Mail Summary A set of metrics summarizing mail flow activity.
Incoming Threat Messages Summary A set of metrics summarizing threat activity.
Email Summary A set of metrics summarizing mail flow activity.
Top Incoming Mail Connections by Country A set of metrics summarizing top incoming mail connections by country.
Top Senders (Domains) by Total Incoming Threat Messages A set of metrics summarizing top senders (domains) by total incoming threat messages.
Top Senders (IP Addresses) by Total Incoming Threat Messages A set of metrics summarizing top senders (IP addresses) by total incoming threat messages.
Top Incoming Virus Types Detected A set of metrics summarizing top incoming virus types detected.
Top URL Spam Messages A set of metrics summarizing top URL spam messages.

Outgoing Email Metrics

Tile Name Description
Outgoing Mail Summary A set of metrics summarizing outgoing mail flow activity.
Top Outgoing Sender Domains by Total Outgoing Threat Messages A set of metrics summarizing top sender domains by total outgoing threat messages.
Top Sender IP Addresses by Total Outgoing Threat Messages A set of metrics summarizing top sender IP addresses by total outgoing threat messages.

Incoming Email Metrics

Tile Name Description
Incoming Files Handled by AMP A set of metrics summarizing Secure Endpoint analysis of incoming email.
Incoming Mail Summary A set of metrics summarizing mail flow activity.
Incoming Threat Messages Summary A set of metrics summarizing threat activity.
Email Summary A set of metrics summarizing mail flow activity.
Top Incoming Mail Connections by Country A set of metrics summarizing top incoming mail connections by country.
Top Senders (Domains) by Total Incoming Threat Messages A set of metrics summarizing top senders (domains) by total incoming threat messages.
Top Senders (IP Addresses) by Total Incoming Threat Messages A set of metrics summarizing top senders (IP addresses) by total incoming threat messages.
Top Incoming Virus Types Detected A set of metrics summarizing top incoming virus types detected.
Top URL Spam Messages A set of metrics summarizing top URL spam messages.

Outgoing Email Metrics

Tile Name Description
Outgoing Mail Summary A set of metrics summarizing outgoing mail flow activity.
Top Outgoing Sender Domains by Total Outgoing Threat Messages A set of metrics summarizing top sender domains by total outgoing threat messages.
Top Sender IP Addresses by Total Outgoing Threat Messages A set of metrics summarizing top sender IP addresses by total outgoing threat messages.

Note: The Secure Email Threat Defense (Australia) and Secure Email Threat Defense (India) integrations are available in the Asia Pacific, Japan, China region.

Tile Name Description
Messages by Direction Shows your total email traffic by direction. Mail is divided into Outgoing, Mixed, Internal, and Incoming.
Malicious & Phishing Shows a snapshot of messages that were determined to be Malicious or Phishing.
Spam Shows a snapshot of messages that were determined to be Spam.
Graymail Shows a snapshot of messages that were determined to be Graymail.
Tile Name Description
Compromises detected A set of metrics summarizing compromises detected by Secure Endpoint.
Computers Summary A set of metrics summarizing the state of Secure Endpoint computers.
Summary A set of metrics summarizing Secure Endpoint detection and response.
Quarantines A set of metrics summarizing Secure Endpoint quarantines by time.
MITRE ATT&CK Tactics detected A set of metrics summarizing MITRE ATT&CK® tactics detected by Secure Endpoint.
Threat Hunting Threat hunting incidents by the threat hunting source.
Top Endpoint Compromises Top compromises by severity score.
Top Dynamic Threats Top dynamic threats.
Top Malware Threats Top threats by compromise detections aggregated by detection name.
Top Compromise Observables Top compromise observables.

Important Information about Tiles

Tiles showing metrics for events show events that have been sent from Secure Firewall Threat Defense devices to Security Services Exchange within the past 7 days.

To ensure that you see the correct set of events, you must correctly configure auto-promotion options in Security Services Exchange. For details, see the online help in Security Services Exchange. To access Security Services Exchange, you can click a summary value in the Event Summary tile.

Some tiles are applicable only to systems managed by Secure Firewall Management Center, not to deployments managed by Secure Firewall Device Manager.

Some links from these tiles take you to your Secure Firewall Management Center appliance. As long as your browser can connect to your internal network, you can access your Secure Firewall Management Center from within Cisco XDR. (Cisco XDR does not need to connect to your corporate network.)

To cross-launch Secure Firewall Management Center from the tiles in Cisco XDR, the Secure Firewall Management Center's name must be a Fully Qualified Domain Name (FQDM). To change the name of your Secure Firewall Management Center, go to System > Configuration > Information in the Secure Firewall Management Center web interface and modify the Name field.

Tile Name Description
Event Summary This tile summarizes Secure Firewall Threat Defense events in Security Services Exchange within the timeframe selected, up to 7 days. You can view event details in Security Services Exchange by clicking metrics in this tile. Security Services Exchange will open in a separate browser window
Incident Promotion Reason

This tile summarizes Secure Firewall Threat Defense events in Security Services Exchange that have been promoted to incidents within the timeframe selected, up to 7 days.

The tile displays the reasons that events were promoted to incidents, which can be:

  • Automatically by the system (Talos Disposition)

    Intrusion events that involve an IP address with a poor Talos IP reputation score are automatically promoted to incidents. If you have enabled auto-promotion of malware events in Security Services Exchange, this metric also includes malware events with a poor source IP reputation score.

  • Automatically based on your organization's configured auto-promote settings in Security Services Exchange.

    These settings are located in Security Services Exchange by clicking Cloud Services > Eventing > > Auto-Promote Events

    Security Intelligence categories (DNS, URL, and IP addresses) include events promoted based on matches based on Talos threat intelligence data and, if Security Services Exchange is configured to automatically promote events based on custom security intelligence lists and feeds, those events as well.

    The other configurable auto-promotion reasons are Intrusion Rules Category, Malware Threat Score, and Custom IP Address.

  • Manually by a user from the Events page in Security Services Exchange. (User Promoted)

Select or deselect check boxes to modify the graph display.

For more information about promoting events to incidents, see the online help in Security Services Exchange.
Talos IP Reputation

This tile summarizes the Talos reputation scores of the public IP addresses associated with intrusion and malware events sent from Secure Firewall Threat Defense to Security Services Exchange within the timeframe selected (up to 7 days.)

This value is based on the same threat data as the Talos Disposition value in the Incident Promotion Reason tile, but the counts may differ because of the way they are calculated. For example, Talos IP Reputation counts source and destination IP addresses separately, while the Talos Disposition value increments only once per incident, even if both source and destination IP addresses have poor reputation.

The Talos IP Reputation threat metric used to promote events from Security Services Exchange to incidents is not used in Secure Firewall Threat Defense devices. It is similar to, but different from, the Security Intelligence data for networks.

You can view event details in Security Services Exchange by clicking a metric in this tile. Security Services Exchange will open in a separate browser window.

The count of events shown in Security Services Exchange may differ from the count of events shown in the tile. Duplicate events are automatically removed from Security Services Exchange, and your configurations in Security Services Exchange may automatically filter out events. The tile shows the event count before such actions are taken in Security Services Exchange.
Intrusion Top Attackers

List of top attackers for intrusion events in your organization that were sent from Secure Firewall Threat Defense devices to Security Services Exchange.

This tile shows up to 7 days worth of data, even if a longer timeframe is selected at the top of the dashboard. Look at the timeframe selected on the tile itself.
Intrusion Top Targets

List of top targets for intrusion events in your organization that were sent from Secure Firewall Threat Defense devices to Security Services Exchange.

This tile shows a maximum of 7 days worth of data, even if a longer timeframe is selected at the top of the dashboard. Look at the timeframe selected on the tile itself.
Intrusion Top Signatures

List of top signatures for intrusion events in your organization that were sent from Secure Firewall Threat Defense devices to Security Services Exchange.

This tile shows a maximum of 7 days worth of data, even if a longer timeframe is selected at the top of the dashboard. Look at the timeframe selected on the tile itself.
Device Inventory

Important: In order to use this tile, Cisco Success Network must be enabled in each Secure Firewall Threat Defense. Enable this feature on the System > Smart Licenses page in Secure Firewall Management Center. If you have questions, search the Secure Firewall Management Center online help for "Cisco Success Network".

This tile shows only data from deployments with Secure Firewall Management Center. Devices managed by Secure Firewall Device Manager are not reflected in this tile.

This tile shows whether the Secure Firewall Management Center appliances that are registered to Cisco XDR, and their managed devices, are running at least the suggested software version. This minimum version may not be the latest available software version. Instead, it is determined by Cisco based on software quality, stability, and longevity.

For best protection, all of your Secure Firewall Management Centers and all managed devices should be running at least the suggested version. For upgrade instructions, see the Cisco Firepower Management Center Upgrade Guide at https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-guides-list.html.

Clicking the Suggested version link takes you to the Software Downloads page on Cisco.com for Virtual Appliance downloads. The same download can be used for all virtual and hardware Secure Firewall Management Center appliances.

A zero (0) in the Managed devices needing upgrade column indicates that all of this Secure Firewall Management Center's managed devices are up to date.
Security Update Status

Important: In order to use this tile, Cisco Success Network must be enabled in each Secure Firewall Management Center. Enable this feature on the System > Smart Licenses page in Secure Firewall Management Center. If you have questions, search the Secure Firewall Management Center online help for "Cisco Success Network".

This tile shows only data from deployments with Secure Firewall Management Center. Devices managed by Secure Firewall Device Manager are not reflected in this tile.

For effective protection, your system should always use the latest threat intelligence.

If this tile shows that your deployment is not up to date, download and install the latest updates.

For information about these updates and options and instructions for manually or automatically installing them, see the "System Updates" chapter in your Secure Firewall Management Center online help.
Security Capabilities

Important: In order to use this tile, Cisco Success Network must be enabled in each Secure Firewall Management Center. Enable this feature on the System > Smart Licenses page in Secure Firewall Management Center. If you have questions, search the Secure Firewall Management Center online help for "Cisco Success Network".

This tile shows only data from deployments with Secure Firewall Management Center. Devices managed by Secure Firewall Device Manager are not reflected in this tile.

This tile indicates how extensively you are using the security features. Specifically:

The number of devices managed by each Secure Firewall Management Center that have been assigned each type of license.

The number of rules that require each type of license that have been deployed to any device managed by each Secure Firewall Management Center.

As a simple example, if you have 1 access control policy that has 3 URL filtering rules, and you have deployed that policy to 4 managed devices, the rule count is 12.
Tile Name Description
Threat Scores Counting submissions by threat score ranges.
Total Submissions by Result Counting submissions by status.
Total Submissions by Threat Score Counting submissions by threat score ranges.
Total Convictions Counting total convicted submissions.
Submissions Source by Result Counting submissions by status, grouped by submission source.
Submission Source by Threat Score Counting submissions by threat score ranges, grouped by submission source.
Submission Environments Counting convicted vs. non-convicted submissions, grouped by environment.
Submission File Types Counting submissions by file type.
Entitlement API Sample Submissions Counting submissions vs. rate-limited submissions.
Submission Network Exits Counting submissions by the network exit used during analysis.
Top Tags Counting submissions by tag.
Top IP Addresses Counting submissions by IP referenced during analysis.
Top Domains Counting submissions by domain referenced during analysis.
Top Behavioral Indicators Counting indicators triggered during submissions.
Tile Name Description
Alarming Hosts by Category Number of hosts in the alarm categories since the last reset hour.
Network Visibility Statistics for the number of hosts and the amount of traffic.
Top Alarming Hosts Top 7 inside hosts, sorted by alarm severity, that have been active on your network since the last reset hour.
Top Alarms By Count Top 10 alarms by count.
Top Inside Host Groups by Traffic Top 10 inside host groups by traffic.
Top Outside Host Groups by Traffic Top 10 outside host groups by traffic.
Visibility Assessment Number of hosts in the Visibility Assessment categories.
Tile Name Description
Incoming Filed Analyzed by AMP A set of metrics summarizing incoming files analyzed by Secure Endpoint.
HTTPS Reports A set of metrics summarizing web transactions for HTTP and HTTPS traffic.
Top Domains A set of metrics summarizing top domains in web transactions.
Top Malware Categories A set of metrics summarizing top malware categories in web transactions.
Top URL Categories A set of metrics summarizing top URL categories in web transactions.
Tile Name Description
Tetration Monitored Inventory Metrics Metrics describing the current learned inventory.
Tetration Policy Metrics Metrics describing the configured segmentation policies.
Tetration Software Agents Summary Metrics describing the connected software agents.
Tile Name Description
Security Blocks by Command-and-Control Category A set of metrics summarizing security blocks by command-and-control category.
Security Blocks by Cryptomining Category A set of metrics summarizing security blocks by the cryptomining category.
Security Blocks by Malware Category A set of metrics summarizing security blocks by malware category.
Security Blocks by Phishing Category A set of metrics summarizing security blocks by phishing category.
Cloud Malware Summary A set of metrics summarizing Cloud Malware for approved applications.
Request Summary A set of metrics summarizing Umbrella requests.
Firewall Sessions and Blocks Total firewall sessions and blocks.
Proxy Sessions and Blocks Total proxy sessions and blocks.
Proxy Security Blocks Total proxy security blocks.