Third-Party Integrations

Note: All third-party integrations require Cisco XDR Advantage or Cisco XDR Premier licensing tier. For more information on the licensing tiers, see Cisco XDR Licenses.

The following list describes the third-party products that can be integrated with Cisco XDR. Each entry gives the third-party integration name followed by its description:

Cohesity Data Cloud

Integrating Cohesity DataProtect with Cisco XDR allows SOC and IT teams to automatically take a snapshot of business-critical data as often as needed, early in the incident response process. Automated workflows also allow teams to rapidly recover impacted assets from recent and immutable backup snapshots.

CrowdStrike

CrowdStrike Falcon is an Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) offering. CrowdStrike security events can generate and contribute to correlated incidents in Cisco XDR.

In Cisco XDR, we enable CrowdStrike users to leverage it for threat hunting and investigation features as well as rapid response actions to understand and defend against threats on the endpoint. It also provides important device inventory context to help triage detected threats.

Use the CrowdStrike integration to query for security detections of many different observables including file, network, email, host, and process identifiers, as well as to add MD5 and SHA-256 file hashes, IPv4 and IPv6 addresses, and domain names to blocklists, and isolate specific hosts from the network. This integration can also provide host and vulnerability information to Cisco XDR for triaging detections and incidents. It also creates a target automatically in Automation for out-of-box workflows.

Cybereason

Cybereason is an Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) offering. In Cisco XDR, we enable Cybereason users to leverage it for threat hunting and investigation features, as well as rapid response actions to understand and defend against threats on the endpoint. It also provides important device inventory context to help triage detected threats.

Use the Cybereason integration to search for security detections involving specific hostnames, host GUIDs, or filenames. Cybereason can also be used through Cisco XDR to isolate hosts from the network and block file hashes on endpoints.

Darktrace RESPOND & DETECT

Darktrace is a Network Detection and Response (NDR) offering. In Cisco XDR, we enable Darktrace users to leverage it for threat hunting and investigation features. Use the Darktrace integration to query for security detections of observables including IP, hostname, and Darktrace device ID.

ExtraHop Reveal(x) Enterprise

ExtraHop Reveal(x) Enterprise is a network detection and response (NDR) solution that provides east-west visibility, real-time threat detection inside the perimeter, and intelligent response. With SaaS-based ExtraHop Reveal(x) 360, you can unify across hybrid, multicloud, containerized and IoT environments with NDR.

Integration with ExtraHop Reveal(x) Enterprise allows you to automatically search for devices, add or remove devices from a watchlist, and search for detections. This integration also creates an HTTP target automatically in Automation for out-of-box workflows.

Ivanti Neurons

Ivanti Neurons (formerly MobileIron) is an Enterprise Mobility Manager (EMM), also known as a Mobile Device Manager (MDM) or a Unified Endpoint Manager (UEM). When you integrate Ivanti Neurons with Cisco XDR, it enriches the endpoint details available in Assets and the endpoint data available when you investigate incidents.

Jamf Pro

Jamf Pro is a leader for management of Apple macOS, iOS, and tvOS devices. When you integrate Jamf Pro with Cisco XDR, it enriches the endpoint details available in Assets and the endpoint data available when you investigate incidents.

Jira Cloud

Jira Cloud is built for every member of your software team to plan, track, and manage their work. Jira offers bug tracking, issue tracking, agile project management, and more.

Enabling this integration in Cisco XDR will make the Jira API available as a target for Automation workflows.

Microsoft Azure Active Directory - Users

Microsoft Azure Active Directory (AD) is a cloud-based identity and access management service.

Integrating Microsoft Azure AD with Cisco XDR provides user and device information to the Cisco XDR Assets feature and it enriches investigations and incident triage and response with device and user context.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an Endpoint Detection and Response (EDR) offering. Microsoft Defender for Endpoint security events can generate and contribute to correlated incidents in Cisco XDR.

In Cisco XDR, we enable Microsoft Defender for Endpoint users to leverage it for threat hunting and investigation features, as well as rapid response actions to understand and defend against threats on the endpoint.

Use the Defender for Endpoint integration to search for security detections involving specific hostnames, machine IDs, IPs, and file hashes. Defender for Endpoint can also be used through Cisco XDR to isolate hosts from the network and block many types of observables, including file hashes, network resources (such as IP addresses, domains, and URLs), and certificates. This application can also be used to provide host information, including vulnerability information, for use in triaging incidents and detections. It also creates a target automatically in Automation for out-of-box workflows and provides important device inventory context to help triage detected threats.

Note: This is listed as an application in the Microsoft Cloud integration on the Integrations page.

Microsoft Intune

Microsoft Intune is an Enterprise Mobility Manager (EMM), also known as a Mobile Device Manager (MDM) or a Unified Endpoint Manager (UEM). When you configure the Microsoft Intune integration, it enriches the endpoint details available in Assets and the endpoint data available when you investigate incidents.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect your organization against advanced threats delivered via email and collaboration tools, like phishing, business email compromise, and malware attacks. In Cisco XDR, we enable Defender for Office 365 users to leverage email intelligence and detections while performing incident investigations and threat hunting.

Use the Microsoft Defender for Office 365 integration to search for security detections and associated indicators, reputations, and references, involving specified email addresses, URLs, email subjects, message IDs, IPs, domains, or file hashes. It also creates a target automatically in Automation for out-of-box workflows.

Note: This is listed as an application in the Microsoft Cloud integration on the Integrations page.

PagerDuty

The PagerDuty Operations Cloud is the platform for mission-critical, time-critical operations work in the modern enterprise. Through the power of AI and automation, it detects and diagnoses disruptive events, mobilizes the right team members to respond, and streamlines infrastructure and workflows across your digital operations. The Operations Cloud is essential infrastructure for revolutionizing digital operations to compete and win as a modern digital business.

Enabling this integration in Cisco XDR will make the PagerDuty REST and Events APIs available as targets for Automation workflows. Workflows can be used to do things like send a page through PagerDuty when Cisco XDR incidents are generated.

Palo Alto Networks Cortex XDR

Palo Alto Networks Cortex XDR is an Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) offering. Integration with Palo Alto Networks Cortex XDR allows Cisco XDR to leverage Cortex response actions to respond to incidents or proactively mitigate threats in the following ways: add files to blocklists, quarantine or unquarantine endpoints, and perform malware scans on endpoints.

This integration also creates a target automatically in Automation for out-of-box workflows and provides important device inventory context to help triage detected threats.

Red Sift Pulse

Red Sift Pulse provides IP, hostname, and domain-based threat intelligence to Cisco XDR users to aid swift identification and remediation of phishing and impersonation attacks.

By leveraging Red Sift OnDMARC's email security capabilities, Red Sift Pulse gives security teams complete visibility into and control over what's happening across their email-sending infrastructure. For example, it constantly monitors and discovers new domains and subdomains, ingests spam trap emails, and detects unauthenticated emails and malicious IPs.

This integration enables:

  • Enriched threat intelligence - Red Sift Pulse is a key source of email and domain-based data, feeding Cisco XDR intelligence on unauthenticated traffic, spam and malicious IPs, and user-reported email threats.

  • Augmented threat response - Threat intelligence provided by Red Sift Pulse enriches and bolsters findings to expedite data-driven decision-making.

  • Scalable remediation efforts - Analysts can build automated workflows based on the detection of specific incidents by Red Sift Pulse to aid more efficient remediation and quickly close the loop on investigations.

SentinelOne

SentinelOne Singularity is an Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) offering. In Cisco XDR, we enable Singularity users to leverage it for threat hunting and investigation features, as well as rapid response actions to understand and defend against threats on the endpoint. It also provides important device inventory context to help triage detected threats.

Use the SentinelOne integration to search for security detections involving specific hostnames, host GUIDs, filenames, paths, hashes, process names, and process arguments. SentinelOne can also be used through Cisco XDR to isolate hosts from the network and block file hashes on the endpoint. This integration can also be used to provide host information, including vulnerability information for use in triaging incidents and detections. It also creates a target automatically in Automation for out-of-box workflows.

ServiceNow

ServiceNow allows you to simplify the way you work. Deliver great experiences and enhance productivity with powerful digital workflows across all areas of your business. ServiceNow is a suite of products that provides various capabilities.

Enabling this integration in Cisco XDR will make the ServiceNow API available as a target for Automation workflows. This target can be used to perform tasks such as creating incidents, creating change tickets, and more.

Slack

Slack brings team communication and collaboration into one place so you can get more work done, whether you belong to a large enterprise or a small business. This integration allows Cisco XDR users to leverage Slack as a team collaboration and communication tool in Automation workflows, including incident notification and response.

Trend Vision One

Trend Vision One is an Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) offering. In Cisco XDR, we enable Trend Vision One users to leverage it for threat hunting and investigation features, as well as rapid response actions to understand and defend against threats on the endpoint. It also provides important device inventory context to help triage detected threats.

Use the Trend Vision One integration to search for security detections involving specific hostnames, host GUIDs, domains, IPs, file hashes, email senders and subjects, usernames, process names, and process arguments. Trend Vision One can also be used through Cisco XDR to isolate hosts from the network and block many kinds of observables, including file hashes, email senders, and network resources such as IP addresses, domains, and URLs.

VMware Workspace ONE UEM

VMware Workspace ONE (formerly AirWatch) is an Enterprise Mobility Manager (EMM), also known as a Mobile Device Manager (MDM) or a Unified Endpoint Manager (UEM). When you integrate VMware Workspace ONE with Cisco XDR, it enriches the endpoint details available in Assets and the endpoint data available when you investigate incidents.

xMatters

The xMatters service reliability platform helps DevOps, SRE, and Ops teams automate workflows, ensure infrastructure availability, and deliver products at scale. Eliminate digital event disruptions by leveraging AI, analytics, and workflows to automate and accelerate response times all the way to resolution.

Enabling this integration in Cisco XDR will make the xMatters API available as a target for Automation workflows. Workflows can be used to do things like send a page through xMatters when Cisco XDR incidents are generated.

Zendesk

Zendesk provides a complete customer service solution that is easy to use and scales with your business. Customer service is about more than the customer. It's about your business and your teams, too. Zendesk not only makes things easy on your customers, but also sets your teams up for success and keeps your business in sync. It's everything you need, in one powerful package.

Enabling this integration in Cisco XDR will make the Zendesk API available as a target for Automation workflows. Workflows can be used to perform tasks such as creating Zendesk tickets when Cisco XDR incidents are generated.