Cisco Secure Access Integration
Cisco Secure Access is Cisco's cloud security product, enforcing security via DNS, Secure Web Gateway (SWG), Firewall as a Service (FWaaS) and Intrusion Prevention System (IPS), Zero Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), and Data Loss Prevention (DLP). Cisco Secure Access automatically uncovers attacker infrastructure staged for current and emerging threats and proactively blocks malicious requests before they reach a customer’s network or endpoints. When integrated with Cisco XDR, customers can stop phishing and malware infections earlier, identify already-infected devices faster, and prevent data exfiltration. The integration provides complete visibility into internet activity across all users in all covered locations. The following Cisco Secure Access functions are supported and linked via an API key generated in the Cisco Secure Access Platform:
- Investigate: Provides a view into global threat data via a browser or API. Cisco XDR uses that API to pull threat intelligence from Cisco Secure Access Investigate and automatically enrich the IPs and domains that are being investigated.
- Reports: Provides details associated with sightings of domain observables that are being investigated, API usage, and cloud-based applications and services.
- Deployments: Provides Cisco XDR with a view into your networks and network entities data.
- Policies: Enables Cisco XDR to add and manage Secure Access policies, which include destination lists and private resource groups.

- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Cisco tab and navigate to the Cisco Secure Access integration.
- Click Get Started. The Cisco Secure Access integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Cisco Secure Access integration in Cisco XDR.

You can perform the following tasks after you integrate Cisco Secure Access with Cisco XDR:
- Dashboard - Add Cisco Secure Access cards to a dashboard in Control Center to view data, such as event summary. For details, see Configure Dashboards and Cards. For a list of available Cisco Secure Access tiles, see Integration Cards.
- Investigate - Start a new investigation by searching on suspicious indicators of compromise to extract observables for enrichment. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Cisco Secure Access has recent information. For details, see Investigate.
- Pivot Menu - Use the Pivot menu to access actions in Cisco Secure Access. Available actions include investigating an IP address. You can also install workflows from the Automation Exchange to add more actions to the Pivot menu.
- Assets - View devices reported by Cisco Secure Access. For more information, including how to filter the view to only the reports from Cisco Secure Access, see Devices.
- Automation:
  - Atomic Actions - The atomic actions for Cisco Secure Access can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.
  - Workflows - The workflows for Cisco Secure Access can be installed from the Automation Exchange. See Workflows and Exchange.