Secure Firewall Integration
Integrate Secure Firewall (formerly Secure Firewall Threat Defense) with Cisco XDR to unify your firewall deployment with Cisco's integrated security solutions, providing seamless visibility, enhanced automation, and strengthened security across your network.
This integration requires:
- a Security Cloud Control (SCC) tenant
- SAL (Security Analytics and Logging) for full integration with Cisco XDR's Data Analysis Platform
The complete integration allows Cisco XDR users to leverage Cisco Secure Firewall for incident generation, threat investigation, and response actions. A partial integration is also available that does not require SAL and only provides threat investigation and response outcomes.
Events that are available to drive investigation and incident response are:
- Cisco Secure Firewall intrusion events (FTD version 6.4 and later)
- File and malware events (FTD version 6.5 and later)
- High-priority connection events related to file, malware and intrusion events (FTD version 6.5 and later)

With SAL, these events are ingested into the Cisco XDR Data Analytics Platform and correlated with other detections and telemetry to form meaningful, holistic incidents for your teams to process and respond to.
In all integrations, with or without SAL, these events are available to enrich Cisco XDR incidents and support ad-hoc threat hunting and investigation. Returned information when investigating network objects such as IPs and domains includes any of these alerts that involved the investigated observable, along with details such as internal and external IP address, the direction of the traffic that triggered the event, the title and message of the intrusion event if applicable, additional details of the event, and the date and time of the alert.
With this integration, customers can also use their Cisco Secure Firewall deployment to enforce IP and domain blocks in response to attacks, or proactively against expected threats. In addition, the automatic inclusion of the firewall APIs in Cisco XDR Automate simplifies the use of these and other firewall capabilities from within the Cisco XDR interface, Automation workflows, and response playbooks.
To configure this integration, see the Cisco Secure Firewall Threat Defense and Cisco XDR Integration Guide.
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Cisco tab and navigate to the Secure Firewall integration.
- Click Get Started. The Secure Firewall integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Secure Firewall integration in Cisco XDR.
You can perform the following tasks after you integrate Secure Firewall with Cisco XDR:
- Incidents - When you enable the Secure Firewall integration, Cisco XDR automatically ingests the events that are sent by Secure Firewall and uses them for incident correlation. For details, see the Integrate with Cisco XDR section in the Cisco Secure Firewall Integrations Overview Guide.
- Investigate - Start a new investigation into any combination of IP addresses, domains, URLs, file hashes, file names, registry keys, and so on; the results include any records of them found in Secure Firewall. To verify that the integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Secure Firewall has recent information. For details, see Investigate.
- Dashboard - Add Secure Firewall cards to a dashboard in Control Center to view data such as intrusion events, network compliance, or traffic statistics. For details, see Configure Dashboards and Cards. For a list of available Secure Firewall cards, see Integration Cards.
- Feeds - Create one or more feeds in Cisco XDR for consumption by Secure Firewall, and then configure Secure Firewall to consume each feed at its URL. For details, see Feeds.
- Automation:
  - Atomic Actions - The atomic actions for Secure Firewall can be used as building blocks in custom workflows. They appear as available activities in the left menu of the Workflow Editor. Workflows that use Security Services Exchange (SSX) as a proxy authenticate with the Automation APIs target. See Workflows, Atomic Actions, and Default Targets.
  - Playbooks - Cisco XDR has multiple incident response playbooks that can add observables to threat intelligence feeds. These feeds can be used by Secure Firewall to influence policy decisions related to IP addresses, URLs, and domains. See Containment on the Response page.
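Once a feed is wired into Secure Firewall, every entry a playbook adds to it becomes a block decision, so a stray internal address or an over-broad CIDR in the feed is a self-inflicted outage rather than a containment action. The following is an added example, not Cisco's code and not part of the XDR feed or Secure Firewall API: it assumes the feed is served in the plain-text, one-entry-per-line form (IP address, CIDR block, domain name, or URL, with `#` comment lines) that Secure Firewall Security Intelligence custom feeds consume, and it validates and partitions a constructed sample feed before the firewall is pointed at it. The protected ranges and the size cap are assumptions to adapt to your address plan.

```python
"""Validate a plain-text block-list feed before Secure Firewall consumes it.

Added example, not Cisco's code. Assumes the feed format is one IP address,
CIDR block, domain name, or URL per line, with '#' comment lines.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample feed. Some entries are deliberately bad so the
# checks below have something to reject.
SAMPLE_FEED = """\
# constructed sample feed for illustration
198.51.100.23
203.0.113.0/24
2001:db8::1
0.0.0.0/0
10.0.0.5
malicious.example
http://malicious.example/login.php
not a valid entry
"""

# Assumption: RFC 1918, link-local and ULA space is the organization's own
# address space and must never be blocked through an external feed.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]
# Assumption: anything broader than a /16 is a mistake, not a threat list.
MAX_CIDR_HOSTS = 2 ** 16

# Hostname: dot-separated labels, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def classify(entry):
    """Return (kind, value): kind is 'ip', 'domain', 'url' or 'invalid'.

    For 'invalid', value is the reason the entry was rejected.
    """
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if net.num_addresses > MAX_CIDR_HOSTS:
            return "invalid", f"{entry}: block too broad ({net.num_addresses} addresses)"
        # subnet_of() only compares networks of the same IP version.
        if any(net.subnet_of(p) for p in PROTECTED if p.version == net.version):
            return "invalid", f"{entry}: inside protected range"
        # Keep the CIDR notation only if the feed author wrote one.
        return "ip", str(net) if "/" in entry else str(net.network_address)
    if "://" in entry:
        parts = urlsplit(entry)
        if parts.scheme in ("http", "https") and parts.hostname \
                and DOMAIN_RE.match(parts.hostname):
            return "url", entry
        return "invalid", f"{entry}: malformed URL"
    if DOMAIN_RE.match(entry):
        return "domain", entry.lower()
    return "invalid", f"{entry}: not an IP, CIDR, domain or URL"


def parse_feed(text):
    """Split feed text into per-type entry lists plus rejected entries.

    Comment lines start with '#'; duplicates of accepted entries are dropped.
    """
    out = {"ip": [], "domain": [], "url": [], "invalid": []}
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = classify(line)
        if kind != "invalid":
            if value in seen:
                continue
            seen.add(value)
        out[kind].append(value)
    return out


if __name__ == "__main__":
    result = parse_feed(SAMPLE_FEED)
    for kind in ("ip", "domain", "url"):
        print(f"{kind}: {result[kind]}")
    for reason in result["invalid"]:
        print(f"rejected: {reason}")
```

Run it over the real feed body (fetched from the feed URL shown in Cisco XDR) as a pre-check in the workflow that publishes the feed, and fail the workflow if `invalid` is non-empty; the three accepted lists map onto the IP, domain and URL object types that Secure Firewall policy decisions are made against.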