These integrations provide understanding of email as a threat vector by visualizing message, sender, and target relationships in the context of a threat. Email integrations provide tiles to the control center, as well as actions for orchestration so practitioners can build automated workflows, helping to obtain better insight into the context of a threat to combat phishing attacks, business email compromise, malware, and ransomware.
Endpoint detection and response (EDR) integration is a core foundation of Cisco XDR. EDRs provide a list of all managed endpoints. These endpoints and their details are extracted and stored within a centralized location of Cisco XDR, allowing for devices to be uniquely identified and acted upon without depending on unreliable IP addresses.
Endpoint context allows investigation on files and processes matching a SHA256 hash across URLs. These key data points are correlated to promote alerts to high-efficacy incidents. They are essential for taking response steps (one click or fully automated) to mitigate, contain, eradicate, or recover from an attack.
NDR is also a core foundational integration of Cisco XDR, as it enriches threat detection with agentless behavioral and anomaly detection capabilities and unique network device context. It can be combined with sources of global threat intelligence and internal visibility to develop confirmed threat alerts based on known incidents of compromise.
By integrating NDR, users gain a more holistic response, using Cisco XDR to process and manage high-priority alerts from NDRs (and any other configured alerting technology). NDRs also offer a rich set of network device context, which is essential for ascertaining incident criticality. Cisco XDR queries this historical network data to enrich threat hunting, forensic audits, and XDR incidents, which simplifies visibility and increases response efficiency.
The integration of NGFW devices provides sightings of IP addresses, URLs, and domains as context for XDR incidents and to further forensic investigations in Cisco XDR. Additionally, users can leverage Secure Firepower to block IPs at the perimeter. Cisco Secure Firewall devices can also be configured to send alerts to Cisco XDR to be triaged and correlated, so that the most pressing alerts are displayed to the user in the Cisco XDR incident manager.
Querying all configured Secure Firewall and third-party firewall devices to enrich observables related to an XDR incident improves visibility and understanding of attacks. Combining these queries with automated response capabilities, and using them in coordinated, single-click defenses, simplifies visibility and increases response efficiency.
Cisco XDR can use SIEMs to query threat response for targets and verdicts on observables, either through built-in enrichment or through manual investigations. Supported observable types include IPv4 addresses, IPv6 addresses, domains, filenames, and SHA256 file hashes. These integrations enable an investigator to collect sightings from many data sources by using the integration as a translation layer between data models within Cisco XDR workflows.
These sources have their own inventories of devices or device objects, and these integrations bring information about the devices into a centralized location within Cisco XDR. This comprehensive view provides the data and context needed to better identify vulnerabilities, prevent threats, and prioritize remediations. Enrich all investigations with leading reputational insight on domains and more. Discover, and quickly block, the sources of attacks, the recipients of potential or discovered data leakage, or other parts of adversary infrastructure. Protect your network against the most common threat vector, whether users are browsing the web in the office, on the road, or anywhere in between.
Cloud security integrations are valuable in reducing security and compliance risks, managing security policies across multiple products, determining which vulnerabilities pose the highest risk and which can be deprioritized, and securing applications in hybrid work environments. Additional capabilities from these integrations include protection against DDoS threats and OWASP-category attacks, and extended web security.
Integrate Cisco XDR with the leading public cloud providers to gather network metadata from flow logs, proprietary logs, and APIs, providing a powerful source for entity modeling, baselining, and detecting malicious network activity. Entity modeling uses flow metadata to build a model of normal activity from observed device behavior, then uses this model to spot changes in behavior that may be due to misuse, malware, or compromise.
By integrating public cloud providers, Cisco XDR helps security operations centers (SOCs) stop chasing cybercriminals and their never-ending myriad of exploits, malware, and other threats by trying to keep up with their signatures. Instead, the SOC can focus its security efforts on a small, prioritized number of significant, automatically detected deviations from established patterns and activities, as identified by entity modeling.
Access to numerous threat intelligence sources is included with Cisco XDR at no additional cost. These include the Talos database, the default Cisco threat intelligence architecture, and a private repository into which users can upload their own threat intelligence, whether the intelligence is generated in-house or acquired from other sources.
Integrating Cisco Secure Malware Analytics with Cisco XDR gives users detailed intelligence about malware, its associated network traffic, system changes, and more, yielding heightened malware threat intelligence through automated detonation of suspected files submitted by a global user base.
Product names with the ‘N’ designation are native Cisco integrations; those with a ‘C’ are Cisco-curated integrations of third-party products. Both are supported out of the box.