Integrating Your Appliance with Cisco XDR
Cisco XDR is a security platform embedded with every Cisco security product. It is cloud-native with no new technology to deploy. Cisco XDR simplifies the demands of threat protection by providing a platform that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications. By connecting technology in an integrated platform, Cisco XDR delivers measurable insights, desirable outcomes, and unparalleled cross-team collaboration. Cisco XDR enables you to expand your capabilities by connecting your security infrastructure.
Cisco XDR is a threat incident response orchestration hub that supports and automates integrations across multiple Cisco Security products. As a key pillar of the Cisco integrated security architecture, XDR accelerates key security operations functions: detection, investigation, and remediation.
You can integrate your appliance with Cisco XDR and then perform the following actions in Cisco XDR:
- View and send the email data from multiple appliances in your organization.
- Identify, investigate, and remediate threats observed in the email reports; pivot on sender and recipient relationships; and search across multiple email addresses, subject lines, and message tracking data.
- Block compromised users or users violating outgoing email policies.
- Resolve identified threats rapidly, with recommended actions to take against them.
- Document the threats to preserve the investigation and share the information with other integrated devices.
- Block malicious domains, track suspicious observables, and initiate an approval workflow or create an IT ticket to update email policy.
You can access Cisco XDR using the following URL:
https://xdr.us.security.cisco.com/
Cisco Secure Email and Web Manager centralizes management and reporting functions across multiple Cisco Secure Email Gateways. For more information on observables that can be enriched by the Secure Email and Web Manager module, go to https://xdr.us.security.cisco.com/administration/integrations, navigate to the module to integrate with Cisco XDR, and click Get Started.
How to Integrate Your Appliance with Cisco XDR
| Step | Do This | More Info |
|---|---|---|
| Step 1 | Review the prerequisites. | Prerequisites |
| Step 2 | On your Secure Email and Web Manager, enable the Cisco Cloud Services portal. | Enable the Cisco Cloud Services Portal on your Secure Email and Web Manager |
| Step 3 | On Cisco XDR, add your appliance as a device, register it, and generate a registration token. | For more information, go to https://docs.xdr.security.cisco.com/Content/Administration/on-premises-appliances.htm. |
| Step 4 | Register your Secure Email and Web Manager with the Cisco Cloud Services portal. | Register Secure Email and Web Manager with Cisco Cloud Services Portal |
| Step 5 | Confirm whether the registration was successful. | Confirm Whether the Registration was Successful |
| Step 6 | On Cisco XDR, add the Secure Email and Web Manager module. | For more information, go to https://xdr.us.security.cisco.com/administration/integrations, navigate to the module to integrate with Cisco XDR, click Get Started, and follow the instructions on the page. |
Prerequisites
Note: If you already have a Cisco Threat Response user account, you do not need to create a Cisco XDR user account. You can log in to Cisco XDR using your Cisco Threat Response user account credentials.
- Make sure that you have a user account in Cisco XDR with admin access rights. To create a new user account, go to the Cisco XDR login page at https://xdr.us.security.cisco.com and click Sign up now. If you are unable to create a new user account, contact Cisco TAC for assistance.
- [Only if you are not using a proxy server] Make sure that the firewall allows TCP port 443 (HTTPS, inbound and outbound) to the following FQDNs so that the appliance can register with Cisco XDR:
  - api-sse.cisco.com (NAM users only)
  - api.eu.sse.itd.cisco.com (European Union (EU) users only)
  - api.apj.sse.itd.cisco.com (APJC users only)
  - est.sco.cisco.com (APJC, EU, and NAM users)
  For more information, see Firewall Information.
- [For users with smart licensing registered on the Secure Email and Web Manager] Make sure you have already linked your Smart Account (created in the Cisco Smart Software Manager portal) to Cisco Security Services Exchange. For more information, see the following documentation:
  - [NAM users] https://admin.sse.itd.cisco.com/assets/static/online-help/index.html#!t_link_accounts.html
  - [European Union (EU) users] https://admin.eu.sse.itd.cisco.com/assets/static/online-help/index.html#!t_link_accounts.html
  - [APJC users] https://admin.apj.sse.itd.cisco.com/assets/static/online-help/index.html#!t_link_accounts.html
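As an added pre-flight check (not part of the Cisco documentation), the following script tests whether a host that sits behind the same firewall rules as the Secure Email and Web Manager can complete a TLS handshake with the regional FQDNs listed above on TCP port 443. The region-to-FQDN mapping is taken from the prerequisites; the function names, the use of curl, and the assumption that an explicit proxy (if any) is exposed through the https_proxy environment variable are additions made for this example. It distinguishes a blocked port from a reachable endpoint whose certificate does not validate, which is what you see when a TLS-inspecting proxy sits in the path.

```shell
#!/usr/bin/env sh
# Added pre-flight check (not Cisco's code): confirm that the regional
# Cisco XDR / Security Services Exchange FQDNs from the prerequisites are
# reachable on TCP 443 with a clean TLS handshake. Run it from a host behind
# the same firewall rules as the Secure Email and Web Manager.
# Function names and the use of curl are assumptions made for this example.

# Map a region (NAM, EU or APJC) to the FQDNs the appliance must reach.
# est.sco.cisco.com is required for all three regions.
xdr_fqdns_for_region() {
  case "$1" in
    NAM)  printf '%s\n' api-sse.cisco.com est.sco.cisco.com ;;
    EU)   printf '%s\n' api.eu.sse.itd.cisco.com est.sco.cisco.com ;;
    APJC) printf '%s\n' api.apj.sse.itd.cisco.com est.sco.cisco.com ;;
    *)    printf 'unknown region %s (expected NAM, EU or APJC)\n' "$1" >&2
          return 2 ;;
  esac
}

# Attempt an HTTPS connection to host:443 and classify the outcome by curl's
# exit code. An HTTP error status (403, 404) still counts as success here:
# the point is that the firewall passes the connection and the certificate
# chain validates. curl honours https_proxy, so the same check works from a
# site that routes outbound traffic through an explicit proxy.
check_fqdn_443() {
  host="$1"
  timeout="${2:-5}"
  if curl -sS --connect-timeout "$timeout" --max-time "$timeout" \
          -o /dev/null "https://${host}/" 2>/dev/null; then
    rc=0
  else
    rc=$?
  fi
  case "$rc" in
    0)    printf 'OK      %s:443 TCP connect and TLS handshake succeeded\n' "$host"
          return 0 ;;
    60)   printf 'WARN    %s:443 reachable, but certificate not trusted (TLS-inspecting proxy?)\n' "$host"
          return 1 ;;
    6)    printf 'FAIL    %s:443 DNS resolution failed\n' "$host"
          return 1 ;;
    7|28) printf 'BLOCKED %s:443 connect failed or timed out; check the firewall rule\n' "$host"
          return 1 ;;
    *)    printf 'FAIL    %s:443 curl exit code %s\n' "$host" "$rc"
          return 1 ;;
  esac
}

# Check every FQDN for the region; return non-zero if any check failed or
# the region is unknown.
xdr_preflight() {
  region="$1"
  timeout="${2:-5}"
  failed=0
  fqdns=$(xdr_fqdns_for_region "$region") || return 2
  for host in $fqdns; do
    check_fqdn_443 "$host" "$timeout" || failed=1
  done
  return "$failed"
}

# Usage: sh xdr_preflight.sh NAM [timeout-seconds]
# Only runs when invoked with arguments, so the file can also be sourced.
[ $# -eq 0 ] || xdr_preflight "$@"
```

Run it before Step 4 of the integration; a BLOCKED line means the firewall rule for that FQDN is missing, while a WARN line means the path exists but something is re-signing the certificate, which the appliance will also reject.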
Enable the Cisco Cloud Services Portal on your Secure Email and Web Manager
Before you begin
Cisco XDR on your Secure Email and Web Manager depends on the Cisco Cloud Service; enabling the Cisco Cloud Service is what enables Cisco XDR on the appliance. Perform the following steps to enable it.
Procedure
Step 1. Log in to your appliance.
Step 2. Select Networks > Cloud Service Settings.
Step 3. Click Edit Global Settings.
Step 4. Check the Enable check box.
Step 5. Submit and commit your changes.
Step 6. Wait a few minutes, and check whether the Register button appears on your appliance.
Note: To enable Cisco XDR using the CLI, use the generalconfig command.
Note: If you disable the Cisco Cloud Service, Cisco XDR is disabled on your appliance.
What to do next
Register your appliance on Cisco XDR (https://xdr.us.security.cisco.com/administration/on-premise-appliances). For more information, go to https://docs.xdr.security.cisco.com/Content/Administration/on-premises-appliances.htm.
Register Secure Email and Web Manager with Cisco Cloud Services Portal
Procedure
Step 1. Go to Networks > Cloud Service Settings.
Step 2. In Cloud Services Settings, enter the registration token that you generated in Cisco XDR, and click Register.
Note: To register your Secure Email and Web Manager with the Cisco Cloud Services portal using the CLI, use the cloudserviceconfig command.
The registration token is what authorizes this appliance to join your Cisco XDR organization, so handle it as a credential: do not paste it into tickets or chat, and generate a new token in Cisco XDR if it is exposed.
What to do next
Confirm whether the registration was successful. See Confirm Whether the Registration was Successful.
Reregistering with Cisco Cloud Service Portal
You can reregister your on-premises Cisco Secure Email and Web Manager with the Cisco Cloud Services portal in either of the following scenarios:
- You cannot view or manage the devices (Cisco Secure Email and Web Managers) added to the Cisco Cloud Services portal after your Cisco Secure Email and Web Manager was registered automatically with the portal.
- Your Smart Account and Cisco Cloud Services account were not linked when your Cisco Secure Email and Web Manager was registered automatically with the Cisco Cloud Services portal.
You can also use the reregister subcommand of cloudserviceconfig in the CLI (cloudserviceconfig > reregister) to reregister your Cisco Secure Email and Web Manager with the Cisco Cloud Services portal.
Before you begin
Make sure you have met the following prerequisites:
- Enabled Smart Software Licensing on your Cisco Secure Email and Web Manager.
- Registered your Cisco Secure Email and Web Manager with Cisco Smart Software Manager.
Procedure
Step 1. Go to the Networks > Cloud Service Settings page on your Cisco Secure Email and Web Manager.
Step 2. Click Reregister.
Step 3. [Optional] If your device was automatically registered with an incorrect Cisco XDR server, choose the appropriate Cisco XDR Server to connect your Cisco Secure Email and Web Manager to the Cisco Cloud Services portal.
Step 4. [Optional] If your Cisco Secure Email and Web Manager was automatically registered with an incorrect Smart Account, enter the registration token obtained from the Cisco Cloud Services portal.
Step 5. Click Submit. The 'Confirm reregistration' dialog box appears only if you did not enter a registration token in Step 4.
Step 6. In the 'Confirm reregistration' dialog box, click Submit to allow Cisco Cloud Services to reregister your Cisco Secure Email and Web Manager with the Cisco Cloud Services portal using a token auto-generated from the portal together with your Smart Account information.
Confirm Whether the Registration was Successful
- On Cisco XDR, navigate to the On-Premises Appliances page (https://xdr.us.security.cisco.com/administration/on-premise-appliances) and verify that the Secure Email and Web Manager appears as registered with the Cisco XDR server.
Note: If you want to switch to another Cisco XDR server (for example, 'Europe - api.eu.sse.itd.cisco.com'), you must first deregister your appliance from Cisco XDR and then follow the steps in How to Integrate Your Appliance with Cisco XDR. After you have integrated your Secure Email and Web Manager with Cisco XDR, you do not need to integrate each Secure Email Gateway with Cisco XDR separately, because email and web reporting are centralized on the manager. After the appliance is registered successfully with Security Services Exchange, add the Secure Email and Web Manager module on Cisco XDR. For more information, go to https://xdr.us.security.cisco.com/administration/integrations, navigate to the module to integrate with Cisco XDR, click Get Started, and follow the instructions on the page.
Deregister Secure Email and Web Manager from Cisco Cloud Services Portal
Perform the following steps to deregister Secure Email and Web Manager from Cisco Cloud Services portal.
Procedure
Step 1. Go to Networks > Cloud Service Settings.
Step 2. Click Deregister on the Cloud Service Settings page.
Step 3. Click Deregister in the Deregister Appliance pop-up window.
Performing Threat Analysis using Cisco XDR Ribbon Plugin
Cisco XDR supports a distributed set of capabilities that unify visibility, enable automation, accelerate incident response workflows, and improve threat hunting. These distributed capabilities are available in the Cisco XDR Ribbon Plugin.
For information on Installing Cisco XDR Ribbon Plugin, see https://docs.xdr.security.cisco.com/Content/Ribbon/install-ribbon-extension.htm.
For information on investigating using Cisco XDR Ribbon plugin, see https://docs.xdr.security.cisco.com/Content/Ribbon/investigate-using-ribbon-extension.htm.
Example - Using Cisco XDR Ribbon Plugin through Secure Email and Web Manager NGUI
Perform the following steps to access the Cisco XDR Ribbon Plugin through new web interface of Secure Email and Web Manager:
Procedure
Step 1. Log in to the new web interface of your Secure Email and Web Manager.
Step 2. Choose Monitoring > Mail Flow Details > Incoming Mails.
Step 3. Select the IP Addresses tab.
Step 4. Select the IP address you want to investigate, right-click, and select Cisco XDR. The Cisco XDR Ribbon Plugin is displayed.
Performing Remedial Actions on Messages in Cisco XDR
In Cisco XDR, you can investigate and apply the following remedial actions to messages processed by your Secure Email and Web Manager:
- Delete
- Forward
- Forward and Delete
Before you begin
Make sure you have met the following prerequisites before you perform remedial actions on messages in Cisco XDR:
- Enabled and registered your Secure Email and Web Manager with the Cisco XDR server. For more information, see Enable the Cisco Cloud Services Portal on your Secure Email and Web Manager and Register Secure Email and Web Manager with Cisco Cloud Services Portal.
- Added your Secure Email and Web Manager module to Cisco XDR and specified the Remediation Forwarding Address in Cisco XDR. For more information, go to https://xdr.us.security.cisco.com/administration/integrations, navigate to the required Secure Email and Web Manager module to integrate with Cisco XDR, click Get Started, and follow the instructions on the page. The Remediation Forwarding Address receives copies of every message you forward, including any malicious content, so point it at a mailbox that only the security team can read.
- Enabled and configured the remediation profiles on the System Administration > Account Settings page of your email gateway. For more information, see the Remediating Messages in Mailboxes chapter of the Cisco Secure Email Gateway User Guide.
Procedure
Step 1. Log in to Cisco XDR with your user credentials.
Step 2. Perform an investigation by entering the required IOCs (for example, URLs or an Email Message ID) in the Investigate panel and clicking Investigate. For more information, see the Investigate topic in the Help section at https://docs.xdr.security.cisco.com/Content/Investigate/investigate.htm.
Step 3. Click the pivot menu button next to the Cisco Message ID or Email Message ID and select the required remedial action (for example, Forward). For more information, see the Pivot Menu topic in the Help section at https://visibility.amp.cisco.com/help/investigate.