# Cisco XDR
The Cisco XDR connector enables automated interactions with Cisco's threat detection and response platform, enhancing security operations with efficient data retrieval and event analysis.

Cisco XDR is a cutting-edge threat detection and response solution that provides comprehensive visibility and control over security events. This connector enables Swimlane Turbine users to seamlessly integrate with Cisco XDR, allowing for efficient searching and retrieval of event data using customizable criteria. By leveraging the Cisco XDR connector, users can automate the process of threat detection and investigation, enhancing their security posture and response capabilities within the Swimlane ecosystem. The connector's actions facilitate the querying of Cisco XDR's telemetry, enabling users to filter and sort through security events, thus streamlining incident analysis and response workflows.

## Limitations

None to date.

## Supported Versions

Cisco XDR supports the latest available version.

## Configuration

### Prerequisites

To utilize the Cisco XDR connector within Swimlane Turbine, ensure you have the following:

HTTP Basic Authentication with the following parameters:

- **URL**: Endpoint URL for the Cisco XDR API
- **XDR Client ID**: Unique identifier for the client accessing Cisco XDR
- **XDR Client Secret**: A secret key used in conjunction with the Client ID to authenticate to the Cisco XDR API

### Authentication Methods

Basic Authentication

### Setup Instructions

1. Choose **Administration > API Clients** in the navigation menu and click **Generate API Client**.
2. Enter a client name and, optionally, choose a client preset from the drop-down list.
3. If you did not choose a client preset, check the check boxes for the scopes for which you want to grant privileges to the client. You can also click **Select All** to grant all scopes to the client.
4. Optionally, enter a description in the **Description** field and click **Add New Client**.
5. The Client ID and Client Secret are generated and are displayed in the **Add New Client** dialog box.

### Troubleshooting Tips

The API client is tied to your user identity. If your user identity loses privileges, then your API client will also lose those privileges. All actions taken by the API client will be done in your name and recorded as your actions. If your access to the application is revoked, then your API client will no longer be valid.

## Capabilities

- Search Events CTIA
- Search Events

### Search Events CTIA

Search Events CTIA leverages the Cisco Threat Intelligence API (CTIA), an API designed to interact with Cisco's broader threat intelligence services, allowing users to query threat intelligence data directly from Cisco, specifically focusing on events associated with known threats or indicators of compromise (IOCs).

Example URL may start with `https://private.intel.{{xdr_api_domain}}`.

### Search Events

The Search Events action allows Cisco XDR users to search for specific events within the Cisco ecosystem, such as Cisco Secure Endpoint, Cisco Umbrella, and other integrated security tools. This action usually helps in identifying and filtering security events based on predefined criteria, like event types, sources, or timestamps.

Example URL may start with `https://visibility.{{xdr_api_domain}}`.

## Configurations

### Cisco XDR HTTP Basic Authentication

Authenticates using Client ID and Client Secret.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Cisco XDR Client ID | string | required |
| password | Client Secret of Cisco XDR | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Search Events

Performs a search for IROH events within Cisco XDR using criteria from the provided data body.

**Endpoint URL:** `iroh/iroh-event/event/search`

**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Response data |
| genericsearch | string | required | Filter on event data |
| from | string | optional | Parameter for Search Events |
| to | string | optional | Parameter for Search Events |
| offset | integer | optional | Parameter for Search Events |
| limit | integer | optional | Parameter for Search Events |
| search_after | string | optional | Parameter for Search Events |
| sort_by | string | optional | Parameter for Search Events |
| sort_order | string | optional | Parameter for Search Events |
| fields | array | optional | Parameter for Search Events |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| created_at | string | Output field created_at |
| data | string | Response data |
| issuer | string | Output field issuer |
| id | string | Unique identifier |
| acknowledged_at | string | Output field acknowledged_at |
| emiter | object | Output field emiter |
| user_id | string | Unique identifier |
| org_id | string | Unique identifier |
| client_id | string | Unique identifier |
| sign | object | Output field sign |
| value | string | Value for the parameter |
| alg | string | Output field alg |
| kid | string | Unique identifier |
| paging | object | Output field paging |
| total_hits | number | Output field total_hits |
| previous | object | Output field previous |
| limit | number | Output field limit |
| search_after | array | Output field search_after |
| offset | number | Output field offset |
| next | object | Output field next |
| limit | number | Output field limit |
| search_after | array | Output field search_after |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 5 Nov 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "paging": {}
    }
  }
]
```

### Search Event CTIA

Retrieve event entities from Cisco XDR using Elasticsearch query syntax and field-based filters.

**Endpoint URL:** `/ctia/event/search`

**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| sort_order | string | optional | Sort direction |
| from | string | optional | Parameter for Search Event CTIA |
| sort_by | string | optional | Sort result on fields. The following fields are supported: id, language, revision, schema_version, source, source_uri, timestamp, title, tlp. Fields can be combined with ',' and sort order can be specified by ':asc' and ':desc'. For example: `id` (sort by id ascending) |
| query | string | optional | Parameter for Search Event CTIA |
| to | string | optional | Parameter for Search Event CTIA |
| tlp | string | optional | Parameter for Search Event CTIA |
| fields | array | optional | Parameter for Search Event CTIA |
| search_after | array | optional | Pagination stateless cursor |
| language | string | optional | Parameter for Search Event CTIA |
| id | string | optional | Unique identifier |
| limit | integer | optional | Pagination limit |
| offset | integer | optional | Pagination offset |
| simple_query | string | optional | Query string with simple query format |
| revision | integer | optional | Parameter for Search Event CTIA |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Tue, 5 Nov 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

#### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 5 Nov 2024 20:37:23 GMT |
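As an added example (not part of the Swimlane connector or Cisco's own client code), the following Python builds the Basic auth header from the Client ID and Secret, validates a CTIA `sort_by` value against the supported fields and `:asc`/`:desc` suffixes listed above, and walks the Search Events `paging.next.search_after` cursor. The `post_json` transport and the two-page response are constructed assumptions so the logic runs offline; in Turbine the connector sends the request for you.

```python
import base64
from typing import Callable, Iterator

# Added example, not connector code. Field names follow the tables above;
# the transport function is injected so the paging logic runs offline.
CTIA_SORT_FIELDS = {"id", "language", "revision", "schema_version", "source",
                    "source_uri", "timestamp", "title", "tlp"}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header the connector's Basic auth sends (client_id:secret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def ctia_sort_by(*specs: str) -> str:
    """Validate and join CTIA sort specs such as 'timestamp:desc', 'id'."""
    for spec in specs:
        field, _, order = spec.partition(":")
        if field not in CTIA_SORT_FIELDS:
            raise ValueError(f"unsupported sort field: {field}")
        if order not in ("", "asc", "desc"):
            raise ValueError(f"sort order must be asc or desc: {spec}")
    return ",".join(specs)


def iter_iroh_events(post_json: Callable[[str, dict], dict], base_url: str,
                     body: dict, limit: int = 100, max_pages: int = 1000) -> Iterator[dict]:
    """Yield events, forwarding paging.next.search_after until no cursor is returned."""
    url = base_url.rstrip("/") + "/iroh/iroh-event/event/search"
    body = {**body, "limit": limit}
    for _ in range(max_pages):  # hard stop so a misbehaving cursor cannot loop forever
        page = post_json(url, body)
        yield from page.get("data", [])
        nxt = (page.get("paging") or {}).get("next") or {}
        if not nxt.get("search_after"):
            return
        body["search_after"] = nxt["search_after"]


# Constructed two-page response in the shape of the Search Events output table.
_FAKE_PAGES = [
    {"data": [{"id": "ev-1"}, {"id": "ev-2"}],
     "paging": {"total_hits": 3, "next": {"limit": 2, "search_after": ["ev-2"]}}},
    {"data": [{"id": "ev-3"}], "paging": {"total_hits": 3}},
]


def _fake_post(url: str, body: dict) -> dict:
    # Page 1 when no cursor is set, page 2 once the cursor has been forwarded.
    return _FAKE_PAGES[1] if body.get("search_after") else _FAKE_PAGES[0]


def demo() -> list:
    events = iter_iroh_events(_fake_post, "https://visibility.example.invalid",
                              {"genericsearch": "*"}, limit=2)
    return [e["id"] for e in events]
```

Keep the connector's `verify_ssl` option enabled; the paging code trusts whatever transport it is given.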