# Cisco XDR
The Cisco XDR connector enables automated interactions with Cisco's threat detection and response platform, adding efficient data retrieval and event analysis to security operations. Cisco XDR is a threat detection and response solution that provides broad visibility and control over security events. This connector lets Swimlane Turbine users integrate with Cisco XDR and search for and retrieve event data using customizable criteria. With the Cisco XDR connector, users can automate threat detection and investigation steps and improve their response capabilities within the Swimlane ecosystem. The connector's actions query Cisco XDR's telemetry, letting users filter and sort security events and so streamline incident analysis and response workflows.

## Limitations

None to date.

## Supported versions

Cisco XDR supports the latest available version.

## Configuration

### Prerequisites

To use the Cisco XDR connector within Swimlane Turbine, ensure you have HTTP basic authentication with the following parameters:

- URL: endpoint URL for the Cisco XDR API
- XDR client ID: unique identifier for the client accessing Cisco XDR
- XDR client secret: a secret key used together with the client ID to authenticate to the Cisco XDR API

### Authentication methods

- Basic authentication

### Setup instructions

1. Choose Administration > API Clients in the navigation menu and click Generate API Client.
2. Enter a client name and, optionally, choose a client preset from the drop-down list.
3. If you did not choose a client preset, check the boxes for the scopes you want to grant to the client. You can also click Select All to grant all scopes to the client. Granting all scopes is rarely necessary; grant only the scopes the connector's actions need, since anything the client can do is done in your name (see the troubleshooting tips below).
4. Optionally, enter a description in the Description field, then click Add New Client. The client ID and client secret are generated and displayed in the Add New Client dialog box.

### Troubleshooting tips

The API client is tied to your user identity. If your user identity loses privileges, your API client loses those privileges too. All actions taken by the API client are performed in your name and recorded as your actions. If your access to the application is revoked, your API client is no longer valid.

## Capabilities

- Search Events
- CTIA Search Events

### Search Events CTIA

Search Events CTIA uses the Cisco Threat Intelligence API (CTIA), an API for interacting with Cisco's broader threat intelligence services. It lets users query threat intelligence data directly from Cisco, focusing on events associated with known threats or indicators of compromise (IOCs). Example URL: the URL may start with `https://private.intel.{{xdr_api_domain}}`.

### Search Events

The Search Events action lets Cisco XDR users search for specific events within the Cisco ecosystem, such as Cisco Secure Endpoint, Cisco Umbrella, and other integrated security tools. It is typically used to identify and filter security events by predefined criteria such as event type, source, or timestamp. Example URL: the URL may start with `https://visibility.{{xdr_api_domain}}`.

## Configurations

### Cisco XDR HTTP Basic Authentication

Authenticates using the client ID and client secret.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| username | Cisco XDR client ID | string | Required |
| password | Client secret of Cisco XDR | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

Leave `verify_ssl` enabled in production: with verification disabled, anyone who can intercept the connection to the configured URL can read the client ID and secret carried in the Basic Authorization header.

## Actions

### Search Events

Performs a search for IROH events within Cisco XDR using criteria from the provided data body.

- Endpoint URL: `/iroh/iroh-event/event/search`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | Required | Request body carrying the search criteria |
| data_body.genericsearch | string | Required | Filter on event data |
| parameters.from | string | Optional | Parameters for the Search Events action |
| parameters.to | string | Optional | Parameters for the Search Events action |
| parameters.offset | integer | Optional | Parameters for the Search Events action |
| parameters.limit | integer | Optional | Parameters for the Search Events action |
| parameters.search_after | string | Optional | Parameters for the Search Events action |
| parameters.sort_by | string | Optional | Parameters for the Search Events action |
| parameters.sort_order | string | Optional | Parameters for the Search Events action |
| parameters.fields | array | Optional | Parameters for the Search Events action |

Input example:

```json
{"parameters": {"from": "2023-01-01T00:00:00Z", "to": "2023-12-31T23:59:59Z"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.created_at | string | Response data |
| data.data | string | Response data |
| data.issuer | string | Response data |
| data.id | string | Response data |
| data.acknowledged_at | string | Response data |
| data.emiter | object | Response data |
| data.emiter.user_id | string | Response data |
| data.emiter.org_id | string | Response data |
| data.emiter.client_id | string | Response data |
| data.sign | object | Response data |
| data.sign.value | string | Response data |
| data.sign.alg | string | Response data |
| data.sign.kid | string | Response data |
| paging | object | Output field paging |
| paging.total_hits | number | Output field paging.total_hits |
| paging.previous | object | Output field paging.previous |
| paging.previous.limit | number | Output field paging.previous.limit |
| paging.previous.search_after | array | Output field paging.previous.search_after |
| paging.previous.offset | number | Output field paging.previous.offset |
| paging.next | object | Output field paging.next |
| paging.next.limit | number | Output field paging.next.limit |
| paging.next.search_after | array | Output field paging.next.search_after |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Nov 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": [{}], "paging": {"total_hits": 0, "previous": {}, "next": {}, "sort": []}}}
```

### Search Event CTIA

Retrieves event entities from Cisco XDR using Elasticsearch query syntax and field-based filters.

- Endpoint URL: `/ctia/event/search`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.sort_order | string | Optional | Sort direction |
| parameters.from | string | Optional | Parameters for the Search Event CTIA action |
| parameters.sort_by | string | Optional | Sort the result on fields. The following fields are supported: id, language, revision, schema_version, source, source_uri, timestamp, title, tlp. Fields can be combined with ',' and the sort order can be specified with ':asc' and ':desc', for example `id` (sort by id ascending) |
| parameters.query | string | Optional | Parameters for the Search Event CTIA action |
| parameters.to | string | Optional | Parameters for the Search Event CTIA action |
| parameters.tlp | string | Optional | Parameters for the Search Event CTIA action |
| parameters.fields | array | Optional | Parameters for the Search Event CTIA action |
| parameters.search_after | array | Optional | Pagination stateless cursor |
| parameters.language | string | Optional | Parameters for the Search Event CTIA action |
| parameters.id | string | Optional | Parameters for the Search Event CTIA action |
| parameters.limit | integer | Optional | Pagination limit |
| parameters.offset | integer | Optional | Pagination offset |
| parameters.simple_query | string | Optional | Query string in simple query format |
| parameters.revision | integer | Optional | Parameters for the Search Event CTIA action |

Input example:

```json
{"parameters": {"sort_order": "asc", "from": "2023-01-01T00:00:00Z", "sort_by": "id:desc", "query": "event_type:malware", "to": "2023-12-31T23:59:59Z"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Nov 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

Response headers:

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 5 Nov 2024 20:37:23 GMT |
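The following is an added example, not Swimlane's connector code or Cisco's client library. It shows what the two actions above boil down to on the wire: a Basic Authorization header built from the client ID and secret, a POST to `/iroh/iroh-event/event/search` whose `paging.next.search_after` cursor is followed page by page, and a GET to `/ctia/event/search` whose `sort_by` value is checked against the supported field list before it is sent. The host names, the canned page contents, the stub transport, and two details the page does not pin down (how the array cursor is serialised into the string `search_after` parameter, and that array parameters are sent as repeated query keys) are assumptions made here so that the example runs offline.

```python
import base64
import json
from urllib.parse import urlencode

IROH_SEARCH_PATH = "/iroh/iroh-event/event/search"
CTIA_SEARCH_PATH = "/ctia/event/search"

# Sort fields the page lists as supported by the Search Event CTIA action.
CTIA_SORT_FIELDS = {"id", "language", "revision", "schema_version", "source",
                    "source_uri", "timestamp", "title", "tlp"}


def basic_auth_header(client_id: str, client_secret: str) -> dict:
    """HTTP Basic header from the XDR client ID / client secret pair."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def validate_sort_by(sort_by: str) -> str:
    """Check a CTIA sort_by value such as 'timestamp:desc,id'.
    Each comma-separated entry is field[:asc|:desc]; the field must be supported."""
    for entry in sort_by.split(","):
        field, _, direction = entry.strip().partition(":")
        if field not in CTIA_SORT_FIELDS:
            raise ValueError(f"unsupported sort field: {field!r}")
        if direction not in ("", "asc", "desc"):
            raise ValueError(f"bad sort direction: {direction!r}")
    return sort_by


def sort_by_is_valid(sort_by: str) -> bool:
    try:
        validate_sort_by(sort_by)
        return True
    except ValueError:
        return False


def build_ctia_request(base_url: str, parameters: dict) -> dict:
    """GET /ctia/event/search; parameters become the query string.
    Assumption: array values (fields, search_after) are sent as repeated keys."""
    params = dict(parameters)
    if "sort_by" in params:
        validate_sort_by(params["sort_by"])
    return {"method": "GET",
            "url": f"{base_url.rstrip('/')}{CTIA_SEARCH_PATH}?{urlencode(params, doseq=True)}"}


def build_iroh_request(base_url: str, genericsearch: str, parameters: dict) -> dict:
    """POST /iroh/iroh-event/event/search with the data body as JSON."""
    url = f"{base_url.rstrip('/')}{IROH_SEARCH_PATH}"
    if parameters:
        url += "?" + urlencode(parameters, doseq=True)
    return {"method": "POST", "url": url,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps({"genericsearch": genericsearch})}


def iroh_search_all(transport, base_url, genericsearch, parameters, max_pages=50):
    """Collect every event by following paging.next.search_after until it is empty.
    max_pages bounds the loop so a cursor that never advances cannot spin forever."""
    params = dict(parameters)
    events = []
    for _ in range(max_pages):
        page = transport(build_iroh_request(base_url, genericsearch, params))
        events.extend(page.get("data", []))
        cursor = (page.get("paging") or {}).get("next") or {}
        if not cursor.get("search_after"):
            return events
        # Assumption: the array cursor is joined with ',' into the string parameter.
        params["search_after"] = ",".join(map(str, cursor["search_after"]))
        params.pop("offset", None)  # cursor and offset are alternative ways to page
    raise RuntimeError("pagination did not terminate within max_pages")


class StubTransport:
    """Constructed offline stand-in for the HTTP layer: returns canned pages shaped
    like the page's output example and records each request it was handed."""

    def __init__(self, pages):
        self.pages = list(pages)
        self.requests = []

    def __call__(self, request):
        self.requests.append(request)
        return self.pages.pop(0)


# Constructed sample pages: two pages of three events, the second with no next cursor.
SAMPLE_PAGES = [
    {"data": [{"id": "event-1", "created_at": "2024-11-05T20:37:23Z"},
              {"id": "event-2", "created_at": "2024-11-05T20:38:00Z"}],
     "paging": {"total_hits": 3,
                "next": {"limit": 2, "search_after": ["2024-11-05T20:38:00Z", "event-2"]}}},
    {"data": [{"id": "event-3", "created_at": "2024-11-05T20:39:10Z"}],
     "paging": {"total_hits": 3, "previous": {"limit": 2, "offset": 0}, "next": {}}},
]


def demo():
    base_url = "https://visibility.example.invalid"  # assumed host, not a real XDR domain
    transport = StubTransport(SAMPLE_PAGES)
    events = iroh_search_all(transport, base_url, "malware",
                             {"from": "2024-11-01T00:00:00Z", "limit": 2})
    return events, transport.requests


if __name__ == "__main__":
    found, made = demo()
    print(len(found), "events over", len(made), "requests")
```

The Authorization header is built once and would be attached to every request by the real transport; it is kept out of the stub's recorded requests so the secret is not copied into logs or test output. Note also that `sort_by` is validated on the client before the request goes out, which turns a typo in a playbook into an immediate error rather than a silent server-side sort on the wrong field.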