# Cisco XDR

## Overview

Cisco XDR is Cisco's extended detection and response platform: it correlates telemetry and detections across several security layers (endpoint, network, email, identity and cloud sources) in diverse IT environments. Through the Swimlane Turbine integration, playbooks can search and retrieve event data from Cisco XDR, filtering, sorting and paging through results with the API's query parameters. This lets security teams automate event retrieval inside their workflows instead of querying the console by hand, which shortens incident response times.

## Limitations

None to date.

## Supported Versions

The connector supports the latest available version of the Cisco XDR API.

## Configuration

### Prerequisites

Before you can use the Cisco XDR connector for Turbine, you need access to the Cisco XDR API. The connector uses HTTP Basic Authentication with the following parameters:

- URL: the endpoint URL for accessing Cisco XDR services
- XDR Client ID: the unique identifier of your API client
- XDR Client Secret: the secret associated with the client ID, used to authenticate it

### Authentication Methods

- Basic Authentication

### Setup Instructions

1. Choose Administration > API Clients in the navigation menu and click Generate API Client.
2. Enter a client name and, optionally, choose a client preset from the drop-down list.
3. If you did not choose a client preset, check the boxes for the scopes you want to grant to the client. Select All grants every scope; prefer the smallest set the playbook actually needs, since both actions below only read events.
4. Optionally, enter a description in the Description field, then click Add New Client.
5. The client ID and client secret are generated and displayed in the Add New Client dialog box. Store the secret as a Turbine connector credential rather than in playbook text.

### Troubleshooting Tips

The API client is tied to your user identity. If your user loses privileges, the API client loses them too. All actions taken by the API client are done in your name and recorded as your actions, and if your access to the application is revoked, the API client stops working. For a production integration, generate the API client from a dedicated service user, so that audit records attribute automated queries correctly and a departing employee does not silently break the connector.

## Capabilities

This connector provides the following capabilities:

- Search Events CTIA
- Search Events

### Search Events CTIA

Search Events CTIA uses the Cisco Threat Intelligence API (CTIA), the API for Cisco's broader threat intelligence services. It lets users query threat intelligence data directly from Cisco, specifically events associated with known threats or indicators of compromise (IOCs). The base URL starts with `https://private.intel.{{xdr_api_domain}}`.

### Search Events

The Search Events action lets Cisco XDR users search for events within the Cisco ecosystem, such as Cisco Secure Endpoint, Cisco Umbrella and other integrated security tools. It is typically used to identify and filter security events by predefined criteria such as event type, source or timestamp. The base URL starts with `https://visibility.{{xdr_api_domain}}`.

## Additional Documentation

- Cisco XDR connector documentation: https://docs.swimlane.com/connectors/cisco-xdr
- Cisco XDR API documentation: https://developer.cisco.com/docs/xdr/

## Configurations

### Cisco XDR HTTP Basic Authentication

Authenticates using a client ID and client secret.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Username | Cisco XDR client ID | string | required |
| Password | Cisco XDR client secret | string | required |
| Verify SSL | Verify the SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

Leave Verify SSL enabled: the client secret and bearer tokens travel in the Authorization header, and disabling certificate verification lets any on-path proxy read them.

## Actions

### Search Events

Perform a search for IROH events within Cisco XDR using criteria from the provided data body.

Endpoint URL: `/iroh/iroh-event/event/search`
Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Search criteria sent as the request body |
| data_body.genericsearch | string | required | Filter on event data |
| parameters.from | string | optional | Start of the time window (ISO 8601) |
| parameters.to | string | optional | End of the time window (ISO 8601) |
| parameters.offset | integer | optional | Pagination offset |
| parameters.limit | integer | optional | Pagination limit |
| parameters.search_after | string | optional | Pagination cursor taken from `paging.next.search_after` |
| parameters.sort_by | string | optional | Field to sort on |
| parameters.sort_order | string | optional | Sort direction |
| parameters.fields | array | optional | Fields to return |

Input example:

```json
{"parameters": {"from": "2023-01-01T00:00:00Z", "to": "2023-12-31T23:59:59Z"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.created_at | string | Response data |
| data.data | string | Response data |
| data.issuer | string | Response data |
| data.id | string | Response data |
| data.acknowledged_at | string | Response data |
| data.emiter | object | Response data |
| data.emiter.user_id | string | Response data |
| data.emiter.org_id | string | Response data |
| data.emiter.client_id | string | Response data |
| data.sign | object | Response data |
| data.sign.value | string | Response data |
| data.sign.alg | string | Response data |
| data.sign.kid | string | Response data |
| paging | object | Output field paging |
| paging.total_hits | number | Output field paging.total_hits |
| paging.previous | object | Output field paging.previous |
| paging.previous.limit | number | Output field paging.previous.limit |
| paging.previous.search_after | array | Output field paging.previous.search_after |
| paging.previous.offset | number | Output field paging.previous.offset |
| paging.next | object | Output field paging.next |
| paging.next.limit | number | Output field paging.next.limit |
| paging.next.search_after | array | Output field paging.next.search_after |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Nov 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": [{}], "paging": {"total_hits": 0, "previous": {}, "next": {}, "sort": []}}}
```

### Search Event CTIA

Retrieve event entities from Cisco XDR using Elasticsearch query syntax and field-based filters.

Endpoint URL: `/ctia/event/search`
Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.sort_order | string | optional | Sort direction |
| parameters.from | string | optional | Start of the time window (ISO 8601) |
| parameters.sort_by | string | optional | Sort result on fields. Supported fields: id, language, revision, schema_version, source, source_uri, timestamp, title, tlp. Fields can be combined with ',' and a direction appended with ':asc' or ':desc'; for example `id` sorts by id ascending. |
| parameters.query | string | optional | Elasticsearch query string |
| parameters.to | string | optional | End of the time window (ISO 8601) |
| parameters.tlp | string | optional | Filter on TLP marking |
| parameters.fields | array | optional | Fields to return |
| parameters.search_after | array | optional | Pagination stateless cursor |
| parameters.language | string | optional | Filter on language |
| parameters.id | string | optional | Filter on event ID |
| parameters.limit | integer | optional | Pagination limit |
| parameters.offset | integer | optional | Pagination offset |
| parameters.simple_query | string | optional | Query string in simple query format |
| parameters.revision | integer | optional | Filter on revision |

Input example:

```json
{"parameters": {"sort_order": "asc", "from": "2023-01-01T00:00:00Z", "sort_by": "id:desc", "query": "event_type:malware", "to": "2023-12-31T23:59:59Z"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 5 Nov 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

Response headers:

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 5 Nov 2024 20:37:23 GMT |
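The following is an added example, not code from the Swimlane connector or from Cisco's SDK. It shows what both actions above do under the hood: the client ID and secret become an HTTP Basic credential, the two search requests are built from the documented endpoints and parameters, and results are walked page by page by feeding `paging.next.search_after` back in as the `search_after` parameter. HTTP is hidden behind a `send` callable so the script runs offline against a constructed fake transport. Assumptions, marked in the code: the placeholder hosts (`example.invalid` stand-ins for `visibility.{{xdr_api_domain}}` and `private.intel.{{xdr_api_domain}}`), the token endpoint path used to exchange the Basic credential for a bearer token (this page does not show that step), list-valued query parameters encoded as repeated keys, and the made-up event contents in the sample pages.

```python
"""Added example (not part of the Swimlane connector or Cisco's SDK): builds the
two search requests documented above and walks result pages with search_after.
HTTP is abstracted behind a `send` callable so the script runs offline against
a constructed fake transport; assumptions are marked inline."""
import base64
import json
from datetime import datetime
from typing import Callable, Dict, Iterator, List
from urllib.parse import urlencode

# Placeholder hosts standing in for https://visibility.{{xdr_api_domain}} and
# https://private.intel.{{xdr_api_domain}} (assumption: .invalid never resolves).
VISIBILITY_URL = "https://visibility.example.invalid"
PRIVATE_INTEL_URL = "https://private.intel.example.invalid"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 7617 Basic credential built from the XDR client ID and secret."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {creds}"


def token_request(client_id: str, client_secret: str) -> Dict:
    """Client-credentials exchange that turns the Basic credential into a bearer
    token. Assumption: the token endpoint path; this page does not show it."""
    return {"method": "POST",
            "url": f"{VISIBILITY_URL}/iroh/oauth2/token",
            "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded",
                        "Accept": "application/json"},
            "body": "grant_type=client_credentials"}


def _check_window(params: Dict) -> Dict:
    """Reject an inverted from/to window locally instead of sending it."""
    def parse(v: str) -> datetime:
        return datetime.fromisoformat(v.replace("Z", "+00:00"))
    if "from" in params and "to" in params and parse(params["from"]) > parse(params["to"]):
        raise ValueError("'from' must not be later than 'to'")
    return params


def _query(params: Dict) -> str:
    # Assumption: list-valued parameters (search_after, fields) are sent as
    # repeated query keys; None values are dropped rather than sent as "None".
    return urlencode({k: v for k, v in _check_window(params).items() if v is not None}, doseq=True)


def search_events_request(bearer: str, params: Dict, data_body: Dict) -> Dict:
    """POST /iroh/iroh-event/event/search: filters in the query string, criteria in the body."""
    return {"method": "POST",
            "url": f"{VISIBILITY_URL}/iroh/iroh-event/event/search?{_query(params)}",
            "params": params,
            "headers": {"Authorization": f"Bearer {bearer}",
                        "Content-Type": "application/json", "Accept": "application/json"},
            "body": json.dumps(data_body)}


def ctia_search_request(bearer: str, params: Dict) -> Dict:
    """GET /ctia/event/search with Elasticsearch-style query parameters."""
    return {"method": "GET",
            "url": f"{PRIVATE_INTEL_URL}/ctia/event/search?{_query(params)}",
            "params": params,
            "headers": {"Authorization": f"Bearer {bearer}", "Accept": "application/json"},
            "body": None}


def iterate_events(send: Callable[[Dict], Dict], build: Callable[[Dict], Dict],
                   params: Dict, max_pages: int = 50) -> Iterator[Dict]:
    """Yield events page by page, following paging.next.search_after until it is absent.
    offset is dropped once a cursor is in use: search_after is a stateless cursor
    and mixing the two is not defined by this page (assumption)."""
    params = dict(params)
    for _ in range(max_pages):
        page = send(build(params))
        yield from page.get("data", [])
        cursor = ((page.get("paging") or {}).get("next") or {}).get("search_after")
        if not cursor:
            return
        params = {k: v for k, v in params.items() if k != "offset"}
        params["search_after"] = cursor
    raise RuntimeError(f"stopped after {max_pages} pages; the server kept returning a cursor")


# Constructed sample responses in the shape of the output table above (data[] plus
# paging.next.search_after). Event contents are made up for this example.
FAKE_PAGES: List[Dict] = [
    {"data": [{"id": "evt-1", "created_at": "2023-06-01T10:00:00Z"},
              {"id": "evt-2", "created_at": "2023-06-01T10:05:00Z"}],
     "paging": {"total_hits": 3, "previous": {},
                "next": {"limit": 2, "search_after": ["2023-06-01T10:05:00Z", "evt-2"]}, "sort": []}},
    {"data": [{"id": "evt-3", "created_at": "2023-06-01T10:09:00Z"}],
     "paging": {"total_hits": 3, "previous": {"limit": 2, "offset": 0}, "next": {}, "sort": []}},
]


def fake_send(request: Dict) -> Dict:
    """Offline stand-in for the HTTP client: page 2 once a cursor is present."""
    return FAKE_PAGES[1] if "search_after" in request["params"] else FAKE_PAGES[0]


def collect_ctia_event_ids(send: Callable[[Dict], Dict] = fake_send) -> List[str]:
    """End-to-end: search the 2023 window two events at a time and gather every ID."""
    params = {"from": "2023-01-01T00:00:00Z", "to": "2023-12-31T23:59:59Z",
              "limit": 2, "sort_by": "timestamp:asc"}
    return [e["id"] for e in iterate_events(send, lambda p: ctia_search_request("BEARER_TOKEN", p), params)]


if __name__ == "__main__":
    print(collect_ctia_event_ids())  # ['evt-1', 'evt-2', 'evt-3']
```

To run it against a real tenant, replace `fake_send` with a function that performs the request dict over HTTPS (with certificate verification on) and returns the parsed JSON body; `max_pages` is a deliberate ceiling so that a server that keeps handing back a cursor cannot turn a playbook step into an unbounded loop.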