Secure Network Analytics and Cisco XDR
Introduction
Overview
This guide provides instructions for configuring the integration of Cisco Secure Network Analytics with Cisco XDR. Cisco XDR is a cloud-based solution, designed to simplify security operations and empower security teams to detect, prioritize, and respond to the most sophisticated threats. It reduces false positives and enhances threat detection, response, and forensic capabilities through clear prioritization of alerts and providing the shortest path from detection to
response.
This integration enables you to do the following:
- Send Secure Network Analytics security alarms and alerts to Cisco XDR.
- Allow Cisco XDR to request top security events from Secure Network Analytics to enrich the investigation context in Cisco XDR Threat Response workflows.
- Use Secure Network Analytics tiles on the Cisco XDR dashboards to monitor key operational metrics, such as Top Alarming Hosts, Top Alarms By Count, Top Inside
- Host Groups by Traffic, and more.
Audience
The intended audience for this guide includes network administrators and other personnel who are responsible for configuring Secure Network Analytics products.
Use this guide only if you have both Secure Network Analytics v7.5.3 and Cisco XDR.
Best Practices
Before you start the configuration, review the instructions so you understand the planning, time, and requirements for configuring your appliances.
The procedures are as follows:
- Registering your Manager in Cisco Security Cloud Control (formerly Cisco Security Service Exchange)
- Confirming Severity Levels for the Alarms
- Configuring Policy for the Alarms
- Configuring Secure Network Analytics to Send Data
- Configuring the Integration in Cisco XDR
Requirements
The instructions in this guide require you to have access to Secure Network Analytics v7.5.3 and Cisco XDR. Having a Threat Feed License with Secure Network Analytics and being registered for Cisco XDR are also requirements.
Disable Webhooks
If you’ve upgraded to Secure Network Analytics v7.5.3 from 7.4.2 or 7.5.0, and you enabled promoting specific alarm data to Cisco XDR using a webhook, confirm it is disabled before you start the configuration for v7.5.3.
To disable a webhook, do the following:
- From the navigation menu, choose Configure > Detection > Response Management.
- On the Response Management page, choose Actions tab.
- Locate the needed webhook action that was created to access Cisco XDR.
- Toggle off the Enabled field.
Cisco XDR
Make sure you’ve registered for Cisco XDR before you start the procedures in this guide. To confirm you’ve registered for Cisco XDR, contact your Cisco partner. For more information about Cisco XDR, go to Cisco XDR Help Center.
Cisco Security Cloud Control (formerly Cisco Security Service Exchange)
As part of this integration, your device needs to be registered in Cisco Security Cloud Control (formerly Cisco Security Service Exchange). Registering a device provides Cisco XDR permissions to access it. For more information, refer to 1. Registering your Manager in Cisco Security Cloud Control (formerly Cisco Security Service Exchange).
Threat Feed License
Make sure you’ve set up your Threat Feed License because it’s required to enable the Bot Infected Host – Successful C&C Activity alarm.
Licensing
Add the Threat Feed License to your Cisco Smart Account. For instructions, refer to the Secure Network Analytics Smart Software Licensing Guide.
Enabling
To enable the feed in Central Management, follow the instructions in the help. Please note that you will configure the DNS server and firewall as part of the instructions. Also, if you have a failover configuration, you need to enable Threat Feed on your primary Manager and secondary Manager.
- Log in to your primary Manager.
- Choose Configure > Global > Central Management.
- Click the
(User) icon. Choose Help. - Choose Appliance Configuration > Threat Feed.
Domain
Cisco XDR doesn’t support multiple Secure Network Analytics domains. You will choose a domain that will be used in this integration.
Registering your Manager in Cisco Security Cloud Control (formerly Cisco Security Service Exchange)
The Cisco Security Cloud Control (formerly Cisco Security Service Exchange) is available for your Manager in Central Management. Registering your Manager in the Cisco Security Cloud Control will allow Cisco XDR to retrieve enrichment data, such as Security Events, from your Manager to be included in the investigation workflows and retrieve Secure Network Analytics tiles for Cisco XDR dashboard. It will also allow Secure Network Analytics to send security alarms to Cisco XDR. For more details, refer to the Secure Network Analytics Enrichment Data for Cisco XDR and Secure Network Analytics Tiles for Cisco XDR dashboard sections.
- Cisco Security Cloud Control is enabled by default.
- If you use Automatic Registration, you will need to link your Cisco Security Cloud Control account and your Smart Licensing Account.
Requirements for Choosing a Regional Cloud
As part of this procedure, you will choose a regional cloud.
- When possible, use the regional cloud nearest to your Secure Network Analytics deployment.
- Data in different clouds can’t be aggregated or merged.
- If you need to aggregate data from multiple regions, devices in all regions must send data to the same regional cloud. Confirm your Manager is connected to outbound Cisco clouds, Cisco XDR Private
Intelligence API, and regional Cisco XDR Analytics portals:
- North America clouds:
- api-sse.cisco.com, port 443
- sensor.ext.obsrvbl.com, port 443
- EU clouds:
- api.eu.sse.itd.cisco.com, port 443
- sensor.eu-prod.obsrvbl.com, port 443
- o Asia (APJC) clouds:
- api.apj.sse.itd.cisco.com, port 443
- sensor.anz-prod.obsrvbl.com, port 443
Device Registration
Follow the instructions based on your configuration.
- If your Manager is registered in Cisco Smart Software Licensing, go to Automatically Register a Device
- If your Manager is in Cisco Smart Software Licensing evaluation mode, go to Manually Register a Device
Automatically Register a Device
Your Manager will automatically register in the Cisco Security Cloud Control if the following conditions are met:
- The Cisco Security Cloud Control option is enabled for your Manager under External Services.
- Your Manager is not already registered in Cisco Security Cloud Control.
- Your Manager is registered with Cisco Smart Software Licensing. To check your registration status, got to Configure > Global > Central Management > Smart Licensing.
For more information, refer to the Secure Network Analytics Smart Software Licensing Guide.
To enable or disable Cisco Security Cloud Control, complete the following steps:
- Log in to your Manager.
- Choose Configure > Global > Central Management.
- Click the (Ellipsis) icon under the Actions column for your Manager, then click Edit Appliance Configuration.
- Click General.
- Under External Services, check the Cisco Security Cloud Control check box to enable automatic registration.
- Click Apply Settings.
If you have enabled the Cisco Security Cloud Control, continue to step 7 to register your device. - Return to the Security Insight Dashboard.
- Choose Configure > Integrations > Cisco XDR.
- In the Device Registration section, click New Device Registration.
- In the opened dialog box, select the Cloud Region that matches your Cisco XDR regional cloud.
- Choose Register Automatically.
- Click Save.
Where possible, use the regional cloud nearest to your primary Secure Network Analytics Manager.
Manually Register a Device
To manually register your Manager in Cisco Security Cloud Control, complete the following steps:
- Log in to your Secure Network Analytics Manager.
- From the navigation menu, choose Configure > Integrations > Cisco XDR.
- In the Device Registration section, click New Device Registration.
- Choose Register Using Device Token.
- Click the Cisco Security Cloud Control Portal link to be taken to the portal.
- Choose the Cloud Services tab and enable Cisco XDR.
- Choose the Devices tab and click Generate Token.
- Specify the number of devices and the token expiration time (the default is 1 hour), and click Continue.
- Copy the generated token (click Copy to Clipboard or Save To File) and click Close to exit the dialog box.
- Confirm the device has been created on the Devices page. New and unused tokens appear in the devices list as New Device with a random number.
- Return to the Device Registration section.
- In the opened dialog box, select the Cloud Region that matches your Cisco XDR regional cloud and insert the device token generated and saved in step 9 and click Save.
- The device will be registered in Cisco Security Cloud Control and the status will show as Enrolled.
- Verify the status of the device in the Cisco Security Cloud Control portal. The status of the device should show as Registered.
Confirming Severity Levels for the Alarms
The alarms are notifications of unusual network activity that meets or exceeds a defined set of criteria indicating unacceptable behavior on your network. Only the following three alarms generate data to send to Cisco XDR:
- Bot Infected Host – Successful C&C Activity
- Suspect Data Hoarding
- Suspect Data Loss
While these alarms typically default to a severity level of Major, make sure to confirm the severity level is either Critical or Major for each one. If an alarm doesn’t have a severity of Critical or Major, it’s data won’t be sent to Cisco XDR. The following table provides information about the Critical and Major alarm severity levels
Assign or Confirm the Alarm Severity for Each Alarm
To configure or confirm that the alarm severity for each of the three alarms is set to
Critical or Major, do the following:
- From the main menu, choose Configure > Detection > Alarm Severity.
- When the Alarm Severity page displays, locate the first alarm, Bot Infected Host – Successful C&C Activity.
The Threat Feed License is required to enable the Bot Infected Host – Successful C&C Activity alarm. Refer to Threat Feed License for more information.
Review Additional Information About the Alarms
The following table provides more details about these alarms.
| Secure Network Analytics | MITRE Tactics and Techniques | |||||
| Display Name | Event ID | Event Description | MITRE
Tactic |
Tactic ID |
MITRE Technique |
Technique ID |
|
Bot Infected Host – Successful C&C Activity |
42 |
The source host has successfully contacted a C&C server using a port identified in the Command-
and-Control (C&C) server list. The communication is two-way, indicating the C&C server has responded. The inside host, as the initiator, accumulates Concern Index (CI) points. If the C&C server it contacts is also an inside host, then that C&C server accumulates Target Index (TI) points. |
Command and Control (C&C) |
TA0011 |
Application Layer Protocol |
T1071 |
|
Suspect Data Hoarding |
315 |
The source host has downloaded an unusual amount of data from one or more hosts. |
Collection |
TA0009 |
Data Staged |
T107 |
| Secure Network Analytics | MITRE Tactics and Techniques | |||||
| Display Name | Event ID | Event Description | MITRE
Tactic |
Tactic ID |
MITRE Technique |
Technique ID |
|
Suspect Data Loss |
40 |
This indicates that an inside host has uploaded an abnormal amount of data to outside hosts. |
Exfiltration |
TA0010 |
Exfiltration over C2 Channel |
T1041 |
Configuring Policy for the Alarms
To configure, or confirm, the alarm policy for each of the three alarms, do the following:
- From the main menu, choose Configure > Detection > Policy Management
- When the Policy Management page displays, click the Core Events tab.
- Locate the first alarm, Bot Infected Host – Successful C&C Activity.
- Choose On + Alarm on When Host is Source column for each policy.
- Choose On + Alarm on When Host is Target column for each policy
- Repeat Steps 3 to 5 for each of the other two alarms.
- Click Save.
Configuring Secure Network Analytics to Send Data
- Log in to your Secure Network Analytics Manager.
- From the navigation menu, choose Configure > Integrations > Cisco XDR.
- On the Cisco XDR Configuration section, click Add New Configuration.
- Choose a Domain that will be used to return data to Cisco XDR.
- Confirm Cisco XDR Integration Options are checked:
- Enable sending security findings to Cisco XDR
- Enable Cisco XDR dashboard tiles service requests
- Enable Cisco XDR Investigation enrichment requests
- Choose Number of top security events. These security events will be presented as sightings in the Cisco XDR investigation console.
- Choose Period of time (days).
- Click Save.
- Confirm that the API Status field shows the configuration as Connected.
Configuring the Integration in Cisco XDR
- Log in to Cisco XDR.
- In the navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Cisco tab and navigate to the Secure Network Analytics integration.
- Click Get Started. The Secure Network Analytics integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Secure Network Analytics integration in Cisco XDR. For more information refer to Cisco XDR Help.
- After you have finished the configuration in Cisco XDR, configure enrichment and tiles.
- Configure Secure Network Analytics Enrichment Data for Cisco XDR: Intelligence
- Configure Secure Network Analytics Tiles for Cisco XDR: Configure Dashboards and Tiles
Secure Network Analytics Enrichment Data for Cisco XDR
Once your Manager is registered with Cisco Security Cloud Control and Secure Network Analytics module is configured in Cisco XDR, you will be able to see the enrichment data from Secure Network Analytics in Cisco XDR investigate workflow. For every valid IP address requested in the investigation, Secure Network Analytics will return security events associated with this IP in the form of corresponding sightings and indicator objects.
You can configure the following parameters for the security events returned in the Cisco XDR configuration form:
- Whether to allow investigation requests from Cisco XDR.
- Which Secure Network Analytics domains to return Security Events.
- Number of top events to be sent.
- What time period to return Security Events.
Secure Network Analytics Tiles for Cisco XDR
The following Secure Network Analytics tiles are available for the Cisco XDR dashboard:
|
Tile Name |
Description |
Available Time Period |
Pivots to… |
|
Top Alarming Hosts |
Provides Top 7 inside hosts, sorted by alarm severity, that have been active on your network since the last reset hour. |
Last 24 hours |
Host Report |
|
Alarming Hosts by Category |
Top 7 inside hosts, sorted by alarm severity, that have been active on your network since the last reset hour. |
Last 24 hours |
Network Security dashboard |
| Top Alarms By Count | Represents Top 10 alarms by count. | Last 24 hours
Last 7 days |
Network Security dashboard |
|
Visibility Assessment |
Number of hosts in the Visibility Assessment Categories including Internal Network Scanners, Remote Access Breach, Possible Malware, Vulnerable Protocol Servers, DNS Risk. |
Last 24 hours Last 7 days |
Visibility Assessment dashboard |
|
Network Visibility |
Provides statistics for the number of hosts and the amount of traffic. |
Last 24 hours Last 7 days |
Visibility Assessment dashboard |
|
Tile Name |
Description |
Available Time Period |
Pivots to… |
|
Top Inside Host Groups by Traffic |
Top 10 Inside host groups by traffic communicated with each other. |
Last 12 hours |
Host Group Report for Inside Host Group |
|
Top Outside Host Groups by Traffic |
Top 10 Outside host groups by traffic communicated with Inside Hosts Group. |
Last 12 hours |
Host Group Report for Inside Host Group |
Changing Cisco XDR Integration
To edit the Cisco XDR integration, do the following:
- From the navigation menu, choose Configure > Integrations > Cisco XDR.
- On the Cisco XDR Configuration page, choose Cisco XDR Configuration.
- On the Actions field click the (Ellipsis) icon.
- Choose Edit.
Alternatively, you can Refresh or Delete the configuration. On the Device Registration section, you can only Refresh or Delete the device.
Contacting Support
If you need technical support, please do one of the following:
- Contact your local Cisco Partner
- Contact Cisco Support
- To open a case by web: http://www.cisco.com/c/en/us/support/index.html
- For phone support: 1-800-553-2447 (U.S.)
- For worldwide support numbers:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Change History
| Document Version | Published Date | Description |
| 1_0 | August 11, 2025 | Initial version. |
Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
Documents / Resources
 |
CISCO Secure Network Analytics and Cisco XDR [pdf] User Guide Secure Network Analytics and Cisco XDR, Network Analytics and Cisco XDR, Analytics and Cisco XDR, Cisco XDR |