Cisco Secure Network Analytics

Secure Network Analytics and Cisco XDR Integration Guide 7.5.3

Introduction

Overview

This guide provides instructions for configuring the integration of Cisco Secure Network Analytics with Cisco XDR. Cisco XDR is a cloud-based solution, designed to simplify security operations and empower security teams to detect, prioritize, and respond to the most sophisticated threats. It reduces false positives and enhances threat detection, response, and forensic capabilities through clear prioritization of alerts and providing the shortest path from detection to response. This integration enables you to do the following:

  • Send Secure Network Analytics security alarms and alerts to Cisco XDR.
  • Allow Cisco XDR to request top security events from Secure Network Analytics to enrich the investigation context in Cisco XDR Threat Response workflows.
  • Use Secure Network Analytics tiles on the Cisco XDR dashboards to monitor key operational metrics, such as Top Alarming Hosts, Top Alarms By Count, Top Inside Host Groups by Traffic, and more.

Audience

The intended audience for this guide includes network administrators and other personnel who are responsible for configuring Secure Network Analytics products.

ℹ️ Use this guide only if you have both Secure Network Analytics v7.5.3 and Cisco XDR.

Best Practices

Before you start the configuration, review the instructions so you understand the planning, time, and requirements for configuring your appliances. The procedures are as follows:

  1. Registering your Manager in Cisco Security Cloud Control (formerly Cisco Security Service Exchange)
  2. Confirming Severity Levels for the Alarms
  3. Configuring Policy for the Alarms
  4. Configuring Secure Network Analytics to Send Data
  5. Configuring the Integration in Cisco XDR

Requirements

Disable Webhooks

If you've upgraded to Secure Network Analytics v7.5.3 from 7.4.2 or 7.5.0, and you enabled promoting specific alarm data to Cisco XDR using a webhook, confirm it is disabled before you start the configuration for v7.5.3. To disable a webhook, do the following:

  1. From the navigation menu, choose Configure > Detection > Response Management.
  2. On the Response Management page, choose the Actions tab.
  3. Locate the needed webhook action that was created to access Cisco XDR.
  4. Toggle off the Enabled field.

Cisco XDR

Make sure you've registered for Cisco XDR before you start the procedures in this guide. To confirm you've registered for Cisco XDR, contact your Cisco partner. For more information about Cisco XDR, go to Cisco XDR Help Center.

Cisco Security Cloud Control (formerly Cisco Security Service Exchange)

As part of this integration, your device needs to be registered in Cisco Security Cloud Control (formerly Cisco Security Service Exchange). Registering a device provides Cisco XDR permissions to access it. For more information, refer to 1. Registering your Manager in Cisco Security Cloud Control (formerly Cisco Security Service Exchange).

Threat Feed License

Make sure you've set up your Threat Feed License because it's required to enable the Bot Infected Host - Successful C&C Activity alarm.

Licensing

Add the Threat Feed License to your Cisco Smart Account. For instructions, refer to the Secure Network Analytics Smart Software Licensing Guide.

Enabling

To enable the feed in Central Management, follow the instructions in the help. Please note that you will configure the DNS server and firewall as part of the instructions. Also, if you have a failover configuration, you need to enable Threat Feed on your primary Manager and secondary Manager.

  1. Log in to your primary Manager.
  2. Choose Configure > Global > Central Management.
  3. Click the (User) icon. Choose Help.
  4. Choose Appliance Configuration > Threat Feed.

Domain

Cisco XDR doesn't support multiple Secure Network Analytics domains. You will choose a domain that will be used in this integration.

1. Registering your Manager in Cisco Security Cloud Control (formerly Cisco Security Service Exchange)

The Cisco Security Cloud Control (formerly Cisco Security Service Exchange) is available for your Manager in Central Management. Registering your Manager in the Cisco Security Cloud Control will allow Cisco XDR to retrieve enrichment data, such as Security Events, from your Manager to be included in the investigation workflows and retrieve Secure Network Analytics tiles for Cisco XDR dashboard. It will also allow Secure Network Analytics to send security alarms to Cisco XDR. For more details, refer to the Secure Network Analytics Enrichment Data for Cisco XDR and Secure Network Analytics Tiles for Cisco XDR dashboard sections.

  • Cisco Security Cloud Control is enabled by default.
  • If you use Automatic Registration, you will need to link your Cisco Security Cloud Control account and your Smart Licensing Account.

Requirements for Choosing a Regional Cloud

As part of this procedure, you will choose a regional cloud.

  • When possible, use the regional cloud nearest to your Secure Network Analytics deployment.
  • Data in different clouds can't be aggregated or merged.
  • If you need to aggregate data from multiple regions, devices in all regions must send data to the same regional cloud.

Confirm your Manager has outbound connectivity to the Cisco clouds, the Cisco XDR Private Intelligence API, and the regional Cisco XDR Analytics portals listed below:

North America clouds:

  • api-sse.cisco.com, port 443
  • sensor.ext.obsrvbl.com, port 443

EU clouds:

  • api.eu.sse.itd.cisco.com, port 443
  • sensor.eu-prod.obsrvbl.com, port 443

Asia (APJC) clouds:

  • api.apj.sse.itd.cisco.com, port 443
  • sensor.anz-prod.obsrvbl.com, port 443
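Before registering, it is worth verifying this reachability from a host that shares the Manager's egress path, because a blocked port or an intercepting proxy otherwise surfaces only later as a failed API Status. The following is an added example, not part of this Cisco guide: it checks DNS, TCP connect and a certificate-validated TLS handshake for the hostnames listed above, and the region keys (north-america, eu, apjc) are labels chosen here, not Cisco's names.

```python
"""Preflight check for the outbound endpoints listed in the guide."""
import socket
import ssl

# Regional clouds and port as listed above; the region keys are labels
# chosen for this example, not Cisco's names.
REGIONAL_CLOUDS = {
    "north-america": ["api-sse.cisco.com", "sensor.ext.obsrvbl.com"],
    "eu": ["api.eu.sse.itd.cisco.com", "sensor.eu-prod.obsrvbl.com"],
    "apjc": ["api.apj.sse.itd.cisco.com", "sensor.anz-prod.obsrvbl.com"],
}
PORT = 443


def endpoints_for(region):
    """Return the (host, port) pairs to verify for one regional cloud."""
    if region not in REGIONAL_CLOUDS:
        # Fail loudly: a typo must not result in checking nothing.
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(REGIONAL_CLOUDS)}")
    return [(host, PORT) for host in REGIONAL_CLOUDS[region]]


def check_endpoint(host, port, timeout=5.0):
    """Resolve, connect, then complete a TLS handshake with the host.

    Each stage is recorded separately so a failure points at DNS, the
    firewall, or TLS interception (an intercepting proxy fails the
    certificate check against the system trust store as a 'tls:' error).
    """
    result = {"host": host, "port": port, "dns": False, "tcp": False,
              "tls": False, "error": None}
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        result["dns"] = True
    except socket.gaierror as exc:
        result["error"] = f"dns: {exc}"
        return result
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        result["tcp"] = True
    except OSError as exc:
        result["error"] = f"tcp: {exc}"
        return result
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        ctx.wrap_socket(sock, server_hostname=host).close()
        result["tls"] = True
    except (ssl.SSLError, OSError) as exc:
        sock.close()
        result["error"] = f"tls: {exc}"
    return result


def preflight(region, timeout=5.0):
    """Check every endpoint for a region; True only if all pass TLS."""
    results = [check_endpoint(h, p, timeout) for h, p in endpoints_for(region)]
    for r in results:
        status = "OK" if r["tls"] else f"FAIL ({r['error']})"
        print(f"{r['host']}:{r['port']} {status}")
    return all(r["tls"] for r in results)


if __name__ == "__main__":
    import sys
    sys.exit(0 if preflight(sys.argv[1] if len(sys.argv) > 1 else "north-america") else 1)
```

Run it with the region you intend to select in the Device Registration dialog; a non-zero exit means at least one endpoint did not pass all three stages.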

Device Registration

Follow the instructions based on your configuration.

Automatically Register a Device

Your Manager will automatically register in the Cisco Security Cloud Control if the following conditions are met:

  • The Cisco Security Cloud Control option is enabled for your Manager under External Services.
  • Your Manager is not already registered in Cisco Security Cloud Control.
  • Your Manager is registered with Cisco Smart Software Licensing. To check your registration status, go to Configure > Global > Central Management > Smart Licensing.

For more information, refer to the Secure Network Analytics Smart Software Licensing Guide.

To enable or disable Cisco Security Cloud Control, complete the following steps:

  1. Log in to your Manager.
  2. Choose Configure > Global > Central Management.
  3. Click the ... (Ellipsis) icon under the Actions column for your Manager, then click Edit Appliance Configuration.

Screenshot of the Central Management Inventory page, showing a list of appliances and their status, with an 'Actions' column that includes 'Edit Appliance Configuration'.

  4. Click General.
  5. Under External Services, check the Cisco Security Cloud Control check box to enable automatic registration.

Screenshot of the Appliance Configuration General tab within Central Management, highlighting the 'External Services' section with the 'Enable Cisco Security Cloud Control' checkbox.

  6. Click Apply Settings.

If you have enabled the Cisco Security Cloud Control, continue to step 7 to register your device.

  7. Return to the Security Insight Dashboard.
  8. Choose Configure > Integrations > Cisco XDR.
  9. In the Device Registration section, click New Device Registration.
  10. In the opened dialog box, select the Cloud Region that matches your Cisco XDR regional cloud.
  11. Choose Register Automatically.
  12. Click Save.

Device Registration dialog box, allowing selection of a 'Cloud Region' and the option to 'Register Automatically'.

Where possible, use the regional cloud nearest to your primary Secure Network Analytics Manager.

Manually Register a Device

To manually register your Manager in Cisco Security Cloud Control, complete the following steps:

  1. Log in to your Secure Network Analytics Manager.
  2. From the navigation menu, choose Configure > Integrations > Cisco XDR.
  3. In the Device Registration section, click New Device Registration.
  4. Choose Register Using Device Token.
  5. Click the Cisco Security Cloud Control Portal link to be taken to the portal.

Device Registration dialog box, presenting the option to 'Register Using Device Token'.

  6. Choose the Cloud Services tab and enable Cisco XDR.

Screenshot of the Cisco Security Services Exchange Cloud Services tab, showing 'Cisco XDR' enablement.

  7. Choose the Devices tab and click Generate Token.

Screenshot of the Cisco Security Services Exchange Devices tab, displaying a list of devices and the 'Generate Token' button.

  8. Specify the number of devices and the token expiration time (the default is 1 hour), and click Continue.
  9. Copy the generated token (click Copy to Clipboard or Save To File) and click Close to exit the dialog box.

Dialog box for 'Add Devices and Generate Tokens', showing generated tokens and options to 'Copy to Clipboard' or 'Save To File'.

  10. Confirm the device has been created on the Devices page. New and unused tokens appear in the devices list as New Device with a random number.
  11. Return to the Device Registration section.
  12. In the opened dialog box, select the Cloud Region that matches your Cisco XDR regional cloud, paste the device token you generated and saved in step 9, and click Save.
  13. The device is registered in Cisco Security Cloud Control and its status shows as Enrolled.

Device Registration dialog box showing a selected 'Cloud Region' and the status 'Enrolled'.

  14. Verify the status of the device in the Cisco Security Cloud Control portal. The status of the device should show as Registered.

2. Confirming Severity Levels for the Alarms

The alarms are notifications of unusual network activity that meets or exceeds a defined set of criteria indicating unacceptable behavior on your network. Only the following three alarms generate data to send to Cisco XDR:

  • Bot Infected Host - Successful C&C Activity
  • Suspect Data Hoarding
  • Suspect Data Loss

While these alarms typically default to a severity level of Major, confirm that the severity level is either Critical or Major for each one. If an alarm doesn't have a severity of Critical or Major, its data won't be sent to Cisco XDR.

The following table provides information about the Critical and Major alarm severity levels.

Alarm Severity and Alarm Definition:

  • Critical: A Critical alarm is well-tuned, well-understood, and typically a low-volume alarm. The chance of a false positive is generally quite low. ℹ️ When indicated by a color, it is red.
  • Major: A Major alarm should be of interest to you. When you have tuned a Major alarm to the point that you believe it is a valuable source of intelligence, you can re-assign it to Critical. ℹ️ When indicated by a color, it is orange.

Make sure all three alarms have a Critical or Major severity level. If not, the data won't be shared with Cisco XDR.

Assign or Confirm the Alarm Severity for Each Alarm

To configure or confirm that the alarm severity for each of the three alarms is set to Critical or Major, do the following:

  1. From the main menu, choose Configure > Detection > Alarm Severity.
  2. When the Alarm Severity page displays, locate the first alarm, Bot Infected Host - Successful C&C Activity.

ℹ️ The Threat Feed License is required to enable the Bot Infected Host – Successful C&C Activity alarm. Refer to Threat Feed License for more information.

Screenshot of the Cisco Secure Network Analytics Alarm Severity page, displaying alarms like 'Bot Infected Host - Successful C&C Activity' with their severity levels, showing 'Major' selected.

  3. Select either Critical or Major for Alarm Severity.

Alarm Severity dialog box, offering choices for alarm severity including 'Major' and 'Critical'.

  4. Repeat Step 3 for each of the other two alarms.
  5. Click Save.

Screenshot of the Alarm Severity page, showing 'Suspect Data Hoarding' and 'Suspect Data Loss' alarms with their severity set to 'Major'.


Review Additional Information About the Alarms

The following table provides more details about these alarms.

Secure Network Analytics alarm details and the corresponding MITRE Tactics and Techniques:

Bot Infected Host - Successful C&C Activity
  • Event ID: 42
  • Event Description: The source host has successfully contacted a C&C server using a port identified in the Command-and-Control (C&C) server list. The communication is two-way, indicating the C&C server has responded. The inside host, as the initiator, accumulates Concern Index (CI) points. If the C&C server it contacts is also an inside host, then that C&C server accumulates Target Index (TI) points.
  • MITRE Tactic: Command and Control (C&C), Tactic ID TA0011
  • MITRE Technique: Application Layer Protocol, Technique ID T1071

Suspect Data Hoarding
  • Event ID: 315
  • Event Description: The source host has downloaded an unusual amount of data from one or more hosts.
  • MITRE Tactic: Collection, Tactic ID TA0009
  • MITRE Technique: Data Staged, Technique ID T107

Suspect Data Loss
  • Event ID: 40
  • Event Description: This indicates that an inside host has uploaded an abnormal amount of data to outside hosts.
  • MITRE Tactic: Exfiltration, Tactic ID TA0010
  • MITRE Technique: Exfiltration over C2 Channel, Technique ID T1041

3. Configuring Policy for the Alarms

To configure, or confirm, the alarm policy for each of the three alarms, do the following:

  1. From the main menu, choose Configure > Detection > Policy Management.
  2. When the Policy Management page displays, click the Core Events tab.
  3. Locate the first alarm, Bot Infected Host - Successful C&C Activity.
  4. In the When Host Is Source column, choose On + Alarm for each policy.
  5. In the When Host Is Target column, choose On + Alarm for each policy.

Screenshot of the Cisco Secure Network Analytics Policy Management page, Core Events tab, illustrating alarm policies with 'When Host Is Source' and 'When Host Is Target' columns set to 'On + Alarm'.

  6. Repeat Steps 3 to 5 for each of the other two alarms.

ℹ️ To check the Alarms list for this configuration, refer to 2. Confirming Severity Levels for the Alarms.

  7. Click Save.

4. Configuring Secure Network Analytics to Send Data

1. Log in to your Secure Network Analytics Manager.

2. From the navigation menu, choose Configure > Integrations > Cisco XDR.

3. On the Cisco XDR Configuration section, click Add New Configuration.

4. Choose a Domain that will be used to return data to Cisco XDR.

5. Confirm that the Cisco XDR Integration Options are checked:

  • [x] Enable sending security findings to Cisco XDR
  • [ ] Enable Cisco XDR dashboard tiles service requests
  • [ ] Enable Cisco XDR Investigation enrichment requests

6. Choose Number of top security events. These security events will be presented as sightings in the Cisco XDR investigation console.

7. Choose Period of time (days).

Screenshot of the Cisco XDR Configuration dialog, detailing fields for Domain, Cisco XDR Integration Options, Number of top security events, and Period of time.

8. Click Save.

9. Confirm that the API Status field shows the configuration as Connected.

Screenshot of the Cisco XDR Configuration page, indicating 'API Status' as 'Connected'.

5. Configuring the Integration in Cisco XDR

1. Log in to Cisco XDR.

2. In the navigation menu, choose Administration > Integrations.

3. On the Integrations page, click the Cisco tab and navigate to the Secure Network Analytics integration.

4. Click Get Started. The Secure Network Analytics integration page is displayed.

5. Expand the Integration Guide area and follow the instructions on how to add the Secure Network Analytics integration in Cisco XDR. For more information refer to Cisco XDR Help.

6. After you have finished the configuration in Cisco XDR, configure enrichment and tiles.

  • Configure Secure Network Analytics Enrichment Data for Cisco XDR: Intelligence
  • Configure Secure Network Analytics Tiles for Cisco XDR: Configure Dashboards and Tiles

Secure Network Analytics Enrichment Data for Cisco XDR

Once your Manager is registered with Cisco Security Cloud Control and the Secure Network Analytics module is configured in Cisco XDR, you will be able to see the enrichment data from Secure Network Analytics in the Cisco XDR Investigate workflow.

For every valid IP address requested in the investigation, Secure Network Analytics will return security events associated with this IP in the form of corresponding sightings and indicator objects.

You can configure the following parameters for the security events returned in the Cisco XDR configuration form:

  • Whether to allow investigation requests from Cisco XDR.
  • Which Secure Network Analytics domain to return Security Events from.
  • The number of top events to be sent.
  • The time period for which to return Security Events.

Secure Network Analytics Tiles for Cisco XDR

The following Secure Network Analytics tiles are available for the Cisco XDR dashboard:

Top Alarming Hosts
  • Description: Provides Top 7 inside hosts, sorted by alarm severity, that have been active on your network since the last reset hour.
  • Available Time Period: Last 24 hours
  • Pivots to: Host Report

Alarming Hosts by Category
  • Description: Top 7 inside hosts, sorted by alarm severity, that have been active on your network since the last reset hour.
  • Available Time Period: Last 24 hours
  • Pivots to: Network Security dashboard

Top Alarms By Count
  • Description: Represents Top 10 alarms by count.
  • Available Time Period: Last 24 hours, Last 7 days
  • Pivots to: Network Security dashboard

Visibility Assessment
  • Description: Number of hosts in the Visibility Assessment Categories including Internal Network Scanners, Remote Access Breach, Possible Malware, Vulnerable Protocol Servers, DNS Risk.
  • Available Time Period: Last 24 hours, Last 7 days
  • Pivots to: Visibility Assessment dashboard

Network Visibility
  • Description: Provides statistics for the number of hosts and the amount of traffic.
  • Available Time Period: Last 24 hours, Last 7 days
  • Pivots to: Visibility Assessment dashboard

Top Inside Host Groups by Traffic
  • Description: Top 10 Inside host groups by traffic communicated with each other.
  • Available Time Period: Last 12 hours
  • Pivots to: Host Group Report for Inside Host Group

Top Outside Host Groups by Traffic
  • Description: Top 10 Outside host groups by traffic communicated with Inside Hosts Group.
  • Available Time Period: Last 12 hours
  • Pivots to: Host Group Report for Inside Host Group

Changing Cisco XDR Integration

To edit the Cisco XDR integration, do the following:

  1. From the navigation menu, choose Configure > Integrations > Cisco XDR.
  2. On the Cisco XDR Configuration page, choose Cisco XDR Configuration.
  3. In the Actions column, click the ... (Ellipsis) icon.
  4. Choose Edit.

Alternatively, you can Refresh or Delete the configuration.

On the Device Registration section, you can only Refresh or Delete the device.

Contacting Support

If you need technical support, please do one of the following:

Change History

Document Version: 1_0
Published Date: August 11, 2025
Description: Initial version.

Copyright Information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
