Cisco XDR Integration

Step 1 - Create Webhook for Cisco XDR

  • Visit the Webhooks page in Binalyze AIR.

  • Click the "+ New Webhook" button in the upper right corner.

  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.).

  • Select "Cisco XDR: Cisco XDR Webhook Parser" as the parser for this webhook.

  • Select the Acquisition Profile to run when Cisco XDR activates this webhook.

  • Set the Ignore option or leave it at its default value (24 hours, which suppresses recurrent alerts for the same endpoint within that window).

  • Provide the other settings, such as Evidence Repository, CPU Limit, and Compression & Encryption, or let AIR configure them automatically based on the matching policy.

  • Click the "Save" button.

  • Copy the Webhook URL; you will need it in Step 2.

Step 2 - Setting up Cisco XDR

  • Go to Automate - Targets.

  • Click New Target.

  • Select HTTP Endpoint as the Target Type.

  • Enter a unique display name for the target in the Display Name field and a brief description in the Description field.

  • In the HTTP area, use the Webhook URL you copied in Step 1 to fill in the following fields:

    • Protocol - Choose the protocol the Webhook URL uses (HTTP or HTTPS).

    • Host/IP Address - Enter the hostname or IP address of the HTTP Endpoint.

    • Port - Enter the HTTP port number.

    • Path - Enter the HTTP path.

  • Click Submit to add and save the target.

  • For more information, refer to the Cisco XDR product documentation.
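Because Cisco XDR's HTTP Endpoint target form takes the webhook address as separate Protocol, Host/IP Address, Port and Path fields rather than one URL, the following added example (not part of the Binalyze or Cisco documentation) splits an AIR Webhook URL into exactly those four values, fills in the default port when the URL omits one, and flags a plain-HTTP webhook so the secret in the URL is not sent in clear text. The sample URL in the block is a constructed placeholder; the real one is the URL copied from the AIR Webhooks page in Step 1.

```python
"""Split a Binalyze AIR webhook URL into the fields that Cisco XDR's
HTTP Endpoint target form asks for: Protocol, Host/IP Address, Port, Path.

Added example, not code from Binalyze or Cisco. The webhook URL used in
main() is a constructed placeholder, not a real AIR webhook path.
"""
from urllib.parse import urlsplit

# Ports implied by the scheme when the webhook URL does not state one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_webhook_url(url: str) -> dict:
    """Return the four Cisco XDR target fields derived from a webhook URL.

    The query string (if any) is kept as part of Path, because AIR's webhook
    URL carries its identifying token in the URL and dropping it would make
    the target call a different, non-existent endpoint.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(
            f"unsupported protocol {parts.scheme!r}: the target accepts HTTP or HTTPS"
        )
    if not parts.hostname:
        raise ValueError("webhook URL has no host")

    # urlsplit raises ValueError itself if the port is not a valid number.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    path = parts.path or "/"
    if parts.query:
        path = f"{path}?{parts.query}"

    return {
        "Protocol": scheme.upper(),
        "Host/IP Address": parts.hostname,
        "Port": port,
        "Path": path,
    }


def transport_warnings(fields: dict) -> list:
    """Return configuration warnings a reviewer would raise before saving the target."""
    warnings = []
    if fields["Protocol"] == "HTTP":
        warnings.append(
            "Protocol is HTTP: the webhook URL (and any token in it) will cross "
            "the network unencrypted; prefer the HTTPS form of the URL."
        )
    return warnings


def main() -> None:
    # Constructed placeholder; replace with the URL copied from AIR in Step 1.
    sample = "https://air.example.internal:8443/api/webhook/PLACEHOLDER-ID?token=PLACEHOLDER"
    fields = split_webhook_url(sample)
    for name, value in fields.items():
        print(f"{name:16} {value}")
    for warning in transport_warnings(fields):
        print("WARNING:", warning)


if __name__ == "__main__":
    main()
```

Copy each printed value into the matching field of the Cisco XDR target form; if a WARNING line appears, fix the URL in AIR before clicking Submit.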
