Cisco XDR Integration

Step 1 - Create Webhook for Cisco XDR
  • Visit the Webhooks page in Binalyze AIR,
  • Click the "+ New Webhook" button in the upper right corner,
  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
  • Select "Cisco XDR: Cisco XDR Webhook Parser" as the parser for this webhook,
  • Select the Acquisition Profile to run when Cisco XDR activates this webhook,
  • Select the Ignore option or leave it at its default value (24 hours, which suppresses repeated alerts for the same endpoint within that window),
  • Provide the other settings (Evidence Repository, CPU Limit, Compression & Encryption) or let AIR configure them automatically based on the matching policy,
  • Click the "Save" button,
  • Copy the Webhook URL for use in Step 2.
Step 2 - Set up Cisco XDR
  • Go to Automate - Targets.
  • Click New Target.
  • Select HTTP Endpoint as the Target Type.
  • Enter a unique display name for the target in the Display Name field and a brief description in the Description field.
  • In the HTTP area, enter the Webhook URL you copied in Step 1, split into the following fields:
    • Protocol - Choose the protocol the Webhook URL uses (HTTP or HTTPS).
    • Host/IP Address - Enter the hostname or IP address of the HTTP Endpoint.
    • Port - Enter the HTTP port number.
    • Path - Enter the HTTP path.
  • Click Submit to add and save the target.
  • For more information, refer to the product documentation.
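As an added example (not from the Binalyze or Cisco documentation), a small Python helper that splits the Webhook URL copied in Step 1 into the Protocol, Host/IP Address, Port and Path fields the Cisco XDR HTTP Endpoint target form asks for in Step 2. The sample URL, hostname and token below are constructed placeholders, and the assumption that a webhook URL may carry a token in its query string is mine.

```python
from urllib.parse import urlsplit

# Constructed sample webhook URL with placeholder host and token (not a real AIR instance).
SAMPLE_WEBHOOK_URL = (
    "https://air.example.internal/api/webhook/cisco-xdr/rdp-brute-force"
    "?token=PLACEHOLDER_TOKEN"
)

# Port implied by each scheme when the URL does not state one explicitly.
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_webhook_url(url: str) -> dict:
    """Split a Binalyze AIR webhook URL into the four fields of the
    Cisco XDR HTTP Endpoint target: Protocol, Host/IP Address, Port, Path.

    Raises ValueError for anything that is not an http(s) URL with a host.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol {parts.scheme!r}; expected http or https")
    if not parts.hostname:
        raise ValueError("webhook URL has no host")
    # Keep any query string with the path (assumption: a webhook URL may carry an
    # authentication token there, and dropping it would make every delivery fail).
    path = parts.path or "/"
    if parts.query:
        path = f"{path}?{parts.query}"
    return {
        "protocol": scheme.upper(),
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[scheme],  # parts.port rejects junk ports
        "path": path,
    }


def is_valid_webhook_url(url: str) -> bool:
    """True when the URL can be mapped onto the XDR target fields."""
    try:
        split_webhook_url(url)
        return True
    except ValueError:
        return False


def uses_tls(fields: dict) -> bool:
    """True when alert data will travel to AIR over HTTPS rather than plain HTTP."""
    return fields["protocol"] == "HTTPS"
```

Pasting the four returned values into the target form avoids the common mistake of entering the path without its query string or picking the wrong default port.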