Overview
The Cisco XDR integration enhances your security operations by providing security analysts with visibility into malware-related attacks targeting users within your organization.
Cisco XDR is a cloud-based extended detection and response platform that simplifies security operations by integrating and correlating data from multiple security sources to provide a unified view of threats. This integration enables Mimecast to pull malware events identified by Cisco XDR in your environment and automatically adjust each employee's malware score in the Human Risk Platform.
This feature is only available to Email Security Cloud Gateway customers.
Prerequisites
- Valid Cisco XDR license
- Administrative access to Cisco XDR
- Access to Mimecast Integrations Hub
- Available with Human Risk Command Center (HRCC) through a license for Email Security Cloud Gateway (CG) and/or Engage
You must have the following roles:
- Global System Administrator
- System Administrator - SD Full
- Super Administrator
- Full Administrator
- Basic Administrator
- Partner Administrator
- Custom Role with Integrations Marketplace (Read/Write permissions must be enabled)
How it Works
The integration reads incident data from Cisco XDR via API. These events are forwarded to the Human Risk Platform, which associates each event with a user and updates the malware component for that user accordingly.
Historical events will not be pulled from Cisco XDR. Only events from the point of integration onward will be processed. This simplifies onboarding as it won't change historical attack factor scores that administrators may have already reviewed.
Configuring the Cisco XDR Integration
To authenticate to the Cisco XDR API, you need to create an API client with a Client ID and Client Password. These credentials are used to generate an access token for API requests.
Steps to create an API Client:
- Log in to the Cisco XDR console.
- Navigate to Administration | API Clients in your Cisco XDR console.
- Click Generate API client.
- Fill in the following details:
  - Client name: Choose a descriptive name (e.g., "Mimecast Integration").
  - Scopes: Select investigations (this scope provides access to the incidents endpoint).
- Click Add New Client.
- Note down the Client ID and Client Password. The Client Password is shown only once.
- Provide both the Client ID and Client Password to Mimecast for configuration.
The Client ID and Client Password are used to authenticate to https://visibility.amp.cisco.com/iroh/oauth2/token to receive an access token, which is then used in the Authorization header for all subsequent API requests.
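The token exchange and the two filters described above (only events from the integration start onward, only true-positive incidents) in runnable form. This is an added example, not Mimecast's or Cisco's own code: the token URL is the one named on the page, the request shape follows the standard OAuth2 client-credentials grant (HTTP Basic with the Client ID and Client Password, a `grant_type` form field), and the incident field names (`timestamp`, `disposition`, `user`), the sample incidents and the `INTEGRATION_START` value are constructed assumptions for illustration.

```python
"""Added example: Cisco XDR token request construction plus the event
filtering rules the integration applies. Not vendor code."""
import base64
import json
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timezone

# Token endpoint named on the page.
TOKEN_URL = "https://visibility.amp.cisco.com/iroh/oauth2/token"


def basic_credentials(client_id: str, client_password: str) -> str:
    """Encode the API client ID and password for an HTTP Basic header."""
    return base64.b64encode(f"{client_id}:{client_password}".encode()).decode()


def build_token_request(client_id: str, client_password: str) -> urllib.request.Request:
    """Build (but do not send) the OAuth2 client-credentials token request.

    Assumption: the endpoint accepts the standard grant form, i.e. Basic auth
    with the client credentials and grant_type=client_credentials in the body.
    """
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic_credentials(client_id, client_password)}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def fetch_token(client_id: str, client_password: str, timeout: float = 10.0) -> dict:
    """Send the token request over the network and return the parsed JSON body."""
    with urllib.request.urlopen(build_token_request(client_id, client_password), timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def bearer_header(token_response: dict) -> dict:
    """Turn a token response into the Authorization header used on every later API call."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type in token response")
    return {"Authorization": f"Bearer {token_response['access_token']}"}


# Constructed sample data; field names are assumptions, not Cisco's schema.
INTEGRATION_START = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    {"id": "inc-1", "timestamp": "2024-05-20T10:00:00Z", "disposition": "True Positive", "user": "alice@example.com"},
    {"id": "inc-2", "timestamp": "2024-06-03T08:15:00Z", "disposition": "True Positive", "user": "bob@example.com"},
    {"id": "inc-3", "timestamp": "2024-06-04T12:30:00Z", "disposition": "False Positive", "user": "carol@example.com"},
    {"id": "inc-4", "timestamp": "2024-06-05T09:00:00Z", "disposition": "Unknown", "user": "dave@example.com"},
    {"id": "inc-5", "timestamp": "2024-06-06T14:45:00Z", "disposition": "true positive", "user": "alice@example.com"},
]


def _parse_ts(value: str) -> datetime:
    # Accept a trailing "Z" on older Python versions by mapping it to +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_incidents(incidents, integration_start: datetime):
    """Keep incidents at or after the integration start with a true-positive disposition."""
    kept = []
    for inc in incidents:
        if _parse_ts(inc["timestamp"]) < integration_start:
            continue  # historical event: never pulled
        if inc.get("disposition", "").lower() != "true positive":
            continue  # false positives and unknowns do not count against a user
        kept.append(inc)
    return kept


def malware_events_per_user(incidents, integration_start: datetime) -> dict:
    """Associate each kept incident with its user, as the risk platform does."""
    return dict(Counter(inc["user"] for inc in select_incidents(incidents, integration_start)))


if __name__ == "__main__":
    req = build_token_request("example-client-id", "example-client-password")
    print(req.get_method(), req.full_url, req.get_header("Authorization")[:12] + "...")
    print(malware_events_per_user(SAMPLE_INCIDENTS, INTEGRATION_START))
```

`fetch_token` is the only function that touches the network; the rest runs offline, so the filtering rules can be checked against constructed data before real credentials are involved.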
Accessing the Cisco XDR Integration
- Log in to the Mimecast Administration Console.
- Navigate to Integrations | Cisco XDR.
- Click Configure New.
- Populate the following fields:
  - Name
  - Description
  - Client ID
  - Client Password
  - API Host Name
- Click Save.
To check if the integration has been added:
- Navigate to Cisco XDR.
- Click View.
- The integration is listed and the status reflects as Connected.
To view the Individual Risk Profile, a list of Malware events, and Additional Details:
- Navigate to the Human Risk Command Center | Dashboard.
- Click Malware dropdown arrow | View Details.
- Click Latest Events.
- Select the individual whose Individual Risk Profile you'd like to view.
- Click Malware to open the Events page, which lists the Malware events.
- Click on a Malware event to view Additional Details.
Frequently Asked Questions
Q: How long does it take to deploy the integration?
A: The integration can be fully deployed in just a couple of minutes. It may take up to 24 hours for malware-related scores to appear in the Human Risk Platform.
Q: Is any historical data loaded from Cisco XDR?
A: Historical events will not be pulled from Cisco XDR; only events from the point of integration onward are processed.
Q: Why do I not see many malware events affecting users' risk scores?
A: A frequent concern with security data sources such as Cisco XDR is that false positives in the underlying security solutions can mark innocent users as risky. To mitigate this, only incidents with a true positive disposition are counted against users.