Introduction
Cisco XDR collects and correlates data across email, endpoints, servers, cloud workloads, and networks, enabling visibility and context into advanced threats. Threats can then be analyzed, prioritized, hunted, and remediated to prevent data loss and security breaches. This document contains everything you need to get started with custom integrations and automation with the Cisco XDR platform.
Overview of Cisco XDR APIs
There are many available REST APIs that can be used for integrations. These include the following:
API Endpoint | Description |
---|---|
Automation | Managing Automation objects and running Automation workflows. |
Platforms APIs (IROH) | XDR Platform features (see table below). |
Incidents and Investigations | Search Incidents and manage Investigations. |
Global Intelligence | [Read-Only] Cisco Managed instance of Cisco Threat Intelligence API (CTIA). |
Private Intelligence | Private instance of CTIA to manage judgements, indicators and more. |
Playbook | Create and manage Incident Response Playbooks. |
The Cisco XDR Platform APIs (IROH) are broken down into multiple lower-level API endpoints:
Platform API Endpoint | Description |
---|---|
Dashboard | [Read-Only] Lists all the Control Center tiles and data. |
Enrich | Query local and global threat intelligence for observables. |
Inspect | Parses a string of text and extracts supported observables. |
Invite | Invites new users to your organization and manage invites (batch also available). |
OAuth2 | Manage Authentication, including OAuth2 Token generation. |
Incident Management | Create and manage XDR Incidents. |
Profile | Retrieves and manages profile information of your profile, or users within your organization. |
Response | Used to take action on an observable within a product. |
User | Retrieves and manages user information for your organization. |
About the Cisco XDR APIs
The Cisco XDR platform connects the breadth of Cisco’s integrated security portfolio and the customer’s infrastructure for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoint, cloud, and applications. By connecting technology in an integrated platform, Cisco XDR delivers measurable insights, desirable outcomes, and unparalleled cross-team collaboration. Cisco XDR consists of sub-components, such as, Control Center, Incidents, Automation, Devices and Administration.
Cisco XDR is an "API first" application, which means that the API endpoint that performs a task is the first developed component, and the UI component that calls that API endpoint is the second. The entire user interface of Cisco XDR is an API client that uses the same APIs to which you also have direct access. Any actions that you can perform in the UI can also be performed with the API.
Cisco XDR is built upon a collection of various REST APIs which can be used to integrate your Cisco and third-party security products, automate the incident response process, and manage threat intelligence and security context data in a single location. This guide will serve as a single location to find anything related to these APIs.
For most parts of Cisco XDR, the Cisco Threat Intelligence Model (CTIM) is a data model, an abstract model that organizes data and defines data relationships. CTIM is of utmost importance for Cisco XDR because it provides a common representation of threat information, regardless of whether its source is Cisco or a third party. See the Cisco Threat Intellligence Model Git repository to learn more about CTIM and its components.
For more information about Cisco XDR, go to the Cisco XDR product page.
Use Cases
With Cisco XDR REST APIs, you can:
- Enrich an IP address, file hash, or any observable types with local and global threat intelligence
- Load threat intelligence into your Private Intel Store
- Automate routine tasks using prebuilt workflows that align to common SecOps use cases
- Share playbooks between Security Operations Center (SOC) teams
- Automated triage and prioritization of alerts from other security portfolio solutions
- Create custom response actions to reduce response time
- Automate enrichment from multiple data sources, overlayed with threat intelligence