XDR Detection Findings
Overview
Cisco XDR produces OCSF 1.4–compliant bundles containing:
- Exactly 1 Detection Finding (
class_uid: 2004) - 0..N related Activities (e.g., Network, DNS, Process)
Before export, these bundles are parsed by XDR Automate Workflows, and each event is sent individually to external systems (e.g. Splunk, Microsoft Sentinel, Webhooks).
This means:
- Each exported record is a single valid OCSF object
- A single Detection Finding results in:
- 1 Detection Finding event
- 0..N Activity events
Workflows can be installed via the Cisco XDR Automate Exchange:
https://docs.xdr.security.cisco.com/Content/Automate/exchange.htm
They can be duplicated and customized to fit specific use cases.
Note: The Cisco XDR - Send Notifications for Detections workflow is an exception. It sends a notification for the bundle as a whole, containing metadata and a link, rather than full OCSF objects.
Export Model
Although data originates as a bundle (see below). This structure is not what downstream systems receive by default. Instead, each item in events[] is exported as an individual event.
{
"count": <number>,
"start_time": <epoch_ms>,
"end_time": <epoch_ms>,
"events": [ ... ]
}
Implications:
- No outer
events[]array in exported payloads - Each payload is one OCSF object
- Detection Finding and Activities must be correlated downstream (e.g., via observables and/or related event IDs)
Event Types
Detection Finding (Core Object)
"class_uid": 2004,
"class_name": "Detection Finding"
Core Fields
| Field | Description |
|---|---|
finding_info |
Detection metadata (incl. related events) |
severity |
Detection severity |
confidence |
Confidence level |
device |
Primary asset reference |
observables |
Normalized indicators (IP, URL, UID, etc.) |
enrichments |
XDR-added context (device/user intelligence) |
evidences |
Supporting telemetry or metrics |
metadata |
Product + schema metadata |
time |
Event timestamp |
unmapped |
Vendor-specific extensions |
Activity Objects
All supporting telemetry is represented as OCSF Activities.
Each activity is a separate exported event.
| Class UID | Activity |
|---|---|
| 4001 | Network Activity |
| 4002 | HTTP Activity |
| 4003 | DNS Activity |
| 4006 | SMB Activity |
| 4009 | Email Activity |
| 1007 | Process Activity |
| 1001 | File System Activity |
| 1005 | Module Activity |
| 7003 | Process Remediation |
| 3002 | Authentication Activity |
| 201001 | Windows Registry Key |
| 201002 | Windows Registry Value |
Reference: https://schema.ocsf.io/1.4.0/categories
Key Nested Structures (Detection Finding)
finding_info
"finding_info": {
"title": "...",
"desc": "...",
"uid": "...",
"src_url": "...",
"related_events": [...]
}
Primary identifier and display metadata.
observables
{
"name": "device.ip",
"type": "IP Address",
"value": "10.90.15.22"
}
Used for:
- Correlation across events
- Linking Detection Findings and Activities downstream
enrichments
{
"type": "device",
"provider": "Device Insights",
"data": { ... }
}
Contains contextual data such as:
- Hostname
- OS
- MAC
- Asset intelligence
unmapped
"unmapped": {
"alert_name": "...",
"alert_description": "...",
"detection_id": "..."
}
Non-OCSF extensions. Schema may evolve.
Parsing Strategy
1. Identify Event Type
if event.class_uid == 2004:
type = "finding"
else:
type = "activity"
2. Handle Detection Findings
Extract:
finding_info.uid(primary identifier)finding_info.titlefinding_info.related_events[...]severityobservablestime
3. Handle Activities
For each activity:
Identify via
class_uidExtract relevant fields (IP, process, domain, etc.)
Link back using:
- Shared observables
- Device identifiers
- Time proximity
Export Considerations
Workflow-Based Export
Powered by XDR Automate Workflows
Supports:
- Webhooks
- SIEM ingestion
- XDR Notifications (in-app, email, Webex, Slack)
Customization
| Area | Customizable |
|---|---|
| Payload format | Yes |
| Destination | Yes |
| Filtering | Yes |
| Enrichment | Yes |
Data Handling
- Treat events as independent records
- Do not assume ordering
- Expect partial context per event
Correlation
- Use
finding_info.uidandfinding_info.related_events[...].uidwhen available - Combine with time-based and/or observable-based grouping if needed
Schema Handling
- Always rely on
class_uid - Expect optional fields
- Preserve
unmapped