Troubleshoot XDR Device Insights and Umbrella Integration

Available Languages

Download Options

  • PDF     (116.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (176.4 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (122.7 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 7, 2023
Document ID:220684

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the steps to configure the integration and troubleshoot XDR Device Insights and Cisco Umbrella integration.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics.

    • XDR
    • Umbrella
    • Basic knowledge of APIs
    • Postman API tool

    Components Used

    The information in this document is based on these software and hardware versions.

    • XDR 

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    XDR Device Insights provides a unified view of the devices in your organization and consolidates inventories from integrated data sources.

    Umbrella automatically uncovers attacker infrastructure staged for current threats and proactively blocks malicious requests before they reach an organization’s network or endpoints. With integration, you can stop malware infections earlier, identify already-infected devices faster, and prevent data exfiltration. The integration provides complete visibility into Internet activity across all locations and users and allows you to take action with a two-click response to quickly block domains. Multiple Umbrella functions are supported and linked via API keys that have been generated in the Umbrella Platform.

    If you want to know more about the configuration, please review the integration module details.

    Troubleshoot

    In order to troubleshoot common issues with the XDR and Umbrella integration, you can verify the connectivity and performance of the API.

    Connectivity test with XDR Device Insights and Umbrella

    Step 1. You can select Basic Authas an authorization method, as shown in the image.

    Note: Postman is not a Cisco-developed tool. If you have a question about Postman tool functionality, please contact Postman support.

    leisanch_7-1650212799536

    Step 2. You can get theroaming computers, with this API call (the default page limit is 100 entries).

    https://management.api.umbrella.com/v1/organizations/<OrgID>/roamingcomputers

    Step 3. In response to the first call, the total number of objects is returned. You can use limit and page parameters to get the next pages.

    https://management.api.umbrella.com/v1/organizations/<OrgID>/roamingcomputers?limit=5&page=2

    Wrong Key

    XDR Device Insights does not use the same keys that XDR, then you need to verify and confirm the Keys configured as Umbrella API keys are correct, as shown in the image. 

    • Umbrella Network Devices: API used to learn what DNS policies
    • Umbrella Management: API used to learn endpoints

    create_APIs

    Verify

    Once Umbrella is added as a source to XDR Device Insights, you can see a successful REST API connection status.

    • You can see the REST API connection with a green status
    • Click on SYNC NOW to trigger the initial full sync, as shown in the image

    leisanch_0-1649868078108

    In case the issue persists with the Device Insights and Umbrella integration,please collect HAR logs from the browser and contact TAC support in order to perform a deeper analysis.

    Revision History

    Revision Publish Date Comments
    1.0
    30-Jul-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Brenda Marquez
      TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products