The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
From this page, you can configure ISE pxGrid Cisco Cyber Vision integration.
Cisco Platform Exchange Grid (pxGrid) is an open, scalable data-sharing and threat control platform that allows seamless integration between multivendor identity, network, security and asset management systems.
For more information about how to perform this integration, refer to the manual "Integrating Cisco Cyber Vision with Cisco Identity Services Engine (ISE) via pxGrid".
FMC administration page permits to configure a link between Cisco Cyber Vision with your Firepower Management Center. This connection will permit to send regularly (every 10 seconds) the components discovered by Cisco Cyber Vision. Every 10 seconds a list of new discovered components will be sent with the following properties in Cisco Cyber Vision:
Name
Id
Ip
Mac
And if they are available:
hw_version
model-ref
serial_number
fw_version
tags
The configuration of this connection consists of adding the IP address of FMC, then importing a certificate in Cisco Cyber Vision.
In FMC, to download the necessary certificate, please navigate to "System" then to "Integration" and open the "Host Input Client" tab. In the tab create a new Client with the button "Create Client". Add the Cisco Cyber Vision Center IP address as host name, then download the pkcs12 certificate.
Then, in FMC, menu "Policies", "Application Detectors" add a new Product Map with the button "Create Product Map Set". Please create the new product Map with the exact name and case as presented below:
The created hosts could be consulted in FMC, menu "Analysis", tab "Hosts – Network Map":
FTD administration page permits to connect Cisco Cyber Vision with your Firepower Threat Defense. It will allow to automatically kill anomalies detected by monitor mode and snort events. The corresponding session found in FTD will be killed.
Every 10 seconds Cisco Cyber Vision will browse the new monitor and SNORT events and send the corresponding action to the firewall. To enable that functionality, the user needs to add the following parameters in the FTD administration page:
Ip address of the firewall
Login: admin login, an ssh connection will be established between the center and the firewall
Password: corresponding password
Hostname: is the name of the device, by default "firepower"
Two option are available: kill session from monitor difference detection events and kill session from snort events.
Cyber vision could be integrated with XDR, a cloud-native, built-in platform that connects our Cisco Secure portfolio with your infrastructure. It allows you to radically reduce dwell time and human-powered tasks.
 Note |
SecureX will reach its end of life on July 31, 2024. However, it is still possible to utilize SecureX until then by adjusting the desired integration here. |
Cisco XDR is an online platform that centralizes security events from various Cisco software equipments through an API. For instance, events such as those from Cisco Cyber Vision or firewall activities can be transmitted to Cisco XDR and correlated, then presented across diverse dashboards.
XDR integration enables three features in Cisco Cyber Vision:
Without XDR SSO login, the Investigate in XDR Threat Response button will appear on components' technical sheets.
With XDR SSO login, the Report to XDR button will appear on certain events of the event calendar page. This button is utilized to push the events to XDR.
With XDR SSO login, an XDR ribbon featuring several functionalities can be activated within Cisco Cyber Vision.
This section details the configuration of XDR in Cisco Cyber Vision and different authorized features.
The Cisco XDR configuration in Cisco Cyber Vision requests:
An Admin access to Cisco Cyber Vision.
A Cisco Cyber Vision Center with internet access.
A XDR account with an admin role.
|
Step 1 |
In Cisco Cyber Vision, navigate to Admin > Integrations > XDR. |
|
Step 2 |
Select a Region.  The button Enable XDR appears.  |
|
Step 3 |
Click Enable XDR to enable the link. Once the link enabled, the button turns red to disable XDR.  By completing the steps above, you are now able to use the button Investigate in XDR Threat Response that will appear in the components' technical sheet. To install and use the XDR ribbon and the Report to XDR button, complete the steps herebelow. |
|
Step 4 |
Navigate to the user menu on the top right corner of the GUI and click My Settings. A new XDR menu appears on the right.  |
|
Step 5 |
Click the XDR SSO button. A popup appears with an authentication code.  A page opens in the browser to grant Cisco Cyber Vision access to XDR. First a login is required:  Then the authorization is required:  |
|
Step 6 |
Click Authorize Cyber Vision. |
|
Step 7 |
A Client Access Granted popup appears.  |
|
Step 8 |
In Cisco Cyber Vision > My Settings, the XDR menu indicates that Cisco Cyber Vision is connected to XDR. A toggle button to enable the XDR ribbon and a button to logout of XDR are displayed.  |
|
Step 9 |
Use the Ribbon status toggle button to enable the XDR ribbon. |
|
Step 10 |
Click Save settings.   A message indicating that the XDR ribbon is enabled appears.  |
Once configured and activated, the XDR ribbon will appear at the bottom of the Cisco Cyber Vision GUI of the Explore menu.
The XDR ribbon in the Device List view:
The Cisco XDR Getting Started Guide explains how to use the XDR ribbon.
For example, to find observables and investigate them in XDR Threat Response, click the Find Observables icon like below:
Once XDR has been configured in Cisco Cyber Vision, a Report to XDR button appears on some events of the event calendar page. Using this button will push the event to XDR and create an incident.
The XDR button appears on three categories of event:
Anomaly Detection
Control Systems Events
Signature Based Detection
The Report to XDR button on a Control Systems Events:
Once XDR has been configured in Cisco Cyber Vision, the button Investigate in Cisco Threat Response appears on the components' technical sheet. The component's IP and MAC addresses will be investigated in XDR Threat Response if you use this button.
Herebelow is the list of all URLs called by the Cisco Cyber Vision Center in case you need to authorize them, for example in a firewall.
Center:
North America
Cisco XDR Platform: https://visibility.amp.cisco.com/iroh/
Cisco XDR Private Intelligence: https://private.intel.amp.cisco.com/ctia/
Cisco XDR Automation: https://automate.us.security.cisco.com/api/
Europe
Cisco XDR Platform: https://visibility.eu.amp.cisco.com/iroh/
Cisco XDR Private Intelligence: https://private.intel.eu.amp.cisco.com/ctia/
Cisco XDR Automation: https://automate.eu.security.cisco.com/api/
Asia Pacific, Japan, and China
Cisco XDR Platform: https://visibility.apjc.amp.cisco.com/iroh/
Cisco XDR Private Intelligence: https://private.intel.apjc.amp.cisco.com/ctia/
Cisco XDR Automation: https://automate.apjc.security.cisco.com/api/
Web client:
conure.apjc.security.cisco.com
conure.us.security.cisco.com
conure.eu.security.cisco.com
Cisco SecureX is an online platform that centralizes security events from different Cisco software equipments through an API. For example, events like Cisco Cyber Vision events or firewall events can be sent to Cisco SecureX and correlated to be presented through different dashboards.
SecureX integration enables three features in Cisco Cyber Vision:
without SecureX SSO login, the button Investigate in SecureX Threat Response will appear in components' technical sheet.
with SecureX SSO login, the button Report to SecureX will appear in some events of the event calendar page. This button is used to push the events to SecureX.
with SecureX SSO login, a SecureX ribbon with several features can be activated in Cisco Cyber Vision.
This section describes how to configure SecureX in Cisco Cyber Vision and the different features authorized.
The Cisco SecureX configuration in Cisco Cyber Vision requests:
An Admin access to Cisco Cyber Vision.
A Cisco Cyber Vision Center with internet access.
A SecureX account with an admin role.
|
Step 1 |
In Cisco Cyber Vision, navigate to Admin > Integrations > SecureX. |
|
Step 2 |
Select a Region. The button Enable SecureX appears.  |
|
Step 3 |
Click Enable SecureX to enable the link. Once the link enabled, the button turns red to disable SecureX.  By completing the steps above, you are now able to use the button Investigate in SecureX Threat Response that will appear in the components' technical sheet. To install and use the SecureX ribbon and the Report to SecureX button, complete the steps herebelow. |
|
Step 4 |
Navigate to the user menu on the top right corner of the GUI and click My Settings. A new SecureX menu appears on the right.  |
|
Step 5 |
Click the SecureX SSO button. A popup appears with an authentication code.  A page opens in the browser to grant Cisco Cyber Vision access to SecureX.  |
|
Step 6 |
Click Authorize Cyber Vision. |
|
Step 7 |
A Client Access Granted popup appears. |
|
Step 8 |
In Cisco Cyber Vision > My Settings, the SecureX menu indicates that Cisco Cyber Vision is connected to SecureX. A toggle button to enable the SecureX ribbon and a button to logout of SecureX are displayed. |
|
Step 9 |
Use the Ribbon status toggle button to enable the SecureX ribbon. |
|
Step 10 |
Click Save settings.   A message indicating that the SecureX ribbon is enabled appears.  |
Once configured and activated, the SecureX ribbon will appear at the bottom of the Cisco Cyber Vision GUI of the Explore menu.
The Cisco SecureX Getting Started Guide explains how to use the SecureX ribbon.
Once SecureX has been configured in Cisco Cyber Vision, a Report to SecureX button appears on some events of the event calendar page. Using this button will push the event to SecureX and create an incident.
The SecureX button appears on three categories of event:
Anomaly Detection
Control Systems Events
Signature Based Detection
The Report to SecureX button on a Control Systems Events:
Once SecureX has been configured in Cisco Cyber Vision, the button Investigate in Cisco Threat Response appears on the components' technical sheet. The component's IP and MAC addresses will be investigated in SecureX Threat Response if you use this button.
Herebelow is the list of all URLs called by the Cisco Cyber Vision Center in case you need to authorize them, for example in a firewall.
Center:
private.intel.eu.amp.cisco.com
private.intel.apjc.amp.cisco.com
private.intel.amp.cisco.com
intel.amp.cisco.com
visibility.eu.amp.cisco.com
visibility.apjc.amp.cisco.com
visibility.amp.cisco.com
Web client:
securex.apjc.security.cisco.com
securex.us.security.cisco.com
Feedback