
Query Regarding Cisco XDR Platform

shahaash28
Level 1

Hello everyone! I’m new to the Cisco XDR platform and I have a couple of queries, which I've listed below, if someone could help:

1. How can I build integrations within the Cisco XDR platform? I’ve noticed many third-party integrations, such as CrowdStrike, ServiceNow, and Slack. Are these integrations developed and managed by the Cisco XDR team, or can individual developers create their own?

2. I’ve seen that many built-in Cisco integrations include dashboard panels and tiles. How does the data come into Cisco XDR and where is it stored? And how are the tiles rendered from this data? Is there a background query that retrieves and displays this data?

3. Is it possible to create custom tiles in Cisco XDR, similar to how I can create dashboard panels using SPL queries in Splunk?

4. I have endpoint data in a third-party platform that I would like to send to Cisco XDR to create a custom dashboard for visualization. Is this possible with the platform, or is this platform primarily intended for incident review rather than visualization? Please correct me if I’m mistaken.

Regards,
Aash Shah

1 Reply

ben.greenbaum
Cisco Employee

Hi Aash,



> 1. How can I build integrations within the Cisco XDR platform? I’ve noticed many third-party integrations, such as CrowdStrike, ServiceNow, and Slack. Are these integrations developed and managed by the Cisco XDR team, or can individual developers create their own?

The ones you listed are developed by Cisco, but Cisco development partners (Radware, Red Sift, several others) can author integrations for their own products. Users themselves can also create their own integrations to perform many of the functions XDR offers for integrated products and tools. 

> 2. I’ve seen that many built-in Cisco integrations include dashboard panels and tiles. How does the data come into Cisco XDR and where is it stored? And how are the tiles rendered from this data? Is there a background query that retrieves and displays this data?

The dashboard is driven by part of the XDR API. XDR sends a query to a specific API structure that the product must publish, and the product responds with only the data needed to draw the tile. XDR does not do the calculation to determine the shape of a line on a graph based on a large volume of base data; the product replies with a simple series of data points that XDR then draws.

> 3. Is it possible to create custom tiles in Cisco XDR, similar to how I can create dashboard panels using SPL queries in Splunk?

A product can (must) define the exact tiles it is going to make available. There is a catalog of tile types (line graph, bar chart, map, etc.) from which they can choose, but the data can be anything. Users cannot define arbitrary tiles in the UI, however.
 
> 4. I have endpoint data in a third-party platform that I would like to send to Cisco XDR to create a custom dashboard for visualization. Is this possible with the platform, or is this platform primarily intended for incident review rather than visualization? Please correct me if I’m mistaken.

It could be possible with a relay server, which is a piece of middleware that publishes the tiles API for XDR to use, creates and requests the appropriate queries of the product's API, and then translates the responses back into the format that XDR requires. This is the most common way of achieving this and several other top use cases for an XDR integration. But, data visualization is not the top XDR use case, by a long stretch. To do all that work to only get dashboard tiles seems counterproductive. 

The how-to information for all of this is in the product docs and here on DevNet (or linked to from here). Reply if you have further questions, and apologies for the delayed response.