Integrate Secure Cloud Analytics into XDR

YZ2
Level 1

Hello,

When integrating Cisco Secure Cloud Analytics into Cisco XDR, I came across the following obstacles.

1. In the overview of XDR integrations of other services, SCA is always followed by +Enable. Even after performing the integration, this view remains, but I would expect a green tick or something similar. Is this a bug or just poorly implemented?

2. How is it possible to map the assets from the SCA in XDR? With other services it runs via webhooks, e.g. with Secure Endpoint. Unfortunately, I can't find such an option for SCA, but I would still like to see the devices from SCA in XDR.

3. Closing alerts in SCA does not close the alerts in XDR and vice versa. I seem to remember that this used to work. Does this function no longer exist or did the integration of the two services not work completely?

Many thanks for your support

Accepted Solutions

wajidhassan
Level 4

Hi @YZ2 ,

Great questions — a few points to help clarify:

  1. Integration status (“+Enable”): Yes, this is a known UX inconsistency. Even after successful integration of Secure Cloud Analytics (SCA), XDR sometimes continues to display the "+Enable" prompt instead of a green checkmark. It doesn’t impact functionality, but agreed — it can be confusing.

  2. Asset mapping: Currently, XDR doesn't support direct asset mapping from SCA via webhook like it does for Secure Endpoint. Asset data from SCA isn't natively ingested into XDR's device inventory. The integration is primarily alert-driven. You can check if asset enrichment via APIs becomes available in future releases.

  3. Alert synchronization: You're right — bi-directional alert closure (between SCA and XDR) used to work more smoothly, but recent updates may have impacted that. As of now, alerts closed in one console are not guaranteed to sync status to the other. It's best to track this with Cisco support or roadmap updates.

Hope this helps clarify the current state of the integration.


2 Replies

1. In the main Integrations page, the page of what's possible will always be there... the My Integrations drop down will have yours.
2. It isn't... SCA "learns" what the assets are, you can't map them directly. XDR seems to be ok at tying assets it has from Duo/Amp/Orbital etc. to assets that come over from SCA incidents, but when the SCA assets are not well "learned" (I've had many cross-linked assets...) it gets weird.
3. If it did work before, it doesn't now... they're actually starting to get traction at moving most of what SCA shows into XDR, but they DO need to get it in front of more people.