Trigger Incident Event in Cisco XDR

Nara_D
Level 1

Greetings,

My name is Nara, and I have a question regarding how to trigger a security incident in Cisco XDR.

The background is that this is my first time handling XDR technology, and I am trying to set up Cisco XDR in my lab environment.

I want to try a scenario where I download a malware file (from EICAR or similar), it gets detected by the EDR, and the event is sent to the XDR dashboard. Then I can investigate and use the workflow features in XDR to block the URL/domain by sending the block workflow command to Cisco Umbrella. But I am having issues generating the security incident in Cisco XDR.

What I have done so far is:

1. Set up the integration between Cisco XDR, Cisco Umbrella, and Trend Micro Vision One (as EDR).

2. Installed the XDR Default Deployments component on my lab computer/endpoint.

3. Installed the EDR on my lab computer/endpoint.

The thing is, my test endpoint is already showing in Cisco XDR and all of the integration statuses are fine. I have already tested downloading a file from EICAR, and the EDR works fine too (the EDR blocks the EICAR file). But the incident is still not being generated in the Cisco XDR dashboard.

Does anyone have insights about this issue I am facing? Thank you.

2 Replies

rory586foster
Level 1

Hello,

It seems you have integrated Cisco XDR with Cisco Umbrella and Trend Micro Vision One successfully in your lab environment. However, despite testing with EICAR files, you are encountering an issue where security incidents are not generating in the Cisco XDR dashboard. To troubleshoot: verify the integration settings for accuracy, ensure event forwarding from Trend Micro Vision One to Cisco XDR is configured correctly, check the incident detection rules in Cisco XDR, monitor for incoming events in the XDR console, and confirm that the dashboard settings are correctly configured to display incidents.

sthangal
Cisco Employee

Hello, in my setup I have Cisco XDR integrated with Cisco Umbrella and Cisco Secure Endpoint. I tried to test my setup by initiating traffic from my endpoints accessing EICAR files; it gets blocked on the machine, and the events are showing in the XDR dashboard as well. But I was not able to generate any incidents in the XDR console. Could anyone help me get incidents in the XDR console?