Secure Cloud Analytics to Cisco XDR: UX Map Common Tasks View
How to use this map: This UX map is designed to help you quickly understand where the tasks you may perform today in Secure Cloud Analytics (SCA) live in Cisco XDR. The intent is to help you focus on outcomes and workflows, not just UI navigation.
High-level model:
- Detections move into XDR detection findings and incident workflows
- Investigation moves into XDR Investigate
- Devices and assets move into XDR Asset Insights
- Notifications and exports move into XDR workflows
- Configuration and tuning move toward XDR‑native workflows over time
Use this guide to:
- Identify the task you perform today in SCA
- See where that task is handled in XDR
- Understand what changes and what improves as part of the move
Common task mapping: Alerting, investigation, and context
| If you do this in SCA today | Go here in XDR | What changes | What improves |
| --- | --- | --- | --- |
| Review alerts or observations | XDR detection findings and incident workflows | Alert review moves into XDR‑centered detection and incident experiences | Stronger correlation, broader cross‑domain context, clearer evidence, and improved detection transparency |
| Investigate events and activity | XDR Investigate | Event Viewer workflows move into the XDR investigation experience | More unified investigation flow, richer evidence, and better visibility across data sources |
| Review device‑related context | XDR Asset Insights | Device views move into a centralized asset experience | Better asset context and a more connected view across detections, investigations, and entities |
Notifications, exports, and configuration
| If you do this in SCA today | Go here in XDR | What changes | What improves |
| --- | --- | --- | --- |
| Export detections or send notifications via webhooks | XDR workflows | Webhook‑based exports and notifications move to workflow‑driven configuration | More complete OCSF‑aligned export detail, stronger workflow control, and better long‑term scalability |
| Tune or manage detection workflows | XDR detection and incident configuration | Configuration moves toward XDR‑native tuning and workflow paths | Better transparency, more granular tuning options, and greater consistency |
| Consume lower‑usage reports or pages | XDR replacement where available, or guided retirement | Some reports are consolidated, moved, or deprecated over time | Simpler experience focused on higher‑value workflows |
Customer FAQ:
1. I mainly use SCA to investigate detections. Where should I go now?
- XDR detection findings and incident workflows to review what was detected
- XDR Investigate to explore event details, timelines, and related activity
Together, these provide a more connected investigation experience than SCA.
2. I primarily export detections or send notifications. What replaces that?
Use XDR workflows, which are now the central control point for:
- Exports to SIEM, SOAR, and downstream systems
- Human notifications such as email, messaging tools, and collaboration platforms
This replaces the webhook‑driven patterns previously used in SCA.
3. I care most about device and asset context. Where does that live now?
Use XDR Asset Insights: Device and asset context moves out of SCA and into a centralized asset experience that connects assets, detections, and investigations more clearly.
4. What is the simplest way to think about this migration?
Think in terms of connected workflows instead of separate pages. Tasks that were spread across multiple SCA views now live in purpose‑built XDR experiences that are designed to work together.