Integration Modules

With Cisco SecureX, incident responders can better understand threats on their network by gathering, combining and correlating threat intelligence available from Cisco Talos with network and security data from Cisco and third-party security products deployed within their organization. It brings together threat intelligence and local security context and control in one place for the security analyst. Each source of global or local intelligence is provided by a module, which is linked via an API key.

SecureX offers integration modules for Cisco security products and third-party solutions. Use the Integration Modules tab on the SecureX menu bar to configure and view your integration modules, and to view all Cisco and third-party integration modules that are available for configuration.

All of the Cisco and third-party modules that are available for configuration are shown on the Available Integration Modules page.

Available Integrations

Note: Only Admin users can add integration modules. The Add button is not visible if you are logged in as a non-admin user.

All modules configured for your environment are shown on the My Integration Modules page. The module panel indicates whether the module is Integrated (successfully configured) or has an Error with its configuration. It also displays a Bidirectional icon if SecureX and the integrating product have bidirectional API communication with each other through the integration module interface.

Integrations

In SecureX Demo, all the Cisco integration modules that are available for configuration are shown at the top of the Integration Modules page.

Demo Integration Module

See Configuring Integration Modules for more information.

Built-in Integration Modules

By default, the following integration modules are automatically integrated with SecureX:

  • Cisco File Reputation - Cisco File Reputation is the database that powers Cisco file hash lookups. It stores billions of file hashes and associated dispositions, sourced from Cisco Talos, Cisco Secure Malware Analytics (formerly Cisco Threat Grid), and other trusted providers. By default, SecureX Threat Response comes configured to connect to Cisco File Reputation.
  • SecureX Global Threat Intelligence - SecureX Global Threat Intelligence is a repository of Cisco and third-party intelligence curated by Cisco. By default, SecureX Threat Response comes configured to connect to SecureX Global Threat Intelligence.
  • Private Intelligence - Private Intelligence is a data storage facility built into Cisco SecureX Threat Response to store the incidents that display in the SecureX Threat Response Incident Manager, Casebooks, Snapshots, and user-provided data used in investigations, such as the user’s own threat intelligence or internal observations by other security tools. By default, SecureX Threat Response comes configured to connect to Private Intelligence.
  • Talos Intelligence - Talos is Cisco’s industry-leading threat intelligence team that protects your organization’s people, data and infrastructure from active adversaries. The Talos team collects information about existing and developing threats, and provides comprehensive protection against more attacks and malware than anyone else. All Cisco Security products utilize Talos threat intelligence, providing fast and effective security solutions. Their job is protecting your network.

Cisco Integration Modules and Supported Capabilities

Integration modules provide various capabilities to SecureX, leveraging the information available in the integrated product. The following is a list of the various capabilities:

  • Dashboard Tiles - Products may provide tiles showing metrics of usage, prevention, and other system performance indicators. The tiles are displayed on the SecureX dashboard. For more information on adding new tiles, see Adding and Removing Tiles.

  • Device Insights - SecureX Device Insights provides you with a unified view of the devices in your organization by consolidating inventories from the products you've integrated with SecureX. The integration modules with Device Insights capability can report inventory and system data to Device Insights to contribute to that holistic view in order to better identify vulnerabilities, prevent threats, and prioritize remediations. See Getting Started with Device Insights for more information on Device Insights sources.

  • Orchestration Targets - SecureX Orchestration uses the integrated product credentials to automatically create targets for out-of-box and custom workflows. For details, see Targets Created From Integration Modules.

  • Enrichments (observe) - In response to queries from SecureX during investigations, the integrated product can report sightings, reputations, and other information about the queried observables to include and display in SecureX's investigation results. For example, "file hash a03e[...] was seen on endpoint sdf-01 at 2023-01-23 13:45:32 and initiated a connection to <domain>" or "file hash a03e[...] is rated Malicious".

  • Reference Links (refer) - In response to queries from SecureX during investigations or in rendering Pivot menus, the integrated product can provide links to websites with more information or intelligence about the queried observable(s) to display in the Pivot menus on the observable. For example, "analysis history of file hash a03e[...] <link>".

  • Response Actions (respond) - In response to queries from SecureX during investigations or in rendering Pivot menus, the integrated product can provide links to enact its responses or controls on or about the queried observable(s). These links will be provided in the Pivot menus for the observables in the SecureX UI and the interfaces of SecureX-capable products. For example, "add file hash a03e[...] to blocklist".

  • Deliberation (reputation) - In response to queries from SecureX during investigations or in rendering Pivot menus, the integrated product can provide reputation information about the queried observable(s). These reputations and (optionally) related reasons will be displayed in SecureX investigations and/or in Pivot menus. For example, "file hash a03e[...] is rated Malicious".

The following table provides a list of the Cisco integration modules and the capabilities supported by each module, along with links to access the product documentation:

| Cisco Integration Module | Dashboard Tiles | Device Insights | Orchestration Targets | Investigate: Enrichments (observe) | Investigate: Reference Links (refer) | Investigate: Response Actions (respond) | Investigate: Deliberation (reputation) |
|---|---|---|---|---|---|---|---|
| Cisco Defense Orchestrator | Yes | No | No | No | No | No | No |
| Cisco Threat intelligence API | Yes | No | No | Yes | Yes | Yes | Yes |
| Kenna Security | No | No | No | No | No | No | No |
| Meraki | No | Yes | Yes | No | No | No | No |
| Orbital | No | Yes | Yes | No | Yes | No | No |
| SMA Web | Yes | No | No | Yes | Yes | Yes | Yes |
| Secure Access by Duo | Yes | Yes | No | No | No | No | No |
| Secure Cloud Analytics | Yes | No | No | Yes | Yes | No | Yes |
| Secure Cloud Insights | Yes | No | No | No | No | No | No |
| Secure Email Appliance | Yes | No | No | Yes | Yes | Yes | Yes |
| Secure Email Threat Defense | Yes | No | No | No | No | No | No |
| Secure Email and Web Manager | Yes | No | No | Yes | Yes | No | Yes |
| Secure Endpoint | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Secure Firewall | Yes | No | No | Yes | Yes | Yes | Yes |
| Secure Malware Analytics | Yes | No | No | Yes | Yes | No | Yes |
| Secure Network Analytics | Yes | No | No | Yes | Yes | Yes | Yes |
| Secure Web Appliance | Yes | No | No | Yes | Yes | No | Yes |
| Secure Workload | Yes | No | No | No | No | No | No |
| Umbrella | Yes | Yes | No | Yes | Yes | Yes | Yes |