Cisco XDR

Deprecation Notice: Cisco SecureX is deprecated. Use Cisco XDR for new integrations.

This guide describes how to collect Cisco XDR events using the Logz.io API Fetcher.

Pull the Docker image of the Logz.io API fetcher

docker pull logzio/logzio-api-fetcher:latest

Create a local directory for this integration

You will need a dedicated directory to mount into the Docker container of the Logz.io API fetcher.

mkdir logzio-api-fetcher
cd logzio-api-fetcher

Create a configuration file

In the directory created in the previous step, create a file config.yaml using the example configuration below:

logzio:
  url: https://<<LISTENER-HOST>>:8071
  token: <<LOG-SHIPPING-TOKEN>>

apis:
  - name: cisco_xdr_events
    type: cisco_xdr
    cisco_client_id: ${CISCO_CLIENT_ID}
    client_password: ${CISCO_CLIENT_SECRET}
    scrape_interval: 5
    data_request:
      url: https://visibility.amp.cisco.com/iroh/iroh-event/event/search
      method: POST
      body:
        query: <xdr_query>
        limit: 1000
      response_data_path: data
    additional_fields:
      product: cisco_xdr
      source_type: security_event

Parameter Name | Description | Required/Optional | Default
name | Name of the API (custom name) | Optional | the defined url
cisco_client_id | Cisco Client ID | Required | -
client_password | Cisco Client password | Required | -
data_request.url | The request URL | Required | -
data_request.body | The request body | Optional | -
data_request.method | The request method (GET or POST) | Optional | GET
data_request.pagination | Pagination settings if needed | Optional | -
data_request.next_url | If needed to update the URL in next requests based on the last response | Optional | -
data_request.response_data_path | The path to the data inside the response | Optional | response root
additional_fields | Additional custom fields to add to the logs before sending to Logz.io | Optional | -
scrape_interval | Time interval to wait between runs (in minutes) | Optional | 1 (minute)

Authentication

This module uses OAuth 2.0 client credentials flow with Basic Authentication. The credentials are automatically encoded and sent in the Authorization header to the /iroh/oauth2/token endpoint.
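As an added illustration of the flow described above (this is not code from the Logz.io API fetcher), the following Python sketch builds the Basic-auth token request for /iroh/oauth2/token and then calls the event search URL from the configuration with the returned access token. The form-encoded grant_type body and the use of the access token as a Bearer token are standard OAuth 2.0 conventions (RFC 6749 and RFC 6750) assumed here, not details stated on this page; the transport callable is a hypothetical seam so the exchange can be exercised offline.

```python
import base64
import json
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# Endpoints from the page: the token path is given there, the search URL is the config's data_request.url.
TOKEN_URL = "https://visibility.amp.cisco.com/iroh/oauth2/token"
SEARCH_URL = "https://visibility.amp.cisco.com/iroh/iroh-event/event/search"

# A transport is any callable (url, headers, body) -> (status, response_text), so the
# flow can be exercised offline with a stub; urllib_post below is the real one.
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, str]]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credential as the fetcher sends it: base64 of "client_id:client_secret"."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def fetch_token(client_id: str, client_secret: str, post: Transport) -> str:
    """Client-credentials grant (RFC 6749 section 4.4; the form body is an assumption here)."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    status, text = post(TOKEN_URL, headers, b"grant_type=client_credentials")
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return json.loads(text)["access_token"]


def search_events(token: str, query: str, limit: int, post: Transport) -> List[Dict[str, Any]]:
    """POST the body from config.yaml with a Bearer token (RFC 6750, assumed); return the 'data' list."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"query": query, "limit": limit}).encode("utf-8")
    status, text = post(SEARCH_URL, headers, body)
    if status != 200:
        raise RuntimeError(f"event search failed with HTTP {status}")
    return json.loads(text).get("data", [])


def urllib_post(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Real transport on the standard library (needs network access and valid credentials)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")
```

Because the Basic header is only base64, not encryption, keep the client id and secret in environment variables as the sample config does and never commit them alongside config.yaml.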

Create a Last Start Dates text file

Create an empty text file named last_start_dates.txt in the same directory as the config file:

touch last_start_dates.txt

After every successful iteration of an API, the last start date of the next iteration will be written to last_start_dates.txt. Each line begins with the API name and ends with the most recent start date.

If you stop the container, you can resume exactly where you left off by adding the date to the API filters in the configuration.

Run the Docker container

In the path where you saved your config.yaml, run:

docker run --name logzio-api-fetcher \
-v "$(pwd)":/app/src/shared \
logzio/logzio-api-fetcher

Stop the Docker container

When you stop the container, the code continues running until the current iteration is finished. To make sure it will finish the iteration on time, please give it a grace period of 30 seconds when you run the docker stop command.

docker stop -t 30 logzio-api-fetcher

Check Logz.io for your logs

Give your logs a few moments to reach Logz.io. To view the incoming Cisco XDR logs, open Explore and filter by your custom field’s product value or use the keyword api_fetcher.

If you still don't see your logs, refer to the log shipping troubleshooting.