Technology Integration
Important
Medium
80% Confidence
Cisco XDR Integrates Multi-Source Data for Precise Alert Tuning
Summary
Cisco's security team integrated XDR, Splunk and Endace network telemetry to separate firewall IPS alert noise from real threats. Zeek log analysis confirmed that the triggering network activity was benign and supported suppression rules for specific signature conditions. The case demonstrates closed-loop tuning through multi-source data correlation.
Key Takeaways
Cisco faced a firewall IPS-triggered 'overflow attempt' alert storm during Cisco Live EMEA. Integrating Cisco XDR, Splunk and Endace (Zeek) network telemetry revealed that the alert clusters originated from passive SPAN mirror traffic with the IPS in detection mode (InlineResult: Would block).
Using the URI and User_Agent fields from Endace's Zeek logs, the team confirmed that the alert-triggering host behaviors were benign: OS connectivity tests, Apple captive portal checks, iboss cloud proxy connectors and Qualys vulnerability management agent communications.
The team classified six incidents as false positives and implemented suppression for specific signatures (SigID 17536) under the conditions 'interface is SPAN/passive' and 'IPS action is Would block', suppressing 17 subsequent similar events and hundreds of related alerts.
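The correlation-then-suppress loop described in the takeaways, as an added Python example that is not Cisco's code or anything from the original page: it joins constructed IPS alerts with constructed Zeek http.log records by source host, enables the SigID 17536 suppression rule only once every host in the matching cluster is confirmed benign, and sends the rest to review or investigation. Alert field names and the benign User-Agent markers are assumptions, not the products' real schemas.

```python
from collections import defaultdict

# Constructed sample IPS alerts; field names are assumptions, not the firewall's real schema.
IPS_ALERTS = [
    {"sig_id": 17536, "src_ip": "10.1.1.5", "iface_mode": "passive", "inline_result": "Would block"},
    {"sig_id": 17536, "src_ip": "10.1.1.9", "iface_mode": "passive", "inline_result": "Would block"},
    {"sig_id": 17536, "src_ip": "10.2.2.7", "iface_mode": "inline", "inline_result": "Blocked"},
    {"sig_id": 40101, "src_ip": "10.1.1.5", "iface_mode": "passive", "inline_result": "Would block"},
]

# Constructed Zeek http.log records (JSON field names as Zeek emits them).
ZEEK_HTTP = [
    {"id.orig_h": "10.1.1.5", "uri": "/hotspot-detect.html", "user_agent": "CaptiveNetworkSupport-452"},
    {"id.orig_h": "10.1.1.9", "uri": "/connecttest.txt", "user_agent": "Microsoft NCSI"},
    {"id.orig_h": "10.2.2.7", "uri": "/api/v1/data", "user_agent": "python-requests/2.31"},
]

# User-Agent markers for the benign traffic classes the page names; the exact strings are assumptions.
BENIGN_MARKERS = ("CaptiveNetworkSupport", "Microsoft NCSI", "iboss", "Qualys")


def host_is_benign(src_ip):
    """True only if Zeek saw the host and every request it made carries a known-benign marker."""
    agents = [r["user_agent"] for r in ZEEK_HTTP if r["id.orig_h"] == src_ip]
    return bool(agents) and all(any(m in ua for m in BENIGN_MARKERS) for ua in agents)


def matches_rule(alert, sig_id=17536):
    """Suppression condition from the page: the SigID on a SPAN/passive interface with action 'Would block'."""
    return (alert["sig_id"] == sig_id and alert["iface_mode"] == "passive"
            and alert["inline_result"] == "Would block")


def rule_justified(alerts, sig_id=17536):
    """Closed loop: enable the rule only if every host in the matching cluster is benign per Zeek."""
    cluster = [a for a in alerts if matches_rule(a, sig_id)]
    return bool(cluster) and all(host_is_benign(a["src_ip"]) for a in cluster)


def triage(alerts, sig_id=17536):
    """Map alert indices to 'suppressed', 'review' (benign context, outside the rule) or 'investigate'."""
    active = rule_justified(alerts, sig_id)
    verdicts = defaultdict(list)
    for i, a in enumerate(alerts):
        if active and matches_rule(a, sig_id):
            verdicts["suppressed"].append(i)
        elif host_is_benign(a["src_ip"]):
            verdicts["review"].append(i)  # benign by Zeek but not covered: candidate for a new rule
        else:
            verdicts["investigate"].append(i)
    return dict(verdicts)


if __name__ == "__main__":
    print(triage(IPS_ALERTS))  # {'suppressed': [0, 1], 'investigate': [2], 'review': [3]}
```

If a single host in the cluster lacks benign Zeek context, `rule_justified` returns False and nothing is auto-suppressed, which is the check that keeps a noisy-but-real event from being tuned out.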
Why It Matters
Cisco validates its XDR platform's multi-source integration capability with a real-world case, strengthening its value proposition around security operations efficiency. This data correlation approach may become a standard industry practice for dealing with alert fatigue....