Objective and Assumptions

The objective of this document is to explain the benefit of merging your CDO tenant and your Cisco Extended Detection and Response (XDR) tenant so that you can analyze all your firewall events in Cisco XDR. The document assumes that you have an existing CDO tenant.

If you already have a Cisco XDR tenant and a CDO tenant, have configured Security Analytics and Logging, and just want the instructions to merge the tenants, see Link Your CDO and Cisco XDR Tenant Accounts.

Cisco Security Analytics and Logging and Cisco XDR Overviews

Cisco Security Analytics and Logging allows you to capture connection, intrusion, file, malware, and Security-related connection events from all your threat defense devices, and all syslog and NetFlow Secure Event Logging (NSEL) events from your Adaptive Security Appliances (ASA), and view them in CDO. The events are stored in the Cisco Security Cloud and are viewable from the Event Logging page in CDO, where you can filter and review them to gain a clear understanding of which security rules are triggering in your network.

Figure 1. How Sending Events to the Cloud Works

ASA devices managed by Adaptive Security Device Manager (ASDM), Cisco Security Manager (CSM), or CDO can all send events to the Cisco Security Cloud by way of a Secure Event Connector (SEC). The SEC is installed on a virtual machine, and you configure the ASA to send events to the SEC as if it were a syslog server. The SEC forwards the events securely to the Cisco Security Cloud.
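As an added illustration, not taken from this document or from Cisco's integration guides, the following ASA CLI fragment shows the shape of the configuration the paragraph above describes: the ASA is pointed at the SEC exactly as it would be at any syslog server, and, for NSEL, at the SEC as a NetFlow collector. The interface name, the SEC address 192.0.2.10, and the port numbers are placeholders; take the ports the SEC actually listens on from the Security Analytics and Logging guides listed later in this document.

```cisco
! Added example: send ASA syslog and NSEL events to the Secure Event Connector (SEC).
! 192.0.2.10, the interface name "inside" and the ports are placeholders, not values from this document.
logging enable
logging timestamp
! Level 6 (informational) and below; ASA connection built/teardown messages are logged at this level.
logging trap informational
! By default the ASA stops admitting new connections while a TCP syslog host is unreachable.
! permit-hostdown keeps traffic flowing if the SEC is down, at the cost of possibly dropped events.
logging permit-hostdown
logging host inside 192.0.2.10 tcp/10125

! NSEL: export flow events over UDP to the same SEC acting as a NetFlow collector.
flow-export destination inside 192.0.2.10 10425
policy-map global_policy
 class class-default
  flow-export event-type all destination 192.0.2.10
```

After applying the configuration, `show logging` on the ASA reports the configured syslog host, the trap level, and the message count sent; a rising count with no events appearing on the CDO Event Logging page points at the SEC or its cloud connection rather than at the ASA.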

The threat defense devices managed by firewall device manager, FMC, or CDO can also send events to the Cisco Security Cloud. They can be sent through the SEC or they can be sent directly to the Cisco Security Cloud.

Cisco XDR is a cloud-based solution that unifies visibility by correlating detections across multiple telemetry sources, and enables security teams to detect, prioritize, and respond to the most sophisticated threats. By integrating your CDO tenant with Cisco XDR, you can:

  • Correlate and analyze firewall events to determine end-to-end incidents and promote incidents on the basis of risk, so that analysts can focus on what must be addressed with urgency.

  • Enhance threat detection and response capabilities through clear prioritization of alerts, providing the shortest path from detection to response.

  • Remediate threats confidently using automation and guided response recommendations.

For more information about Cisco XDR, see Cisco XDR Help Center.


Cisco Tenancy and Registered Devices

Your ASA and FDM-managed devices are registered with either the Virtual Account cloud tenant or the CDO cloud tenant depending on how they are licensed and how they communicate with the Cisco Security Cloud infrastructure.

The tenants are isolated from each other and do not share event data.

Virtual Account Tenant

Threat defense devices that are smart-licensed and are not onboarded to a CDO account are registered to the Cisco Virtual Account tenant. The Virtual Account tenant has no automatic connection to the Cisco XDR tenant or the CDO tenant; therefore, events are not automatically forwarded to Cisco XDR.

Cisco Defense Orchestrator Tenant

Devices that have been onboarded to CDO are registered to the CDO tenant. Those devices can send events directly to the Cisco Security Cloud or through the SEC to the Cisco Security Cloud. The CDO tenant has no automatic connection to the Cisco XDR tenant or the Virtual Account tenant; therefore, events are not automatically forwarded to Cisco XDR.

Cisco XDR Tenant

Cisco XDR is a separately licensed product. It requires an additional subscription beyond the licenses required for Cisco Secure Firewall products. For more information, see Cisco XDR Licenses.

You cannot log in to Cisco XDR using your Cisco Security Account or Cisco Secure Malware Analytics credentials.

The Cisco XDR tenant does not automatically receive events from the CDO tenant or the Virtual Account tenant unless those tenants are merged with it.

Security Services Exchange

These tenants are all separate but all reside in the Security Services Exchange (SSE). The SSE is a secure intermediary cloud service that handles cloud-to-cloud and premises-to-cloud identification, authentication, and data storage for use in Cisco cloud security products.

Merge CDO and Cisco XDR Tenants to Display Events in Cisco XDR

To maximize the benefit of Cisco XDR and Security Analytics and Logging, merge your Cisco XDR tenant and CDO tenant. After the merge, Cisco XDR can analyze these high-priority events from your FDM-managed devices: intrusion, file, malware, and Security-related connection events, together with their associated connection events.

Security Analytics and Logging continues to store and process all FTD and ASA events that are sent to the Cisco Security Cloud.

Procedure


Step 1

Request a Cisco XDR Tenant. For instructions on setting up your Cisco XDR tenant, see Cisco XDR Help Center.

Step 2

Configure Security Analytics and Logging on your CDO Tenant.

Use the instructions that apply to your device type and device manager:

  • ASA managed by CDO, sending events to the Cisco Security Cloud through an SEC: Cisco Security Analytics and Logging (SaaS) for ASA Devices

  • ASA managed by ASDM and CLI, sending events to the Cisco Security Cloud through an SEC: Integrating Cisco ASA and Cisco Security Analytics and Logging (SaaS) using CLI and ASDM

  • ASA managed by Cisco Security Manager, sending events to the Cisco Security Cloud through an SEC: Integrating Cisco ASA and Cisco Security Analytics and Logging (SaaS) using CSM

  • FTD managed by CDO, sending events to the Cisco Security Cloud through an SEC: Cisco Security Analytics and Logging (SaaS) for FTD Devices

  • FTD 7.0+ device managed by FDM, sending events directly to the Cisco Security Cloud: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 7.0 > System Settings

  • FTD 7.0+ device managed by FMC: Firepower Management Center and Cisco Security Analytics and Logging (SaaS) Integration Guide

Step 3

Merge your CDO Tenant with your Cisco XDR Tenant.

If you want events generated by your secure firewalls and other supported Cisco products to be available in Cisco XDR, merge your tenants. See Link Your CDO and Cisco XDR Tenant Accounts for instructions.