Link Your Cisco Defense Orchestrator and Cisco XDR Tenant Accounts
If your Firepower Threat Defense or Firepower Management Center device is used with Cisco Defense Orchestrator or Cisco Security Analytics and Logging (SaaS) and Cisco XDR, you must link your Cisco Defense Orchestrator tenant account with the Cisco XDR tenant account associated with the device.
Note the following:
-
Only one Cisco Defense Orchestrator tenant account can be linked with one Cisco XDR tenant account.
If you have tenant accounts on more than one regional cloud, you must link tenant accounts separately for each regional cloud.
If you link a Cisco XDR tenant to Cisco Defense Orchestrator on one cloud, you do not need to do it again for Cisco XDR on the same cloud, and vice versa.
Note | This operation is not reversible. |
Before you begin
-
You must be able to sign in to Cisco Defense Orchestrator and to the applicable regional Cisco XDR cloud with your Security Cloud Sign On account.
-
Your Cisco Defense Orchestrator user account must have admin or super admin privileges.
-
Your Cisco XDR user account must have admin privileges.
Procedure
Step 1 | Sign in to the appropriate regional Cisco Defense Orchestrator site that contains the tenant you wish to link with Cisco XDR. For example, the US cloud is https://defenseorchestrator.com and the EU cloud is https://defenseorchestrator.eu. |
Step 2 | Choose the tenant to link with Cisco XDR. |
Step 3 | Generate a new API token for your account:
For more information about API tokens, see the online help in Cisco Defense Orchestrator at https://docs.defenseorchestrator.com/#!c-api-tokens.html. |
Step 4 | In Security Services Exchange, click the tools menu icon in the top right of any page and select Link Cisco Defense Orchestrator Account. |
Step 5 | Paste the token that you copied from Cisco Defense Orchestrator. |
Step 6 | Verify that you are linking the tenant that you intended to link. |
Step 7 | Click Link Cisco Defense Orchestrator Account. |
Step 8 | Sign out of your Cisco Defense Orchestrator account, and then sign back in. |
What to do next
-
Your account credentials do not change as a result of this procedure. After linking tenants, continue to use your Security Cloud Sign On account credentials to access each product (Cisco Defense Orchestrator, SaaS, Cisco XDR, and so on) as before.
-
If you completed this procedure before registering your devices to Security Services Exchange, continue with the steps in How to Send Events Directly to the Cisco Cloud and Integrate with SecureX.
-
If you performed this procedure after registering your devices for Cisco Defense Orchestrator and Cisco XDR integration, you may have duplicate device instances on the Devices page in Security Services Exchange.
-
In this case, the instance of your device that was previously associated with your Cisco Defense Orchestrator registration is now also associated with the linked Cisco XDR tenant.
-
Events generated by devices before linking tenants will have a different device ID than events generated by the same device after linking tenants.
-
If you do not need to map events to the devices that generated them, you can delete the "Unregistered" device entries for devices that are now associated with the linked tenant.