I use Cisco XDR because I'm a SOC analyst. It's something I use every single day. The majority of my work has been in Cisco XDR looking through incidents, reading reports that it gives, and making automations.

I use Cisco XDR as more of an integration tool for all of our Cisco tools. I work in a Cisco Suite. We have AMP, Umbrella, Firepower, and all these different tools connected to Cisco XDR, and I can get all my data in one place. It's easier to look at just one tool versus the eight to ten other tools that we have to get data. It saves time and puts us ahead of different threats since it's all in one spot.

I saw the benefits of Cisco XDR immediately after the tool came out. We had meetings with Cisco where they were telling us about the tool. The higher-ups that I work for saw a need for it first, and then they came to the SOC group. When we sat in on the first meeting, we immediately knew that this was a tool we needed to help us save time and get ahead.

One of my favorite features of Cisco XDR is the automation tool, which saves a lot of time because we can craft these automations and workflows. If we get a phishing email, I can set up a workflow that can be initiated the minute the email comes in. If it suspects that to be malicious, it goes ahead and quarantines the file so that it can't spread through our network.

An issue that we have with Cisco XDR is the observable list. These observables are basically similar to a chess board where you have a certain number of spots to put pieces. It's the same concept when we're doing investigations. We're only allowed 2,000 characters and up to 1,000 observables when we do investigations. If we have a list of domains we need to block, such as 4,000 domains, I can only block 100 domains at a time because if I put in more than 100 domains, I hit that 2,000 character max and can't continue with an investigation. Being able to put in all 4,000 domains, without a character limit or observable limit, would make doing those case books a whole lot easier and blocking those domains a whole lot easier too.

I have been using Cisco XDR for about a year and a half.

When we first started with Cisco XDR in August, everybody was having issues. There were three people in our organization, including me, who couldn't even log in to Cisco XDR. We were constantly in meetings and contacting them by sending network logs or through calls. They were remotely looking at our screens.

For about three months, our machines would freeze, and it wasn't just Cisco XDR. It was also integrated with AMP, and both sides would just freeze and lock up. We couldn't do anything, and even when we deleted the tabs, it would just crash out. That lasted for about three months, but once they got it fixed and figured out the issue with the observables and with the character limit, it's been flawless.

I have contacted the technical support for Cisco XDR. They answered pretty quickly, and they were always willing to get into a meeting with us. I didn't really have any issues with them besides minor things where they would tell me to do something that I had already tried or done. Other than that, they responded quickly, they were always willing to meet, and they were always willing to work as per my schedule.

Deployment went fine, but when it came to integration with tools, I was definitely the test guinea pig in terms of system failures. For two months, my Cisco XDR did not work because I was the one who found the observable issue and reported it to Cisco. There were multiple meetings and constant back and forth with engineers, telling them the things they were telling me to do were not working. They were not able to understand that I could not even log in to the application without it freezing. So, the deployment went well, but for the next two months, we had issues, which is normal with a new tool. We got it as soon as it hit the market, so we knew that there were going to be some complications.

I wouldn't say we have it fully set up right now. We're still integrating tools and workflows into it. We have it in working condition where we're able to do investigations in it, so we have it 95% set up now.

I'd rate Cisco XDR a nine out of ten overall.

We have four thousand endpoints, and I have installed XDR on these endpoints. They are integrated with Cisco Firepower Threat Defense. XDR can also integrate with Cisco Meraki solutions. Any issue in a PC will send a message to Meraki, the Firewall, and email security systems, ensuring that a PC will be isolated from the network if necessary.

Cisco XDR offers threat intelligence and links with the Firewall. I can see the Cisco XDR feature in the Firewall with Threat Intelligence. The integration with XDR and Cisco Meraki solutions allows detection of zero-day attacks. XDR connects with Cisco's cloud for updates on zero-day attacks. There is good integration with Splunk, which Cisco acquired, providing comprehensive log management and analysis.

They need to provide better pricing and bundle XDR licenses with products like Meraki solutions or Firepower Threat Defense. Offering some free XDR licenses for testing features, similar to VPN licenses, could have a significant impact on costs.

I have been familiar with Cisco XDR for the last two years.

I haven't thought about the return on investment since I am too busy.

We focus on one vendor, Cisco, which provides us with excellent discounts when we buy multiple products. This integration and discounting are something we cannot get from competitors, leading to reduced security costs.

I rate Cisco XDR as eight out of ten. They need to improve their pricing strategy for a higher rating.