Managing Threat Defense Events and Analytics

Event and analytics management can either be retained on the on-prem management center or transferred to CDO, in which case the devices must be configured to send events to CDO. When you initiate the migration process, you choose the manager to which the device events are sent for analytics.


If you are migrating devices from an on-prem management center 1000/2500/4500, you cannot use the on-prem management center for managing events due to limited availability. You must therefore use Security Analytics and Logging (OnPrem) or Security Analytics and Logging (SaaS) for devices to send events for analytics. See Cisco Security Analytics and Logging.

If you select the on-prem management center for analytics, CDO becomes the manager for selected devices but retains a copy of those devices on the on-prem management center in analytics-only mode. The devices continue to send events to the on-prem management center, and CDO manages the configuration changes.

If you select CDO for analytics, CDO becomes the manager for the selected devices and deletes these devices from the on-prem management center. CDO then manages both configuration changes and event and analytics management. You must configure threat defense devices to send events to the Cisco cloud. You can use either Security Services Exchange or the Secure Event Connector (SEC) to send events from the devices to Cisco Secure Analytics and Logging (SAL) in the cloud.