Module 1: Evolution and Introduction to Cisco XDR
Lesson 1: Detection and Response and the challenges of traditional SOC
Lesson 2: What is the OODA loop?
Lesson 3: Overview of Cisco XDR
- High-level Architecture
- Associating SOC profiles to XDR
- Integrations and Response
- XDR/EDR/MDR/SOAR/SIEM – Shared Use cases
- Analytics and Correlation Engine
Module 2: Threat Detection and Incident Response Workflow
Lesson 1: Understanding Threat Detections with Diverse Intelligence
Lesson 2: How to read components: Judgement / Indicators / Feeds / Events
Lesson 3: Cisco XDR: Incident Manager
- Threat inspection captured Incidents
- Infrastructure-based Incident Prioritization: Detection Risk and Asset Value
- MITRE
- Correlated pictorial representation of the threat summary
- Severity Management based on Event types
- Identification/Containment/Eradication and Recovery Workflows
Module 3: Enrichment from Third-Party Integrations
Lesson 1: Overview of the third-party security landscape
Lesson 2: Built-in Integrations
- EDR: Crowdstrike, Sentinel One, MSFT Defender, and more...
- NDR: Dark Trace, Extrahop, and more...
Lesson 3: What is a Relay Module?
Lesson 4: XDR: Remote Connector
Lesson 5: Accomplishing arbitrary integrations
Module 4: XDR APIs
Lesson 1: Northbound and Southbound APIs
Lesson 2: Threat Intelligence APIs: Private and public databases of threat intel
Lesson 3: Investigation APIs: Enrich data using your integrated products
Lesson 4: Response APIs
Lesson 5: OAuth APIs: Use credentials and get access tokens
Lesson 6: Automation APIs: Trigger workflows in XDR to do just about anything you want!
Module 5: XDR Automation and Orchestration
Lesson 1: Understanding Orchestration Workflows: Types and sequence
Lesson 2: Workflows Components: Targets, Account Keys, Triggers, Variables, Events, Schedules & Reports
Lesson 3: Constructing a basic workflow
Lesson 4: Exploring built in cisco and third-party service activities and logics
Lesson 5: Customizing out of the box workflows to fit the business use case
Lesson 6: Nesting workflows
Lesson 7: Using Microsoft APIs to investigate/detect suspicious email with Cisco Secure Email
Lesson 8: Enforcing DLP policy on outgoing email using Cisco XDR automation
Module 6: Endpoint and Network Telemetry
Lesson 1: Network and Endpoint Visibility Together: Telemetry + Device Insights
Lesson 2: Network Visibility Module
Lesson 3: Cisco Secure Client/XDR: Architecture
Lesson 4: Reports and Audit logs
Lesson 5: Asset Tag Device Management
Module 7: Cisco XDR with ITSM, SIEM systems and Public Cloud
Lesson 1: Overview translation of Splunk CIM to XDR CTIM
Lesson 2: Initiating Cisco XDR investigation from Splunk
Lesson 3: Splunk and Cisco XDR Webhooks or Atomic Actions
Lesson 4: Overview of Cisco XDR and Service Now Integration
Lesson 5: Adding Context to ServiceNow incident – Using XDR Automate
Lesson 6: Fundamentals of working with Public Cloud with XDR Orchestration
Lab Outline:
Labs are designed to assure learners a whole practical experience, through the following practical activities:
- Accessing Cisco XDR
- Overview of Cisco XDR
- Validate an Attack and Determine the Incident Response
- Perform Threat Hunting
- Discover Third Party integrations
- Query and Recognize XDR API
- Explore Cisco XDR Orchestration
- Evaluate Assets in a Typical Enterprise Environment
- Work with Endpoint and Network Telemetry
- Explain how to initiate Cisco XDR investigations from Splunk
- Explore the integration of Splunk and Cisco XDR through Webhooks or Atomic Actions