Cisco XDR Automation Feature Overview

Questions and Answers

What is one of the outcomes delivered by automation in Cisco XDR?

• Delaying analyst response to threats
• Manual collection of data from various sources
• Automating incident investigation and hunting (correct)
• Disabling the Playbook feature of xdr incident manager

What do targets represent in Cisco XDR?

• Automated incident investigation components
• Resources workflows can communicate with (correct)
• Data collection mechanisms
• Authentication methods for analysts

What are account keys used for in Cisco XDR?

• Powering the Playbook feature of xdr incident manager
• Accessing targets that require authentication (correct)
• Integrating systems in new ways
• Automating analyst response to threats

What type of endpoint is used for email checks in Cisco XDR?

IMAP endpoints (C)

What is one of the tasks that can be automated in Cisco XDR?

Auditing (B)

What types of data can be stored and used in workflows using variables?

Booleans, date-times, and decimals (B)

What determines the types of events that cause workflows to run?

Automation rules (B)

What is the purpose of the runs page in the workflow editor?

To inspect previous workflow instances for detailed information (D)

What can be built into larger end-to-end use cases or smaller repeatable building blocks in workflows?

Workflows (D)

Where can workflows be created and edited?

Workflow editor (D)

Study Notes

• Matt Vanderhorst, a technical leader in marketing engineering for Cisco XDR, discusses Cisco XDR's automation feature and its main components and capabilities.
• Automation can deliver various outcomes, such as:
• Automating incident investigation and hunting by writing workflows that collect data from various sources and conduct automated investigations.
• Identifying issues in the environment more quickly and getting relevant information in front of an analyst as soon as possible.
• Automating analyst response to threats using workflows that take response actions at machine speed when specific criteria are met.
• Powering the Playbook feature of the xdr incident manager.
• Automating repetitive tasks, such as auditing, data collection, and reporting.
• Integrating systems in new ways by creating workflows that communicate between them.
• In Cisco XDR, Targets represent the resources workflows can communicate with. Types of targets include:
• HTTP endpoints for APIs.
• IMAP endpoints for email checks.
• Targets created by product integrations.
• Account keys, also known as credentials, are used to access targets that require authentication. Types of account keys include:
• Email credentials for IMAP endpoint targets.
• API keys for various targets.
• Variables allow the storage and use of various types of data in workflows, including strings, booleans, date-times, decimals, integers, and secure strings.
• Triggers determine what types of events cause workflows to run, such as automation rules, email arrivals, incident generations, schedules, or web hooks.
• Workflows consist of multiple steps and can be built into larger end-to-end use cases or smaller repeatable building blocks called atomics.
• Workflows can be imported from various sources, such as GitHub or the xdr automation exchange, and can be created and edited within the workflow editor.
• The workflow editor includes a toolbox, canvas, and properties editor for building and configuring workflows.
• The runs page shows workflow performance over time and allows you to inspect previous workflow instances for detailed information about what the workflow did and which parts succeeded or failed.

Description

Explore the main components and capabilities of the automation feature in Cisco XDR, including incident investigation and hunting, analyst response automation, Playbook feature, targets, account keys, variables, triggers, workflows, and the workflow editor. Learn about automating repetitive tasks, integrating systems, and importing workflows from various sources.