Cisco XDR Automation Feature Overview

10 Questions

What is one of the outcomes delivered by automation in Cisco XDR?

Automating incident investigation and hunting

What do targets represent in Cisco XDR?

Resources workflows can communicate with

What are account keys used for in Cisco XDR?

Accessing targets that require authentication

What type of endpoint is used for email checks in Cisco XDR?

IMAP endpoints

What is one of the tasks that can be automated in Cisco XDR?

Auditing

What types of data can be stored and used in workflows using variables?

Booleans, date-times, and decimals

What determines the types of events that cause workflows to run?

Automation rules

What is the purpose of the runs page in the workflow editor?

To inspect previous workflow instances for detailed information

What can be built into larger end-to-end use cases or smaller repeatable building blocks in workflows?

Workflows

Where can workflows be created and edited?

Workflow editor

Study Notes

  • Matt Vanderhorst, a technical leader in marketing engineering for Cisco XDR, discusses Cisco XDR's automation feature and its main components and capabilities.
  • Automation can deliver various outcomes, such as:
      • Automating incident investigation and hunting by writing workflows that collect data from various sources and conduct automated investigations.
      • Identifying issues in the environment more quickly and getting relevant information in front of an analyst as soon as possible.
      • Automating analyst response to threats using workflows that take response actions at machine speed when specific criteria are met.
      • Powering the Playbook feature of the XDR Incident Manager.
      • Automating repetitive tasks, such as auditing, data collection, and reporting.
      • Integrating systems in new ways by creating workflows that communicate between them.
  • In Cisco XDR, targets represent the resources workflows can communicate with. Types of targets include:
      • HTTP endpoints for APIs.
      • IMAP endpoints for email checks.
      • Targets created by product integrations.
  • Account keys, also known as credentials, are used to access targets that require authentication. Types of account keys include:
      • Email credentials for IMAP endpoint targets.
      • API keys for various targets.
  • Variables allow the storage and use of various types of data in workflows, including strings, booleans, date-times, decimals, integers, and secure strings.
  • Triggers determine which types of events cause workflows to run, such as automation rules, email arrivals, incident generation, schedules, or webhooks.
  • Workflows consist of multiple steps and can be built into larger end-to-end use cases or smaller repeatable building blocks called atomics.
  • Workflows can be imported from various sources, such as GitHub or the XDR Automation Exchange, and can be created and edited within the workflow editor.
  • The workflow editor includes a toolbox, canvas, and properties editor for building and configuring workflows.
  • The runs page shows workflow performance over time and allows you to inspect previous workflow instances for detailed information about what the workflow did and which parts succeeded or failed.

Explore the main components and capabilities of the automation feature in Cisco XDR, including incident investigation and hunting, analyst response automation, Playbook feature, targets, account keys, variables, triggers, workflows, and the workflow editor. Learn about automating repetitive tasks, integrating systems, and importing workflows from various sources.
