BRKSEC-3116: Automate your Cisco XDR Workflows: from Threat Hunting, to Finding and Confirming Incidents, to Responding!
Christopher van der Made, Engineering Product Manager, Cisco XDR
Email: | Twitter: ChriscoDevNet | GitHub: https:/
#CiscoLive

whoami
- Half Dutch, half American, living in Rotterdam (NL)
- Studied at the University of Amsterdam (NL): Major in Neuroscience, Minor in Computer Science; Master's in Information Science
- Born and raised in Cisco:
  - Joined Cisco's graduate program in 2015 as Associate Systems Engineer
  - Consulting Systems Engineer for Security in the Northern Europe team, 2016-2020
  - Developer Advocate for Security in the Developer Relations team (Cisco DevNet), 2020-2022
  - Engineering Product Manager for Cisco XDR (and SecureX), with focus on Automation, 2022 onwards
- Hobbies: coding, brewing & drinking, cooking & eating, board sports

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
- Threat Hunting, Incident Response and Automation
- The Cisco XDR Platform
- Data Model
- Analytics, Correlation and Prioritization
- Incident Response
- Automation, Automation, Automation
- Concrete Use Cases and Demos
- Conclusion and Next Steps

Cisco Webex App: Questions?
Use the Cisco Webex App to chat with the speaker after the session. How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
"There are two ways to view automation: as a potential weak link that can fail, or as an enabler to streamline your security operations. Is your glass half full or half empty?"

Section: Threat Hunting, Incident Response and Automation

Threat Hunting: "The process of proactively and iteratively searching through environments to detect and isolate advanced threats that evaded existing security solutions."

Types of Hunts
1. Intelligence-Driven (Atomic Indicators)
   - Low-hanging fruit hunts
   - Known threats
   - Security controls bypass
2. TTP-Driven (Behavioral & Compound Indicators)
   - TTPs: tactics, techniques, procedures
   - Methodologies used by advanced attackers
   - Systematic approach for discovering unknowns
3. Anomaly-Driven (Generic Behaviors)
   - Low-prevalence artifacts
   - Outlier behaviors
   - Unknown threat leads

Threat Hunting Maturity Model (diagram slide)

Incident Response: "The monitoring and detection of security events on a computer or computer network, and the execution of proper responses to those events."

But what is a security event? What is an incident?
A security event is an occurrence (i.e. a detection) that might lead to a security breach. If a security event is confirmed to have resulted in a breach, the event is termed a security incident.

SANS Incident Response Model (diagram slide, for your reference)

Automation: "Automation describes a wide range of technologies that reduce human intervention in processes, namely by predetermining decision criteria, subprocess relationships, and related actions, as well as embodying those predeterminations in machines."

We need to talk statistics

False Positives: "False positives are mislabelled security alerts, indicating there is a threat when in actuality, there isn't. These false/non-malicious alerts increase noise for already over-worked security teams."

Common Triggers for False Positives
- Security detections with a low confidence
- Software bugs or poorly written software
- Unrecognized network traffic
- Legitimate cleanup utilities that delete old shadow copies, triggering a malware or ransomware alert
- Legitimate files with missing security certificates may be flagged as "malicious"

Stats on False Positives (according to 2021 research by Fastly)
- About 45% of all alerts are cybersecurity false positives
- 75% of organizations spend the same amount (or more) time on false positives as they do on actual attacks
- False positives cause the same amount of downtime as real cyber attacks

There is light at the end of the tunnel

How to combat False Positives?
- Reduce the size of the threat surface
- Adjust alert thresholds and prioritize alerts
- Enrich security detections with context
- Improve enterprise-wide cybersecurity hygiene
- Feedback loop: what have you learned, what can you tune?

Who has time to do any of this?

Section: The Cisco XDR Platform

The dream of XDR: automating the analyst and responder
Data-1, Data-2, Data-3, Data-4, Data-5 ... Data-n -> "Magic Box" -> Prioritized incident with automated response decision

The reality of XDR: upleveling the analyst and responder (Input -> Corpus -> Output; Observe, Orient, Decide, Act)
- Ensure all the relevant data is available to an analyst for observation and orientation
- Prioritize & accelerate orientation and decision making in the context of the business
- Execute a recommended action (automatically)

XDR outcomes and components
- Outcomes: Detect Sooner; Prioritize by Impact; Reduce Investigation Time; Accelerate Response
- Components: Investigation; Automated Workflows; Incident Manager; Correlated Events; Asset Insights; Prebuilt Playbooks; Threat Hunting; Intelligence; Machine Learning; Automated Enrichment; Extend Asset Context; Account and Device Correlation; Integrations

Let's address the elephant in the room

Cisco XDR: what is new?
- Brand new UI, with new Incident Manager and more
- Advanced event correlation and analytics, with prioritized incidents
- NVM, NetFlow and other log/flow ingest methods (public cloud and private network)
- Cisco managed and supported (3rd party) integrations
- Security event storage for Cisco and 3rd party (default 90 days)
- Built-in, guided and automated Incident Response Playbook
- Automation Rules, with an Incident trigger
- Many, many, many more enhancements
Section: Cisco XDR: Data Model
- (Data model diagram slide)
- Relationships can be advanced
- Recognize CTIM in Cisco XDR (BETA)

Section: Cisco XDR: Analytics, Correlation and Prioritization

XDR Analytics: prioritized and multi-source Incidents
Sources: NVM Logs, EDR Events, NetFlow, Firewall Logs, Cloud Logs, DNS Logs, etc.
Pipeline: Analytics & Correlation -> Enrichment -> Prioritization -> Extended Detections -> Incident Response

XDR Analytics: how does the engine work?
- Data Warehouse: Flow Data, NVM logs, Cloud logs, NGFW logs, ISE logs, etc.
- Entity: any object upon which we can make an observation (IP Address, Hostname, Username, Instance ID, etc.)
- Role: functional classification of an entity based on observed attributes
- Rules: config that influences the model
- Telemetry, Observations and Alerts: the slide defines these as "an activity that we are watching for" and "notification of something of potential interest"
- Attack Chain: automatic correlation of related alerts; an Incident is created and sent for Prioritization

Incident Prioritized by Risk and Value (BETA)
Priority Score = Detection Risk x Asset Value
- Priority Score (0-1000): the total priority score used to prioritize incidents
- Detection Risk (0-100), Cisco XDR defined: computed using the data model, leveraging multiple values including MITRE TTP Financial Risk, Number of MITRE TTPs and Source Severity
- Asset Value (0-10), user defined: represents the value of the asset involved in the incident

Prioritized and multi-source Incidents (BETA)
- Single view for incidents from multiple sources
- Enhanced incident view focused on the most critical incidents
- Incidents prioritized by business impact and asset value
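The priority formula on the slide is simple, but how it reorders a queue is worth seeing: a high-risk detection on a low-value asset lands below a medium-risk detection on a crown jewel, and an asset valued at 0 zeroes the score outright. The following is an added example, not Cisco's code. It takes the ranges from the slide (Detection Risk 0-100, Asset Value 0-10, Priority Score 0-1000); how XDR derives Detection Risk from MITRE TTP financial risk, TTP count and source severity is not on the page, so it is treated as a given input, and the incidents are constructed sample data.

```python
"""Priority Score = Detection Risk x Asset Value, used to order an incident queue.

Added example, not Cisco's code. Ranges are the slide's; Detection Risk is
taken as an input because the page does not give the formula behind it.
The incidents below are constructed sample data."""
from dataclasses import dataclass

DETECTION_RISK_MAX = 100   # Cisco XDR defined, per the slide
ASSET_VALUE_MAX = 10       # user defined, per the slide
PRIORITY_MAX = DETECTION_RISK_MAX * ASSET_VALUE_MAX   # 1000


@dataclass(frozen=True)
class Incident:
    incident_id: str          # constructed identifiers, not real XDR ids
    title: str
    detection_risk: float     # 0-100, computed by XDR (assumed given)
    asset_value: int          # 0-10, value of the asset involved (assumption: highest of the assets)


def is_valid(detection_risk: float, asset_value: int) -> bool:
    """True when both inputs sit inside the ranges the slide states."""
    return 0 <= detection_risk <= DETECTION_RISK_MAX and 0 <= asset_value <= ASSET_VALUE_MAX


def priority_score(detection_risk: float, asset_value: int) -> float:
    """The slide's product, rejecting out-of-range inputs instead of silently scaling."""
    if not is_valid(detection_risk, asset_value):
        raise ValueError(f"out of range: detection_risk={detection_risk}, asset_value={asset_value}")
    return detection_risk * asset_value


def prioritize(incidents):
    """Order incidents highest score first.

    Ties are broken by asset value, then by id, so the queue is stable and an
    analyst sees the same order on every refresh."""
    return sorted(
        incidents,
        key=lambda i: (-priority_score(i.detection_risk, i.asset_value),
                       -i.asset_value, i.incident_id),
    )


# Constructed sample queue: note that the port scan (risk 90) on a lab host
# ranks below the C2 beacon (risk 55) on the finance server.
SAMPLE_INCIDENTS = [
    Incident("inc-1", "Phishing link clicked on laptop", 40, 3),
    Incident("inc-2", "C2 beacon from finance database server", 55, 9),
    Incident("inc-3", "Port scan from lab host", 90, 1),
    Incident("inc-4", "Low-confidence detection on guest device", 20, 0),
]


def ranked_ids(incidents=SAMPLE_INCIDENTS):
    """Incident ids in queue order, for the reader (and the test) to check."""
    return [i.incident_id for i in prioritize(incidents)]


if __name__ == "__main__":
    for inc in prioritize(SAMPLE_INCIDENTS):
        score = priority_score(inc.detection_risk, inc.asset_value)
        print(f"{score:6.0f}/{PRIORITY_MAX}  {inc.incident_id}  {inc.title}")
```

The practical caveat this surfaces: because the score is a product, an asset that was never assigned a value (0) buries the incident regardless of detection risk, so the user-defined side of the formula needs the same care as the detections feeding the other side.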
Wait... What if I do want to create my own Incident, is that not possible in Cisco XDR?

A note on the Private Intel API
In Cisco XDR, there are two private intelligence APIs:
- https:/ (*): legacy SecureX API that can be used to manage raw objects like feeds, indicators, judgements, relationships, sightings, and so on.
- https:/ : API used to manage Cisco XDR Incidents (with priority score!) and related objects such as Worklog Notes.
- A Cisco XDR Automation Atomic Workflow is available to create a prioritized incident!
(*) New unified XDR URL coming (backward compatible)

Interact with Cisco XDR via the API! (BETA)

Cisco XDR APIs
- Built on top of OpenAPI (Swagger), which is an open-source suite of API developer tools, enabling development across the entire API lifecycle, from design and documentation, to test and deployment.
- Uses OAuth 2.0 to do authentication. The authentication flow is as follows:
  1. Use your ClientID and Password to obtain a token.
  2. Use the token to access the APIs for all other functions.
  3. When the token expires, request a new token with your API ClientID and API Secret.
  4. Use the new token to continue using the APIs for all other functions, until it expires.
  5. Repeat steps 3-4 as needed.
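The five steps above describe a token lifecycle that every script against the XDR APIs has to get right: obtain a token, reuse it, renew it before calls start failing, and never leak the secret. The following is an added example, not Cisco's code and not the XDR SDK. The slide names no endpoint, so `TOKEN_PATH` is a placeholder; the client-credentials grant with HTTP Basic client authentication and the JSON response shape (`access_token`, `expires_in`) are assumptions, and `FakeTokenEndpoint` is a constructed stand-in for the real token endpoint so the example runs offline.

```python
"""OAuth 2.0 token lifecycle for the Cisco XDR APIs, steps 1-5 of the slide.

Added example, not Cisco's code. TOKEN_PATH is a placeholder, the grant type
and response shape are assumptions, and FakeTokenEndpoint is a constructed
stand-in for the real endpoint so this runs offline."""
import base64
import time
from dataclasses import dataclass

TOKEN_PATH = "/oauth2/token"   # placeholder path, not the documented XDR one
RENEW_SKEW_SECONDS = 30        # renew shortly before expiry so in-flight calls never race it


def basic_auth(client_id: str, client_secret: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


@dataclass
class Token:
    access_token: str
    expires_at: float          # epoch seconds, derived from expires_in


class FakeTokenEndpoint:
    """Constructed token endpoint: verifies Basic client credentials and issues
    short-lived bearer tokens, counting how many it has handed out."""

    def __init__(self, client_id: str, client_secret: str, lifetime: int):
        self._expected = basic_auth(client_id, client_secret)
        self.lifetime = lifetime
        self.issued = 0

    def post(self, path: str, headers: dict, data: dict):
        if path != TOKEN_PATH:
            return 404, {"error": "not_found"}
        if headers.get("Authorization") != self._expected:
            return 401, {"error": "invalid_client"}
        if data.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        self.issued += 1
        return 200, {"access_token": f"tok-{self.issued}",
                     "token_type": "Bearer", "expires_in": self.lifetime}


class XdrApiClient:
    """Holds one token and renews it on demand (steps 3-5 of the slide)."""

    def __init__(self, client_id, client_secret, endpoint, clock=time.time):
        self._client_id = client_id
        self._client_secret = client_secret   # kept in memory only; never log it
        self._endpoint = endpoint
        self._clock = clock
        self._token = None

    def _request_token(self) -> Token:
        """Steps 1 and 3: exchange the client id and secret for a token."""
        headers = {"Authorization": basic_auth(self._client_id, self._client_secret)}
        status, body = self._endpoint.post(TOKEN_PATH, headers,
                                           {"grant_type": "client_credentials"})
        if status != 200:
            raise PermissionError(f"token request failed: {status} {body.get('error')}")
        return Token(body["access_token"], self._clock() + body["expires_in"])

    def _token_usable(self) -> bool:
        return (self._token is not None
                and self._clock() < self._token.expires_at - RENEW_SKEW_SECONDS)

    def auth_header(self) -> dict:
        """Steps 2 and 4: reuse the token while usable, otherwise renew (step 5)."""
        if not self._token_usable():
            self._token = self._request_token()
        return {"Authorization": f"Bearer {self._token.access_token}"}


CLIENT_ID = "client-id-placeholder"          # constructed, not a real credential
CLIENT_SECRET = "client-secret-placeholder"  # constructed, not a real credential


def demo(lifetime: int = 600):
    """Drive a fake clock past expiry; return the bearer values used per call
    and how many tokens the endpoint issued (initial token plus one renewal)."""
    now = [1_000.0]
    endpoint = FakeTokenEndpoint(CLIENT_ID, CLIENT_SECRET, lifetime)
    client = XdrApiClient(CLIENT_ID, CLIENT_SECRET, endpoint, clock=lambda: now[0])
    used = []
    for gap in (0, 100, 500):       # seconds elapsed before each API call
        now[0] += gap
        used.append(client.auth_header()["Authorization"])
    return used, endpoint.issued


def wrong_secret_rejected() -> bool:
    """A bad secret never yields a token; step 1 fails loudly instead."""
    endpoint = FakeTokenEndpoint(CLIENT_ID, CLIENT_SECRET, 600)
    client = XdrApiClient(CLIENT_ID, "not-the-secret", endpoint)
    try:
        client.auth_header()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), wrong_secret_rejected())
```

The renewal skew is the design choice to notice: renewing exactly at expiry means a call issued a moment earlier can still fail with 401, so the client treats a token as stale a little before the endpoint does. To use the client for real, replace `FakeTokenEndpoint.post` with an HTTP POST to the documented XDR token endpoint and keep the secret in a vault or environment variable rather than in the script.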
New API documentation coming soon!

Section: Cisco XDR: Incident Response
(Incident Manager screenshot, BETA) Looks familiar?

XDR Response Playbook (BETA)
- Ability to respond throughout the interface
- Simplified response workflows available from within incidents
- Broad set of workflows to achieve a variety of outcomes
- Vendor agnostic and work out of the box based on integration module targets
- Four stages to resolution (based on SANS PICERL): Identify, Contain, Eradicate, Recover

Worklog keeps track of Notes and Automation (powered by Cisco XDR Automation, BETA)
Pivot Menu: quick response to Observables (powered by Cisco XDR Automation, BETA; new UI coming soon)

Section: Cisco XDR: Automation, Automation, Automation

The 3 custom methods of integrating and automating with Cisco XDR:
1. Cisco XDR APIs: the most advanced and native way of integrating with Cisco XDR. Work with CTIM to create incidents, casebooks, judgments, sightings etc. Anything that can be done in the GUI can be done via the API (also enrichment and investigations).
2. Cisco XDR Automation: low-to-no-code platform to automate (scheduled/triggered) security workflows. Perfect middleware and easy to get started.
3. Cisco XDR Relay Modules: offers the possibility to integrate as a module in Cisco XDR. Uses the same APIs under the hood.

Cisco XDR Automation (*based on the best of SecureX Orchestration; new UI coming soon)
- Cloud-native, microservice architecture with "API-first" design
- Highly performant, scalable and secure
- Reusable and embeddable
- Intuitive drag-and-drop UI with visual workflows
- Combine flexible out-of-the-box adapters to create new integrations
- Automate tasks according to schedules or external events such as email events
Workflow diagram: Start -> Target 1 (Invoke/Response) -> Target 2 (Invoke/Response) -> ... -> Target N (Invoke/Response) -> End
The same bullets are repeated on a second slide titled "The perfect middleware!"

Cisco XDR Automation: Workflow Editor (for your reference; new UI coming soon)
Elements: Activity Group; Atomic Action (Activity); drag-and-drop UI; Logical Constructs; Details Pane; Validate & Save; Run & Audit; Variables; Creates Atomic Action; Tags; Workflow. "Stacked Activities" indicates an Atomic Action.

Sneak peek (*subject to change)

New: Automation Rule with an Incident Event (BETA)
- Select a wide variety of criteria for conditions
- Describe the incident type in more detail, e.g.: Phishing; Initial Access; Command & Control; at least one asset involved; no guest devices
- Select one or multiple workflows to execute

XDR Reusing Integration Modules for Automation (BETA)
1. User integrates a new product into Cisco XDR (XDR Integration Modules).
2. The Integration Module automatically creates an HTTP Target in XDR Automation.
3. Create an Automation Workflow that uses the HTTP Target.
4. The Automation Workflow executes (manually or via an Automation Rule).
5. The Workflow Run invokes the HTTP Adaptor.
6. The HTTP Adaptor detects the Integration Module Target and connects to the IROH Auth Proxy.
7. The IROH Auth Proxy makes the API call to the product via the Integration Module.

New: Integration Module HTTP Targets (BETA)
- No extra steps needed to make API calls
- Select just like any other HTTP Target
- Detects the integration automatically during install! If more than one Integration Module of that type is installed, a drop-down menu is offered.

XDR: Manually responding to incidents (BETA)
1. The analyst executes a response task (Contain Assets) in the XDR Incident Manager (Response tab), which starts the workflow.
2. XDR Automation Workflow Run: check integrations -> the XDR Integration Modules return the integrated EDR(s).
3. Invoke Asset Containment -> run actions on the integrated EDR(s) (any target, e.g. EDR integration(s)) -> results.
4. Update status and write to the Worklog: results are shown to the analyst/incident responder in the XDR Incidents Worklog.
Shows only assets involved with the incident. Many more EDR-agnostic workflows are available (e.g. Block File Hash).

XDR: Automatically responding to incidents (BETA)
1. A new prioritized incident matches an Automation Rule based on specific criteria.
2. After the criteria match, the configured workflow(s) are started in parallel (XDR Automation Workflow Run), e.g.: Invoke Asset Containment; Create ServiceNow Ticket; Update incident (change status and assign to user). Any target, e.g. the XDR API and ServiceNow.
3. Results are returned and written to the Worklog; they are shown to the analyst/incident responder in the XDR Incidents Worklog.

Section: Concrete Use Cases and Demos

Concrete Use Case #1: Response Tab Workflows
70、esponse and AutomationThe Cisco XDR PlatformData ModelAnalytics,Correlation and PrioritizationIncident ResponseAutomation,Automation,AutomationConcrete Use Cases and DemosConclusion and Next StepsBRKSEC-311684Concrete Use CasesConcrete Use Case#1:Response Tab WorkflowsResponse Tab Workflows 2023 Cis
71、co and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveWhat will I be showing you?1.Integrations Module page and automatically created HTTP Target2.Prioritized Incident queue3.Response tab of an Incident4.Create a ServiceNow ticket,with just 1 click!5.Isolate endpoint across EDRs,with ju
72、st 3 clicks!BETABRKSEC-311687 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-311688 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-311689 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-311690 202
73、3 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-311691 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-311692 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-311693 2023 Cisco and/or its affiliates.All
74、 rights reserved.Cisco Public#CiscoLiveBRKSEC-311694 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-311695Concrete Use Case#2:Build your own Incident Build your own Incident triggered Automation Rule with triggered Automation Rule with prepre-built Workflowsbuilt W
75、orkflows 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveWhat will I be showing you?1.Automation Rules,and changes to Triggers2.New Incident Trigger3.Create new Automation Rule to assign Incident to me4.Generate Incident via API and show Automation Rule in actionBETABRKSEC
76、-311697 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-311698 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-311699 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-3116100 2023 Cisco and/or its af
77、filiates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-3116101 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-3116102 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-3116103 2023 Cisco and/or its affiliates.All rights reserved.C
78、isco Public#CiscoLiveBRKSEC-3116104 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-3116105 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBRKSEC-3116106 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveWhat did
79、we just do?New prioritized Incident matches Automation Rule based on specific criteria.XDR Incidents Incident PrioritizedAfter criteria match,execute configured Workflow(s)Return resultsXDR Automation Automation RuleXDR Automation Workflow RunAny targete.g.Cisco XDR APIResults are shown to analyst/i
80、ncident responder in the XDR Incidents-Worklog.Write to Write to WorklogWorklogResultsUpdate incident(assign to user)BETAStart Start workflow(s)workflow(s)in parallelin parallelBRKSEC-3116107 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDescribe incident type in more de
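The "Automatically responding to incidents" flow in the Automation section and the "What did we just do?" recap above are the same loop: a prioritized incident arrives, the rule's criteria are evaluated, the configured workflows run in parallel, and every result lands in the worklog. The following is an added example that simulates that loop in-process; it is not Cisco's code and not the XDR Automation engine. The criteria are the ones the slides list (Phishing, Initial Access or Command & Control, at least one asset involved, no guest devices) plus a priority threshold; the incident fields, the three workflow functions and the worklog are assumptions, nothing contacts an EDR or ServiceNow, and the sample incidents are constructed.

```python
"""Incident-triggered Automation Rule, simulated end to end.

Added example, not Cisco's code. The incident fields, the workflow functions
and the worklog are assumptions; the workflows only simulate their effects,
and the sample incidents are constructed."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Asset:
    hostname: str
    is_guest: bool = False


@dataclass
class Incident:
    incident_id: str
    priority_score: int
    labels: Set[str]                   # incident-type labels as listed on the slide
    assets: List[Asset] = field(default_factory=list)
    status: str = "New"
    assignee: Optional[str] = None
    worklog: List[str] = field(default_factory=list)


Workflow = Callable[[Incident], str]   # each workflow returns a worklog note


@dataclass
class AutomationRule:
    name: str
    any_of_labels: Set[str]            # match if the incident carries any of these
    require_asset: bool
    exclude_guest_devices: bool
    min_priority: int
    workflows: List[Workflow]

    def matches(self, inc: Incident) -> bool:
        """Every configured criterion must hold; an empty label set means 'any'."""
        if inc.priority_score < self.min_priority:
            return False
        if self.any_of_labels and not (inc.labels & self.any_of_labels):
            return False
        if self.require_asset and not inc.assets:
            return False
        if self.exclude_guest_devices and any(a.is_guest for a in inc.assets):
            return False
        return True


# Simulated pre-built workflows; the real ones call integration module targets.
def wf_assign_to_user(inc: Incident) -> str:
    inc.assignee = "analyst@example.com"      # placeholder user
    inc.status = "Open"
    return f"incident assigned to {inc.assignee}, status set to {inc.status}"


def wf_contain_assets(inc: Incident) -> str:
    hosts = ", ".join(a.hostname for a in inc.assets)
    return f"asset containment requested for {hosts} (simulated, no EDR called)"


def wf_create_ticket(inc: Incident) -> str:
    return f"ticket SIM-{inc.incident_id} created (simulated ServiceNow call)"


def run_rule(rule: AutomationRule, inc: Incident) -> bool:
    """If the rule matches, run all workflows in parallel and append each
    note to the worklog in configuration order (map preserves it)."""
    if not rule.matches(inc):
        return False
    with ThreadPoolExecutor(max_workers=len(rule.workflows)) as pool:
        notes = list(pool.map(lambda wf: wf(inc), rule.workflows))
    for wf, note in zip(rule.workflows, notes):
        inc.worklog.append(f"[{rule.name}/{wf.__name__}] {note}")
    return True


RULE = AutomationRule(
    name="contain-and-ticket",
    any_of_labels={"Phishing", "Initial Access", "Command & Control"},
    require_asset=True,
    exclude_guest_devices=True,
    min_priority=300,
    workflows=[wf_assign_to_user, wf_contain_assets, wf_create_ticket],
)


def make_samples() -> Dict[str, Incident]:
    """Constructed incidents: one that should fire and three that should not."""
    return {
        "match": Incident("inc-2", 495, {"Initial Access", "Command & Control"},
                          [Asset("fin-db-01")]),
        "guest": Incident("inc-5", 600, {"Phishing"}, [Asset("guest-laptop", is_guest=True)]),
        "no_asset": Incident("inc-6", 700, {"Initial Access"}),
        "low_priority": Incident("inc-1", 120, {"Phishing"}, [Asset("laptop-17")]),
    }


def demo() -> Dict[str, tuple]:
    """Return (fired?, worklog entries) per sample after evaluating the rule."""
    return {key: (run_rule(RULE, inc), len(inc.worklog))
            for key, inc in make_samples().items()}
```

Two points a practitioner would check before wiring containment to a rule like this: the guest-device exclusion and the priority floor are what keep an automatic containment from firing on a visitor's laptop or on a low-score incident, and the worklog entries are the audit trail that lets the responder see exactly which workflow did what when several ran at once.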
Describe the incident type in more detail (BETA): Phishing; Initial Access; Command & Control; at least one asset involved; no guest devices

Concrete Use Case #3: Build your own Incident-triggered Workflow

What will I be showing you? (BETA)
1. Create new Automation Workflow to send a Webex notification of the Incident
2. Create new Automation Rule to execute new Automation Workflow
3. Generate Incident via API and show Automation Rule in action
4. Think of cool use cases
(Demo screenshots)

Section: Conclusion and Next Steps

Built-in Automation Workflows not enough? (BETA)

TL;DR: some conclusions
- Threat Hunting is a continuous process and a loop.
- Incident Response is a sequential set of processes.
- For both, tuning feedback is crucial.
- Both have great automation possibilities.
- Cisco XDR attempts to automate as much as possible out of the box, AND offers rich customization possibilities!

Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! These points help you get on the leaderboard and increase your chances of winning daily and grand prizes. Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

Webex space note on the closing slide: Webex spaces will be moderated by the speaker until infinity (or until someone closes the space).

Thank you
Twitter: ChriscoDevNet | https:/

Gamify your Cisco Live experience! Get points for attending this session! How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.
98、isco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveGamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:1234138 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKSEC-3116138#CiscoLive