BRKATO-1557: Automating Detection & Response Outcomes using Cisco XDR
.. and how CX Automation Services can help!
About Cisco Live | Link to Session Presentation | Link to Session Recording
Scenario: Your organization has several remote employees who are using their personal devices to access sensitive company data. One of the employee's laptops gets infected with ransomware that attempts to establish command & control communication before initiating data encryption.
Cisco XDR gathers the event information generated by Cisco Umbrella, including the nature of the threat (C&C, High Severity), the associated domain/s (ex: monsteradds.at), and details about the affected employee's device. A response workflow in XDR Automate is automatically triggered.
In this repository:
- XDR - Create Critical Incident: Simulates a mock Command & Control detection incident created by Umbrella. This is for non-production use only. Inspired by the work of Christopher Van Der Made.
- XDR - Command & Control Response: This workflow is triggered automatically in response to a Command & Control event picked up by Cisco Umbrella that creates an incident in Cisco XDR. This is for non-production use only.
Please note that workflow content in this repository will not be kept up to date with new code releases/patches. If you're a Cisco Live attendee, you may create an issue on this repository or reach out to us via email for queries and/or feedback.
Oh and, while you're here, you may want to check out some of our other content as well 🚀
Contributors:
- Aman Sardana (amasarda@cisco.com)
- Scott Dozier (scdozier@cisco.com)
Cisco CX Automation, June 2023