Note: This tutorial is adapted from the SCAZT course on Cisco U. If you find this helpful, consider taking the full course.

The cyber threat landscape is constantly evolving as new threats emerge. As the Internet of Things (IoT), clouds, and hybrid work have become more widespread, attack surfaces have expanded, offering threat actors more opportunities to get into more environments. At the same time, security operations centers (SOCs) rely on multiple technologies to detect and respond to threats, but the lack of integration forces SOC analysts to waste time switching between interfaces. Moreover, organizations that still use old detection and response approaches built upon self-contained point security solutions cannot keep pace with the sophistication and diversity of modern attacks.

Organizations need a solution that fills the void with an open and unified approach to prevent, detect, and respond to threats quickly and efficiently—a solution like extended detection and response (XDR).

Cisco XDR simplifies security operations, accelerates responses, and empowers SOC teams with artificial intelligence (AI)-driven and proactive threat detection and response. It is designed to address the challenges that are faced by security analysts and offers a cloud-native, extensible solution that brings data from multiple security tools and applies machine learning and analytics to arrive at correlated detections.

In an intelligence-driven incident response, a piece of disseminated information may be the starting point for a security team to investigate the impact of a known piece of malware. Indicators of compromise (IOCs) are clues that a network or endpoint has been breached. The Cisco XDR Investigate feature is used to investigate suspicious IOCs or observables, such as emails, log messages, domains, URLs, and IPs. Cisco XDR reaches out to all the configured sources and finds the disposition (verdict) for each IOC or observable, then displays the details in the investigation results.

An asset is a generic object, which can be a device, person, network, data, or application. For example, an asset could be a device such as a laptop, or it could be the application used to store specific intellectual property data. Once an asset has been identified by Cisco XDR Investigate, you can immediately direct attention to it to gain contextual knowledge of exactly which IOCs or observables the asset has communicated with.

What You’ll Learn

What You’ll Need

Note: The lab environment is not available for this tutorial. However, the configuration steps are provided for your reference. Feel free to follow along with the provided outputs.

Once logged in to Cisco XDR, you will see the Cisco XDR Control Center. The Control Center provides visibility and aggregate, actionable intelligence across your organization. The Control Center lets you view metrics and data across your entire security environment and accelerate threat response.

To start your investigation, from the Cisco XDR Control Center Overview dashboard, click Investigate in the left navigation menu.

Cisco XDR Investigate simplifies threat hunting and incident response by accelerating detection, investigation, and remediation of threats. XDR Investigate provides security investigations with context and enrichment by collecting and displaying all the related security events across the Cisco security solutions (endpoint, network, and cloud) and third-party tools, all in a single console.

Enter the IOCs into the New Investigation panel, and then click Investigate to begin. You can enter text, or copy and paste directly into the New Investigation panel (up to 2000 characters).

In this tutorial, https://drinkfoodapp.com is the suspicious URL to investigate.

By using the latest threat intelligence, such as that from Cisco Talos, cybersecurity professionals can get information about the latest threats and their associated IOCs.

Cisco XDR reaches out to all the configured sources, finds the disposition for each observable, then displays the details in the investigation results.

The results of the investigation are displayed in the Relations Graph (at the top of the page), with the observable sightings shown on the Sightings Timeline. Additional details are available in the Events, Assets and Observables, and Indicators panels.

In this tutorial, we will begin the investigation by examining the Relations Graph. The Relations Graph shows a graph of all the connections between the different observables in the investigation. Nodes in the Relations Graph are shown with different colors so that you can quickly differentiate them. The different color representations are shown below the Relations Graph. For example, the red color indicates a malicious verdict, while the purple color represents an asset.

Find the drinkfoodapp.com domain in the Relations Graph.

In this example, the drinkfoodapp.com domain is malicious, as indicated by the red color, and it is associated with various malicious files, as indicated by the red Malicious MD5s, Malicious SHA-1s, and Malicious SHA-256s nodes. The drinkfoodapp.com domain also has a connection to an asset named dcloud vpod.

Analyze the drinkfoodapp.com domain by clicking the drinkfoodapp.com red globe icon. On the right, you can see that this domain received a disposition of being malicious based on the network-opendns-malicious indicator.

To see more details, click the blue arrow icon to the right of drinkfoodapp.com. There are two verdicts that indicate that this domain is malicious, and the verdict source is Umbrella.

Click the arrow icon next to 2 Verdicts to see more details. You can see that both Umbrella and Talos Intelligence have the same malicious disposition for this domain, each with its expiration date and time. In this case, Umbrella has the highest-priority disposition, as indicated by the purple icon.
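The two mechanics the tutorial walks through above, turning free text pasted into the New Investigation panel into typed observables and settling on one disposition when several sources return verdicts that carry an expiration and a source priority, modelled in Python as an added example. This is not Cisco XDR's code or API: the source priority order, the `Verdict` shape and the sample data are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumed source priority (constructed for this example, not Cisco XDR's real ordering); lowest wins.
SOURCE_PRIORITY = {"Umbrella": 0, "Talos Intelligence": 1, "AMP File Reputation": 2}

# Observable types the tutorial investigates, most specific first, so a domain inside a URL is not repeated.
OBSERVABLE_PATTERNS = [
    ("sha256", re.compile(r"\b[a-fA-F0-9]{64}\b")),
    ("sha1", re.compile(r"\b[a-fA-F0-9]{40}\b")),
    ("md5", re.compile(r"\b[a-fA-F0-9]{32}\b")),
    ("url", re.compile(r"\bhttps?://[^\s'\"<>]+")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
]

def extract_observables(text: str) -> List[Tuple[str, str]]:
    """Turn free text pasted into the New Investigation panel into (type, value) pairs."""
    found, claimed = [], []
    for kind, pattern in OBSERVABLE_PATTERNS:
        for m in pattern.finditer(text):
            if any(s <= m.start() < e for s, e in claimed):
                continue  # this span was already claimed by a more specific type
            claimed.append((m.start(), m.end()))
            found.append((kind, m.group(0)))
    return found

@dataclass
class Verdict:
    source: str
    disposition: str       # "Malicious", "Suspicious", "Clean" or "Unknown"
    valid_until: datetime  # the expiration shown next to each verdict

def aggregate_disposition(verdicts: List[Verdict], now: datetime) -> Tuple[str, Optional[str]]:
    """Drop expired verdicts, then let the highest-priority live source decide,
    as the tutorial shows Umbrella outranking Talos for drinkfoodapp.com."""
    live = [v for v in verdicts if v.valid_until > now]
    if not live:
        return "Unknown", None
    winner = min(live, key=lambda v: SOURCE_PRIORITY.get(v.source, 99))
    return winner.disposition, winner.source

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed sample data, not from the tutorial's lab
SAMPLE_TEXT = "DNS for https://drinkfoodapp.com/dl then 198.51.100.7 and evil.example served " + "a" * 64
SAMPLE_VERDICTS = [Verdict("Talos Intelligence", "Malicious", datetime(2024, 7, 1, tzinfo=timezone.utc)),
                   Verdict("Umbrella", "Malicious", datetime(2024, 7, 1, tzinfo=timezone.utc))]
```

Feeding `SAMPLE_TEXT` to `extract_observables` yields one SHA-256, one URL, one IP and one bare domain, and `aggregate_disposition(SAMPLE_VERDICTS, NOW)` picks Umbrella's verdict even though both sources agree.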

Click the View events button at the bottom to examine the security events that are associated with the drinkfoodapp.com malicious domain.

In this example, the associated security event was sourced from the Cisco Umbrella Reporting API.

By default, Cisco XDR shows the associated events only for your environment. You can choose to also see the global events by deselecting the My environment events only option.

Click the associated security event to see more details.

On the right panel, you can see the details about this security event. In this example, in the Long description, you can see that dCloud vPod made a DNS request for this malicious domain.

From the Relations Graph, double-click the SHA-256s icon to expand it, then click one of the SHA-256 options.

From the right panel, click the blue arrow icon next to the SHA to see more details about this malicious SHA-256.

This SHA-256 has two malicious verdicts. One is from Cisco Secure Malware Analytics, and the other is from Cisco AMP File Reputation.

In this investigation, you know that the drinkfoodapp.com domain was found to be malicious, and a file hosted on this website was also analyzed as a malicious file. Both are indications that you should block access to this malicious domain, which can be done using Cisco XDR Automation.

Cisco XDR allows SOC teams to use a single platform with a single interface to investigate threats that are detected across the entire organization and eliminate the unnecessary burden of going back and forth across multiple platform interfaces. Cisco XDR can easily integrate with existing security solutions, whether Cisco or third party, improving the overall security posture and making it more robust.

Not shown in this tutorial: Cisco XDR is also designed with built-in automation workflows to scale response actions and significantly decrease remediation time.

You’ve completed this tutorial, advancing in your learning journey. To continue building your networking skills, check out our additional tutorials, courses, and learning paths.