Solution overview

"XDR is a Security Operations Productivity Tool."
- Aaron Woland

XDR won't replace a SIEM for an analyst or incident responder who relies on deep queries and playbook capabilities inside a SIEM, and this is not an intricate lab on threat queries or intelligence coordination. What XDR does do is enable people who are newer to incident response to act in a more impactful way, empowering security teams to act on threats to their environment without needing a seasoned analyst at their disposal.


WWT's ATC Cisco XDR Sandbox Lab exists to provide a unified solution built around relevant use cases. It seeks to showcase the Cisco XDR platform's web UI and ability to alert on, and prevent, breaches using cloud data and machine learning.
 

This lab consists of several servers running common enterprise applications, including Nessus, Splunk, CrowdStrike and Active Directory (with DNS). CrowdStrike and Splunk are integrated to emulate normal application communication. Several workstations running Windows 10 and Windows Server exist across two distinct network locations (Headquarters and Operations). Some of these machines periodically run simulated attacks that generate alerts in the XDR console, which you can explore to see how the product and solution operate.


You will access the environment using a Windows-based jumphost, from which you can browse web consoles, open RDP/SSH sessions, etc. (see Lab Topology). 

Lab diagram
