Award-winning live online course
Experienced Instructors
Virtual Labs Access
Video Recordings
The “Cortex XSOAR Automation and Orchestration” (EDU-380) course covers the following content:
Course Overview
- Welcome and introductions
- Intended audience and course focus
- Course objectives, modules, and exam
- Certification information and Beacon tasks
- Lab topology
Core Functionality and Feature Sets
Extended security orchestration, automation, and response
- Product pillars
- High-level flow logic
- Use case development
Cortex XSOAR Initial Discovery Lab
- Log in to the lab environment
- Create two new user accounts
- Explore the War Room
- Explore the Marketplace and install content packs
- Explore the web interface of Cortex XSOAR
XSOAR Integrations
Event sources, investigation resources, and response targets
- Integration concepts
- Types of integrations
- Installation and configuration
- Integration controls
Integrations Lab
- Configure the basic integrations
- Configure the urlscan.io integration
- Configure the VirusTotal integration
- Configure custom integrations
- Test the integrations
- Review the indicators
- Prepare for the next lab
Playbooks
Point-and-click scripting . . . and beyond
- Engineer resources
- Playbook functions
- Indicator extraction
Incidents Investigation Lab
- Select an incident
- Case Info tab
- Investigation tab
- War Room tab
- Work Plan tab
- Mark as Evidence
- Collaboration
- Evidence Board tab
Classification & Mapping
Apply an Incident Type.
Write event data to XSOAR fields.
- Process flow
- Integration configuration and generation
- Classification
- Mapping
Classification and Mapping Lab
- Create an Incident Classifier
- Create a new Incident Mapper
- Map data to the Detected IPs field
- Map data to the Detected User field
- Map data to the File MD5 field
- Test the Mapping Rule
Layout Builder
Display data that analysts want to see in a format that’s easy to use.
- Layouts and system logic
- Access to the Layout Builder
- Using the Layout Builder
- Best practices
Incidents Layout Configuration Lab
- Create a new incident type
- Create a new field
- Define the Incident Layout
- Update the new Incident Layout
- Test the layout
Solution Architecture
Multiserver configurations for cloud hosting, dev-prod, and high availability
- Basic topologies
- Scalability
- Dev-prod
- Log files
Docker
How XSOAR uses it and how you can customize its use
- Docker basics
- System use of Docker
- Hardening and use of custom images
Pre-Process Rules Lab
- Create the pre-processing rule
- Verify the results
Automation Development & Debugging
Automation scripts perform narrowly defined, focused tasks
- Automation concepts
- Writing automations
Build a Playbook Lab
- Create a new incident
- Create a custom playbook
- Test the playbook in the Work Plan
- Continue the playbook creation
The Marketplace and Content Management
Content packs, what is inside them, and what may be outside . . .
- Platform content and the Marketplace
- Custom content
Indicators and Threat Intelligence Management
Take command of observable indicators and threat intel feeds
- Indicator management
- Auto extraction
- Threat Intelligence Management
Add SaaS Applications to a Firewall Allow List Lab
- Configure the Office 365 feed
- Configure the Instance Execute External setting
- Configure the Palo Alto Networks firewall integration
- Populate and test the PANW EDL Service integration
- (Optional) Configure the firewall to get the EDL
Block and/or Alert on Observable Known Threats Lab
- Configure threat-feed integrations
- Create a job for indicator analysis
- Business-partner and internal lists
- Test the functionality of the list
- Configure the PANW EDL Service to get configured Threat Feeds
- Verify that the EDL operates as expected
- Configure the firewall to get the EDL (Optional)
Jobs and Job Scheduling
A job is a scheduled one-time or recurring incident
- Job concepts
- Create and edit jobs
- Monitor and manage jobs
Lists Lab
- Set up the webserver
- Create a list
- Create a playbook
- Test your playbook
Jobs Lab
- Create a new job
Users and Role-Based Access Controls (RBAC)
Use RBAC settings to limit access to system functions
- Local User Accounts
- Network User Accounts
- RBAC Settings
- Troubleshooting
Users and RBAC Lab
- Create roles
- Assign roles
- Create a playbook to assign roles
- Assign a default playbook to incident types
- Review your classification and pre-processing rules
- Test your role assignment
Custom Widgets and Shifts Lab
- Create some new users
- Create shift roles
- Create an automation script for a widget
- Create a new dashboard and add a widget
Integration Development
Bring your own integration! (BYOI)
- BYOI concepts
- Best practices
Experience & Passion
The difference is made by our instructors, who have many years of field experience that they bring with them into the classroom.
“All of my guys enjoyed and valued this course to the maximum.
You will simply love it”
Kamil Golombek
NIS Cyber Defence Security Perimeter EMEA