Cisco eXtended Detection and Response (XDR) Playbook
This playbook is designed to provide you with use case education, customer requirements, and actions you'll need to take to help your customers navigate their Cisco product adoption.


How to coach for success with Cisco XDR
Each of the following journeys are designed to guide customers along the corresponding steps of their Cisco XDR onboarding experience. From getting started, to tapping into advanced features to further integrate, automate, and monitor their security, learn how to best coach for success.
This journey offers expert guidance and support in assessing the customer's IT infrastructure and activating Cisco XDR.
Provide training for effective usage of the Cisco XDR Dashboard, Cisco XDR incidents, and offer ongoing support for troubleshooting. Your coaching will ensure a smooth and successful activation of Cisco XDR for customers.
This journey helps customers add users and assign roles as a Cisco XDR Administrator.
Support their integration of Cisco security products and third-party solutions, specifically their Endpoint Solution and Secure Cloud Analytics (SCA), to detect and respond to threats effectively. Help them access instructional videos, guides, and resources for setup, integration, and adoption assistance.
This journey helps customers use advanced features to quickly manage security events.
Help customers prioritize incidents, access detailed information, and utilize response tasks for diagnosis, containment, and remediation to restore system functionality with the Incidents feature. Support their creation of Custom Playbooks in Cisco XDR for structured incident management, aiding in threat identification, containment, eradication, and recovery. Support their use of Cisco's Network Visibility Module in Cisco XDR for enhanced network insights by collecting endpoint flow data. Help them create and deploy a custom NVM configuration.
Customers enter each journey when they meet the corresponding entry criteria:
Customer's number_of_integrations equals zero or is NULL
Customers are eligible for these journeys when they have purchased:
| Eligibility Rule | Hierarchy Component | Rule Description |
|---|---|---|
| Rule 1 | License | Must have at least one license (Cisco SWATCH Cloud, Security EA Choice SWATCHC, Security EA 2.0 POLICY SWATCHC, Cisco XDR Subscription) |

| Eligibility Scenarios |
|---|
| If Rule 1 is TRUE, then your customer is ELIGIBLE |
Guidance on helping your customer adopt Cisco XDR
In this stage, the customer will:
- Become familiar with Cisco XDR Platform
- Log into the Cisco XDR Portal and activate their enterprise
- Prepare intelligence sources for integration with Cisco XDR
- Integrate EDR modules and SCA with Cisco XDR
- Configure Cisco XDR dashboards
- Provision additional admin or incident responder accounts
The customer will exit this stage when they have:
- Successfully claimed their Cisco XDR subscription, logged into the Cisco XDR Portal, and activated their enterprise
- Integrated Endpoint Solution modules and Secure Cloud Analytics (SCA) with Cisco XDR
- Provisioned additional admin or incident responder accounts
Tips for Partner
Ensure your customer is:
- Logging into Cisco XDR Portal successfully
- Set up within their correct region under "My Account" within the platform
- Exploring modular content associated with onboarding the Cisco XDR Platform
- Familiar with Cisco and third-party integrations, and validating that each integration is adopted on its own. A customer won't receive incidents in the dashboard until a product integration is adopted.
Provisioning
Preheader: Provision Cisco XDR today!
Trigger: Customer enters the journey but has not provisioned Cisco XDR
Goal: Encourage customer to provision Cisco XDR
Provisioning
In this stage, the customer will:
- Log into Cisco XDR and verify their role under "My Accounts"
- Add users by going to "Administration" and "Manage Users"
- Enable integrations by selecting "Get Started" followed by "Enable"
- Complete the form in the "Add Integration" area by clicking "Add Integration"
The customer will exit this stage when they have:
- Enabled at least one integration to allow incidents to flow
- Logged into Cisco XDR Platform (at least five times every 30 days)
- Reviewed the Cisco XDR Incidents List (at least five times in the last 30 days)
Tips for Partner
Ensure your customer is:
- Aware that only users with an Administrator role can add integrations
- Adding at least one additional Administrator so that a single unavailable or locked account cannot lock them out of the platform
- Aware that to begin seeing incidents and respond to key events within Cisco XDR, at least one integration must be added
- Starting with the Endpoint Solution
- Planning to integrate Secure Cloud Analytics (SCA) by following the SCA integration guide
- Logging into Cisco XDR Platform five or more times every 30 days
- Logging into the "Incidents" page five times or more in the last 30 days
Welcome Integrations
Preheader: Everything you need for a successful deployment
Trigger: Customer has provisioned Cisco XDR and is ready to add integrations
Goal: Encourage customer to log into Cisco XDR, add users, and assign at least one admin role. Customer should also add at least one integration to Cisco XDR
Welcome Integrations
In this stage, the customer will:
- Log into Cisco XDR Platform (at least five times every 30 days)
- Review incidents that have been promoted by Cisco XDR
- Review incident details within the "Detection" page and use the response tasks to identify, contain, and restore systems post-threat
- Prioritize specific incidents and assets, and establish baselines
- Review correlated incidents within the "Incidents" menu (at least five times in the last 30 days)
- Continue to add integrations with Cisco XDR (three or more)
The customer will exit this stage when they have:
- Reviewed incidents five or more times in the last 30 days
- Run investigations on five or more days in the last 30 days
- Continued to integrate
Tips for Partner
Ensure your customer is:
- Exploring the "Incidents" modular video associated with adopting the Cisco XDR platform
- Reviewing correlated incidents within the "Incidents" menu (at least five times in the last 30 days)
- Running investigations on five or more days in the last 30 days
- Continuing to add new integrations into Cisco XDR
Incidents
Preheader: Focus on critical incidents to protect your environment
Trigger: Customer has added at least one integration and does not have incidents flowing to XDR
Goal: Encourage customer to manage incidents by adding multiple integrations
Incidents
In this stage, the customer will:
- Actively engage with incidents within the Cisco XDR Dashboard
- Learn how to remediate and respond to incidents, and identify potential product gaps in their security infrastructure
- Expand their knowledge around playbooks with the Cisco XDR Dashboard
- Create custom playbooks that align to their specific business needs
The customer will exit this stage when they have:
- Created a custom playbook and assigned it to a specific incident
- Viewed the "Incident Response" page to expand incidents feature usage OR launched an investigation from any individual incident (on five or more days in the last 30 days)
- Run investigations on five or more days in the last 30 days
- Integrated an additional two or more modules with Cisco XDR
Tips for Partner
Ensure your customer is:
- Understanding the value of Custom Playbooks
- Using the custom playbooks to guide incident response to effectively identify, contain, and eradicate the threat, and then restore systems to recover from the threat
- Aware that the custom playbooks include a collection of tasks for all phases of incident response
- Aware that until a custom playbook is created, the default Cisco-managed playbook will be assigned to all new incidents
Custom Playbooks
Preheader: Discover how to effectively manage incidents with custom playbooks in Cisco XDR.
Trigger: Customer has at least one incident flowing to Cisco XDR
Goal: Encourage customer to manage incidents by creating a custom playbook for a specific incident
Custom Playbooks
In this stage, the customer will:
- Deploy a Cisco NVM Profile from the Cisco XDR Secure Client Cloud Connector
- Run investigations on five or more days in the last 30 days
- Integrate an additional two or more modules with Cisco XDR
- Expand incidents feature usage by viewing the "Incident Response" page OR launching an investigation from any individual incident (on five or more days in the last 30 days)
- Attempt to run at least one automation workflow in the last 30 days
- Visit the "Assets" page
The customer will exit this stage when they have:
- Effectively deployed a Cisco NVM Profile
- Viewed the "Incident Response" page to expand incidents feature usage OR launched an investigation from any individual incident (on five or more days in the last 30 days)
- Run investigations on five or more days in the last 30 days
- Added at least two or more new modules to integrate with Cisco XDR
Tips for Partner
Ensure your customer is:
- Deploying a Secure Client profile with NVM enabled; the endpoint flow data it collects lets the customer see which incidents to prioritize over others based on each incident's risk score
- Visiting the "Incident Response" page within an individual incident OR launching investigations from an individual incident (on five days in the last 30 days)
- Running investigations on five or more days in the last 30 days
- Integrating an additional two or more modules into Cisco XDR, beyond the incident-generating modules they already have (the Endpoint Detection and Response integrations Secure Endpoint, CrowdStrike, and Microsoft Defender for Endpoint, plus SCA)
Network Visibility Module
Preheader: Learn how to customize and deploy your network visibility module profile with Cisco Secure Client.
Trigger: Customer has opened the Custom Playbook email or two weeks have passed
Goal: Encourage customer to manage incidents by creating a custom NVM deployment