The Cisco Stealthwatch Security (SSO) v7.1 is a 2-day instructor-led or virtual instructor-led course, which focuses on using Cisco Stealthwatch Enterprise from the perspective of a security analyst. The overarching goal of the course is to use Stealthwatch to investigate potential security issues and make initial determinations of whether to proceed with a more thorough investigation or to move on to the next potential threat.

This course will help you:
  • Develop workflows for security investigations.
  • Understand how events and alarms are produced in the system.

Important note: This course is available only to qualified Cisco Stealthwatch customers.


After taking this course, you should be able to:
  • Describe how the Stealthwatch System provides network visibility through monitoring and detection.
  • Describe the goals of using Stealthwatch in the proactive and operational modes.
  • Define basic concepts of investigation and detection of potential security issues using the Stealthwatch System.
  • Complete workflows to identify indicators of compromise in your network.
  • Describe alarm types and alarm notification within Stealthwatch.
  • Explain the utility of maps in the Stealthwatch System.
  • Describe how the Stealthwatch System contributes to successful incident handling.


The course contains the following components:
  • Day One
    • Course Introduction
    • Cisco Stealthwatch Security Course Overview
    • Introduction to Security
    • Using Stealthwatch in the Proactive Mode
    • Pattern Recognition
    • Investigation and Detection Using Stealthwatch
    • Lab: Using Top Reports and Flow Tables for Detection
    • Lab: Creating and Using Dashboards for Detection
    • Lab: Creating Custom Security Events
    • Lab: Proactive Investigation Practice
  • Day Two
    • Day One Review
    • Using Stealthwatch in the Operational Mode
    • Alarms and Alarm Response
    • Maps
    • Lab: Responding to Alarms
    • Lab: Using Maps for Incident Response
    • Host Identification
    • Lab: Identify Hosts Using Host Snapshot and Host Report
    • Culminating Scenario: Using Stealthwatch for Insider Threats
    • Security Best Practices in Stealthwatch
    • Cisco Stealthwatch Security Course Outcomes
    • Course Conclusion

Prerequisite Knowledge

It is strongly recommended to complete the Stealthwatch Foundations training prior to taking this course.