The Cisco Stealthwatch Security (SSO) v7.1 course focuses on using Cisco Stealthwatch Enterprise from the perspective of a security analyst. The overarching goal of the course is to use Stealthwatch to investigate potential security issues and make initial determinations of whether to proceed with a more thorough investigation or to move on to the next potential threat.

The price in Cisco Learning Credits (CLC) for the SSO course is 36 CLCs per person.

This course will help you:
  • Develop workflows for security investigations.
  • Understand how events and alarms are produced in the system.

Course duration
  • Instructor-led classroom training (ILT): 2 days
  • Virtual instructor-led classroom training (VILT): 2 days

Important note: This course is available only to qualified Cisco Stealthwatch customers.


After taking this course, you should be able to:
  • Describe how the Stealthwatch System provides network visibility through monitoring and detection.
  • Describe the goals of using Stealthwatch in the proactive and operational modes.
  • Define basic concepts of investigation and detection of potential security issues using the Stealthwatch System.
  • Complete workflows to identify indicators of compromise in your network.
  • Describe alarm types and alarm notification within Stealthwatch.
  • Explain the utility of maps in the Stealthwatch System.
  • Describe how the Stealthwatch System contributes to successful incident handling.


The course contains the following components:
  • Day One
    • Course Introduction
    • Cisco Stealthwatch Security Course Overview
    • Introduction to Security
    • Using Stealthwatch in the Proactive Mode
    • Pattern Recognition
    • Investigation and Detection Using Stealthwatch
    • Lab: Using Top Reports and Flow Tables for Detection
    • Lab: Creating and Using Dashboards for Detection
    • Lab: Creating Custom Security Events
    • Lab: Proactive Investigation Practice
  • Day Two
    • Day One Review
    • Using Stealthwatch in the Operational Mode
    • Alarms and Alarm Response
    • Maps
    • Lab: Responding to Alarms
    • Lab: Using Maps for Incident Response
    • Host Identification
    • Lab: Identify Hosts Using Host Snapshot and Host Report
    • Culminating Scenario: Using Stealthwatch for Insider Threats
    • Security Best Practices in Stealthwatch
    • Cisco Stealthwatch Security Course Outcomes
    • Course Conclusion

Prerequisite Knowledge

It is strongly recommended to complete the Stealthwatch Foundations training prior to taking this course.