Secure Endpoint Integration
Cisco Secure Endpoint is a holistic, cloud-based endpoint protection suite that safeguards against cyber threats and provides visibility and control over endpoint file, behavior, and network activity via connectors that are installed on an endpoint (for example, Mac, Windows, Linux).
Integration with Secure Endpoint allows you to investigate and identify multiple files with context from other integrated security products. It provides detailed information on affected endpoints and devices, including IP addresses, OS, Secure Endpoint GUID, and network traffic destinations. Additionally, it allows you to reactively or proactively block harmful files and immediately isolate infected devices.
The telemetry sources for Cisco Secure Endpoint integrated with Cisco XDR are shown below:
Integration with Secure Endpoint allows you to incorporate Cisco Secure Endpoint detections into XDR's overall incident detection and correlation capabilities. It gives incident responders and security analysts the ability to hunt, detect, and respond to file hashes and other endpoint observables alongside their other security tools.

- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Cisco tab and navigate to the Secure Endpoint integration.
- Click Enable. The Secure Endpoint Dashboard is displayed in a new tab.
- In Secure Endpoint, activate Cisco XDR to integrate your Secure Endpoint organization with your Cisco XDR account. For details on how to activate Cisco XDR in Secure Endpoint, see Integrate with Cisco XDR in the Secure Endpoint help. Once enabled, some of your Secure Endpoint data is shared with Cisco XDR.
The Secure Endpoint integration is listed in the My Integrations area on the Cisco XDR Integrations page.

Incidents are groups of correlated events generated using data ingested from your integrated products. Correlating events that could be part of a larger threat into an incident reduces the time typically required to investigate individual security alerts or detections. For more information about the Cisco XDR Incidents feature, see Incidents.
When you enable the Secure Endpoint integration, Cisco XDR ingests the events that are sent by Secure Endpoint and uses them for incident correlation. For details, see Cisco XDR or Client Cloud Management Integration in the Secure Endpoint help.
To view incidents with Secure Endpoint data:
- In the Cisco XDR navigation menu, choose Incidents.
- Look for Secure Endpoint in the Source column to find incidents generated with Secure Endpoint data.
- Select an incident and open the Incident Detail page.
- Click on the Detection page to see events from Secure Endpoint and other sources.
If you do not have any incidents with Secure Endpoint data, you can verify that Cisco XDR is receiving data from Secure Endpoint using the Detection Ingest Status card on the Dashboards page. For more information about Cisco XDR Dashboards, see Dashboards.
To create a new dashboard that includes the Detection Ingest Status card:
- In the Cisco XDR navigation menu, choose Control Center > Dashboards and click Customize in the upper right corner of the Dashboards page.
- In the My Dashboards area, click Create new dashboard and enter a unique dashboard name in the Dashboard Name field.
- In the list of integrations, find the Secure Cloud Analytics integration and click the (Expand) icon.
- Check the Detection Ingest Status check box to add the card to the dashboard.
- Click Save.
The new customized dashboard is displayed on the Dashboards page. If no data is displayed in the Detection Ingest Status card for Secure Endpoint, check your integration configuration.

You can perform the following tasks after you integrate Secure Endpoint with Cisco XDR:
- Investigations - Start a new investigation into any combination of Secure Endpoint observables, and the results will include any records of them found in your Secure Endpoint. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Secure Endpoint has recent information. For details, see Investigate.
- Secure Client Deployments - Once the Secure Endpoint integration is configured, you can create deployments that use the Secure Endpoint connector. For details, see Create Deployment.
- Dashboard - Add Secure Endpoint cards to a dashboard in Control Center to view data, such as top endpoint compromises. For details, see Configure Dashboards and Cards. For a list of available Secure Endpoint tiles, see Integration Cards.
- Pivot Menu - Use the Pivot menu to access response and research actions from the integrations enabled for your Cisco XDR organization, such as blocking a domain in an XDR-connected DNS security product or blocking an IP in an XDR-connected firewall. You can also install workflows from the Automation Exchange to add more actions to the Pivot menu.
- Assets - View devices as reported by Secure Endpoint. For more information, including how to filter the view to only the reports from Secure Endpoint, see Devices.
- Automation:
  - Target - The Secure Endpoint target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.