Secure Endpoint Integration
Cisco Secure Endpoint is a holistic, cloud-based endpoint protection suite that safeguards against cyber threats and provides visibility and control over endpoint file, behavior, and network activity via connectors that are installed on an endpoint (for example, Mac, Windows, Linux).
Integration with Secure Endpoint allows you to investigate and identify multiple files with context from other integrated security products. It provides detailed information on affected endpoints and devices, including IP addresses, OS, Secure Endpoint GUID, and network traffic destinations. Additionally, it allows you to reactively or proactively block harmful files and immediately isolate infected devices.
Integration with Secure Endpoint allows you to incorporate Cisco Secure Endpoint detections into XDR's overall incident detection and correlation capabilities. It gives incident responders and security analysts the ability to hunt, detect, and respond to file hashes and other endpoint observables alongside their other security tools.
If Cisco Secure Endpoint does not report network interface information for a device, device correlation is impacted and these Secure Endpoint detections may not be part of an incident. To resolve this issue, we recommend that you upgrade Secure Endpoint to the following agent versions, which report detailed device information for detections originating on the endpoint:
- Windows: 8.4.4 or later
- Mac: 1.26.0.1010 or later
- Linux: 1.26.0.1177 or later
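Before expecting Secure Endpoint detections to correlate into incidents, it is worth auditing connector versions against the minimums above. The following is an added example, not Cisco code: it compares four-component connector versions against the per-platform minimums from this page over a constructed sample inventory (the hostnames and versions are made up).

```python
"""Flag Secure Endpoint connectors below the minimum versions that report
detailed device information for XDR incident correlation.

Added example; not Cisco code. The inventory rows below are constructed
sample data, not exported from Secure Endpoint."""
from typing import Iterable, List, Tuple

# Minimum connector versions quoted on this page, per platform.
MIN_VERSION = {
    "windows": "8.4.4",
    "mac": "1.26.0.1010",
    "linux": "1.26.0.1177",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.26.0.1010' into (1, 26, 0, 1010) for numeric comparison.
    Missing trailing components compare as 0, so '8.4.4' == '8.4.4.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def needs_upgrade(platform: str, version: str) -> bool:
    """True when the connector is older than the minimum for its platform.
    Unknown platforms raise KeyError rather than silently passing."""
    minimum = MIN_VERSION[platform.lower()]
    return parse_version(version) < parse_version(minimum)


def audit(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose connector will not report full device info.
    inventory: iterable of (hostname, platform, connector_version)."""
    return [host for host, plat, ver in inventory if needs_upgrade(plat, ver)]


# Constructed sample inventory (hostname, platform, connector version).
SAMPLE_INVENTORY = [
    ("win-fin-01", "Windows", "8.4.4"),
    ("win-hr-02", "Windows", "8.1.7"),
    ("mac-eng-07", "Mac", "1.26.0.1010"),
    ("lnx-build-3", "Linux", "1.26.0.1100"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: upgrade connector; detections may not correlate")
```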
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Cisco tab and navigate to the Secure Endpoint integration.
- Click Enable. The Secure Endpoint Dashboard is displayed in a new tab.
- In Secure Endpoint, activate Cisco XDR to integrate your Secure Endpoint organization with your Cisco XDR account. For details on how to activate Cisco XDR in Secure Endpoint, see Integrate with Cisco XDR in the Secure Endpoint help. Once enabled, some of your Secure Endpoint data is shared with Cisco XDR.
The Secure Endpoint integration is listed in the My Integrations area on the Cisco XDR Integrations page.
Incidents are groups of correlated events generated using data ingested from your integrated products. Correlating events that could be part of a larger threat into an incident reduces the time typically required to investigate individual security alerts or detections. For more information about the Cisco XDR Incidents feature, see Incidents.
When you enable the Secure Endpoint integration, Cisco XDR ingests the events that are sent by Secure Endpoint and uses them for incident correlation. For details, see Cisco XDR or Client Cloud Management Integration in the Secure Endpoint help.
To view incidents with Secure Endpoint data:
- In the Cisco XDR navigation menu, choose Incidents.
- Look for Secure Endpoint in the Source column to find incidents generated with Secure Endpoint data.
- Select an incident and open the Incident Detail page.
- Click the Detection page to see events from Secure Endpoint and other sources.
To verify that Cisco XDR is receiving Secure Endpoint data when no incidents are present, go to the Incidents > Detections page and filter the table by Secure Endpoint using the Source drop-down list. For more information, see the Detections help topic.
You can perform the following tasks after you integrate Secure Endpoint with Cisco XDR:
- Investigations - Start a new investigation into any combination of observables; the results will include any records of them found in your Secure Endpoint. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Secure Endpoint has recent information. For details, see Investigate.
- Detections - View the security events generated by Secure Endpoint to validate the data that is ingested by Cisco XDR for incident generation. For details, see Detections.
- Secure Client Deployments - Once the Secure Endpoint integration is configured, you can create deployments that use the Secure Endpoint connector. For details, see Create Deployment.
- Dashboard - Add Secure Endpoint cards to a dashboard in Control Center to view data, such as top endpoint compromises. For details, see Configure Dashboards and Cards. For a list of available Secure Endpoint tiles, see Integration Cards.
- Pivot Menu - Use the Pivot menu to access response and research actions from the integrations enabled for your Cisco XDR organization, such as blocking a domain in an XDR-connected DNS security product or blocking an IP in an XDR-connected firewall. You can also install workflows from the Automation Exchange to add more actions to the Pivot menu.
- Assets - View devices as reported by Secure Endpoint. For more information, including how to filter the view to only the reports from Secure Endpoint, see Devices.
- Automation:
  - Target - The Secure Endpoint target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.