Secure Endpoint Integration
Cisco Secure Endpoint is a holistic, cloud-based endpoint protection suite that safeguards against cyber threats and provides visibility and control over endpoint file, behavior, and network activity via connectors that are installed on an endpoint (for example, Mac, Windows, Linux).
Integration with Secure Endpoint allows you to investigate and identify multiple files with context from other integrated security products. It provides detailed information on affected endpoints and devices, including IP addresses, OS, Secure Endpoint GUID, and network traffic destinations. Additionally, it allows you to reactively or proactively block harmful files and immediately isolate infected devices.
Integration with Secure Endpoint allows you to incorporate Cisco Secure Endpoint detections into XDR's overall incident detection and correlation capabilities. It gives incident responders and security analysts the ability to hunt, detect, and respond to file hashes and other endpoint observables alongside their other security tools.
Cisco XDR ingests from Cisco Secure Endpoint:
- Security events: referred to as Detections in the Secure Endpoint console.
- Supporting evidence: endpoint activities that contributed to the security event, such as file system activities, process activities, and so on.
Cisco XDR does not ingest Secure Endpoint remediation actions. These include actions such as endpoint isolation, forensic snapshots, and group changes. If you require visibility into these actions, configure them through XDR Automation.
Cisco XDR ingests only the following three types of security events from Cisco Secure Endpoint:
- Advanced Pattern Detection Engine: Behavioral Protection (APDE-BP)
- Cloud Indicators of Compromise (Cloud IOC)
- Exploit Prevention (ExPrev)
Advanced Pattern Detection Engine, Behavioral Protection (APDE-BP): Detects and blocks threats based on behavior. It improves detection of living-off-the-land attacks and adapts quickly to new threats through signature updates. For more information, see Behavioral Protection.
Ingestion details:
- Operating system: Windows only. Linux and macOS events are not ingested.
- Severity levels: Critical, High, Medium, and Low. Informational events are not ingested.
Cloud Indicators of Compromise (Cloud IOC): Analyzes malware and threat activity to detect emerging threats. It processes endpoint telemetry, enriches it with threat intelligence, and generates detection events that identify compromised systems. For more information, see Indicators.
Ingestion details:
- Severity levels: Critical, High, Medium, and Low. Informational events are not ingested.
Exploit Prevention (ExPrev): Protects endpoints from exploits that target application and operating system vulnerabilities, including zero-day and fileless attacks. It randomizes memory locations and uses decoys to detect and block exploit attempts. For more information, see Exploit Prevention.
Ingestion details:
- Operating system: Windows only. Secure Endpoint supports Exploit Prevention on Windows only.
- Severity levels: Critical, High, Medium, Low, Informational, and Unknown.
Note: Antivirus and file-scanning detections, including retrospective detections from Secure Endpoint, are not ingested by Cisco XDR. Only the detection types listed above are supported.
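The ingestion rules above decide whether a given Secure Endpoint detection will ever appear in Cisco XDR, so when an expected detection is missing from Detection findings, check them before suspecting the integration itself. The following Python script is an added example, not code from Cisco XDR or Cisco Secure Endpoint: it encodes the rules stated on this page as a filter and runs it over a constructed batch of events. The event field names (event_type, os, severity) and all sample events are assumptions made for the example and do not reflect the real Secure Endpoint event schema.

```python
"""Model the Cisco XDR ingestion rules for Secure Endpoint security events.

Added example; not code from Cisco XDR or Cisco Secure Endpoint. The rules
are the ones stated on this page. The field names (event_type, os, severity)
and all sample events below are constructed for the example and are not the
real Secure Endpoint event schema.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity levels Cisco XDR ingests, per detection engine (from this page).
INGESTED_SEVERITIES = {
    "APDE-BP": {"Critical", "High", "Medium", "Low"},
    "Cloud IOC": {"Critical", "High", "Medium", "Low"},
    "ExPrev": {"Critical", "High", "Medium", "Low", "Informational", "Unknown"},
}

# Engines whose events are ingested from Windows endpoints only.
# The page states no operating-system restriction for Cloud IOC.
WINDOWS_ONLY = {"APDE-BP", "ExPrev"}


@dataclass(frozen=True)
class Event:
    event_type: str   # engine name as used on this page, or another detection type
    os: str           # "Windows", "Linux", "Mac", ... (assumed field)
    severity: str     # assumed field


def drop_reason(event: Event) -> Optional[str]:
    """Return None if Cisco XDR ingests the event, else a short reason it is dropped."""
    if event.event_type not in INGESTED_SEVERITIES:
        # Covers antivirus/file-scan and retrospective detections, remediation
        # actions, and anything else outside the three supported engines.
        return "detection type not ingested (only APDE-BP, Cloud IOC, ExPrev)"
    if event.event_type in WINDOWS_ONLY and event.os != "Windows":
        return f"{event.event_type} events are ingested from Windows only"
    if event.severity not in INGESTED_SEVERITIES[event.event_type]:
        return f"{event.severity} severity is not ingested for {event.event_type}"
    return None


def is_ingested(event: Event) -> bool:
    return drop_reason(event) is None


def triage(events: List[Event]) -> Tuple[List[Event], List[Tuple[Event, str]]]:
    """Split a batch into the events XDR keeps and (event, reason) pairs it drops."""
    kept, dropped = [], []
    for ev in events:
        reason = drop_reason(ev)
        if reason is None:
            kept.append(ev)
        else:
            dropped.append((ev, reason))
    return kept, dropped


# Constructed sample batch covering the edge cases the page calls out.
SAMPLE_EVENTS = [
    Event("APDE-BP", "Windows", "High"),             # kept
    Event("APDE-BP", "Linux", "High"),               # dropped: Windows only
    Event("APDE-BP", "Windows", "Informational"),    # dropped: severity
    Event("Cloud IOC", "Mac", "Medium"),             # kept: no OS restriction stated
    Event("Cloud IOC", "Windows", "Informational"),  # dropped: severity
    Event("ExPrev", "Windows", "Informational"),     # kept: ExPrev ingests Informational
    Event("ExPrev", "Windows", "Unknown"),           # kept
    Event("Retrospective", "Windows", "Critical"),   # dropped: AV/retrospective
]

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_EVENTS)
    print(f"ingested: {len(kept)}, dropped: {len(dropped)}")
    for ev, reason in dropped:
        print(f"  {ev.event_type:<14} {ev.os:<8} {ev.severity:<14} -> {reason}")
```

Run it as-is to see the four dropped sample events and the rule each one tripped; to use it for real triage, replace SAMPLE_EVENTS with the detections your connectors actually reported, mapped onto the three fields the filter reads.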
To enable the Secure Endpoint integration:
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Cisco tab and navigate to the Secure Endpoint integration.
- Click Enable. The Secure Endpoint dashboard opens in a new tab.
- In Secure Endpoint, activate Cisco XDR to link your Secure Endpoint organization with your Cisco XDR account. For details on how to activate Cisco XDR in Secure Endpoint, see Integrate with Cisco XDR in the Secure Endpoint help. Once enabled, some of your Secure Endpoint data is shared with Cisco XDR.
The Secure Endpoint integration is listed in the My Integrations area on the Cisco XDR Integrations page.
Incidents are groups of correlated events generated from data ingested from your integrated products. Correlating events that could be part of a larger threat into a single incident reduces the time typically required to investigate individual security alerts or detections. For more information about the Cisco XDR Incidents feature, see Incidents.
When you enable the Secure Endpoint integration, Cisco XDR ingests the events that are sent by Secure Endpoint and uses them for incident correlation. For details, see Cisco XDR or Client Cloud Management Integration in the Secure Endpoint help.
To view incidents with Secure Endpoint data:
- In the Cisco XDR navigation menu, choose Incidents.
- Look for Secure Endpoint in the Source column to find incidents generated with Secure Endpoint data.
- Select an incident to open the Incident Detail page.
- Open the Detection page to see events from Secure Endpoint and other sources.
To verify that Cisco XDR is receiving Secure Endpoint data when no incidents are present, go to the Investigate > Detection findings page and filter the table by Secure Endpoint using the Source drop-down list. For more information, see the Detection Findings help topic.
You can perform the following tasks after you integrate Secure Endpoint with Cisco XDR:
- Investigations - Start a new investigation into any combination of observables (for example, file hashes, IP addresses, or domains); the results include any records of them found in your Secure Endpoint organization. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Secure Endpoint has recent information. For details, see Investigate.
- Detection findings - View the security events generated by Secure Endpoint to validate the data that Cisco XDR ingests for incident generation. For details, see Detection Findings.
- Secure Client Deployments - Once the Secure Endpoint integration is configured, you can create deployments that use the Secure Endpoint connector. For details, see Create Deployment.
- Dashboard - Add Secure Endpoint cards to a dashboard in Control Center to view data such as top endpoint compromises. For details, see Configure Dashboards and Cards. For a list of available Secure Endpoint cards, see Integration Cards.
- Pivot Menu - Use the Pivot menu to access response and research actions from the integrations enabled for your Cisco XDR organization, such as blocking a domain in an XDR-connected DNS security product or blocking an IP address in an XDR-connected firewall. You can also install workflows from the Automation Exchange to add more actions to the Pivot menu.
- Assets - View devices as reported by Secure Endpoint. For more information, including how to filter the view to only the reports from Secure Endpoint, see Devices.
- Automation - The Secure Endpoint target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.
