Cisco Secure Endpoint

Cisco Secure Endpoint is a cloud-delivered endpoint protection solution that helps businesses defend against advanced threats to their servers, desktops, and mobile devices. For detailed information refer to the Cisco Secure Endpoint’s official documentation.

Integration Method: API

Tables: Detection Finding (2004)

This integration supports the following event.

This integration supports the following version.

Note:

Cisco Secure Endpoint doesn’t follow a traditional versioning system. Instead, it is a continuously updated cloud service. As of this document preparation, latest release for windows 11 support was on 30-May-2024.

Prerequisites

• The user should have access to the Cisco secure endpoint portal.

• The user should have Cisco secure endpoint API Client ID and API Key.

• The user should have access to the DataBee console.

Configuration Overview

1. Get the API Client ID and API Key from Cisco Secure Endpoint portal.

2. Add the Cisco Secure Endpoint data feed in the DataBee console with the below parameters.

   DataBee Parameter	Cisco Secure Endpoint Parameter
   Username	API Client ID
   Password	API Key

Cisco Secure Endpoint Configuration

1. Log in to your AMP for Endpoints Console.

   

2. On the Cisco Secure Endpoint dashboard, navigate to Administration section and click API Credentials.

   

3. Click New API Credential to create a new API credential.

   

4. The “New API Credential” window appears. To create a new API Credential:

   1. Enter the ‘Application name’.

   2. Select the Read-only ‘Scope’.

   3. Click Create.

   

5. Copy the API Client ID and API Key. This will be used as username and password when we create a data source in DataBee.

   

   
   

   Note:

   API credentials will be visible only once. So, copy it and store it securely.

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.

   

2. Search for Cisco Secure Endpoint and click it as shown below.

   

3. Click on the API Ingest option for collection method.

   

4. Enter feed contact information and click Next.

   

5. In the configuration page, confirm the following:

   • Authorization Method: Basic

   • API Base URL: this is the base URL that DataBee will interact with.

     • Replace <server_id> with ID of your configured server.

     • There are the server ids available as shown below. Replace as per your server configuration.

       • North America: https://api.amp.cisco.com

       • Europe: https://api.eu.amp.cisco.com

       • Asia Pacific, Japan and China: https://api.apjc.amp.cisco.com

       • Consumer: https://api.consumer.amp.cisco.com

   • Username: paste the API Client ID.

   • Password: paste the API Key.

   • Event Types: preselected for all the event types that integration pulls.

   

6. Click Submit.

Troubleshooting Tips

• If you are facing unauthorized (401) error, this might be possibly due to incorrect API Credentials. Please refer to the API Credentials to retrieve the API details.