SOCFortress Integrations — Cisco Secure EndPoint

Intro

SOCFortress integration and visualization tools allow security analysts the visualization and triage of Cisco Secure EndPoint security events using a single pane of glass.

About Cisco Secure EndPoint

Cisco Secure Endpoint (formerly Cisco Advanced Malware Protection or Cisco AMP for Endpoints) is a security solution provided by Cisco that focuses on protecting endpoints (desktops, laptops, servers, and mobile devices) from advanced malware, viruses, and other security threats. It is part of the Cisco SecureX platform, which integrates various Cisco security products to provide a comprehensive and cohesive security solution.

Cisco Secure Endpoint includes:

• Malware Protection: The solution employs machine learning algorithms to detect and block known and unknown malware in real-time.
• Behavioral Analysis: It analyzes the behavior of files and processes on endpoints to identify and block suspicious activities that may indicate the presence of malware or other threats.
• Endpoint Isolation: In case of a confirmed threat, the solution can isolate the affected endpoint from the network to prevent further spread of the malware.
• Integration with Cisco SecureX: Cisco Secure Endpoint is part of the Cisco SecureX platform, allowing for seamless integration with other Cisco security products, providing a unified security experience and centralized management.
• Cloud-Based Management: Cisco Secure Endpoint can be managed from a centralized cloud-based console, making it easier to deploy, configure, and monitor security policies across all endpoints.

Ingesting Cisco Secure EndPoint Events

Cisco Secure EndPoint will log alerts and events into its own WinEvtChannel (under “Applications and Services Logs):

The Wazuh agent can be configured to read entries in this channel and stream the data to the Wazuh manager:

Agent configuration (ossec.conf):

<localfile>
  <location>CiscoSecureEndpoint/Events</location>
  <log_format>eventchannel</log_format>
</localfile>

Detection rules (Wazuh manager):

<group name="windows,">
  <rule id="300100" level="3">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^CiscoSecureEndpoint$</field>
    <options>no_full_log</options>
    <group>cisco_secure_endpoint,</group>
    <description>Cisco Secure Endpoint - Notification</description>
  </rule>
  <rule id="300101" level="12">
    <if_sid>300100</if_sid>
    <field name="win.system.message" type="pcre2">(?i)^"Quarantine</field>
    <options>no_full_log</options>
    <group>cisco_secure_endpoint,</group>
    <description>Cisco Secure Endpoint - Quarantine Event</description>
  </rule>
  <rule id="300102" level="12">
    <if_sid>300100</if_sid>
    <field name="win.system.message" type="pcre2">(?i)^"Malicious</field>
    <options>no_full_log</options>
    <group>cisco_secure_endpoint,</group>
    <description>Cisco Secure Endpoint - Malicious Event</description>
  </rule>
</group>

Visualizations

Alerts:

Events Histogram:

Events Table:

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html