Cisco Secure Endpoint Solution

Solution: Cisco Secure Endpoint

| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.0 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-10-28 |
| Last Updated | 2022-02-02 |
| Solution Folder | Cisco Secure Endpoint |
| Marketplace | Azure Marketplace · Rating: ★★★★★ 5.0/5 (1 rating) · Popularity: 🟡 Low (32%) |

The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint audit logs and events into Microsoft Sentinel.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

Microsoft Sentinel Codeless Connector Framework

Contents

Data Connectors

This solution provides 1 data connector(s) (plus 1 discovered⚠️):

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 3 table(s):

| Table | Used By Connectors | Used By Content |
|---|---|---|
| CiscoSecureEndpointAuditLogsV2_CL | Cisco Secure Endpoint (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| CiscoSecureEndpointEventsV2_CL | Cisco Secure Endpoint (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| CiscoSecureEndpoint_CL 🔶 | [DEPRECATED] Cisco Secure Endpoint (AMP) | Analytics, Hunting, Workbooks |

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 23 content item(s):

| Content Type | Count |
|---|---|
| Analytic Rules | 11 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Cisco SE - Connection to known C2 server | High | CommandAndControl | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Dropper activity on host | High | Execution | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Generic IOC | High | Execution | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Malware execution on host | High | Execution | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Malware outbreak | High | InitialAccess | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Multiple malware on host | High | InitialAccess | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Policy update failure | Medium | DefenseEvasion | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Possible webshell | High | CommandAndControl | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Ransomware Activity | High | Impact | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Unexpected binary file | Medium | InitialAccess | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE High Events Last Hour | High | Execution, InitialAccess | CiscoSecureEndpoint_CL |

Hunting Queries

| Name | Tactics | Tables Used |
|---|---|---|
| Cisco SE - Infected hosts | Execution | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Infected users | Execution | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Malicious files | Execution | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Modified agents on hosts | DefenseEvasion | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Rare scanned files | Execution | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Scanned files | Execution | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Suspicious powershell downloads | Execution | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Uncommon application behavior | Execution | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - User Logins | InitialAccess | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |
| Cisco SE - Vulnerable applications | Execution | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |

Workbooks

| Name | Tables Used |
|---|---|
| Cisco Secure Endpoint Overview | CiscoSecureEndpointAuditLogsV2_CL, CiscoSecureEndpointEventsV2_CL, CiscoSecureEndpoint_CL |

Parsers

| Name | Description | Tables Used |
|---|---|---|
| CiscoSecureEndpoint | - | CiscoSecureEndpointAuditLogsV2_CL (read), CiscoSecureEndpointEventsV2_CL (read), CiscoSecureEndpoint_CL (read) |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.2 | 14-08-2025 | Cisco Secure Endpoint CCF Connector moving to GA. |
| 3.0.1 | 23-06-2025 | Adding a new CCF Data Connector - Cisco Secure Endpoint and updated the Parser to handle the newly introduced table. |
| 3.0.0 | 28-08-2024 | Updated the python runtime version to 3.11. |