CLOUD CONNECTOR

Cisco AMP for Endpoints

Cisco AMP for Endpoints provides next-generation endpoint protection, scanning files using a variety of antimalware technologies, including the Cisco antivirus engine.

Securonix integrates with the Cisco AMP for Endpoints API, ingesting detected threat events such as malware, ransomware, phishing, and account compromise and correlating them with events across the rest of the enterprise security infrastructure.

Cisco AMP API Event Service/Module Major Log/Event Types Related Threats Use Cases/Threat Packages Details
Policy/Configuration Updates Policy Updated/Success/Failure, Endpoint IOC Definition Update Success/Failure, Endpoint IOC Configuration Update/Failure, Update: Reboot Advised/Required, Endpoint Isolation Start/Stop Success/Failure, Orbital Install Success/Failure, Endpoint Isolation Unlock Limit Reached Account Misuse/Compromise Account Misuse/Compromise AMP Policy/Configuration updates, Signatures/Definitions Updates and other configuration linked events
OS and Application Events/Threats Application Execution Block, Application Deregistered, Application Authorized/Deauthorized, Reboot Pending/Completed, File Fetch Success/Failure, Exploit Prevention, Critical/Major/Minor Fault Raised/Cleared, iOS Network Detection, Malicious Activity Block, System Process Protection Malware, Ransomware, Phishing Cyber Threat OS and Application Linked Threat Alerts
Scan and Quarantine Events Scan Started/Completed/Failed, Detection, Quarantine Failure, Quarantine Restore Request/Success/Failure,Cloud Quarantine Requests, Restore False Positive, Manual Malicious File Detection, Endpoint IOC Scan Success/Failure (with/Without Detections) Malware, Ransomware, Phishing Cyber Threat Scan and Quarantine events
App Specific Alerts Compromise Alerts, Shell Launch (Adobe Reader, Microsoft Word/Excel/Powerpoint, Apple QuickTime), Compromised Applications (Notepad, Calculator, Microsoft CHM, Vulnerable Application Detected Malware, Ransomware, Phishing Cyber Threat Application Specific Threat Alerts
Critical Threat Alerts Threat Detected, Threat Quarantined, APK/Custom APK Threat Detection, DFC (Device Flow Correlation - Unusual Network Activity) Threat Detection, Multiple Infections, Potential Dropper Infection, Malware Execution, Suspected Botnet connections, Connection to Suspicious Domain, Threat in Low Prevalence Executable, Suspicious Download, Suspicious CScript Launch (Windows Shell and CScript launch through IE), Potential Ransomware/Webshell, Rootkit Detection, Malicious Activity Detection Malware, Ransomware, Phishing Cyber Threat Critical threat alerts, indicating an urgent/imminent threat to systems security to be investigated immediately. High Priority.
Product Alerts Install Started/Failed, Uninstall Success/Failure, Email Confirmation (Account Creation), Password Reset, Product Update Started/Failed/Completed Account Misuse/Compromise Account Misuse/Compromise AMP Product Alerts