Cisco Secure Endpoint Integration

Version: 2.28.0
Compatible Kibana version(s): 8.13.0 or higher
Supported Serverless project types: Security, Observability
Subscription level: Basic
Level of support: Elastic

This integration is for Cisco Secure Endpoint logs. It includes the following dataset for logs received over syslog or read from a file:

  • event dataset: supports Cisco Secure Endpoint Event logs.

Logs

Secure Endpoint

The event dataset collects Cisco Secure Endpoint logs.

Example

An example event for the event dataset looks as follows:

{
    "@timestamp": "2021-01-13T10:13:08.000Z",
    "agent": {
        "ephemeral_id": "5402117c-8965-4c2d-9404-2a1fb6c47431",
        "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.0.0"
    },
    "cisco": {
        "secure_endpoint": {
            "cloud_ioc": {
                "description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.",
                "short_description": "W32.WinWord.Powershell"
            },
            "computer": {
                "active": true,
                "connector_guid": "test_connector_guid",
                "external_ip": "8.8.8.8",
                "network_addresses": [
                    {
                        "ip": "10.10.10.10",
                        "mac": "38:1e:eb:ba:2c:15"
                    }
                ]
            },
            "connector_guid": "test_connector_guid",
            "event_type_id": 1107296274,
            "file": {
                "disposition": "Clean",
                "parent": {
                    "disposition": "Clean"
                }
            },
            "group_guids": [
                "test_group_guid"
            ],
            "related": {
                "mac": [
                    "38-1E-EB-BA-2C-15"
                ]
            }
        }
    },
    "data_stream": {
        "dataset": "cisco_secure_endpoint.event",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "49007565-f0ac-4df0-9672-50a3e25920e8",
        "snapshot": false,
        "version": "8.0.0"
    },
    "event": {
        "action": "Cloud IOC",
        "agent_id_status": "verified",
        "category": [
            "file"
        ],
        "code": "1107296274",
        "created": "2023-06-01T09:45:22.836Z",
        "dataset": "cisco_secure_endpoint.event",
        "id": "1515298355162029000",
        "ingested": "2023-06-01T09:45:23Z",
        "kind": "alert",
        "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://47c9519daa08:8080/v1/events?start_date=2023-05-31T09:45:22+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}",
        "severity": 2,
        "start": "2021-01-13T10:13:08.000Z"
    },
    "file": {
        "hash": {
            "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
        },
        "name": "PowerShell.exe",
        "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe"
    },
    "host": {
        "hostname": "Demo_AMP",
        "name": "demo_amp"
    },
    "input": {
        "type": "httpjson"
    },
    "process": {
        "hash": {
            "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"
        }
    },
    "related": {
        "hash": [
            "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
        ],
        "hosts": [
            "demo_amp"
        ],
        "ip": [
            "8.8.8.8",
            "10.10.10.10"
        ]
    },
    "tags": [
        "cisco-secure_endpoint",
        "forwarded",
        "preserve_original_event"
    ]
}
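The example document above is the result of mapping a raw Cisco Secure Endpoint API response (the JSON kept in event.original) onto ECS and cisco.secure_endpoint.* fields. The following is an added example, not the integration's own ingest pipeline, that approximates that mapping in Python so the normalization steps are visible: host.name lowercased, MAC addresses normalized, related.ip collected from the external and interface IPs, severity text mapped to a number. The names RAW_EVENT, SEVERITY, normalize_mac and to_ecs are this example's own, and the numeric severity scale beyond Medium is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of the page's event.original, trimmed to the
# fields this example maps; the values are the page's own demo data.
RAW_EVENT = {"data": {
    "computer": {"active": True, "connector_guid": "test_connector_guid",
                 "external_ip": "8.8.8.8", "hostname": "Demo_AMP",
                 "network_addresses": [{"ip": "10.10.10.10", "mac": "38:1e:eb:ba:2c:15"}]},
    "connector_guid": "test_connector_guid",
    "date": "2021-01-13T10:13:08+00:00",
    "event_type": "Cloud IOC", "event_type_id": 1107296274,
    "file": {"disposition": "Clean", "file_name": "PowerShell.exe",
             "file_path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe",
             "identity": {"sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},
             "parent": {"disposition": "Clean", "identity": {
                 "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}},
    "group_guids": ["test_group_guid"], "id": 1515298355162029000, "severity": "Medium",
}}

# Assumed numeric scale: the page only confirms that "Medium" becomes event.severity 2.
SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def normalize_mac(mac):
    """Uppercase, hyphen-separated form, matching the page's related.mac value."""
    return "-".join(part.upper() for part in mac.replace("-", ":").split(":"))


def to_ecs(raw):
    """Map one Cisco Secure Endpoint API event to the ECS layout of the example above."""
    d = raw["data"]
    comp, f = d.get("computer", {}), d.get("file", {})
    addrs = comp.get("network_addresses", [])
    host = comp.get("hostname", "")
    # related.ip collects the external IP plus every interface IP, in order, without duplicates.
    ips = [ip for ip in [comp.get("external_ip")] + [a.get("ip") for a in addrs] if ip]
    sha256 = f.get("identity", {}).get("sha256")
    ts = datetime.fromisoformat(d["date"]).astimezone(timezone.utc)
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "event": {"action": d["event_type"], "code": str(d["event_type_id"]),
                  "id": str(d["id"]), "severity": SEVERITY.get(d.get("severity"))},
        "file": {"name": f.get("file_name"), "path": f.get("file_path"),
                 "hash": {"sha256": sha256}},
        "process": {"hash": {"sha256": f.get("parent", {}).get("identity", {}).get("sha256")}},
        # host.name is lowercased (changelog 2.12.0); host.hostname keeps the vendor casing.
        "host": {"hostname": host, "name": host.lower()},
        "related": {"hash": [h for h in [sha256] if h], "hosts": [host.lower()],
                    "ip": list(dict.fromkeys(ips))},
        "cisco": {"secure_endpoint": {
            "connector_guid": d.get("connector_guid"), "event_type_id": d["event_type_id"],
            "group_guids": d.get("group_guids", []),
            "related": {"mac": [normalize_mac(a["mac"]) for a in addrs if a.get("mac")]},
        }},
    }
```

Running to_ecs(RAW_EVENT) reproduces the @timestamp, event, file, process, host and related values shown in the example document.
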

Exported fields

Field (type): description

@timestamp (date): Event timestamp.
cisco.secure_endpoint.bp_data (flattened): Endpoint isolation information.
cisco.secure_endpoint.cloud_ioc.description (keyword): Description of the related IOC for specific IOC events from AMP.
cisco.secure_endpoint.cloud_ioc.short_description (keyword): Short description of the related IOC for specific IOC events from AMP.
cisco.secure_endpoint.command_line.arguments (keyword): The CLI arguments related to the Cloud Threat IOC reported by Cisco.
cisco.secure_endpoint.computer.active (boolean): Whether the current endpoint is active.
cisco.secure_endpoint.computer.connector_guid (keyword): The GUID of the connector, similar to the top-level connector_guid, but unique if multiple connectors are involved.
cisco.secure_endpoint.computer.external_ip (ip): The external IP of the related host.
cisco.secure_endpoint.computer.network_addresses (flattened): All network interface information on the related host.
cisco.secure_endpoint.connector_guid (keyword): The GUID of the connector sending information to AMP.
cisco.secure_endpoint.detection (keyword): The name of the malware detected.
cisco.secure_endpoint.detection_id (keyword): The ID of the detection.
cisco.secure_endpoint.error.description (keyword): Description of an endpoint error event.
cisco.secure_endpoint.error.error_code (long): The error code describing the related error event.
cisco.secure_endpoint.event_type_id (long): A sub-ID of the event, depending on event type.
cisco.secure_endpoint.file.archived_file.disposition (keyword): Categorization of a file archive related to a file, for example "Malicious" or "Clean".
cisco.secure_endpoint.file.archived_file.identity.md5 (keyword): MD5 hash of the archived file related to the malicious event.
cisco.secure_endpoint.file.archived_file.identity.sha1 (keyword): SHA1 hash of the archived file related to the malicious event.
cisco.secure_endpoint.file.archived_file.identity.sha256 (keyword): SHA256 hash of the archived file related to the malicious event.
cisco.secure_endpoint.file.attack_details.application (keyword): The application name related to Exploit Prevention events.
cisco.secure_endpoint.file.attack_details.attacked_module (keyword): Path to the executable or DLL that was attacked and detected by Exploit Prevention.
cisco.secure_endpoint.file.attack_details.base_address (keyword): The base memory address related to the exploit detected.
cisco.secure_endpoint.file.attack_details.indicators (flattened): Different indicator types that match the exploit detected, for example different MITRE tactics.
cisco.secure_endpoint.file.attack_details.suspicious_files (keyword): An array of related files when an attack is detected by Exploit Prevention.
cisco.secure_endpoint.file.disposition (keyword): Categorization of the file, for example "Malicious" or "Clean".
cisco.secure_endpoint.file.parent.disposition (keyword): Categorization of the parent, for example "Malicious" or "Clean".
cisco.secure_endpoint.group_guids (keyword): An array of group GUIDs related to the connector sending information to AMP.
cisco.secure_endpoint.network_info.disposition (keyword): Categorization of a network event related to a file, for example "Malicious" or "Clean".
cisco.secure_endpoint.network_info.nfm.direction (keyword): The current direction based on source and destination IP.
cisco.secure_endpoint.network_info.parent.disposition (keyword): Categorization of an IOC, for example "Malicious" or "Clean".
cisco.secure_endpoint.network_info.parent.identify.sha256 (keyword): SHA256 hash of the related IOC.
cisco.secure_endpoint.network_info.parent.identity.md5 (keyword): MD5 hash of the related IOC.
cisco.secure_endpoint.network_info.parent.identity.sha1 (keyword): SHA1 hash of the related IOC.
cisco.secure_endpoint.related.cve (keyword): An array of all related CVEs.
cisco.secure_endpoint.related.mac (keyword): An array of all related MAC addresses.
cisco.secure_endpoint.scan.clean (boolean): Whether the scanned file was clean.
cisco.secure_endpoint.scan.description (keyword): Description of an event related to a scan being initiated, for example the specific directory name.
cisco.secure_endpoint.scan.malicious_detections (long): Count of malicious files or documents detected related to a single scan event.
cisco.secure_endpoint.scan.scanned_files (long): Count of files scanned in a directory.
cisco.secure_endpoint.scan.scanned_paths (long): Count of different directories scanned related to a single scan event.
cisco.secure_endpoint.scan.scanned_processes (long): Count of processes scanned related to a single scan event.
cisco.secure_endpoint.tactics (flattened): List of all MITRE tactics related to the incident found.
cisco.secure_endpoint.techniques (flattened): List of all MITRE techniques related to the incident found.
cisco.secure_endpoint.threat_hunting.incident_end_time (date): When the threat hunt was finalized or closed.
cisco.secure_endpoint.threat_hunting.incident_hunt_guid (keyword): The GUID of the related investigation tracking issue.
cisco.secure_endpoint.threat_hunting.incident_id (long): The ID of the related incident for the threat hunting activity.
cisco.secure_endpoint.threat_hunting.incident_remediation (keyword): Recommendations to resolve the vulnerability or exploited host.
cisco.secure_endpoint.threat_hunting.incident_report_guid (keyword): The GUID of the related threat hunting report.
cisco.secure_endpoint.threat_hunting.incident_start_time (date): When the threat hunt was initiated.
cisco.secure_endpoint.threat_hunting.incident_summary (keyword): Summary of the outcome of the threat hunting activity.
cisco.secure_endpoint.threat_hunting.incident_title (keyword): Title of the incident related to the threat hunting activity.
cisco.secure_endpoint.threat_hunting.severity (keyword): Severity result of the threat hunt registered to the malicious event; ranges from Low to Critical.
cisco.secure_endpoint.threat_hunting.tactics (flattened): List of all MITRE tactics related to the incident found.
cisco.secure_endpoint.threat_hunting.techniques (flattened): List of all MITRE techniques related to the incident found.
cisco.secure_endpoint.timestamp_nanoseconds (date): The timestamp in epoch nanoseconds.
cisco.secure_endpoint.vulnerabilities (flattened): An array of vulnerabilities related to the malicious event.
cloud.image.id (keyword): Image ID for the cloud instance.
data_stream.dataset (constant_keyword): Data stream dataset.
data_stream.namespace (constant_keyword): Data stream namespace.
data_stream.type (constant_keyword): Data stream type.
event.dataset (constant_keyword): Event dataset.
event.module (constant_keyword): Event module.
host.containerized (boolean): Whether the host is a container.
host.os.build (keyword): OS build information.
host.os.codename (keyword): OS codename, if any.
input.type (keyword): Type of Filebeat input.

Changelog

Version (compatible Kibana version(s), where given), followed by the change type and details:

2.28.0
  Enhancement: Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error".

2.27.1 (Kibana 8.13.0 or higher)
  Bug fix: Use triple-brace Mustache templating when referencing variables in ingest pipelines.

2.27.0 (Kibana 8.13.0 or higher)
  Enhancement: Allow @custom pipeline access to event.original without setting preserve_original_event.

2.26.0 (Kibana 8.13.0 or higher)
  Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

2.25.0 (Kibana 8.12.0 or higher)
  Enhancement: Set sensitive values as secret.

2.24.2 (Kibana 8.7.1 or higher)
  Bug fix: Fix ingest pipeline conditional field handling.

2.24.1 (Kibana 8.7.1 or higher)
  Enhancement: Changed owners.

2.24.0 (Kibana 8.7.1 or higher)
  Enhancement: Limit request tracer log count to five.

2.23.0 (Kibana 8.7.1 or higher)
  Enhancement: ECS version updated to 8.11.0.

2.22.0 (Kibana 8.7.1 or higher)
  Enhancement: Improve event.original check to avoid errors if set.

2.21.0 (Kibana 8.7.1 or higher)
  Enhancement: ECS version updated to 8.10.0.

2.20.0 (Kibana 8.7.1 or higher)
  Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest.

2.19.0 (Kibana 8.7.1 or higher)
  Enhancement: Add tags.yml file so that the integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

2.18.0 (Kibana 8.7.1 or higher)
  Enhancement: Update package to ECS 8.9.0.

2.17.0 (Kibana 8.7.1 or higher)
  Enhancement: Document duration units.

2.16.0 (Kibana 8.7.1 or higher)
  Enhancement: Document valid duration units.

2.15.0 (Kibana 8.7.1 or higher)
  Enhancement: Ensure event.kind is correctly set for pipeline errors.

2.14.0 (Kibana 8.7.1 or higher)
  Enhancement: Parse out additional fields to ECS.

2.13.1 (Kibana 8.7.1 or higher)
  Enhancement: Remove empty fields and user.name field when Not Available.

2.13.0 (Kibana 8.7.1 or higher)
  Enhancement: Update package to ECS 8.8.0.

2.12.0 (Kibana 8.7.1 or higher)
  Enhancement: Lowercase host.name field.

2.11.0 (Kibana 8.7.1 or higher)
  Enhancement: Update package-spec version to 2.7.0.

2.10.0 (Kibana 8.7.1 or higher)
  Enhancement: Add a new flag to enable request tracing.

2.9.0 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Update package to ECS 8.7.0.

2.8.1 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Added categories and/or subcategories.

2.8.0 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Update package to ECS 8.6.0.

2.7.1 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Bug fix: Added processor to drop empty documents when there are no events.

2.7.0 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Update package to ECS 8.5.0.

2.6.2 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Bug fix: Remove duplicate fields.

2.6.1 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Use ECS geo.location definition.

2.6.0 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Update package to ECS 8.4.0.

2.5.2 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Update package name and description to align with standard wording.

2.5.1 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Bug fix: Fix rate limit reset time.

2.5.0 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Update package to ECS 8.3.0.

2.4.1 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Update README with link to vendor documentation.

2.4.0 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Update to ECS 8.2.

2.3.1 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Bug fix: Fix typo in config template for ignoring host enrichment.

2.3.0
  Enhancement: Ensure pagination exits correctly and remove possible host fields.

2.2.0 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Fix propagation of information from host.name.

2.1.1 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Add documentation for multi-fields.

2.1.0 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Adding possibility to extract host and user data if possible.

2.0.0 (Kibana 7.17.0 or higher, 8.0.0 or higher)
  Enhancement: Update to ECS 8.0.
  Breaking change: Normalize MAC address; replace host.user.name with user.name.

1.0.0 (Kibana 7.16.0 or higher, 8.0.0 or higher)
  Enhancement: GA integration.

0.2.2
  Bug fix: Regenerate test files using the new GeoIP database.

0.2.1
  Bug fix: Change test public IPs to the supported subset.

0.2.0
  Enhancement: Add 8.0.0 version constraint.

0.1.1
  Enhancement: Update Title and Description.

0.1.0
  Enhancement: Initial migration from Filebeat Module.