# NG SIEM - CISCO Secure Endpoint Integration

##### **<span style="color: rgb(53, 152, 219);">Introduction</span>**

<span style="color: rgb(0, 0, 0);">Cisco **Secure Endpoint** (formerly **AMP for Endpoints**) is a cloud-delivered **endpoint detection and response (EDR)** solution. It provides visibility and protection across multiple control points, enabling organizations to rapidly detect, contain, and remediate advanced threats on managed endpoints.</span>

---

##### <span style="color: rgb(53, 152, 219);">**Assumptions**</span>

<span style="color: rgb(0, 0, 0);">The procedures in this guide assume that a **Log Collector** has already been set up.</span>

---

##### <span style="color: rgb(53, 152, 219);">**Requirements**</span>

<span style="color: rgb(0, 0, 0);">This integration is designed for collecting **Cisco Secure Endpoint logs**.</span>

##### <span style="color: rgb(53, 152, 219);">**Supported Dataset**</span>

- <span style="color: rgb(0, 0, 0);">**event dataset** → Supports Cisco Secure Endpoint **event logs**, either:</span>
    - <span style="color: rgb(0, 0, 0);">Received over **syslog**</span>
    - <span style="color: rgb(0, 0, 0);">Read from a **file**</span>

---

##### **<span style="color: rgb(53, 152, 219);">Generating Client ID and API Key</span>**

<span style="color: rgb(0, 0, 0);">To collect logs via the **Secure Endpoint API**, you must first generate API credentials:</span>

1. <span style="color: rgb(0, 0, 0);">Log in to your **Secure Endpoint Console** (still labelled **AMP for Endpoints Console** in older tenants).</span>
2. <span style="color: rgb(0, 0, 0);">Navigate to **Accounts &gt; Organization Settings**.</span>
3. <span style="color: rgb(0, 0, 0);">Under **Features**, click **Configure API Credentials**.</span>
4. <span style="color: rgb(0, 0, 0);">Create a new credential with **Read-only** scope (log collection needs no write access), then copy the **Client ID** and **API Key**.</span>

<p class="callout warning"><span style="color: rgb(0, 0, 0);"> **Important:** You can only copy your **API Key** at the time of creation. It cannot be retrieved later. Store it securely.</span></p>

---

##### <span style="color: rgb(53, 152, 219);">**Secure Endpoint Logs**</span>

- <span style="color: rgb(0, 0, 0);">The **event dataset** collects Cisco Secure Endpoint event logs.</span>

---

##### <span style="color: rgb(53, 152, 219);">**Secure Endpoint API Capabilities**</span>

<span style="color: rgb(0, 0, 0);">The **Secure Endpoint API** can be used to retrieve and manage detailed information, including:</span>

- <span style="color: rgb(0, 0, 0);">Generate a list of **organizations** a user has access to.</span>
- <span style="color: rgb(0, 0, 0);">Generate a list of **policies** for a specified organization.</span>
- <span style="color: rgb(0, 0, 0);">Retrieve detailed information about a specific policy, such as:</span>
    - <span style="color: rgb(0, 0, 0);">General policy data</span>
    - <span style="color: rgb(0, 0, 0);">Associated network control lists</span>
    - <span style="color: rgb(0, 0, 0);">Associated computers</span>
    - <span style="color: rgb(0, 0, 0);">Associated groups</span>
    - <span style="color: rgb(0, 0, 0);">Proxy settings</span>
    - <span style="color: rgb(0, 0, 0);">Policy XML</span>
- <span style="color: rgb(0, 0, 0);">Generate a list of all **policy types** and supported **operating systems** for an organization.</span>

---

##### **<span style="color: rgb(53, 152, 219);">Top Use Cases</span>**

- <span style="color: rgb(0, 0, 0);">**Reporting:** Generate reports on policy settings across an organization.</span>
- <span style="color: rgb(0, 0, 0);">**Inspection:** Review a particular policy’s detailed settings.</span>
- <span style="color: rgb(0, 0, 0);">**Policy Auditing:** Query for policies that match specific criteria to determine which should be updated.</span>

---

##### **<span style="color: rgb(53, 152, 219);">API Response Format</span>**

<span style="color: rgb(0, 0, 0);">Every Secure Endpoint API response is a JSON document built from three top-level objects. A collector should check **Errors** before reading **Data**, so that a rejected request (for example, a revoked API key) is not mistaken for an empty result set:</span>

- <span style="color: rgb(0, 0, 0);">**Data** → Requested content.</span>
- <span style="color: rgb(0, 0, 0);">**Meta** → Metadata describing the request/response.</span>
- <span style="color: rgb(0, 0, 0);">**Errors** → Error details if the request fails.</span>
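The following is an added example (not code from this page or from Cisco) that ties the two API passages above together: it builds the credential header from a Client ID and API Key, parses the Data / Meta / Errors envelope, and walks the paginated event list. It assumes, as the page does not state, that the v1 API authenticates with HTTP Basic auth (Client ID as user name, API Key as password), serves events at `/v1/events`, and paginates through `metadata.links.next`. The host `api.amp.cisco.com` is the North America cloud; EU and APJC tenants use different hosts. The sample responses are constructed so the script runs offline.

```python
"""Added example: consuming the Secure Endpoint API response envelope.

Assumptions (not from the page): HTTP Basic auth with Client ID / API Key,
event listing at /v1/events, pagination via metadata.links.next. The sample
responses are constructed for this example, not captured from a tenant.
"""
import base64
import json
import os
import urllib.request
from typing import Callable, Dict, Iterator, List

API_BASE = "https://api.amp.cisco.com"  # NA cloud (assumption); EU/APJC use other hosts


class SecureEndpointAPIError(Exception):
    """The response carried an 'errors' object instead of 'data'."""


def basic_auth_header(client_id: str, api_key: str) -> Dict[str, str]:
    """Build the Authorization header. Never log the returned value."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def envelope_errors(raw: str) -> List[dict]:
    """Return the 'errors' object of a response body (empty list if absent)."""
    return json.loads(raw).get("errors") or []


def parse_envelope(raw: str) -> Dict[str, object]:
    """Split a body into the documented objects: data, meta, errors.

    Raising on 'errors' keeps a failed request from looking like an empty
    event list, which a bare body.get('data', []) would silently produce.
    """
    body = json.loads(raw)
    errors = body.get("errors") or []
    if errors:
        detail = "; ".join(f"{e.get('error_code')} {e.get('description')}" for e in errors)
        raise SecureEndpointAPIError(detail)
    return {"data": body.get("data", []), "meta": body.get("metadata", {})}


def iter_events(fetch: Callable[[str, Dict[str, str]], str],
                headers: Dict[str, str],
                url: str = API_BASE + "/v1/events") -> Iterator[dict]:
    """Walk every page of events. fetch(url, headers) returns the body text."""
    next_url = url
    while next_url:
        page = parse_envelope(fetch(next_url, headers))
        yield from page["data"]
        next_url = page["meta"].get("links", {}).get("next")  # None on the last page


def http_fetch(url: str, headers: Dict[str, str]) -> str:
    """Real transport; not used by the offline sample below."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


# --- constructed sample responses: shape only, every value is made up ---
_PAGE_1 = json.dumps({
    "version": "v1.2.0",
    "metadata": {"links": {"self": API_BASE + "/v1/events",
                           "next": API_BASE + "/v1/events?offset=2"},
                 "results": {"total": 3, "current_item_count": 2, "index": 0, "items_per_page": 2}},
    "data": [
        {"id": 1, "event_type": "Threat Detected", "detection": "W32.Example.Constructed",
         "computer": {"hostname": "host-a"}},
        {"id": 2, "event_type": "Threat Quarantined", "detection": "W32.Example.Constructed",
         "computer": {"hostname": "host-a"}},
    ],
})
_PAGE_2 = json.dumps({
    "version": "v1.2.0",
    "metadata": {"links": {"self": API_BASE + "/v1/events?offset=2"},
                 "results": {"total": 3, "current_item_count": 1, "index": 2, "items_per_page": 2}},
    "data": [{"id": 3, "event_type": "Scan Completed", "computer": {"hostname": "host-b"}}],
})
UNAUTHORIZED_SAMPLE = json.dumps({
    "version": "v1.2.0",
    "errors": [{"error_code": 401, "description": "Unauthorized",
                "details": ["Unknown API key or Client ID"]}],
})
_SAMPLE_PAGES = {API_BASE + "/v1/events": _PAGE_1, API_BASE + "/v1/events?offset=2": _PAGE_2}


def sample_fetch(url: str, headers: Dict[str, str]) -> str:
    """Offline stand-in for http_fetch that serves the constructed pages."""
    if not headers.get("Authorization", "").startswith("Basic "):
        return UNAUTHORIZED_SAMPLE
    return _SAMPLE_PAGES[url]


def collect_sample_events() -> List[dict]:
    """Read credentials from the environment (hypothetical variable names)."""
    headers = basic_auth_header(os.environ.get("SE_CLIENT_ID", "example-id"),
                                os.environ.get("SE_API_KEY", "example-key"))
    return list(iter_events(sample_fetch, headers))


if __name__ == "__main__":
    for ev in collect_sample_events():
        print(ev["id"], ev["event_type"], ev["computer"]["hostname"])
```

To run against a real tenant, pass `http_fetch` instead of `sample_fetch` and load the Client ID and API Key from a secret store rather than hard-coding them; the `Errors` check in `parse_envelope` is what turns a revoked or mistyped key into a visible failure instead of a collector that quietly reports zero events.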

---

<p class="callout warning"><span style="color: rgb(0, 0, 0);">To enable log collection from the Cisco Secure Endpoint API, provide the following information to **CyTech Support** over a secure channel (never in plain e-mail or chat), since the API Key grants access to your organization's event data:</span></p>

- <span style="color: rgb(0, 0, 0);">**Client ID** → Cisco Secure Endpoint Client ID</span>
- <span style="color: rgb(0, 0, 0);">**API Key** → Cisco Secure Endpoint API Key</span>

<span style="color: rgb(0, 0, 0);">*If you need further assistance, kindly contact <span style="color: rgb(53, 152, 219);">**support@cytechint.com**</span> for prompt assistance and guidance.*</span>