Showing results for 
Search instead for 
Did you mean: 
E.L. Howard
Cisco Employee
Cisco Employee


About this Document

Cisco Secure Endpoint (formerly AMP for Endpoints) is a comprehensive Endpoint Security solution designed to function both as a stand-alone tool, and as a part of the architecture of natively integrated Cisco and 3rd party solutions through the Cisco SecureX platform. This Guide gives you an easy to use Step-by-Step Guide to start your Secure Endpoint experience. For more in-depth detailed information on specific product features or integrations, please see the other official Secure Endpoint documentation:

Cloud Infrastructure Requirement

The Secure Endpoint Cloud Infrastructure provides alerting, eventing, data retention, and other necessary services for the Secure Endpoint connector. For full functionality the Endpoint Connector must be able to communicate with the Secure Endpoint cloud services. For more information please see the Helpful Notes section of this guide.

STEP 1: Account Activation and Pre-work

  • Activate your account and login to the Secure Endpoint portal.

  • To access sensitive data, configure Two-Factor-Authentication.

  • Prepare your Infrastructure: Prepare your network, so the Connector is able to communicate with the Cloud Services.


Activate your Secure Endpoint account 

Screenshot QUICK Registration e-mail.png

Account Activation:

Click on the link included in the e-mail. This opens the Secure Endpoint console. Type your password and click activate. The account has full access to any areas of the console.

Click the question mark on the top right corner to open a help page.


Enable Two-Factor Authentication

Step 1: On the Top right corner in the Secure Endpoint UI click your Username and select My Account in the Drop Down Menu

Screenshot QUICK MyAccount DropDown.png

Step 2: Scroll down to the Settings Area of your account details. Click on the Manage Button to start the 2FA Activation Steps.

Screenshot QUICK Enable 2FA.png

Step 3: Install a 2FA-Application on your Mobile Phone. Cisco recommends DUO, but you can also use any RFC 6238-compatible app - like Google Authenticator.

Screenshot QUICK Install 2FA.png


STEP 2: Configuration and Installation

Prepare your environment
Secure Endpoint needs access to Cloud Services for proper functionality. For normal operations, the endpoint queries the cloud based on the heartbeat interval configured in the policy, in addition to realtime queries, based on file and network monitoring inside the connector. Required connection details for systems that do not have outbound Internet access can be found at the end of this document.

Prepare Groups, Policies and Exclusions

Secure Endpoint comes with predefined Groups, Exclusion Lists and Policies which can be directly used to deploy Secure Endpoint.

  • Cisco Maintained Exclusions are already assigned to the policies

  • Default Outbreak Control lists are assigned to the policies

  • Predefined Policies are already assigned to the groups


Audit: All Engines are default set to Audit Mode. Secure Endpoint Connector Scans and Monitors, but does not take any action.

Server: This is a lightweight policy for high availability computers and servers that require maximum performance and uptime. System Protection is enabled, File activity is monitored, network protection is disabled. 

Domain Controller: All Engines are set to Audit Mode. In addition, Device Flow Correlation (Network) and System Process Protection Engine are disabled.

Protect: All Engines are set to protect/quarantine except Malicious Activity Protection, which is disabled. 

Triage: All Engines are enabled and set to protect/quarantine.

Secure Endpoint Support Documentation

Maintained Exclusion List Changes

Download and Install the Secure Endpoint Connector

Step 1: To start the Download select
Management → Download Connector
in the Secure Endpoint Menu Bar.


Step 2: Select the Group where the connector should be added to. Choose the Install Package for the Operating System as needed.

Step 3: Install the Connector by executing the downloaded File. Follow the the Instructions shown by the installer.

NOTE: If installing on multiple computers in a group, click the Show URL button to use a direct download link that can be shared.


Step 4: Check the Status in the Client UI.It shows the Status and the assigned Policy.



Generate Detection Data

Running the following Powershell command after install, to test that data is being reported as expected, and events will be generated in the Secure Endpoint cloud console.

  1. Open a command prompt with Administrator Privileges
    1. In the Windows Start menu, type 'cmd'
    2. Select "Run as administrator"
  2. At the prompt, copy and run the following command [on a single line]
wmic /node: process call create "powershell -noP -sta -w 1 -enc bmV0IHVzZSBzOiBcXDEwLjAuMC4yOVxhZG1pbiQ="

You may safely close the command prompt window, and a successful detection using our Cloud IOC (Indicator of Compromise) engine will trigger an event in the cloud console in a matter of moments

Command Window Admin Screenshot.png 


STEP 3: Start your Threat Hunting Experience


Activate Threat Response

The Secure Endpoint is part of a built-in security platform called Cisco SecureX. The Secure Endpoint license includes Cisco SecureX dashboards, integrations, orchestration, threat response, useful pivot menus that help drive action in response to security events, and more. Take a look at the Threat Response website for more details.

Step 1: Connect to the Threat Response UI using the right area.



Step 2: The first time you connect to Threat Response, you are asked to link the Secure Endpoint account with Threat Response.

Step 3: Read info in the Threat Response First Investigation walk-through to gain insight into the threat investigation process and threat response capabilities.

Screen Shot 2021-02-15 at 4.32.08 PM.png


Learn with Investigation Scenarios

Secure Endpoint provides several predefined Investigation scenarios. They are well described and help you to learn how to use Secure Endpoint as a Threat Hunting Tool. Learn about the Heat Map, Events, Indications of Compromise - IOCs, File Trajectory and more.

Step 1: Activate the Demo Data. Select Accounts → Demo data and click the Enable Demo Data button. Wait a few minutes until all demo data is enabled for you. This is important to ensure you are able to see more data in the Secure Endpoint console, if you are only installing the connector on a limited number of sytems.

Step 2: Select your favorite Scenario. The PDF is designed to guide you through the investigation process, and understanding the data.



Use SecureX threat response to begin and manage investigations

The Cisco SecureX Ribbon is a powerful tool to quickly inspect observables derived from web content directly from your Chrome or Firefox browser. Casebook Investigations are shared over Secure Endpoint Console, Cisco Malware Analytics (former Threat Grid), Cisco SecureX threat response or Cisco Secure Network Analytics (formerly Stealthwatch).

Step 1: Read the Information in the SecureX Ribbon page.

Step 2: Enable SecureX and connect Secure Endpoint to your SecureX instance as outlined here.

Step 3: From the SecureX dashboard page, install the SecureX Ribbon Extension and configure the settings. While the in-console Ribbon shows up in Cisco Secure products, the Ribbon browser extension enables you to quickly pivot from observables to investigation mode while in any product, or viewing any website.

Step 4:

If not already done - enable the demo data as described above. Our use case (Olympic Destroyer) is part of the demo data set, so you can test our investigation functionality.
Open the Olympic Destroyer IOCs blog post on the Talos Intel Site. Select the SecureX Ribbon extension in your browser toolbar. After the extension opens, just click the search icon.

This will search the page and load all Indicator of Compromise (IOC) related information [IP addresses, domains, file hashes, etc) from the page you are viewing and provides a disposition lookup via SecureX Cloud services. Click Investigate in Threat Response to start investigating presence, file transfers, traffic flow and other pertinent details.



SecureX Ribbon - in the Secure Endpoint consoleScreen Shot 2021-02-15 at 4.51.17 PM.png


SecureX Ribbon browser extension install linkScreen Shot 2021-02-15 at 4.44.29 PM.png


Secure your environment with Automated Actions

The Automated Actions Page lets you set actions that automatically trigger when compromise events at your specified severity level occur on a computer, in your selected computer groups. You can access the page from Outbreak Control → Automated Actions - here you can enable a policy to automatically retrieve Forensic Snapshots from compromised hosts, place systems under Isolation so that they can only be managed by your preferred systems, submit files for sandboxed analysis, and more.
Automated Actions Screenshot.png


Use Indicators to understand a Threat

Secure Endpoint determines Cloud Indications of Compromise (IOCs) based on multiple events or sequences of events observed on an endpoint within a certain time period. The purpose of a Cloud IOC is to act as a notification of suspicious or malicious activity on an endpoint. A Cloud IOC trigger on a host needs to be investigated further to determine the exact nature and source of suspicious activity outlined in the IOC description.

The Indicators page lets you search for Cloud IOCs. You can access the page from Analysis → Indicators on the main menu. Each indicator includes a brief description along with information about the tactics and techniques employed based on the MITRE ATT&CK knowledge base. Tactics represent the objective of an attack, such as executing malware or exfiltrating confidential information. Techniques are the methods attackers use to achieve the objectives or what they gain. For more information, see Getting Started with ATT&CKYou can search for specific indicators by name, or filter the list based on tactics, techniques, and severity. The number of compromises in your business that are associated with an indicator are also shown and you can filter the list to only display these.

  • Click on an indicator to expand the description and display the full list of tactics and techniques.
  • Click on any tactic or technique for a detailed description.
  • Click a compromise badge to see a filtered view of the Inbox Tab of all endpoints that have observed the indicator.
  • Click the Dashboard, Events, or Inbox links to see a filtered view of those pages showing only the computers that observed the indicator.

Indicators Screenshot.png

What's Next

Secure Endpoint Integrations

Secure Endpoint and Secure Access by Duo

Secure Endpoint has native cloud-to-cloud integration with Duo to extend protection to users and trusted assets based on risk profile and posture. Secure Endpoint and Duo are key components to building your Zero-Trust architecture and benefit each other via native, out-of-the-box integration. Watch the video to learn more!

Secure Endpoint and Umbrella

SecureX pivots enable Umbrella users to quick question the assets they are tasked with securing, to ensure if additional actions beyond the network-based block might be needed. Secure Endpoint enables system snapshots, host isolation, and more containment and quarantine actions with just a click of the SecureX Pivot menu.
Related Topics


Helpful Notes

Secure Endpoint Communication Addresses, Protocols, and Ports

Purpose Server Port
Cloud Server

TCP/443 Outbound
AMP Console TCP/443 Outbound
Management Server TCP/443 Outbound
Event Server TCP/443 Outbound
Policies TCP/443 Outbound
Connector Downloads and Updates TCP/80 OutboundTCP/443 Outbound
Error Reporting TCP/443 Outbound
Endpoint IOCs TCP/443 Outbound
A/V Update Server TCP/80 OutboundTCP/443 Outbound
Remote File Fetch

TCP/443 Outbound
Behavior Protection TCP/443 Outbound
Screenshot QUICK AMP Cloud Architecture.png

Endpoint Connector

  • The Secure Endpoint connector queries the cloud for new Policies or Products Updates/Upgrades. Events generated on the endpoint are uploaded to Secure Endpoint Cloud. For threat hunting capabilities Secure Endpoint monitors file, network, process and command line activity. This information is sent to the cloud for further processing and analysis.

Secure Endpoint Cloud

  • The Secure Endpoint Cloud stores the information and does a fully automated analysis. Any available information monitored by the endpoint is analyzed for seven days. Any Information provided by the Connector is retrospectively fully automated processed and analyzed for the last 7 days.
  • Cloud IOCs, which are continuously updated and maintained by Cisco, are generated by analysing the endpoint information.
  • Talos: Cisco Threat Intelligence Group generates much Threat Information. Talos already includes many Threat Feeds from more than 100 Threat Intelligence Partners, e.g. Threat Information is correlated with all the behaviour monitored by the Secure Endpoint Connector.
Other Useful Links
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: