Cisco Secure Endpoint: Inbox and Events

Secure Endpoint groups critical events into a simple workflow so you can see which cases need your attention. The Inbox tab lists the cases nobody has picked up yet. To start working on a case, select its checkbox and click Begin Work; the case then moves to the "In Progress" tab, where you continue the investigation.

In the Inbox, events are grouped by device. A single device can generate many events; to see every individual event, go to the Events tab.

The Events tab shows the most recent events in your AMP for Endpoints deployment. Events are generated for many reasons; the most common event types are:

- Detected Threats
- Indications of Compromise
- Quarantine Status
- Product updates
- Endpoint Isolation events

AMP also includes a powerful filter: you can narrow the event list by event type, group, and time range, and you can save a filter to reuse it later.

It is good practice to enable email notifications for the "Detected Threats" category. You can be notified immediately when an event is created, or on an hourly, daily, weekly, or monthly digest basis.
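The grouping, filtering and digest behaviour described above (Inbox cases grouped by device, the Events tab filter on type, group and time range, and the notification schedule for Detected Threats) can be modelled on an exported event list. The following is an added example, not code from Cisco or from the Secure Endpoint console; the event records, their field names (`date`, `event_type`, `computer`, `group`) and the event type labels are constructed assumptions, not the product's documented schema, so adapt them to whatever your export actually contains.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events. The field names are an assumption chosen to
# resemble an exported event list; they are not the product's schema.
SAMPLE_EVENTS = [
    {"id": 1, "date": "2024-03-01T08:05:00Z", "event_type": "Threat Detected",
     "computer": "WS-001", "group": "Workstations"},
    {"id": 2, "date": "2024-03-01T08:06:00Z", "event_type": "Threat Quarantined",
     "computer": "WS-001", "group": "Workstations"},
    {"id": 3, "date": "2024-03-01T09:30:00Z", "event_type": "Indication of Compromise",
     "computer": "SRV-DB1", "group": "Servers"},
    {"id": 4, "date": "2024-02-27T12:00:00Z", "event_type": "Product Update",
     "computer": "WS-002", "group": "Workstations"},
    {"id": 5, "date": "2024-03-01T10:00:00Z", "event_type": "Endpoint Isolation Started",
     "computer": "WS-002", "group": "Workstations"},
]

# Event types that should create an Inbox case (assumed set for this example).
ATTENTION_TYPES = {"Threat Detected", "Indication of Compromise"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def filter_events(events, event_types=None, groups=None, start=None, end=None):
    """Mirror the Events tab filter: event type, group and time range.

    A None argument means "no restriction" on that dimension."""
    matched = []
    for ev in events:
        if event_types and ev["event_type"] not in event_types:
            continue
        if groups and ev["group"] not in groups:
            continue
        ts = parse_ts(ev["date"])
        if start and ts < start:
            continue
        if end and ts > end:
            continue
        matched.append(ev)
    return matched


def inbox_by_device(events, attention_types=ATTENTION_TYPES):
    """Group attention-worthy events per device, as the Inbox tab does."""
    cases = defaultdict(list)
    for ev in filter_events(events, event_types=attention_types):
        cases[ev["computer"]].append(ev["id"])
    return dict(cases)


class Triage:
    """Inbox -> In Progress workflow: begin_work moves a device's case over."""

    def __init__(self, events):
        self.inbox = inbox_by_device(events)
        self.in_progress = {}

    def begin_work(self, hostnames):
        for host in hostnames:
            if host in self.inbox:
                self.in_progress[host] = self.inbox.pop(host)
        return sorted(self.in_progress)


# Bucket formats for the notification schedule; "immediate" is one bucket per event.
DIGEST_FORMAT = {
    "immediate": "%Y-%m-%dT%H:%M:%SZ",
    "hourly": "%Y-%m-%dT%H",
    "daily": "%Y-%m-%d",
    "weekly": "%G-W%V",
    "monthly": "%Y-%m",
}


def notification_digest(events, event_type="Threat Detected", period="hourly"):
    """Group events of one type into the buckets an email digest would send."""
    buckets = defaultdict(list)
    for ev in filter_events(events, event_types={event_type}):
        buckets[parse_ts(ev["date"]).strftime(DIGEST_FORMAT[period])].append(ev["id"])
    return dict(buckets)


# Saved filters, reusable like saved filters in the console (constructed examples).
SAVED_FILTERS = {
    "servers-iocs": {"event_types": {"Indication of Compromise"}, "groups": {"Servers"}},
    "march-threats": {"event_types": {"Threat Detected"},
                      "start": parse_ts("2024-03-01T00:00:00Z")},
}

if __name__ == "__main__":
    triage = Triage(SAMPLE_EVENTS)
    print("inbox:", triage.inbox)
    print("in progress:", triage.begin_work(["WS-001"]), triage.inbox)
    print("saved filter:", [e["id"] for e in filter_events(SAMPLE_EVENTS, **SAVED_FILTERS["servers-iocs"])])
    print("hourly digest:", notification_digest(SAMPLE_EVENTS))
```

The point of separating `filter_events` from `inbox_by_device` is the same as in the console: the Inbox is a curated view of a subset of event types grouped by device, while the Events tab exposes every event with free-form filtering, so an event that never appears as an Inbox case (a quarantine status or a product update here) is still reachable through the filter.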

Remember that AMP gives you access to events through two mechanisms: the Inbox and the Events tab. Knowing which events matter most is key to responding faster.

Visit the following resources for more information:

- Security ATXs/ACCs:

https://learningnetwork.cisco.com/s/atx-integrated-secure-operations

- Endpoint Protection self-guided journey page:

https://www.cisco.com/c/m/en_us/products/security/advanced-malware-protection/setup-guide.html

- Cisco Video:

https://video.cisco.com/video/6241050391001