Identify Conditions to Trigger Automated Actions in Secure Endpoint

Available Languages

Download Options

  • PDF     (904.4 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (972.5 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (763.7 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 1, 2023
Document ID:220184

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes conditions that need to be met in order to trigger Automated Actions.

    Background Information

    Automated Actions get triggered upon a compromise (means an un-compromised machine becomes a compromised machine). If an already-compromised machine triggers a new detection, this detection is added to the compromise, but since this is not a new compromise, it does not trigger an automated action.

    One exception to this is the severity level. Automated actions get triggered based on criteria which is severity, nevertheless, compromises do not have severity by itself (onlyindividual detections do). If an Automated Action is configured to a severity level of high and a detection triggers as medium level, it does not trigger the action. If a subsequent event is added to the compromise that is high, the action triggers as this new detection is in the compromise that already exists.

    What is a compromised machine?

    A compromised machine is an endpoint that has an active compromise associated with it. A compromised machine can, by design, only have one compromise active at one time.

    Applicability 

    Windows, Mac

    Automated Actions Available

    1. Take a forensic snapshot upon Compromise: Takes a Forensic Snapshot of a computer when a compromise occurs. A compromise event is basically an event sent by a connector that notifies of something potentially malicious that happens.

      Conditions to trigger this automated action: Events that are the selected severity or higher, trigger the automated action.

      Automated Actions Available

      Conditions to Trigger Automated Action

      This is an example of a compromised machine:

      Example of a Compromised Machine

      This is the Log of the automated action (from Audit Log tab)

      Log of the Automated Action

    2. Isolate a computer upon compromise: Isolates computers when a compromise occurs.

      Conditions to trigger this automated action: Events that are the selected severity or higher, trigger the automated action. The Rate Limit protects you against false positive detections. The Rate Limit feature looks at the total number of isolations in a 24 hour rolling window. If the number of isolations is greater than the limit, no further isolations are triggered. Computers are isolated again once the number of compromise events falls to fewer than the limit in the 24 hour rolling window or you stop isolation on computers that were automatically isolated.

      Isolate a Computer upon Compromise - Take Forensic Snapshot

      Conditions to Trigger an Automated Action When a Compromise Occurs

      This is an example of a compromised machine:

      Example of a Compromised Machine

      This is the Log of the automated action (from Audit Log tab):

      Log of the Automated Action From Audit Log Tab



    3. Submit to Secure Malware Analytics upon Detection: Submit a file to Secure Malware Analytics for File Analysis when a detection occurs.

      Conditions to trigger this automated action: Events that are the selected severity or higher, trigger the automated action.

      Submit to Secure Malware upon Detection

      Conditions to Trigger Automated Action

      Example of a compromised machine:

      Example of Compromised Machine with Malware Detected

      In this case, the file was submitted to Secure Malware analytics previously, so the file analysis was already done. Example as follows:

      File Already Done as Malware Previously Submitted

      note-icon

      Note: This automated action is unaffiliated with compromises, and runs per-detection.

    4. Move Computer to group upon Compromise: Move computers from their current groups to another group when the action is triggered. This allows you to move compromised computers to a group with a policy that has more aggressive scanning and engine settings to remediate the compromise.

    Conditions to trigger this automated action: Events that are the selected severity or higher, trigger the automated action.

    Move Computer to Group upon Compromise

    Trigger the Automated Action

    This is the computer in the original group:

    Computer in the Original Group

    These are the events of compromise:

    Events of the Compromise

    This is the Log of the automated action (from Audit Log tab):

    Log of the Automated Action (from Audit Log Tab)

    The computer was moved to specified group in the Automated Action setting:

    Computer Moved to Specified Group in the Automated Action Setting

    Action Logs

    This is the full list of the Automated Action Logs from Automated Actions tab:

    Automated Action Logs

    Related Information

    Secure Endpoint User Guide

    Revision History

    Revision Publish Date Comments
    1.0
    01-Feb-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Isaac Cardenas
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products