Export List of Windows Event IDs for Secure Endpoint

Available Languages

Download Options

  • PDF     (7.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (81.1 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (66.5 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 18, 2024
Document ID:222136

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes all event IDs for Cisco Secure Endpoint, aiding in effective monitoring and incident response.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Windows Event Logging
    • Cisco Secure Endpoint

    Components Used

    The information in this document is based on these software verisons:

    • Cisco Secure Endpoint 8.4.0.30201
    • Windows Server 2019

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Problem

    Windows Event IDs for Cisco Secure Endpoint are essential for effective monitoring and troubleshooting. Having access to these Event IDs is critical for diagnosing issues, ensuring operational efficiency, and enhancing overall security.

    Solution

    Open File Explorer, navigate to C:\Program Files\Cisco\AMP\<version_number>\AMPEvents.man file. You can open this file in Notepad to view all the infomation related to Windows events generated by Cisco Secure Endpoint.

    Exported list of Event IDs from the AMPEvents.man file:

    Event ID Event Engine/Task Level
    100 EXPREV_ATTACK_WITHOUT_SUSPICIOUS_FILES_V1/V2/V3/V4 ExploitPrevention Informational
    101 EXPREV_ATTACK_WITH_SUSPICIOUS_FILES_V1/V2/V3/V4 ExploitPrevention Informational
    102 EXPREV_ATTACK_WITHOUT_SUSPICIOUS_FILES_V3/V4_AUDIT ExploitPrevention Informational
    103 EXPREV_ATTACK_WITH_SUSPICIOUS_FILES_V3/V4_AUDIT ExploitPrevention Informational
    104 EXPREV_SCRIPT_CONTROL_ATTACK_V4 ExploitPrevention Informational
    105 EXPREV_SCRIPT_CONTROL_ATTACK_V4_AUDIT ExploitPrevention Informational
    200 MALICIOUS_ACTIVITY_PROTECTION_V1/V2 MaliciousActivityProtection Informational
    300 SD_BLOCK_PROCESS_ACTION_V1 SystemProcessProtection Informational
    400 CCMS_JOB_STARTED_V1 CCMS Informational
    401 JANUS_EVENT_V1   Informational
    500 ENDPOINT_ISOLATION_STARTED_V1 EndpointIsolation Informational
    501 ENDPOINT_ISOLATION_STOPPED_V1 EndpointIsolation Informational
    502 ENDPOINT_ISOLATION_STARTFAILED_V1 EndpointIsolation Error
    503 ENDPOINT_ISOLATION_STOPFAILED_V1 EndpointIsolation Error
    504 ENDPOINT_ISOLATION_UPDATED_V1 EndpointIsolation Informational
    505 ENDPOINT_ISOLATION_UPDATEFAILED_V1 EndpointIsolation Error
    600 ORBITAL_INSTALL_SUCCESS_V1 Orbital Informational
    601 ORBITAL_INSTALL_FAILED_V1 Orbital Error
    602 ORBITAL_UPDATE_SUCCESS_V1 Orbital Informational
    603 ORBITAL_UPDATE_FAILED_V1 Orbital Error
    700 ENDPOINT_ISOLATION_BRUTE_FORCE_ATTEMPT EndpointIsolation Warning
    800 SCRIPT_PROTECTION_DETECTION_V1 ScriptProtection Informational
    801 SCRIPT_PROTECTION_QUARANTINE_V1 ScriptProtection Informational
    900 ENGINE_DETECTION_HANDLED BehavioralProtection Informational
    901 ENGINE_DETECTION_NOT_HANDLED BehavioralProtection Error
    902 ENGINE_DETECTION_AUDIT BehavioralProtection Informational
    903 ENGINE_DETECTION_NO_ACTION BehavioralProtection Informational
    904 ENGINE_CLEANUP_REQUIRED BehavioralProtection Informational
    1248 SCAN_COMPLETED_CLEAN_V1 Scan Informational
    1249 SCAN_COMPLETED_DIRTY_V1 Scan Informational
    1250 SCAN_FAILED_V1 Scan Error
    1300 DETECTION_V1 Detection Informational
    1310 QUARANTINE_SUCCESS_V1 Quarantine Informational
    1311 QUARANTINE_FAILED_V1 Quarantine Error
    1320 EXECUTION_BLOCK_V1 ExecutionBlock Informational
    1321 EXECUTION_BLOCK_BAD_PARENT_V1 ExecutionBlock Informational
    1700 WMI_RECON_V1 WMIRecon Informational

    Revision History

    Revision Publish Date Comments
    1.0
    18-Jul-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Sourav Kukreja
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products