This document describes all event IDs for Cisco Secure Endpoint, aiding in effective monitoring and incident response.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Windows Event Logging
- Cisco Secure Endpoint
Components Used
The information in this document is based on these software versions:
- Cisco Secure Endpoint 8.4.0.30201
- Windows Server 2019
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem
Windows Event IDs for Cisco Secure Endpoint are essential for effective monitoring and troubleshooting. Having access to these Event IDs is critical for diagnosing issues, ensuring operational efficiency, and enhancing overall security.
Solution
Open File Explorer and navigate to the C:\Program Files\Cisco\AMP\<version_number>\AMPEvents.man file. You can open this file in Notepad to view all the information related to Windows events generated by Cisco Secure Endpoint.
Exported list of Event IDs from the AMPEvents.man file:
| Event ID | Event | Engine/Task | Level |
|---|---|---|---|
| 100 | EXPREV_ATTACK_WITHOUT_SUSPICIOUS_FILES_V1/V2/V3/V4 | ExploitPrevention | Informational |
| 101 | EXPREV_ATTACK_WITH_SUSPICIOUS_FILES_V1/V2/V3/V4 | ExploitPrevention | Informational |
| 102 | EXPREV_ATTACK_WITHOUT_SUSPICIOUS_FILES_V3/V4_AUDIT | ExploitPrevention | Informational |
| 103 | EXPREV_ATTACK_WITH_SUSPICIOUS_FILES_V3/V4_AUDIT | ExploitPrevention | Informational |
| 104 | EXPREV_SCRIPT_CONTROL_ATTACK_V4 | ExploitPrevention | Informational |
| 105 | EXPREV_SCRIPT_CONTROL_ATTACK_V4_AUDIT | ExploitPrevention | Informational |
| 200 | MALICIOUS_ACTIVITY_PROTECTION_V1/V2 | MaliciousActivityProtection | Informational |
| 300 | SD_BLOCK_PROCESS_ACTION_V1 | SystemProcessProtection | Informational |
| 400 | CCMS_JOB_STARTED_V1 | CCMS | Informational |
| 401 | JANUS_EVENT_V1 | | Informational |
| 500 | ENDPOINT_ISOLATION_STARTED_V1 | EndpointIsolation | Informational |
| 501 | ENDPOINT_ISOLATION_STOPPED_V1 | EndpointIsolation | Informational |
| 502 | ENDPOINT_ISOLATION_STARTFAILED_V1 | EndpointIsolation | Error |
| 503 | ENDPOINT_ISOLATION_STOPFAILED_V1 | EndpointIsolation | Error |
| 504 | ENDPOINT_ISOLATION_UPDATED_V1 | EndpointIsolation | Informational |
| 505 | ENDPOINT_ISOLATION_UPDATEFAILED_V1 | EndpointIsolation | Error |
| 600 | ORBITAL_INSTALL_SUCCESS_V1 | Orbital | Informational |
| 601 | ORBITAL_INSTALL_FAILED_V1 | Orbital | Error |
| 602 | ORBITAL_UPDATE_SUCCESS_V1 | Orbital | Informational |
| 603 | ORBITAL_UPDATE_FAILED_V1 | Orbital | Error |
| 700 | ENDPOINT_ISOLATION_BRUTE_FORCE_ATTEMPT | EndpointIsolation | Warning |
| 800 | SCRIPT_PROTECTION_DETECTION_V1 | ScriptProtection | Informational |
| 801 | SCRIPT_PROTECTION_QUARANTINE_V1 | ScriptProtection | Informational |
| 900 | ENGINE_DETECTION_HANDLED | BehavioralProtection | Informational |
| 901 | ENGINE_DETECTION_NOT_HANDLED | BehavioralProtection | Error |
| 902 | ENGINE_DETECTION_AUDIT | BehavioralProtection | Informational |
| 903 | ENGINE_DETECTION_NO_ACTION | BehavioralProtection | Informational |
| 904 | ENGINE_CLEANUP_REQUIRED | BehavioralProtection | Informational |
| 1248 | SCAN_COMPLETED_CLEAN_V1 | Scan | Informational |
| 1249 | SCAN_COMPLETED_DIRTY_V1 | Scan | Informational |
| 1250 | SCAN_FAILED_V1 | Scan | Error |
| 1300 | DETECTION_V1 | Detection | Informational |
| 1310 | QUARANTINE_SUCCESS_V1 | Quarantine | Informational |
| 1311 | QUARANTINE_FAILED_V1 | Quarantine | Error |
| 1320 | EXECUTION_BLOCK_V1 | ExecutionBlock | Informational |
| 1321 | EXECUTION_BLOCK_BAD_PARENT_V1 | ExecutionBlock | Informational |
| 1700 | WMI_RECON_V1 | WMIRecon | Informational |
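Opening AMPEvents.man in Notepad works for a one-off look, but for monitoring you usually want the same list in a form a script can use, and then the Windows event log queried for the IDs that matter. The following PowerShell script is an added example and is not part of the Cisco document or the Secure Endpoint product. It assumes that AMPEvents.man follows the standard Windows instrumentation manifest schema (a `<provider>` element containing `<events>/<event>` elements with `value`, `symbol`, `task` and `level` attributes), and it reads the event provider name from the manifest rather than hard-coding it, because the document does not state that name. The exact layout of the real file may differ; check it in Notepad first as the Solution section describes.

```powershell
# Added example (not from the Cisco document): list the event IDs registered in
# AMPEvents.man, then pull the Error/Warning level events from the Windows
# event log for triage. The manifest path uses a wildcard in place of the
# <version_number> folder from the document.
# Assumption: AMPEvents.man uses the standard Windows instrumentation manifest
# schema; the provider name is read from its <provider> element.

$manifest = Get-ChildItem -Path 'C:\Program Files\Cisco\AMP\*\AMPEvents.man' -ErrorAction Stop |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

[xml]$man = Get-Content -Path $manifest.FullName -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($man.NameTable)
$ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events')

$provider     = $man.SelectSingleNode('//e:provider', $ns)
$providerName = $provider.GetAttribute('name')

# Build an ID / symbol / task / level table from every <event> element.
# Levels in a manifest are written as win:Error, win:Warning, win:Informational;
# the prefix is stripped so they match the Level column of the document's table.
$events = foreach ($ev in $man.SelectNodes('//e:provider/e:events/e:event', $ns)) {
    [pscustomobject]@{
        Id     = [int]$ev.GetAttribute('value')
        Symbol = $ev.GetAttribute('symbol')
        Task   = $ev.GetAttribute('task')
        Level  = ($ev.GetAttribute('level') -replace '^win:', '')
    }
}
$events | Sort-Object Id | Format-Table -AutoSize

# The Error and Warning level IDs (in the document's table: 502, 503, 505, 601,
# 603, 700, 901, 1250 and 1311) are the ones that indicate a protection,
# isolation or scan action did not complete, so they are the ones to alert on.
$alertIds = @($events | Where-Object { $_.Level -in 'Error', 'Warning' } | ForEach-Object { $_.Id })

if ($alertIds.Count -gt 0) {
    $filter = @{
        ProviderName = $providerName
        Id           = $alertIds
        StartTime    = (Get-Date).AddDays(-7)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error rather than
    # returning nothing when no events match the filter.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt on the endpoint (the Program Files path and some event logs require administrator rights). The first table it prints should match the exported list above; the second shows the last seven days of Error and Warning events, which is the set a SOC would normally forward to a SIEM, while the Informational IDs (detections, quarantines, execution blocks) are better collected in bulk than alerted on individually.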