Identify Detection Engine in Secure Endpoint Console

Available Languages

Download Options

  • PDF     (354.1 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (446.1 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (299.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:March 18, 2025
Document ID:222850

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to identify the engine responsible for a specific detection in the Secure Endpoint console.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Secure Endpoint console

    Components Used

    The information in this document is based on these software versions:

    • Secure Endpoint Console v5.4.2025030619

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Problem

    Identifying the correct engine responsible for a specific detection is one of the initial steps in understanding the nature of the event and effectively triaging it.

    Solution

    1. Navigate to the Events page in your AMP console to find the event you wish to investigate further.
    2. Click the highlighted icon to open Device Trajectory.Device Trajectory IconDevice Trajectory Icon
    3. You can view the event details to the right under Activity Details.Event Details in Device TrajectoryEvent Details in Device Trajectory
    4. Scroll to the bottom to locate the Detected by section.Detected By SectionDetected By Section
    tip-icon

    Tip: Understanding this information is essential for assessing the nature of the threat and swiftly determining the appropriate exclusion to configure. Additionally, providing these details when submitting a case to TAC for False Positive investigations can help expedite the process.

    If you are unable to view the Detected By section or for any further assistance, contact TAC.

    Revision History

    Revision Publish Date Comments
    1.0
    18-Mar-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Aishwarya G
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products