Cisco Secure Endpoint Playbook
This playbook is designed to provide you with use case education, customer requirements, and actions you'll need to take to help your customers navigate their Cisco product adoption.


How to coach for success with Cisco Secure Endpoint
Help your customers get started with the Endpoint Protection journey and learn how to tap into advanced features to further configure, customize, and secure their network.
To help customers achieve success with Endpoint Protection, you should follow a structured deployment process. This includes logging into the Secure Endpoint Console frequently, verifying license and connector details, and conducting initial lab testing. Deploy connectors to a Gold group for tuning before the main deployment. Regularly log into the console, enable key features like CLI Capture, and monitor for Indications of Compromise. Incorporate advanced security features, enable and utilize the console API, and transition connectors from audit to protect mode for enhanced security.
To help customers achieve success with the Endpoint Detection and Response journey, you can help by planning and reviewing the recommended deployment steps, verifying license and connector details, and conducting initial lab testing. Encourage customers to deploy connectors to a Gold group for tuning before the main deployment. Regularly log into the console, enable key features like Orbital and CLI Capture, and monitor for Indications of Compromise. Incorporate advanced security features, create API credentials for integrations, and transition connectors from audit to protect mode for enhanced security.
Customers are eligible for the Endpoint Protection journey when they have purchased:
Eligibility Rule | Hierarchy Component | Rule Description |
---|---|---|
Rule 1 | Licence | Secure Endpoint Essentials Tier |
Rule 2 | Licence | Security EA Choice AMP4EP Bundle, Security EA Choice AMP4EP, Security EA 2.0 ESSENTIALS AMP4EP, Security ELA 2.0 Suite4 AMP4EP, Security ELA 1.0 THGRD, Security ELA 1.0 5 Yr Virtual Suite, Security ELA 1.0 5 Yr Virtual Suite, Security ELA 1.0 by Customer, Security ELA 1.0 V6, Security ELA V%, Security ELA 1.0 V4.1, Security ELA 1.0 V4 |
Eligibility Scenarios |
---|
If Rule 1 or Rule 2 is TRUE, then your customer is ELIGIBLE |
Customers are eligible for the Endpoint Detection and Response journey when they have purchased:
Eligibility Rule | Hierarchy Component | Rule Description |
---|---|---|
Rule 1 | Licence | Secure Endpoint Advantage Tier, Secure Endpoint Premium Tier |
Rule 2 | Licence | Breach Protection Essentials, Breach Protection Advantage, UPTESS-BPTESS, UPTADV-BPTESS, UPTPRE-BPTESS, UPTESS-BPTADV, UPTADV-BPTADV, UPTPRE-BPTADV |
Eligibility Scenarios |
---|
If Rule 1 or Rule 2 is TRUE, then your customer is ELIGIBLE |
Guidance on helping your customer adopt the Endpoint Protection journey
In this stage, the customer will:
- Log into Secure Endpoint Console and accept the Terms of Service
- Verify license connector count
- Perform an initial lab deployment and endpoint functional testing
The customer will exit this stage when they have:
- Verified that the user has logged into the Secure Endpoint console and accepted the Terms of Service
- Verified telemetry to ensure it has begun to flow for the account
- Verified telemetry to ensure that this is not a private cloud customer
- Verified the licensed connector count, start and end date
- Deployed at least one connector for familiarization and/or lab testing
Tips for Partner:
Ensure your customer is:
- Logging into the Secure Endpoint console, so that telemetry begins to flow for the account and can be used to verify that this is not a private cloud customer.
- Verifying the license connector count, start and end date.
- Deploying at least one connector for familiarization and/or lab testing.
Resources: Getting started
Preheader: Everything you need for a successful deployment.
Trigger: This email is sent to customers who have activated and are ready to use the product.
Goal: Provide customers with the resources needed to log in to the console and to use Ask the Experts sessions and guided resources on the Cisco Community.
In this stage, the customer will:
- Deploy connectors to the gold group and prepare for main deployment
- Complete the gold group connector tuning
- Begin the main connector deployment
The customer will exit this stage when they have:
- Deployed a minimum of five connectors
- Updated policies with a creation date and are tuning as they deploy
- Deployed more than 5% of licenced connectors
Tips for Partner:
Ensure your customer is:
- An early adopter and has the minimum of five connectors.
- Tuning as they deploy more connectors.
Best practices
Preheader: Implement with these best practices for success.
Trigger: This email is sent to customers one week after the Getting started email.
Goal: Provide customers with implementation best practices such as deploying gold group connectors and preparing for main group deployment.
In this stage, the customer will:
- Log into the Endpoint Protection console at least one time a month
- Incorporate additional endpoint security detection and protection features into their deployment
- Enable and utilize the console API
- Continue connector deployment to secure endpoints
- Convert from audit mode to protect mode for connectors
The customer will exit this stage when they have:
- Logged in to the console at least once monthly
- Enabled base Endpoint protection features for applicable deployed connectors
- Verified that an API key is configured for at least one user account
- Deployed connectors based on the customer's license size, with the deployment increasing to a larger size
- Increased use of the protection block and network protection block features to more than 1% of the deployed connector count
Tips for Partner:
Ensure your customer is:
- Continuing to integrate EPP with Cisco and third-party applications
Core features
Preheader: Start with these Endpoint Protection configurations.
Trigger: This email is sent to customers two weeks after the resources email.
Goal: Provide customers with resources to get to know core features such as Tetra, Malicious Activity Protection (MAP) and Exploit Prevention.
In this stage, the customer will:
- Log into the product console at least one time a month
- Continue scaling the deployment
- Enable the CLI Capture feature
- Complete the main deployment
The customer will exit this stage when they have:
- Logged into console monthly
- Increased percentage of deployed connectors based on license count
- Enabled CLI capture feature within deployed policies
- Resolved compromises
- Continued to increase percentage of deployed connectors
- Converted more than 50% of deployed connectors from audit mode to protect mode
Tips for Partner:
Ensure your customer is:
- Enabling Command Line Visibility in all relevant policies, regularly reviewing activity for anomalies, and integrating with SIEM systems for advanced analysis. Focus on identifying and blocking suspicious behaviors while leveraging threat intelligence to detect known malicious commands effectively.
Enable these key features
Preheader: Scale and deploy with these best practices.
Trigger: This email is sent to customers two weeks after the Key Features email.
Goal: Provide customers with the resources needed to continue connector deployment, enable the CLI Capture feature, and create a custom event filter.
In this stage, the customer will:
- Log in to console monthly
- Increase percentage of deployed connectors based on license count
- Enable CLI capture feature within deployed policies
- Continue to increase percentage of deployed connectors
- Convert more than 50% of deployed connectors from audit mode to protect mode
The customer will exit this stage when they have:
- Logged into the product console at least one time a month
- Continued connector deployment to any remaining groups
- Completed the deployment
- Deployed at least 75% of connectors to protect mode
Tips for Partner:
Deployment Best Practices
- Group-based policies: Assign endpoints to appropriate groups and apply customized policies based on their roles, sensitivity, and risk level (e.g., different policies for servers, workstations, or high-risk users).
- Silent installation: Use silent installation options during mass deployment to reduce user disruptions and ensure a consistent configuration.
- Automated deployment tools: Leverage endpoint management tools like Microsoft SCCM, Intune, or scripts to deploy connectors across large environments efficiently.
- Connector updates: Always deploy the latest version of the connector to ensure access to new features, bug fixes, and up-to-date protection.
Top 3 recommendations
Preheader: Use these top 3 best practices.
Trigger: This email is sent to customers two weeks after the Enable these key features email.
Goal: Provide customers with resources to convert connectors from audit mode to protect mode, configure exclusions, and enable Tetra.
In this stage, the customer will:
- Log into console monthly
- Increase percentage of deployed connectors based on license count
- Complete connector conversion to protect mode for greater than 90% of deployed connectors
- Update policies to reflect security environment changes
- Schedule regular updates
The customer will exit this stage when they have:
- Logged into console monthly
- Increased the number of deployed connectors based on license count
- Converted more than 90% of connectors from audit mode to protect mode
- Continued to maintain configurations consistent with threat levels
Tips for Partner:
Ensure your customer is:
Advanced features
Preheader: Mature your Endpoint Protection posture.
Trigger: This email is sent to customers two weeks after Top 3 recommendations.
Goal: Provide customers with resources to complete connector deployment and maintain the latest version of Secure Endpoint.
Guidance on helping your customer adopt the Endpoint Detection and Response journey
In this stage, the customer will:
- Plan and review the Secure Endpoint recommended deployment process to document initial deployment configuration
- Log into Secure Endpoint Console and accept the Terms of Service
- Verify license connector count
- Set up the Secure Endpoint console and enable Two-factor authentication
- Perform initial lab deployment and endpoint functional testing
The customer will exit this stage when they have:
- Logged in to Secure Endpoint Console and accepted the Terms of Service.
- Verified license connector count is greater than zero.
- Performed initial lab deployment and endpoint functional testing.
Tips for Partner:
Ensure your customer is:
- Logging into the Secure Endpoint console, so that telemetry begins to flow for the account and can be used to verify that this is not a private cloud customer.
- Verifying the licensed connector count, start and end date.
- Deploying at least one connector for familiarization and/or lab testing.
Welcome resources
Preheader: Everything you need for a successful deployment.
Trigger: Customer receives this email when the customer's lifecycle stage = Onboard or Implement.
Goal: Provide customers with initial getting started resources to bookmark for their adoption
In this stage, the customer will:
- Determine Gold group policies by setting initial policies for File and Network Protection in Audit mode or better, and configuring a scheduled scan.
- Complete initial outbreak control, policy and group configurations for the Gold and Main deployments
- Deploy connectors to the Gold group and prepare for the main deployment
- Complete the Gold group connector tuning and begin the main connector deployment
The customer will exit this stage when they have:
- Deployed connectors to the gold group with Orbital enabled
- Completed the Gold group connector tuning
- Finished the main connector deployment
Tips for Partner:
Ensure your customer is:
- An early adopter and has the minimum of five connectors.
- Tuning as they deploy more connectors.
Best practices
Preheader: Implement these best practices.
Trigger: A customer will receive this email one week after the welcome resources email and if their lifecycle stage = Onboard or Implement.
Goal: Ensure a customer has deployed connectors to the gold group with Orbital enabled and completed the gold group connector tuning.
In this stage, the customer will:
- Log into the product console at least once a month
- Incorporate additional endpoint security detection and protection features into their deployment
- Enable the Orbital feature
The customer will exit this stage when they have:
- Incorporated additional endpoint security detection and protection features to their deployment.
- Enabled and utilized console API.
- Continued deployment of connectors to secure endpoints.
- Converted from audit to protect mode for connectors.
Tips for Partner:
Ensure your customer is:
- Enabling the Orbital feature. This is a key feature within Endpoint Detection and Response and is a business differentiator.
Core features
Preheader: Start with these Endpoint Detection and Response configurations.
Trigger: A customer will receive this email if their lifecycle stage = Use, Engage, Adopt or Optimize.
Goal: Provide customers with initial getting started resources to bookmark for their adoption.
In this stage, the customer will:
- Enable the CLI Capture feature within endpoint policies to support stronger detection.
- Update and deploy Outbreak Control policy configurations to include simple and advanced custom detections, applications allowed/blocked, network IP block lists, and the Isolation allow list.
- Create a custom event filter that provides security and performance indicators for all or specific groups.
The customer will exit this stage when they have:
- Enabled the Orbital feature.
- Enabled the CLI Capture feature.
- Monitored Indications of Compromise within the console dashboard.
Tips for Partner:
Ensure your customer is:
- Enabling the Orbital feature. This is a key feature within Endpoint Detection and Response and is a business differentiator.
- Reviewing the Secure Endpoint Orbital Cyber Capsule
Feature Focus
Preheader: Plan and deploy with these best practices.
Trigger: Customer will receive this email two weeks after the Core Features email.
Goal: Customer has enabled the CLI capture feature and continues to scale the deployment of their Endpoint Detection and Response.
In this stage, the customer will:
- Continue connector deployment to any remaining groups
- Review and then use the Threat Grid API for file analysis
- Increase the number of deployed connectors to a larger percentage based on license count
- Convert at least 75% of connectors to protect mode
The customer will exit this stage when they have:
- Verified that 75% of the deployed connectors are running in protect mode rather than audit mode.
- Increased the number of deployed connectors to a larger percentage based on license count.
- Logged into the console at least monthly, or used the API to interact with the console.
Top 3 Recommendations
Preheader: Use these top 3 best practices.
Trigger: Customer will receive this email two weeks after the Feature Focus email.
Goal: Customer has reviewed and then used the Threat Grid API for file analysis and converted connectors to protect mode.
In this stage, the customer will:
- Complete connector deployment if not completed earlier.
- Complete connector conversion to protect mode.
- Update policies to reflect security environment changes.
The customer will exit this stage when they have:
- Reviewed and then used the Threat Grid API for file analysis.
- Continued connector deployment to any remaining groups.
- Completed connector conversion to protect mode for greater than 90% of deployed connectors.
Tips for Partner:
Ensure your customer is:
Advanced Features
Preheader: Mature your Endpoint Detection and Response posture
Trigger: Customer will receive this email four weeks after the Top 3 Recommendations email.
Goal: Customer has reviewed and used the Threat Grid API and has continued connector deployments.