Cisco AMP for Endpoints

Cisco Advanced Malware Protection (AMP) for Endpoints is a malware and virus protection platform that you can use to protect your environment from intrusion, infected files, and malicious behavior. When you connect Cisco AMP to SIEM (InsightIDR), InsightIDR parses Advanced Malware and Virus infection events out of the collected logs.

To connect Cisco AMP to SIEM (InsightIDR):

  1. Generate a Cisco AMP Client ID and API Key
  2. Configure a SIEM (InsightIDR) Event Source

Generate a Client ID and API Key

You must generate an API key for third-party access to connect with SIEM (InsightIDR).

To generate an API key:

  1. In your Cisco AMP for Endpoints console, navigate to Accounts > API Credentials.
  2. Click New API Credential.
  3. Provide a name for your third-party application, such as “SIEM (InsightIDR)”.
  4. Select the Read-only option for the scope of the API key.
  5. Click Create.
  6. Securely record the API Client ID and the API key that appear after you have clicked Confirm. You will need these values to configure SIEM (InsightIDR) to collect data from the event source.

Regenerate an API Key

If you already have an API key, or you lose your existing API key, you can generate a new key to use for SIEM (InsightIDR).

To regenerate an API key:

  1. In your Cisco AMP for Endpoints console, select Accounts > Business.
  2. Click Edit.
  3. Next to the 3rd Party API Access option, click Regenerate to generate a new API key.
  4. Click Confirm on the review message that appears.
  5. Securely record the API Client ID and the API key that appear after you have clicked Create. You will need these values to configure SIEM (InsightIDR) to collect data from the event source.

To learn more about the Cisco AMP API, you can read the Cisco documentation on Secure Endpoint APIs and the Cisco AMP for Endpoints API.

Configure SIEM (InsightIDR) to collect data from the event source

You can now configure a Cloud Service event source in SIEM (InsightIDR) with the API credentials from Cisco AMP.

To configure the new event source in SIEM (InsightIDR):

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Cisco AMP in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Cisco AMP event source tile.
  4. Enter the name of your event source.
  5. Select your collector and select Cisco AMP from the event source dropdown menu.
  6. Under Connectivity Details, select the appropriate API endpoint domain from the dropdown depending on your region:
    • North America: api.amp.cisco.com
    • Asia Pacific, Japan and China: api.apjc.amp.cisco.com
    • Europe: api.eu.amp.cisco.com
  7. Select the Cisco AMP credentials that contain your Client ID and API key, or optionally create a new credential.
  8. Optionally, choose to send unparsed logs.
  9. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
  10. Click Save.
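The two Account Attribution preferences in step 9 differ only in which lookups run, and in what order, when an event's user string must be tied to a directory account. The following added example models that ordering so you can see why the fully qualified domain name option is safer when short names collide. It is illustrative code written for this page, not InsightIDR's implementation; the directory records, user IDs and observed strings are constructed for the example, and a lookup that matches more than one account is treated as unsuccessful (an assumption, since the page does not say how a collision is resolved).

```python
"""Illustrative model of the two Account Attribution strategies.

Added example, not InsightIDR code. Directory records and observed user
strings are constructed; the collision-handling rule (a lookup that hits
several accounts fails) is an assumption made for the example.
"""

from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence


@dataclass(frozen=True)
class DirectoryUser:
    user_id: str
    email: str
    short_name: str
    first_name: str
    last_name: str

    @property
    def full_name(self) -> str:
        return f"{self.first_name} {self.last_name}"


# Constructed sample directory. Two users share the short name "jsmith"
# so that the short-name collision case is visible.
DIRECTORY: List[DirectoryUser] = [
    DirectoryUser("u-100", "jsmith@myorg.example.com", "jsmith", "John", "Smith"),
    DirectoryUser("u-200", "jsmith@contractors.example.com", "jsmith", "Jane", "Smithers"),
    DirectoryUser("u-300", "alee@myorg.example.com", "alee", "Ana", "Lee"),
]


def _unique_match(candidates: Sequence[DirectoryUser]) -> Optional[str]:
    """A lookup succeeds only when exactly one account matches (assumption)."""
    return candidates[0].user_id if len(candidates) == 1 else None


def match_by_email(observed: str, directory: Sequence[DirectoryUser]) -> Optional[str]:
    key = observed.strip().lower()
    return _unique_match([u for u in directory if u.email.lower() == key])


def match_by_short_name(observed: str, directory: Sequence[DirectoryUser]) -> Optional[str]:
    key = observed.strip().lower()
    return _unique_match([u for u in directory if u.short_name.lower() == key])


def match_by_full_name(observed: str, directory: Sequence[DirectoryUser]) -> Optional[str]:
    # Collapse internal whitespace so "John  Smith" still compares equal.
    key = " ".join(observed.split()).lower()
    return _unique_match([u for u in directory if u.full_name.lower() == key])


Matcher = Callable[[str, Sequence[DirectoryUser]], Optional[str]]

# Lookup order for each preference, as described in the configuration step.
STRATEGIES: dict = {
    "short_name": (match_by_email, match_by_short_name, match_by_full_name),
    "fqdn": (match_by_email, match_by_full_name),
}


def attribute_account(observed: str, mode: str = "short_name",
                      directory: Sequence[DirectoryUser] = DIRECTORY) -> Optional[str]:
    """Run the matchers for the chosen preference in order; return the first user_id found."""
    matchers: Sequence[Matcher] = STRATEGIES[mode]
    for matcher in matchers:
        user_id = matcher(observed, directory)
        if user_id is not None:
            return user_id
    return None


if __name__ == "__main__":
    samples = ("jsmith@myorg.example.com", "jsmith", "alee", "John Smith", "nobody")
    for observed in samples:
        print(f"{observed!r:30} short_name -> {attribute_account(observed, 'short_name')!s:6} "
              f"fqdn -> {attribute_account(observed, 'fqdn')}")
```

Running the block shows the trade-off: with the short name preference, `alee` is attributed to `u-300`, but `jsmith` matches two accounts and is not attributed; with the fully qualified domain name preference, a bare short name is never used, so only the email address or the first and last name can attribute the event.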