Cisco AMP for Endpoints

Cisco Advanced Malware Protection (AMP) for Endpoints is a malware and virus protection platform that you can use to protect your environment from intrusion, infected files, and malicious behavior. When you connect Cisco AMP to InsightIDR, the collected logs are parsed into Advanced Malware and Virus Infection events.

To connect Cisco AMP to InsightIDR:

  1. Generate a Cisco AMP Client ID and API Key
  2. Configure an InsightIDR Event Source

Generate a Client ID and API Key

You must generate an API key for third-party access so that InsightIDR can connect to Cisco AMP.

To do so:

  1. In your Cisco AMP for Endpoints console, navigate to Accounts > API Credentials.
  2. Click the New API Credential button.
  3. Provide a name for your third-party application, such as “InsightIDR.”
  4. Select the Read-only option for the scope of the API key.
  5. Click the Create button.
  6. You will then see the 3rd Party API Client ID and the API key. Copy these for later use in InsightIDR.

Regenerate an API Key

If you already have an API key, or you lose your existing API key, you can generate a new key to use for InsightIDR.

To do so:

  1. In your Cisco AMP for Endpoints console, select Accounts > Business.
  2. On the “Business” page, click the Edit button.
  3. Next to the “3rd Party API Access” option, click the Regenerate button for an API key. You will see the following message:
  4. Click the Confirm button.
  5. You will then see the API Client ID and the API key. Copy these for later use in InsightIDR.

To learn more, you can read about the Cisco AMP API from the following links:

Configure InsightIDR to collect data from the event source

You can now configure a Cloud Service event source in InsightIDR with the API credentials from Cisco AMP.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Cisco AMP in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Cisco AMP event source tile.
  4. Select your collector and select Cisco AMP from the event source dropdown menu.
  5. Enter the name of your event source.
  6. Optionally choose to send unparsed logs.
  7. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
  8. Select your API.
  9. Select the Cisco AMP credential that contains your Client ID and API key, or optionally create a new credential.
  10. Click Save.
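Before storing a freshly generated credential in InsightIDR, it is worth confirming that the Client ID/API key pair actually authenticates with the read-only scope chosen above and that events are retrievable. The Python script below is an added example, not code from Rapid7 or Cisco; the regional API hosts, the HTTP Basic auth scheme, the /v1/version and /v1/events paths and the event JSON shape are assumptions drawn from the public AMP for Endpoints API rather than from this page, and the sample events page is constructed.

```python
import base64
import json
import os
import urllib.request

# Assumed regional API hosts (InsightIDR's "Select your API" step picks the region).
AMP_HOSTS = {"nam": "https://api.amp.cisco.com", "eu": "https://api.eu.amp.cisco.com",
             "apjc": "https://api.apjc.amp.cisco.com"}

# Constructed sample page of /v1/events (assumed response shape), used when no key is set.
SAMPLE_PAGE = {
    "metadata": {"links": {"self": "https://api.amp.cisco.com/v1/events?limit=3"}},
    "data": [{"event_type": "Threat Detected", "computer": {"hostname": "ws-101"}},
             {"event_type": "Threat Quarantined", "computer": {"hostname": "ws-101"}},
             {"event_type": "Threat Detected", "computer": {"hostname": "ws-207"}}],
}

def basic_auth_header(client_id: str, api_key: str) -> str:
    """AMP uses HTTP Basic auth: the 3rd Party API Client ID is the user, the API key the password."""
    return "Basic " + base64.b64encode(f"{client_id}:{api_key}".encode()).decode()

def summarize_events(page: dict, totals: dict = None) -> dict:
    """Tally one events page by type and by host into `totals`; 'next' holds the follow-on page URL."""
    totals = totals or {"by_type": {}, "by_host": {}}
    for ev in page.get("data", []):
        kind = ev.get("event_type", "unknown")
        host = ev.get("computer", {}).get("hostname", "unknown")
        totals["by_type"][kind] = totals["by_type"].get(kind, 0) + 1
        totals["by_host"][host] = totals["by_host"].get(host, 0) + 1
    totals["next"] = page.get("metadata", {}).get("links", {}).get("next")
    return totals

def amp_get(url: str, auth: str) -> dict:
    req = urllib.request.Request(url, headers={"Authorization": auth, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:   # a bad key surfaces as HTTPError 401
        return json.load(resp)

def check_credential(region: str, client_id: str, api_key: str) -> dict:
    """Confirm the read-only key authenticates, then page through events using only GET calls."""
    auth, base = basic_auth_header(client_id, api_key), AMP_HOSTS[region]
    amp_get(f"{base}/v1/version", auth)
    totals, url = None, f"{base}/v1/events?limit=500"
    while url:
        totals = summarize_events(amp_get(url, auth), totals)
        url = totals["next"]
    return totals

if __name__ == "__main__":   # secrets come from the environment, never from the script
    region, cid, key = (os.environ.get(k) for k in ("AMP_REGION", "AMP_CLIENT_ID", "AMP_API_KEY"))
    print(check_credential(region or "nam", cid, key) if key else summarize_events(SAMPLE_PAGE))
```

With AMP_CLIENT_ID and AMP_API_KEY exported, the script walks the live events feed; without them it tallies the constructed sample page so the parsing logic can be checked offline.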