Cisco AMP for Endpoints

Cisco Advanced Malware Protection (AMP) for Endpoints is a malware and virus protection platform that you can use to protect your environment from intrusion, infected files, and malicious behavior. When you connect Cisco AMP to InsightIDR, the logs it collects are parsed into Advanced Malware and Virus infection events.

To connect Cisco AMP to InsightIDR:

  1. Generate a Cisco AMP Client ID and API Key
  2. Configure an InsightIDR Event Source

Generate a Client ID and API Key

You must generate an API key for third-party access to connect with InsightIDR.

To do so:

  1. In your Cisco AMP for Endpoints console, navigate to Accounts > API Credentials.
  2. Click the New API Credential button.
  3. Provide a name for your third-party application, such as “InsightIDR.”
  4. Select the Read-only option for the scope of the API key.
  5. Click the Create button.
  6. You will then see the 3rd Party API Client ID and the API Key. Copy these for later use in InsightIDR.

Regenerate an API Key

If you already have an API key, or you lose your existing API key, you can generate a new key to use for InsightIDR.

To do so:

  1. In your Cisco AMP for Endpoints console, select Accounts > Business.
  2. On the “Business” page, click the Edit button.
  3. Next to the “3rd Party API Access” option, click the Regenerate button for an API key. You will see the following message:
  4. Click the Confirm button.
  5. You will then see the API Client ID and the API Key. Copy these for later use in InsightIDR.
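Before pasting a newly created or regenerated credential into InsightIDR, it is worth confirming that the Client ID and API Key pair is actually accepted by the Cisco AMP API, since a regenerated key silently invalidates the old one. The following pre-flight check is an added example, not code from Rapid7 or Cisco; it assumes the AMP public API's HTTP Basic authentication (Client ID as user name, API Key as password), the regional API hosts listed, and the `GET /v1/version` endpoint as a harmless read-only probe.

```python
"""Pre-flight check of a Cisco AMP for Endpoints API credential (added example).
Assumptions: HTTP Basic auth with client_id:api_key, regional base URLs below,
and GET /v1/version as a read-only probe endpoint."""
import base64
import json
import urllib.error
import urllib.request

# Regional AMP API hosts; use the one that matches the console the credential came from.
AMP_REGIONS = {
    "nam": "https://api.amp.cisco.com",
    "eu": "https://api.eu.amp.cisco.com",
    "apjc": "https://api.apjc.amp.cisco.com",
}


def basic_auth_header(client_id: str, api_key: str) -> str:
    """Authorization header value: 'Basic ' + base64(client_id:api_key)."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def build_request(client_id: str, api_key: str, region: str = "nam") -> urllib.request.Request:
    """Build the GET /v1/version probe with the credential attached."""
    req = urllib.request.Request(f"{AMP_REGIONS[region]}/v1/version", method="GET")
    req.add_header("Authorization", basic_auth_header(client_id, api_key))
    req.add_header("Accept", "application/json")
    return req


def interpret_status(status: int) -> str:
    """Turn the probe's HTTP status into an actionable verdict for the operator."""
    if status == 200:
        return "ok: credential accepted"
    if status == 401:
        return "rejected: wrong client ID or API key (or the key was regenerated)"
    if status == 403:
        return "forbidden: credential is not allowed to call this endpoint"
    if status == 429:
        return "rate limited: retry later"
    return f"unexpected HTTP {status}"


def check_credential(client_id, api_key, region="nam", opener=urllib.request.urlopen):
    """Send the probe; returns (verdict, api_version or None). opener is injectable for tests."""
    try:
        with opener(build_request(client_id, api_key, region), timeout=10) as resp:
            body = json.loads(resp.read().decode("utf-8"))
            return interpret_status(resp.status), body.get("version")
    except urllib.error.HTTPError as err:
        return interpret_status(err.code), None
```

Run `check_credential("<client id>", "<api key>", "eu")` with the values copied from the console; anything other than an "ok" verdict means the pair should not be saved as an InsightIDR credential yet.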

To learn more, you can read about the Cisco AMP API from the following links:

Configure an Event Source

You can now configure a Cloud Service event source in InsightIDR with the API credentials from Cisco AMP.

To do so:

  1. From your dashboard, select Data Collection on the left menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Cloud Service icon. The “Add Event Source” panel appears.
  4. Choose your collector and select Cisco AMP as your event source. You can also name your event source if you want.
  5. Optionally choose to send unfiltered logs.
  6. Select an existing credential that contains your Client ID and API key, or optionally create a new credential.
  7. Configure your default domain and any advanced settings.
  8. Click the Save button.