Cisco AMP for Endpoints

Cisco Advanced Malware Protection (AMP) for Endpoints is a malware and virus protection platform that you can use to protect your environment from intrusion, infected files, and malicious behavior. When you connect Cisco AMP to InsightIDR, your logs will parse out Advanced Malware and Virus infection events.

To connect Cisco AMP to InsightIDR:

1. Generate a Cisco AMP Client ID and API Key
2. Configure an InsightIDR Event Source

Generate a Client ID and API Key

You must generate an API key for third party access to connect with InsightIDR.

To do so:

1. In your Cisco AMP for Endpoints console, navigate to Accounts > API Credentials.
2. Click the New API Credential button.

3. Provide a name for your third party application, such as “InsightIDR.”
4. Select the Read-only option for the scope of the API key.
5. Click the Create button.

6. You will then see the 3rd Party API Client ID, and the API key. Copy these for later use in InsightIDR.

Regenerate an API Key

If you already have an API key, or you lose your existing API key, you can generate a new key to use for InsightIDR.

To do so:

1. In your Cisco AMP for Endpoints console, select Accounts > Business.

3. On the “Business” page, click the Edit button.
4. Next to the “3rd Party API Access” option, click the Regenerate button for an API key. You will see the following message:

5. Click the Confirm button.
6. You will then see the API Client ID and the API Key. Copy these for later use in InsightIDR.

To learn more, you can read about the Cisco AMP API from the following links:

• https://api-docs.amp.cisco.com/api_resources?api_host=api.amp.cisco.com&api_version=v1
• https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/201121-Overview-of-the-Cisco-AMP-for-Endpoints.html

Configure an Event Source

You can now configure a Cloud Service event source in InsightIDR with the API credentials from Cisco AMP.

To set up this event source in InsightIDR:

1. From your dashboard, select Data Collection on the left-hand menu.
2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
3. From the “Security Data” section, click the Cloud Services icon. The “Add Event Source” panel appears.
4. Select your collector and select Cisco AMP from the event source dropdown menu.
5. Enter the name of your event source.
6. Optionally choose to send unparsed logs.
7. Select your LDAP account attribution preference.
8. Select your API.
9. Select your Cisco AMP credentials, that contains your Client ID and API key, or optionally create a new credential.
10. Click Save.