Integrate Cisco AMP EventTracker v9.x and above
Publication Date: June 8, 2018
1
Integrate Cisco AMP
Abstract
This guide provides instructions to configure Cisco AMP to send its logs to EventTracker Enterprise.
Scope
The configurations detailed in this guide are consistent with EventTracker Enterprise version v9.x or above
and Cisco AMP for Endpoints.
Audience
Administrators who are assigned the task of monitoring Cisco AMP events using EventTracker.
The information contained in this document represents the current view of EventTracker on the
issues discussed as of the date of publication. Because EventTracker must respond to changing
market conditions, it should not be interpreted to be a commitment on the part of EventTracker,
and EventTracker cannot guarantee the accuracy of any information presented after the date of
publication.
This document is for informational purposes only. EventTracker MAKES NO WARRANTIES,
EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, this paper may be freely distributed without permission from
EventTracker, if its content is unaltered, nothing is added to the content and credit to
EventTracker is provided.
EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from EventTracker, the furnishing of this document does not give you
any license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious.
No association with any real company, organization, product, person or event is intended or
should be inferred.
© 2018 EventTracker Security LLC. All rights reserved. The names of actual companies and
products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Abstract ............................................................................................................................................................. 1
Scope ................................................................................................................................................................. 1
Audience ............................................................................................................................................................ 1
Overview ................................................................................................................................................................ 3
Prerequisites .......................................................................................................................................................... 3
Integration of Cisco AMP with EventTracker manager ......................................................................................... 3
Configuring Log Delivery ................................................................................................................................... 3
EventTracker Knowledge Pack .............................................................................................................................. 6
Alerts ............................................................................................................................................................. 7
Flex Reports ................................................................................................................................................... 7
Categories .................................................................................................................................................... 13
Knowledge Objects ...................................................................................................................................... 14
Import Cisco AMP knowledge pack into EventTracker ....................................................................................... 14
Alerts ............................................................................................................................................................... 15
Category .......................................................................................................................................................... 16
Knowledge Objects .......................................................................................................................................... 18
Flex Reports ..................................................................................................................................................... 19
Verify Cisco AMP knowledge pack in EventTracker ............................................................................................ 21
Alerts ............................................................................................................................................................... 21
Categories ........................................................................................................................................................ 22
Knowledge Objects .......................................................................................................................................... 22
Flex Reports ..................................................................................................................................................... 23
Overview
Cisco Advanced Malware Protection (AMP) for Endpoints is a cloud-managed endpoint security solution that
provides the visibility, context and control to prevent cyber-attacks, and to rapidly detect, contain, and
remediate advanced threats.
EventTracker helps to monitor events from Cisco AMP. Its knowledge objects and flex reports help you
analyze scanning details, threat detection and quarantine details, vulnerable application details, and
suspicious and system activities.
Prerequisites
EventTracker v9.x or above should be installed.
Cisco AMP for Endpoints should be configured for forwarding logs.
Integration of Cisco AMP with EventTracker manager
Configuring Log Delivery
To configure Cisco AMP,
Generating the Client ID and API Key:
1. Log into https://console.amp.sourcefire.com (N.A.) or https://console.eu.amp.sourcefire.com (E.U.)
2. Go to the Business page from the Accounts dropdown menu.
3. Click the 'Edit' button.
4. Under Features, click the "Regenerate..." button beside "3rd Party API Access" to generate the Client
ID and secure API Key.
5. Once you have the API client ID and API key, you can collect the logs as follows:
To configure a log collector for Cisco AMP:
1. Run “amp integration.ps1” with administrator privileges.
2. Fill in the form with the API client ID and API key obtained in the previous steps.
Figure 1
3. Provide the System Admin user name and password and click OK.
Figure 2
Figure 3
4. Once the script has executed successfully, it shows a message box.
5. In the Task Scheduler window, check that the Cisco AMP task has been created under Task Scheduler Library.
Figure 4
To verify the Direct Log Archiver (DLA) configuration:
Go to Manager under the Admin dropdown menu in the EventTracker web console.
Figure 5
Under the Direct Log Archiver tab, check for the configuration name “Cisco AMP” and click the “Save” button to
save the configuration.
Figure 6
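As an added example (not the amp integration.ps1 script shipped with the knowledge pack, whose internals this guide does not describe), the PowerShell below pulls events from the AMP for Endpoints API with the client ID and API key generated in the steps above and writes them as one JSON line per event into a folder for DLA to archive; it is useful for checking that the credentials work before scheduling the collector. The API host, the /v1/events endpoint, the metadata.links.next paging field and the output folder are assumptions to check against the current Cisco API documentation and your DLA configuration.

```powershell
<#
  Added example for this guide; it is not the amp integration.ps1 script from the knowledge pack.
  Assumptions: AMP for Endpoints v1 REST API at api.amp.sourcefire.com (api.eu.amp.sourcefire.com
  for EU accounts), HTTP Basic auth with client_id:api_key, paging via metadata.links.next,
  and a placeholder DLA folder path.
#>
param(
    [Parameter(Mandatory = $true)][string]$ClientId,
    [Parameter(Mandatory = $true)][string]$ApiKey,
    [string]$ApiHost = 'api.amp.sourcefire.com',
    [string]$OutDir  = 'C:\EventTracker\DLA\CiscoAMP',  # placeholder: use the folder configured in DLA
    [int]$LookbackMinutes = 60
)

# Basic auth: base64("clientId:apiKey"), built from the values generated in the AMP console.
$pair    = '{0}:{1}' -f $ClientId, $ApiKey
$token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$headers = @{ Authorization = "Basic $token"; Accept = 'application/json' }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Pull only events newer than the previous run; the timestamp lives in a state file whose
# extension differs from the log files so DLA does not try to archive it.
$fmt       = "yyyy-MM-dd'T'HH:mm:ss'Z'"
$stateFile = Join-Path $OutDir 'last_run.state'
$since     = (Get-Date).ToUniversalTime().AddMinutes(-$LookbackMinutes).ToString($fmt)
if (Test-Path $stateFile) { $since = (Get-Content $stateFile -Raw).Trim() }
$runStart  = (Get-Date).ToUniversalTime().ToString($fmt)
$uri       = "https://$ApiHost/v1/events?start_date=$([uri]::EscapeDataString($since))&limit=500"

$outFile = Join-Path $OutDir ('cisco_amp_{0:yyyyMMdd}.log' -f (Get-Date))
$count   = 0
while ($uri) {
    $resp = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get -ErrorAction Stop
    foreach ($ev in $resp.data) {
        # One compact JSON object per line: DLA archives the file and the knowledge objects parse the fields.
        $ev | ConvertTo-Json -Compress -Depth 10 | Add-Content -Path $outFile -Encoding UTF8
        $count++
    }
    # Follow the server-supplied next link until no more pages remain.
    $uri = $resp.metadata.links.next
}

# Record the run start only after every page was written, so a failed run is retried from the same point.
Set-Content -Path $stateFile -Value $runStart
Write-Host "Wrote $count Cisco AMP events to $outFile"
```

Run it once by hand with the client ID and API key; an HTTP 401 from the first request means the credentials or the regional host are wrong, which is easier to see here than in a scheduled task's history.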
EventTracker Knowledge Pack
Once logs are received by the EventTracker manager, knowledge packs can be configured in EventTracker.
The following Knowledge Packs are available in EventTracker Enterprise to support Cisco AMP:
Alerts
Cisco AMP - Scan Completed with Detections – This alert is generated when any threat is detected during a
scan.
Cisco AMP - Suspicious Activity Detected – This alert is generated when any suspicious activity occurs, such as
an application launching a shell or a suspicious connection being detected.
Cisco AMP - Threat Detected – This alert is generated when any threat is detected or malware is
executed.
Flex Reports
Cisco AMP - Scan detail – This report gives information about all scan details, such as scan started and
scan completed, along with threat detections and scan failures.
Figure 7
Sample logs:
Figure 8
Cisco AMP - Threat detected and quarantine details – This report gives information about all threats
detected, quarantined threats, quarantine failures and malware executed.
Figure 9
Sample logs:
Figure 10
Cisco AMP - Vulnerable application and fault detected – This report gives information about all
vulnerable applications detected at the endpoints, along with details of critical faults raised or
cleared.
Figure 11
Sample logs:
Figure 12
Cisco AMP - Suspicious activity detected – This report gives information about all suspicious
activities, such as an application launching a shell or a suspicious connection being detected.
Figure 13
Sample logs:
Figure 14
Cisco AMP - File activity – This report gives information about all file activity details, such as
remote file fetch requested and request failed activities.
Figure 15
Sample logs:
Figure 16
Cisco AMP - System activity – This report gives information about all system and policy update,
create and delete details.
Figure 17
Sample logs:
Figure 18
Categories
Cisco AMP - Scan Detail – This category provides information about all scan details, such as scan
started and scan completed, along with threat detections and scan failures.
Cisco AMP - Threat Detected and Quarantine Details – This category provides information about all
threats detected, quarantined threats, quarantine failures and malware executed.
Cisco AMP - Vulnerable Application and Fault Detected – This category provides information about all
vulnerable applications detected at the endpoints, along with details of critical faults raised or
cleared.
Cisco AMP - Suspicious Activity Detected – This category provides information about all suspicious
activities, such as an application launching a shell or a suspicious connection being detected.
Cisco AMP - System Activity – This category provides information about all system and policy update,
create and delete details.
Cisco AMP - File Activity – This category provides information about all file activity details, such as
remote file fetch requested and request failed activities.
Knowledge Objects
Cisco AMP - Scan Detail – This knowledge object helps analyze logs related to scan started and scan
completed, along with threat detections and scan failures.
Cisco AMP - Threat Detected and Quarantine Details – This knowledge object helps analyze logs
related to threats detected, quarantined threats, quarantine failures and malware executed.
Cisco AMP - Vulnerable Application and Fault Detected – This knowledge object helps analyze
logs related to vulnerable applications detected at the endpoints and critical faults raised or
cleared.
Cisco AMP - Suspicious Activity Detected – This knowledge object helps analyze logs related to
suspicious activities, such as an application launching a shell or a suspicious connection being detected.
Cisco AMP - System Activity – This knowledge object helps analyze logs related to system
and policy update, create and delete details.
Cisco AMP - File Activity – This knowledge object helps analyze logs related to remote file
fetch requested and request failed activities.
Import Cisco AMP knowledge pack into EventTracker
NOTE: Import knowledge pack items in the following sequence:
Alerts
Categories
Knowledge Objects
Parsing Rules
Flex Reports
1. Launch EventTracker Control Panel.
2. Double click Export Import Utility.
Figure 19
3. Click the Import tab.
Alerts
1. Click Category option, and then click the browse button.
Figure 20
2. Locate the Alert_Cisco AMP.isalt file, and then click the Open button.
3. To import categories, click the Import button.
EventTracker displays a success message.
Category
1. Click Category option, and then click the browse button.
Figure 21
2. Locate the Category_Cisco AMP.iscat file, and then click the Open button.
3. To import categories, click the Import button.
EventTracker displays a success message.
Figure 22
4. Click OK, and then click the Close button.
Knowledge Objects
1. Click Knowledge Objects under the Admin option on the EventTracker manager page.
2. Locate the file named KO_Cisco AMP.etko.
Figure 23
3. Now select all the check boxes and then click the ‘Import’ option.
Figure 24
4. The knowledge objects are now imported successfully.
Figure 25
Flex Reports
On the EventTracker Control Panel,
1. Click the Reports option, and select New (etcrx) from the options.
Figure 26
2. Locate the file named Reports_Cisco AMP.etcrx, and select all the check boxes.
Figure 27
3. Click the Import button to import the reports. EventTracker displays a success message.
Figure 28
Verify Cisco AMP knowledge pack in EventTracker
Alerts
1. Log on to EventTracker Enterprise.
2. Click the Admin menu, and then click Alerts.
Figure 29
3. In the Search box, type Cisco AMP, and then click the Go button.
The Alert Management page displays all the imported alerts.
Figure 30
4. To activate the imported alerts, select the respective checkbox in the Active column.
EventTracker displays a message box.
Figure 31
5. Click OK, and then click the Activate Now button.
NOTE: Specify the appropriate systems in the alert configuration for better performance.
Categories
1. Log on to EventTracker Enterprise.
2. Click the Admin dropdown, and then click Categories.
3. In the Category Tree, scroll down and expand the Cisco AMP group folder to view the imported
categories.
Figure 32
Knowledge Objects
1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Knowledge
Objects.
2. In the Knowledge Object tree, expand the Cisco AMP group folder to view the imported knowledge
objects.
Figure 33
Flex Reports
1. In the EventTracker Enterprise web interface, click the Reports icon, and then select Report
Configuration.
Figure 34
2. In the Reports Configuration pane, select the Defined option.
3. Click the Cisco AMP group folder to view the imported Cisco AMP reports.
Figure 35