Fortinet black logo

External Systems Configuration Guide

Cisco AMP Cloud V0

Cisco AMP Cloud V0

What is Discovered and Monitored

Protocol Logs Collected Used For
CloudAMP API End point malware activity Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "Cisco FireAMP Cloud" in the Search column to see the event types associated with this device.

Configuration

Configure Cisco AMP Cloud V0
  1. Login in https://auth.amp.cisco.com/.
  2. Click Accounts-> API Credentials.

  3. Click New API Credential.

  4. Input Application name and click Create.

  5. Record the API Client ID and API key. You will need them in a later step.

Create Credentials in FortiSIEM
  1. Log in to the FortiSIEM Supervisor node.
  2. Go to ADMIN> Setup > Credentials.
  3. Click Add to create a new credential.
  4. Set Device Type to Cisco FireAMP Cloud.
  5. Set Password config to Manual.
  6. Set Client ID to CiscoAMP Client ID.
  7. Set Client Secret to CiscoAMP API Key.
  8. Click Save.

Test Connectivity and Event Pulling
  1. Log in to the FortiSIEM Supervisor node.
  2. Go to ADMIN> Setup > IP to Credential Mapping.
  3. Click Add to create a new mapping.
  4. For Name/IP/IP Range, enter api.amp.cisco.com.
  5. For Credentials use the credentials you created in Create FireAMP credentials in FortiSIEM.
  6. Click Save

  7. Go to Admin > Credentials, select the credential, and run Test Connectivity.

    The result is a success.

  8. Go to Admin > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled.

  9. Go to the Analytics page to see the events.

Sample Events

[FireAMP_Cloud_Threat_Detected]:[eventSeverity]=PHL_CRITICAL, [connectorGUID]=12345,[date]=2015-11- 25T19:17:39+00:00,[detection]=W32.DFC.MalParent, [detectionId]=6159251516445163587,[eventId]=6159251516445163587, [eventType]=Threat Detected,[eventTypeId]=1090519054, [fileDispostion]=Malicious,[fileName]=rjtsbks.exe, [fileSHA256]=3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370,

Cisco AMP Cloud V0

Cisco AMP Cloud V0

What is Discovered and Monitored

Protocol Logs Collected Used For
CloudAMP API End point malware activity Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "Cisco FireAMP Cloud" in the Search column to see the event types associated with this device.

Configuration

Configure Cisco AMP Cloud V0
  1. Login in https://auth.amp.cisco.com/.
  2. Click Accounts-> API Credentials.

  3. Click New API Credential.

  4. Input Application name and click Create.

  5. Record the API Client ID and API key. You will need them in a later step.

Create Credentials in FortiSIEM
  1. Log in to the FortiSIEM Supervisor node.
  2. Go to ADMIN> Setup > Credentials.
  3. Click Add to create a new credential.
  4. Set Device Type to Cisco FireAMP Cloud.
  5. Set Password config to Manual.
  6. Set Client ID to CiscoAMP Client ID.
  7. Set Client Secret to CiscoAMP API Key.
  8. Click Save.

Test Connectivity and Event Pulling
  1. Log in to the FortiSIEM Supervisor node.
  2. Go to ADMIN> Setup > IP to Credential Mapping.
  3. Click Add to create a new mapping.
  4. For Name/IP/IP Range, enter api.amp.cisco.com.
  5. For Credentials use the credentials you created in Create FireAMP credentials in FortiSIEM.
  6. Click Save

  7. Go to Admin > Credentials, select the credential, and run Test Connectivity.

    The result is a success.

  8. Go to Admin > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled.

  9. Go to the Analytics page to see the events.

Sample Events

[FireAMP_Cloud_Threat_Detected]:[eventSeverity]=PHL_CRITICAL, [connectorGUID]=12345,[date]=2015-11- 25T19:17:39+00:00,[detection]=W32.DFC.MalParent, [detectionId]=6159251516445163587,[eventId]=6159251516445163587, [eventType]=Threat Detected,[eventTypeId]=1090519054, [fileDispostion]=Malicious,[fileName]=rjtsbks.exe, [fileSHA256]=3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370,