Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

Cisco AMP Cloud V1

Cisco Advanced Malware Protection (AMP) for Endpoints is a lightweight connector that can use the public cloud or be deployed as a private cloud.

What is Discovered and Monitored

Protocol Information collected Used for
AMQP Global threat intelligence, advanced sand boxing, and real-time malware blocking. Intrusion protection system

 

Event Types

In RESOURCES > Event Types, enter "Cisco AMP" in the Search column to see the event types associated with this device.

Rules

No defined rules.

Reports

No defined reports.

Configure Cisco AMP Cloud V1

  1. Log in to the Cisco AMP for Endpoints Portal as an administrator.
  2. Click Accounts > API Credentials.

  3. In the API Credentials pane, click New API Credential.
  4. In the Application name field, enter a name, and then select Read & Write.

    Note: you must have Read & Write access to manage event streams on your Cisco AMP for Endpoints platform.

  5. Click Create.
  6. In the API Key Details section, make note of the values for the 3rd Party API Client ID and the API Key. You will need these values to manage queues.
  7. Click Management > Group
  8. In the Groups pane, click Create Group.
  9. Enter the group name and click Save.

  10. Enter the following curl command to get the group_guid of the group that is created in the previous step.

    curl -X GET -H 'accept: application/json' \

    -H 'content-type: application/json' --compressed \

    -H 'Accept-Encoding: gzip, deflate' \

    -u <CLIENTID:APIKEY>\

    'https://api.amp.cisco.com/v1/groups'

    where:

    • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
    • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
    • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
  11. Enter the following curl command to create a Cisco AMP event stream:

    curl -X POST -H 'accept: application/json' \

    -H 'content-type: application/json' --compressed \

    -H 'Accept-Encoding: gzip, deflate' \

    -d '{"name":"<STREAM_NAME>", "group_guid":["<GUID>"]}' \

    -u <CLIENTID:APIKEY> \

    'https://api.amp.cisco.com/v1/event_streams'

    where:

    • < STREAM_NAME > is the name of your choice for the event stream.
    • < GUID > is the group GUID that you want to use to link to the event stream in Step 10.
    • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
    • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
    • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
  12. Enter the following curl command to get a summary of the information you need to get a CloudAMP V1 credential in FortiSIEM:

    curl -X POST -H 'accept: application/json' \

    -H 'content-type: application/json' --compressed \

    -H 'Accept-Encoding: gzip, deflate' \

    -d '{"name":"meistream","group_guid":["34e483f4-85a8-412f-9997-07dd3f0c29ea"]}' \

    -u a54c0f4c589d72e0c73e:14713974-eb93-420b-ad76-6e13943f87d4 \

    'https://api.amp.cisco.com/v1/event_streams'

    {

    "version": "v1.2.0",

    "metadata": {

    "links": {

    "self": "https://api.amp.cisco.com/v1/event_streams"

    }

    },

    "data": {

    "id": 8849,

    "name": "meistream",

    "group_guids": [

    "34e483f4-85a8-412f-9997-07dd3f0c29ea"

    ],

    "amqp_credentials": {

    "user_name": "8849-a54c0f4c589d72e0c73e",

    "queue_name": "event_stream_8849",

    "password": "e3298163b3c57e5e4e11ea1b571e85cc2ac45b55",

    "host": "export-streaming.amp.cisco.com",

    "port": "443",

    "proto": "https"

    }

    }

    }

     

 

Configure ForitSIEM

  1. In Admin > Setup > Credentials, create a Cisco CloudAMP Credential.
  2. Click New and enter the following information:
    1. Set Device Type to Cisco AMP.
    2. Set Access Protocol to AMQP.
    3. Set Queue Name from queue-name in Step 12 in the previous section.
    4. Set User Name from user_name in Step 12 in the previous section.
    5. Set Password from password in Step 12 in the previous section.

  3. Click Save.
  4. Go to Admin > Setup > IP to Credential Mapping and create an association as follows.

    Click New and enter the following information:

    1. Set IP/Host Name to host in Step 12 in previous section.
    2. Choose Credential to the one created in Steps 1 to Step 3 in the previous section.
    3. Click Save.

  5. Go to Admin > Credentials, select the credential, and run Test Connectivity.
  6. If connectivity is successful, go to Admin > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled.

 

Sample Events

Events are in JSON format.

[CiscoAMP-Update-Policy-Failure]{"id":6723137944535695384,"timestamp":1565352535,"timestamp_nanoseconds":82000000,"date":"2019-08-09T12:08:55+00:00","event_type":"Policy Update Failure","event_type_id":2164260866,"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","group_guids":["3c025f05-a2c4-4613-9186-343365f53853"],"error":{"error_code":3242196993,"description":"Unknown Error"},"computer":{"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","hostname":"host1","external_ip":"1.2.3.4","active":true,"network_addresses":[{"ip":"1.2.3.5","mac":"00:21:97:1e:1c:05"}],"links":{"computer":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e","trajectory":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e/trajectory","group":"https://api.amp.cisco.com/v1/groups/3c025f05-a2c4-4613-9186-343365f53853"}}}

 

Cisco AMP Cloud V1

Cisco Advanced Malware Protection (AMP) for Endpoints is a lightweight connector that can use the public cloud or be deployed as a private cloud.

What is Discovered and Monitored

Protocol Information collected Used for
AMQP Global threat intelligence, advanced sand boxing, and real-time malware blocking. Intrusion protection system

 

Event Types

In RESOURCES > Event Types, enter "Cisco AMP" in the Search column to see the event types associated with this device.

Rules

No defined rules.

Reports

No defined reports.

Configure Cisco AMP Cloud V1

  1. Log in to the Cisco AMP for Endpoints Portal as an administrator.
  2. Click Accounts > API Credentials.

  3. In the API Credentials pane, click New API Credential.
  4. In the Application name field, enter a name, and then select Read & Write.

    Note: you must have Read & Write access to manage event streams on your Cisco AMP for Endpoints platform.

  5. Click Create.
  6. In the API Key Details section, make note of the values for the 3rd Party API Client ID and the API Key. You will need these values to manage queues.
  7. Click Management > Group
  8. In the Groups pane, click Create Group.
  9. Enter the group name and click Save.

  10. Enter the following curl command to get the group_guid of the group that is created in the previous step.

    curl -X GET -H 'accept: application/json' \

    -H 'content-type: application/json' --compressed \

    -H 'Accept-Encoding: gzip, deflate' \

    -u <CLIENTID:APIKEY>\

    'https://api.amp.cisco.com/v1/groups'

    where:

    • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
    • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
    • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
  11. Enter the following curl command to create a Cisco AMP event stream:

    curl -X POST -H 'accept: application/json' \

    -H 'content-type: application/json' --compressed \

    -H 'Accept-Encoding: gzip, deflate' \

    -d '{"name":"<STREAM_NAME>", "group_guid":["<GUID>"]}' \

    -u <CLIENTID:APIKEY> \

    'https://api.amp.cisco.com/v1/event_streams'

    where:

    • < STREAM_NAME > is the name of your choice for the event stream.
    • < GUID > is the group GUID that you want to use to link to the event stream in Step 10.
    • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
    • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
    • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
  12. Enter the following curl command to get a summary of the information you need to get a CloudAMP V1 credential in FortiSIEM:

    curl -X POST -H 'accept: application/json' \

    -H 'content-type: application/json' --compressed \

    -H 'Accept-Encoding: gzip, deflate' \

    -d '{"name":"meistream","group_guid":["34e483f4-85a8-412f-9997-07dd3f0c29ea"]}' \

    -u a54c0f4c589d72e0c73e:14713974-eb93-420b-ad76-6e13943f87d4 \

    'https://api.amp.cisco.com/v1/event_streams'

    {

    "version": "v1.2.0",

    "metadata": {

    "links": {

    "self": "https://api.amp.cisco.com/v1/event_streams"

    }

    },

    "data": {

    "id": 8849,

    "name": "meistream",

    "group_guids": [

    "34e483f4-85a8-412f-9997-07dd3f0c29ea"

    ],

    "amqp_credentials": {

    "user_name": "8849-a54c0f4c589d72e0c73e",

    "queue_name": "event_stream_8849",

    "password": "e3298163b3c57e5e4e11ea1b571e85cc2ac45b55",

    "host": "export-streaming.amp.cisco.com",

    "port": "443",

    "proto": "https"

    }

    }

    }

     

 

Configure ForitSIEM

  1. In Admin > Setup > Credentials, create a Cisco CloudAMP Credential.
  2. Click New and enter the following information:
    1. Set Device Type to Cisco AMP.
    2. Set Access Protocol to AMQP.
    3. Set Queue Name from queue-name in Step 12 in the previous section.
    4. Set User Name from user_name in Step 12 in the previous section.
    5. Set Password from password in Step 12 in the previous section.

  3. Click Save.
  4. Go to Admin > Setup > IP to Credential Mapping and create an association as follows.

    Click New and enter the following information:

    1. Set IP/Host Name to host in Step 12 in previous section.
    2. Choose Credential to the one created in Steps 1 to Step 3 in the previous section.
    3. Click Save.

  5. Go to Admin > Credentials, select the credential, and run Test Connectivity.
  6. If connectivity is successful, go to Admin > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled.

 

Sample Events

Events are in JSON format.

[CiscoAMP-Update-Policy-Failure]{"id":6723137944535695384,"timestamp":1565352535,"timestamp_nanoseconds":82000000,"date":"2019-08-09T12:08:55+00:00","event_type":"Policy Update Failure","event_type_id":2164260866,"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","group_guids":["3c025f05-a2c4-4613-9186-343365f53853"],"error":{"error_code":3242196993,"description":"Unknown Error"},"computer":{"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","hostname":"host1","external_ip":"1.2.3.4","active":true,"network_addresses":[{"ip":"1.2.3.5","mac":"00:21:97:1e:1c:05"}],"links":{"computer":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e","trajectory":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e/trajectory","group":"https://api.amp.cisco.com/v1/groups/3c025f05-a2c4-4613-9186-343365f53853"}}}