Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

Cisco AMP for Endpoints API V1 - Previously Cisco AMP Cloud V1

Cisco Advanced Malware Protection (AMP) for Endpoints API V1 is a lightweight connector that can use the public cloud or be deployed as a private cloud, relying on AMQP Event Streams.

What is Discovered and Monitored

Protocol Information collected Used for
AMQP Global threat intelligence, advanced sand boxing, and real-time malware blocking. Intrusion protection system

 

Event Types

In RESOURCES > Event Types, enter "Cisco AMP" in the Search field to see the event types associated with this device.

Rules

No defined rules.

Reports

No defined reports.

Configuration

Configure Cisco AMP Cloud V1
  1. Log in to the Cisco AMP for Endpoints Portal as an administrator.
  2. Click Accounts > API Credentials.

  3. In the API Credentials pane, click New API Credential.
  4. In the Application name field, enter a name, and then select Read & Write.

    Note: you must have Read & Write access to manage event streams on your Cisco AMP for Endpoints platform.

  5. Click Create.
  6. In the API Key Details section, make note of the values for the 3rd Party API Client ID and the API Key. You will need these values to manage queues.
  7. Click Management > Group.
  8. In the Groups pane, click Create Group.
  9. Enter the group name and click Save.

  10. Enter the following curl command to get the group_guid of the group that is created in the previous step.

    curl -X GET -H 'accept: application/json' \

    -H 'content-type: application/json' --compressed \

    -H 'Accept-Encoding: gzip, deflate' \

    -u <CLIENTID:APIKEY>\

    'https://api.amp.cisco.com/v1/groups'

    where:

    • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
    • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
    • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
  11. Enter the following curl command to create a Cisco AMP event stream:

    curl -X POST -H 'accept: application/json' \

    -H 'content-type: application/json' --compressed \

    -H 'Accept-Encoding: gzip, deflate' \

    -d '{"name":"<STREAM_NAME>"}' \

    -u <CLIENTID:APIKEY> \

    'https://api.amp.cisco.com/v1/event_streams'

    where:

    • <STREAM_NAME> is the name of your choice for the event stream.
    • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
    • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
    • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
      Note: Only the event stream name is required. In the absence of event_type or group_guid, the stream will collect events from all groups and all event types.
  12. Enter the following curl command to get a summary of the information you need to get a CloudAMP V1 credential in FortiSIEM:

    curl -X POST -H 'accept: application/json' \

    -H 'content-type: application/json' --compressed \

    -H 'Accept-Encoding: gzip, deflate' \

    -d '{"name":"meistream","group_guid":["34e483f4-85a8-412f-9997-07dd3f0c29ea"]}' \

    -u a54c0f4c589d72e0c73e:14713974-eb93-420b-ad76-6e13943f87d4 \

    'https://api.amp.cisco.com/v1/event_streams'

    {

    "version": "v1.2.0",

    "metadata": {

    "links": {

    "self": "https://api.amp.cisco.com/v1/event_streams"

    }

    },

    "data": {

    "id": 8849,

    "name": "meistream",

    "group_guids": [

    "34e483f4-85a8-412f-9997-07dd3f0c29ea"

    ],

    "amqp_credentials": {

    "user_name": "8849-a54c0f4c589d72e0c73e",

    "queue_name": "event_stream_8849",

    "password": "e3298163b3c57e5e4e11ea1b571e85cc2ac45b55",

    "host": "export-streaming.amp.cisco.com",

    "port": "443",

    "proto": "https"

    }

    }

    }

     

Define Cisco CloudAMP Credential in FortiSIEM

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New.
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
    1. Settings Description
      Name Enter a name for the credential, for example, "AMQP".
      Device Type Cisco AMP
      Access Protocol AMQP
      Queue Name Use the queue-name in Step 12 of the previous section.
      User Name Use the user_name in Step 12 of the previous section.

      Password

      Use the password in Step 12 of the previous section.

      Description Description of the device.
  • Create IP Range to Credential Association, Test Connectivity, and Event Pulling Check

    From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New to create your mapping.
      1. Enter the host in Step 12 of previous section into the IP/Host Name field.
      2. Select the name of the credential created in Define Cisco CloudAMP Credential in FortiSIEM from the Credentials drop-down list.
      3. Click Save.

    2. Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
    3. If connectivity is successful, go to ADMIN > Setup > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled.

     

    Sample Events

    Events are in JSON format.

    [CiscoAMP-Update-Policy-Failure]{"id":6723137944535695384,"timestamp":1565352535,"timestamp_nanoseconds":82000000,"date":"2019-08-09T12:08:55+00:00","event_type":"Policy Update Failure","event_type_id":2164260866,"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","group_guids":["3c025f05-a2c4-4613-9186-343365f53853"],"error":{"error_code":3242196993,"description":"Unknown Error"},"computer":{"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","hostname":"host1","external_ip":"1.2.3.4","active":true,"network_addresses":[{"ip":"1.2.3.5","mac":"00:21:97:1e:1c:05"}],"links":{"computer":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e","trajectory":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e/trajectory","group":"https://api.amp.cisco.com/v1/groups/3c025f05-a2c4-4613-9186-343365f53853"}}}

     

    Cisco AMP for Endpoints API V1 - Previously Cisco AMP Cloud V1

    Cisco Advanced Malware Protection (AMP) for Endpoints API V1 is a lightweight connector that can use the public cloud or be deployed as a private cloud, relying on AMQP Event Streams.

    What is Discovered and Monitored

    Protocol Information collected Used for
    AMQP Global threat intelligence, advanced sand boxing, and real-time malware blocking. Intrusion protection system

     

    Event Types

    In RESOURCES > Event Types, enter "Cisco AMP" in the Search field to see the event types associated with this device.

    Rules

    No defined rules.

    Reports

    No defined reports.

    Configuration

    Configure Cisco AMP Cloud V1
    1. Log in to the Cisco AMP for Endpoints Portal as an administrator.
    2. Click Accounts > API Credentials.

    3. In the API Credentials pane, click New API Credential.
    4. In the Application name field, enter a name, and then select Read & Write.

      Note: you must have Read & Write access to manage event streams on your Cisco AMP for Endpoints platform.

    5. Click Create.
    6. In the API Key Details section, make note of the values for the 3rd Party API Client ID and the API Key. You will need these values to manage queues.
    7. Click Management > Group.
    8. In the Groups pane, click Create Group.
    9. Enter the group name and click Save.

    10. Enter the following curl command to get the group_guid of the group that is created in the previous step.

      curl -X GET -H 'accept: application/json' \

      -H 'content-type: application/json' --compressed \

      -H 'Accept-Encoding: gzip, deflate' \

      -u <CLIENTID:APIKEY>\

      'https://api.amp.cisco.com/v1/groups'

      where:

      • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
      • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
      • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
    11. Enter the following curl command to create a Cisco AMP event stream:

      curl -X POST -H 'accept: application/json' \

      -H 'content-type: application/json' --compressed \

      -H 'Accept-Encoding: gzip, deflate' \

      -d '{"name":"<STREAM_NAME>"}' \

      -u <CLIENTID:APIKEY> \

      'https://api.amp.cisco.com/v1/event_streams'

      where:

      • <STREAM_NAME> is the name of your choice for the event stream.
      • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
      • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
      • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
        Note: Only the event stream name is required. In the absence of event_type or group_guid, the stream will collect events from all groups and all event types.
    12. Enter the following curl command to get a summary of the information you need to get a CloudAMP V1 credential in FortiSIEM:

      curl -X POST -H 'accept: application/json' \

      -H 'content-type: application/json' --compressed \

      -H 'Accept-Encoding: gzip, deflate' \

      -d '{"name":"meistream","group_guid":["34e483f4-85a8-412f-9997-07dd3f0c29ea"]}' \

      -u a54c0f4c589d72e0c73e:14713974-eb93-420b-ad76-6e13943f87d4 \

      'https://api.amp.cisco.com/v1/event_streams'

      {

      "version": "v1.2.0",

      "metadata": {

      "links": {

      "self": "https://api.amp.cisco.com/v1/event_streams"

      }

      },

      "data": {

      "id": 8849,

      "name": "meistream",

      "group_guids": [

      "34e483f4-85a8-412f-9997-07dd3f0c29ea"

      ],

      "amqp_credentials": {

      "user_name": "8849-a54c0f4c589d72e0c73e",

      "queue_name": "event_stream_8849",

      "password": "e3298163b3c57e5e4e11ea1b571e85cc2ac45b55",

      "host": "export-streaming.amp.cisco.com",

      "port": "443",

      "proto": "https"

      }

      }

      }

       

    Define Cisco CloudAMP Credential in FortiSIEM

    Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

    1. Go to the ADMIN > Setup > Credentials tab.
    2. In Step 1: Enter Credentials, click New.
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box and click Save:
    1. Settings Description
      Name Enter a name for the credential, for example, "AMQP".
      Device Type Cisco AMP
      Access Protocol AMQP
      Queue Name Use the queue-name in Step 12 of the previous section.
      User Name Use the user_name in Step 12 of the previous section.

      Password

      Use the password in Step 12 of the previous section.

      Description Description of the device.
  • Create IP Range to Credential Association, Test Connectivity, and Event Pulling Check

    From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New to create your mapping.
      1. Enter the host in Step 12 of previous section into the IP/Host Name field.
      2. Select the name of the credential created in Define Cisco CloudAMP Credential in FortiSIEM from the Credentials drop-down list.
      3. Click Save.

    2. Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
    3. If connectivity is successful, go to ADMIN > Setup > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled.

     

    Sample Events

    Events are in JSON format.

    [CiscoAMP-Update-Policy-Failure]{"id":6723137944535695384,"timestamp":1565352535,"timestamp_nanoseconds":82000000,"date":"2019-08-09T12:08:55+00:00","event_type":"Policy Update Failure","event_type_id":2164260866,"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","group_guids":["3c025f05-a2c4-4613-9186-343365f53853"],"error":{"error_code":3242196993,"description":"Unknown Error"},"computer":{"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","hostname":"host1","external_ip":"1.2.3.4","active":true,"network_addresses":[{"ip":"1.2.3.5","mac":"00:21:97:1e:1c:05"}],"links":{"computer":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e","trajectory":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e/trajectory","group":"https://api.amp.cisco.com/v1/groups/3c025f05-a2c4-4613-9186-343365f53853"}}}