Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.4.3 External Systems Configuration Guide
    6.4.3
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Cisco AMP Cloud V1

    Cisco AMP for Endpoints API V1 - Previously Cisco AMP Cloud V1

    Cisco Advanced Malware Protection (AMP) for Endpoints API V1 is a lightweight connector that can use the public cloud or be deployed as a private cloud, relying on AMQP Event Streams.

    What is Discovered and Monitored

    Protocol Information collected Used for
    AMQP Global threat intelligence, advanced sand boxing, and real-time malware blocking. Intrusion protection system

    Event Types

    In RESOURCES > Event Types, enter "Cisco AMP" in the Search field to see the event types associated with this device.

    Rules

    No defined rules.

    Reports

    No defined reports.

    Configuration

    Configure Cisco AMP Cloud V1
    1. Log in to the Cisco AMP for Endpoints Portal as an administrator.
    2. Click Accounts > API Credentials.

    3. In the API Credentials pane, click New API Credential.
    4. In the Application name field, enter a name, and then select Read & Write.

      Note: you must have Read & Write access to manage event streams on your Cisco AMP for Endpoints platform.

    5. Click Create.
    6. In the API Key Details section, make note of the values for the 3rd Party API Client ID and the API Key. You will need these values to manage queues.
    7. Click Management > Group.
    8. In the Groups pane, click Create Group.
    9. Enter the group name and click Save.

    10. Enter the following curl command to get the group_guid of the group that is created in the previous step.

      curl -X GET -H 'accept: application/json' \

      -H 'content-type: application/json' --compressed \

      -H 'Accept-Encoding: gzip, deflate' \

      -u <CLIENTID:APIKEY>\

      'https://api.amp.cisco.com/v1/groups'

      where:

      • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
      • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
      • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
    11. Enter the following curl command to create a Cisco AMP event stream:

      curl -X POST -H 'accept: application/json' \

      -H 'content-type: application/json' --compressed \

      -H 'Accept-Encoding: gzip, deflate' \

      -d '{"name":"<STREAM_NAME>"}' \

      -u <CLIENTID:APIKEY> \

      'https://api.amp.cisco.com/v1/event_streams'

      where:

      • <STREAM_NAME> is the name of your choice for the event stream.
      • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
      • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
      • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
        Note: Only the event stream name is required. In the absence of event_type or group_guid, the stream will collect events from all groups and all event types.
    12. Enter the following curl command to get a summary of the information you need to get a CloudAMP V1 credential in FortiSIEM:

      curl -X POST -H 'accept: application/json' \

      -H 'content-type: application/json' --compressed \

      -H 'Accept-Encoding: gzip, deflate' \

      -d '{"name":"meistream","group_guid":["34e483f4-85a8-412f-9997-07dd3f0c29ea"]}' \

      -u a54c0f4c589d72e0c73e:14713974-eb93-420b-ad76-6e13943f87d4 \

      'https://api.amp.cisco.com/v1/event_streams'

      {

      "version": "v1.2.0",

      "metadata": {

      "links": {

      "self": "https://api.amp.cisco.com/v1/event_streams"

      }

      },

      "data": {

      "id": 8849,

      "name": "meistream",

      "group_guids": [

      "34e483f4-85a8-412f-9997-07dd3f0c29ea"

      ],

      "amqp_credentials": {

      "user_name": "8849-a54c0f4c589d72e0c73e",

      "queue_name": "event_stream_8849",

      "password": "e3298163b3c57e5e4e11ea1b571e85cc2ac45b55",

      "host": "export-streaming.amp.cisco.com",

      "port": "443",

      "proto": "https"

      }

      }

      }

    Define Cisco CloudAMP Credential in FortiSIEM

    Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

    1. Go to the ADMIN > Setup > Credentials tab.
    2. In Step 1: Enter Credentials, click New.
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box and click Save:

    1. Settings Description
      Name Enter a name for the credential, for example, "AMQP".
      Device Type Cisco AMP
      Access Protocol AMQP
      Queue Name Use the queue-name in Step 12 of the previous section.
      User Name Use the user_name in Step 12 of the previous section.

      Password

      Use the password in Step 12 of the previous section.
      Description Description of the device.

    • Create IP Range to Credential Association, Test Connectivity, and Event Pulling Check

    From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New to create your mapping.
      1. Enter the host in Step 12 of previous section into the IP/Host Name field.
      2. Select the name of the credential created in Define Cisco CloudAMP Credential in FortiSIEM from the Credentials drop-down list.
      3. Click Save.

    2. Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
    3. If connectivity is successful, go to ADMIN > Setup > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled.

    Sample Events

    Events are in JSON format.

    [CiscoAMP-Update-Policy-Failure]{"id":6723137944535695384,"timestamp":1565352535,"timestamp_nanoseconds":82000000,"date":"2019-08-09T12:08:55+00:00","event_type":"Policy Update Failure","event_type_id":2164260866,"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","group_guids":["3c025f05-a2c4-4613-9186-343365f53853"],"error":{"error_code":3242196993,"description":"Unknown Error"},"computer":{"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","hostname":"host1","external_ip":"1.2.3.4","active":true,"network_addresses":[{"ip":"1.2.3.5","mac":"00:21:97:1e:1c:05"}],"links":{"computer":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e","trajectory":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e/trajectory","group":"https://api.amp.cisco.com/v1/groups/3c025f05-a2c4-4613-9186-343365f53853"}}}

    Previous
    Next

    Cisco AMP Cloud V1

    Cisco AMP for Endpoints API V1 - Previously Cisco AMP Cloud V1

    Cisco Advanced Malware Protection (AMP) for Endpoints API V1 is a lightweight connector that can use the public cloud or be deployed as a private cloud, relying on AMQP Event Streams.

    What is Discovered and Monitored

    Protocol Information collected Used for
    AMQP Global threat intelligence, advanced sand boxing, and real-time malware blocking. Intrusion protection system

    Event Types

    In RESOURCES > Event Types, enter "Cisco AMP" in the Search field to see the event types associated with this device.

    Rules

    No defined rules.

    Reports

    No defined reports.

    Configuration

    Configure Cisco AMP Cloud V1
    1. Log in to the Cisco AMP for Endpoints Portal as an administrator.
    2. Click Accounts > API Credentials.

    3. In the API Credentials pane, click New API Credential.
    4. In the Application name field, enter a name, and then select Read & Write.

      Note: you must have Read & Write access to manage event streams on your Cisco AMP for Endpoints platform.

    5. Click Create.
    6. In the API Key Details section, make note of the values for the 3rd Party API Client ID and the API Key. You will need these values to manage queues.
    7. Click Management > Group.
    8. In the Groups pane, click Create Group.
    9. Enter the group name and click Save.

    10. Enter the following curl command to get the group_guid of the group that is created in the previous step.

      curl -X GET -H 'accept: application/json' \

      -H 'content-type: application/json' --compressed \

      -H 'Accept-Encoding: gzip, deflate' \

      -u <CLIENTID:APIKEY>\

      'https://api.amp.cisco.com/v1/groups'

      where:

      • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
      • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
      • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
    11. Enter the following curl command to create a Cisco AMP event stream:

      curl -X POST -H 'accept: application/json' \

      -H 'content-type: application/json' --compressed \

      -H 'Accept-Encoding: gzip, deflate' \

      -d '{"name":"<STREAM_NAME>"}' \

      -u <CLIENTID:APIKEY> \

      'https://api.amp.cisco.com/v1/event_streams'

      where:

      • <STREAM_NAME> is the name of your choice for the event stream.
      • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
      • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
      • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
        Note: Only the event stream name is required. In the absence of event_type or group_guid, the stream will collect events from all groups and all event types.
    12. Enter the following curl command to get a summary of the information you need to get a CloudAMP V1 credential in FortiSIEM:

      curl -X POST -H 'accept: application/json' \

      -H 'content-type: application/json' --compressed \

      -H 'Accept-Encoding: gzip, deflate' \

      -d '{"name":"meistream","group_guid":["34e483f4-85a8-412f-9997-07dd3f0c29ea"]}' \

      -u a54c0f4c589d72e0c73e:14713974-eb93-420b-ad76-6e13943f87d4 \

      'https://api.amp.cisco.com/v1/event_streams'

      {

      "version": "v1.2.0",

      "metadata": {

      "links": {

      "self": "https://api.amp.cisco.com/v1/event_streams"

      }

      },

      "data": {

      "id": 8849,

      "name": "meistream",

      "group_guids": [

      "34e483f4-85a8-412f-9997-07dd3f0c29ea"

      ],

      "amqp_credentials": {

      "user_name": "8849-a54c0f4c589d72e0c73e",

      "queue_name": "event_stream_8849",

      "password": "e3298163b3c57e5e4e11ea1b571e85cc2ac45b55",

      "host": "export-streaming.amp.cisco.com",

      "port": "443",

      "proto": "https"

      }

      }

      }

    Define Cisco CloudAMP Credential in FortiSIEM

    Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

    1. Go to the ADMIN > Setup > Credentials tab.
    2. In Step 1: Enter Credentials, click New.
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box and click Save:

    1. Settings Description
      Name Enter a name for the credential, for example, "AMQP".
      Device Type Cisco AMP
      Access Protocol AMQP
      Queue Name Use the queue-name in Step 12 of the previous section.
      User Name Use the user_name in Step 12 of the previous section.

      Password

      Use the password in Step 12 of the previous section.
      Description Description of the device.

    • Create IP Range to Credential Association, Test Connectivity, and Event Pulling Check

    From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New to create your mapping.
      1. Enter the host in Step 12 of previous section into the IP/Host Name field.
      2. Select the name of the credential created in Define Cisco CloudAMP Credential in FortiSIEM from the Credentials drop-down list.
      3. Click Save.

    2. Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
    3. If connectivity is successful, go to ADMIN > Setup > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled.

    Sample Events

    Events are in JSON format.

    [CiscoAMP-Update-Policy-Failure]{"id":6723137944535695384,"timestamp":1565352535,"timestamp_nanoseconds":82000000,"date":"2019-08-09T12:08:55+00:00","event_type":"Policy Update Failure","event_type_id":2164260866,"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","group_guids":["3c025f05-a2c4-4613-9186-343365f53853"],"error":{"error_code":3242196993,"description":"Unknown Error"},"computer":{"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","hostname":"host1","external_ip":"1.2.3.4","active":true,"network_addresses":[{"ip":"1.2.3.5","mac":"00:21:97:1e:1c:05"}],"links":{"computer":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e","trajectory":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e/trajectory","group":"https://api.amp.cisco.com/v1/groups/3c025f05-a2c4-4613-9186-343365f53853"}}}

    Previous
    Next