CiscoAMP
CiscoAMP, now Cisco Secure Endpoint, enables you to fetch event logs from a Cisco Advanced Malware Protection (AMP) for Endpoints deployment using the Cisco AMP for Endpoints API - Version 1.
Package Details
CiscoAMP Components:
- Fetcher
  - CiscoAMPFetcher
- Modularized Compiled Normalizer
  - CiscoAMPNormalizer
- Log Source Template
  - CiscoAMP
- Dashboard
  - LP_CISCO AMP Overview
Enhancements
Description | Issue ID | Reference ID
---|---|---
You can now configure CiscoAMP from Log Sources, which provides a centralized user interface for all log collection configuration. Compatibility is available with Director v2.6.0, currently available as Priority Access. Contact Support for access. | PLUG-11801 | -
Added the LP_CISCO AMP Overview dashboard. To learn more, go to LP_CISCO AMP Overview. | KB-24039 | -
Bug Fix
The following issue is fixed:
Description | Issue ID | Reference ID
---|---|---
The fields event_type, detection, app_path, hostname and external_ip were not correctly normalized by CiscoAMPNormalizer when a custom normalization package was used. | KB-16451 | 64882
CiscoAMP v5.2.0
Important Notice
If a CiscoAMP log has multiple values of the source_address and vulnerability fields, the application splits the log into multiple events. All the split events have normalized fields, but only one of them carries the raw log. You can use log_id to search for all the split events.
For example, the following log has two different source_address values: 10.0.1.193 and 192.168.192.237, so the application has split it into two events. To find all the split events, use the search query: "log_id" = 8655583428776078746.
Package Details
The application package consists of the following components:
- Fetcher
  - Cisco AMP Fetcher
- Compiled Normalizer
  - CiscoAMPNormalizer
Bug Fix
The following issue has been resolved:
- Users could not edit or delete the CiscoAMP fetcher configuration if the URL field had an ampersand (&) symbol.
Installation
LogPoint
Follow these steps to install the CiscoAMP v5.2.0 application in LogPoint:
- Download the CiscoAMP_5.2.0.zip file provided in the Download section above.
- Extract the zip file to obtain the CiscoAMP_5.2.0.pak file.
- Install the application by importing the pak file to LogPoint under Settings >> System >> Applications.
For more details, refer to the CiscoAMP Manual for LogPoint.
Director Console UI
Follow these steps to install the CiscoAMP v5.2.0 application in the Director Console UI:
- Download the CiscoAMP_5.2.0.zip file provided in the Download section above.
- Extract the zip file to obtain the CiscoAMP_5.2.0.pak file.
- Upload the CiscoAMP pak file to the Director Console from the Assets page.
- Select the LogPoints from the Install page.
- Review your changes on the Confirmation page and click Install.
For more details, refer to the CiscoAMP Manual for Director Console UI.
Director Console API
Follow these steps to install the CiscoAMP v5.2.0 application in the Director Console API:
- Download the CiscoAMP_5.2.0.zip file provided in the Download section above.
- Extract the zip file to obtain the CiscoAMP_5.2.0.pak file.
- Upload the CiscoAMP_5.2.0.pak file to the Fabric Storage by selecting Upload API.
- Install the plugin in the Fabric-enabled LogPoint by selecting Install API.
For more details, refer to the CiscoAMP Manual for Director Console API.
Verification
Use the following search query in LogPoint to access the logs fetched by the CiscoAMP application:
col_type = ciscoamp
Documentation
You can obtain the following CiscoAMP manuals from the LogPoint Documentation Portal:
Support
If you have any questions or require assistance, create a support ticket.