
CiscoAMP 

CiscoAMP, now Cisco Secure Endpoint, enables you to fetch event logs from a Cisco Advanced Malware Protection (AMP) for Endpoints deployment using the Cisco AMP for Endpoints API - Version 1.


Release Details
Version: 6.1.0
Release date: 30th October, 2024
Supported On: Logpoint v7.2.0 and later, Director Fabric v2.6.0, Director Console v2.6.0
Documentation:
CiscoAMP for Logpoint
CiscoAMP for Director Console UI
CiscoAMP for Director Console API
SHA 256: 71b3724ed0d49f40c20da5191a4b5ce15e5a008c465382e1fca71b9eaac6db26
Download


Package Details

CiscoAMP Components:
  1. Fetcher
    • CiscoAMPFetcher
  2. Modularized Compiled Normalizer
    • CiscoAMPNormalizer
  3. Log Source Template
    • CiscoAMP
  4. Dashboard
    • LP_CISCO AMP Overview

Enhancements

Description: You can now configure CiscoAMP from Log Sources, which provides a centralized user interface for all the configurations of log collection. Compatibility is available with Director v2.6.0, currently available as Priority Access. Contact Support for its access.
Issue ID: PLUG-11801
Reference ID: -

Description: Added the LP_CISCO AMP Overview dashboard. To learn more, go to LP_CISCO AMP Overview.
Issue ID: KB-24039
Reference ID: -

Bug Fix

The following issue is fixed:

Description: The fields event_type, detection, app_path, hostname and external_ip were not correctly normalized by CiscoAMPNormalizer when a custom normalization package was used.
Issue ID: KB-16451
Reference ID: 64882


CiscoAMP v5.2.0

Version: 5.2.0
Release date: 2021-01-20
SHA 256: 134023a13eb89321233bab519635a5455a1206e3324f334d50012ae95ed52daa
Supported on: Logpoint v7.0.0 and later
Download: CiscoAMP_5.2.0.pak

Important Notice

If a CiscoAMP log has multiple values of the source_address and vulnerability fields, the application splits the log into multiple events. All the split events have normalized fields but only one of them has the raw log. You can use log_id to search for all the split events.

For example, the following log has two different source_address values: 10.0.1.193 and 192.168.192.237. The application has therefore split the log into two different events. To find all the split events, use the search query: "log_id" = 8655583428776078746.
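The split behaviour described above, as an added Python illustration that is not Logpoint's or Cisco's own code: it expands one constructed Cisco AMP event with two network addresses into one event per source_address, keeps the raw log on only the first, and recovers all pieces through the shared log_id. The event layout (computer.network_addresses), the reuse of the AMP event id as log_id, the hostname and the external IP are assumptions for the example.

```python
import json
from typing import Optional

# Constructed sample in the shape of a Cisco AMP for Endpoints API v1 event
# (assumed layout, not taken from the article): one log carrying the two
# source addresses used in the article's example.
RAW_LOG = json.dumps({
    "id": 8655583428776078746,
    "event_type": "Threat Detected",
    "computer": {
        "hostname": "ws-finance-07",            # hypothetical host
        "external_ip": "203.0.113.10",          # documentation-range address
        "network_addresses": [
            {"ip": "10.0.1.193", "mac": "00:11:22:33:44:55"},
            {"ip": "192.168.192.237", "mac": "00:11:22:33:44:66"},
        ],
    },
})


def split_event(raw_log: str) -> list:
    """Expand one multi-address log into one event per source_address.
    Every event carries the normalized fields and the shared log_id; only
    the first keeps the raw log, mirroring the notice above."""
    src = json.loads(raw_log)
    comp = src.get("computer", {})
    # A log with no address list still yields exactly one event.
    addrs = [a["ip"] for a in comp.get("network_addresses", [])] or [None]
    events = []
    for i, ip in enumerate(addrs):
        events.append({
            "log_id": src["id"],          # assumed: AMP event id reused as log_id
            "col_type": "ciscoamp",
            "event_type": src.get("event_type"),
            "hostname": comp.get("hostname"),
            "external_ip": comp.get("external_ip"),
            "source_address": ip,
            "raw_log": raw_log if i == 0 else None,
        })
    return events


def search_by_log_id(events: list, log_id: int) -> list:
    """Equivalent of the query "log_id" = <id>: returns every split piece
    of the original log, including those without a raw log."""
    return [e for e in events if e["log_id"] == log_id]


def raw_log_for(events: list, log_id: int) -> Optional[str]:
    """Recover the single raw log kept on one of the split events."""
    pieces = search_by_log_id(events, log_id)
    return next((e["raw_log"] for e in pieces if e["raw_log"]), None)
```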



Package Details

The application package consists of the following components:

  1. Fetcher
    • Cisco AMP Fetcher 
  2. Compiled Normalizer
    • CiscoAMPNormalizer 

Bug Fix

The following issue has been resolved:

  • Users could not edit or delete the CiscoAMP fetcher configuration if the URL field had an ampersand (&) symbol. 

Installation

LogPoint

Follow these steps to install the CiscoAMP v5.2.0 application in LogPoint:

  1. Download the CiscoAMP_5.2.0.zip file provided in the Download section above. 
  2. Extract the zip file to obtain the CiscoAMP_5.2.0.pak file.  
  3. Install the application by importing the pak file to LogPoint under Settings >> System >> Applications.

For more details, refer to the CiscoAMP Manual for LogPoint.

Director Console UI

Follow these steps to install the CiscoAMP v5.2.0 application in the Director Console UI:

  1. Download the CiscoAMP_5.2.0.zip file provided in the Download section above. 
  2. Extract the zip file to obtain the CiscoAMP_5.2.0.pak file.
  3. Upload the CiscoAMP pak file to the Director Console from the Assets page.
  4. Select the LogPoints from the Install page.
  5. Review your changes on the Confirmation page and click Install.

For more details, refer to the CiscoAMP Manual for Director Console UI.

Director Console API

Follow these steps to install the CiscoAMP v5.2.0 application in the Director Console API:

  1. Download the CiscoAMP_5.2.0.zip file provided in the Download section above. 
  2. Extract the zip file to obtain the CiscoAMP_5.2.0.pak file.
  3. Upload the CiscoAMP_5.2.0.pak file to the Fabric Storage by selecting Upload API.
  4. Install the plugin in the Fabric-enabled LogPoint by selecting Install API.

For more details, refer to the CiscoAMP Manual for Director Console API.

Verification

Use the following search query in LogPoint to access the logs fetched by the CiscoAMP application:

col_type = ciscoamp


Documentation

You can obtain the following CiscoAMP manuals from the LogPoint Documentation Portal:

  1. CiscoAMP for LogPoint
  2. CiscoAMP for Director Console API
  3. CiscoAMP for Director Console UI

Support

If you have any questions or require assistance, create a support ticket.
