CiscoAMP
The CiscoAMP application enables you to fetch event logs from a Cisco Advanced Malware Protection (AMP) for Endpoints deployment. It uses the Cisco AMP for Endpoints API - Version 1 to fetch the logs.
Important Notice
If a CiscoAMP log has multiple values for the source_address and vulnerability fields, the application splits the log into multiple events. All the split events carry the normalized fields, but only one of them carries the raw log. You can use log_id to search for all the split events.
For example, the following log has two different source_address values: 10.0.1.193 and 192.168.192.237. So, the application has split the log into two different events. To find all the split events, you can use the search query: "log_id" = 8655583428776078746.
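The splitting rule described above, as an added Python example that is not part of the application's own code: one normalized event whose multi-valued fields are expanded into one event per value, with the raw log kept on the first copy only and log_id preserved so the pieces can be found again. The raw-log field name (raw_log), the placeholder vulnerability values, and the Cartesian-product behaviour when both fields are multi-valued are assumptions of this example, not documented behaviour of the application.

```python
from itertools import product

# Constructed sample event using the addresses and log_id quoted on this page.
# The vulnerability value and the raw_log field name are placeholders.
SAMPLE_EVENT = {
    "log_id": 8655583428776078746,
    "col_type": "ciscoamp",
    "source_address": ["10.0.1.193", "192.168.192.237"],
    "vulnerability": "VULN-PLACEHOLDER-1",
    "raw_log": "<constructed raw log text>",
}

MULTI_VALUED_FIELDS = ("source_address", "vulnerability")


def split_event(event, multi_fields=MULTI_VALUED_FIELDS, raw_field="raw_log"):
    """Expand one event into one event per combination of multi-valued fields.

    Every copy keeps the normalized fields and log_id; only the first copy
    keeps the raw log, mirroring the notice above. When more than one field
    is multi-valued, the Cartesian product is emitted (an assumption here).
    """
    choices = []
    for field in multi_fields:
        value = event.get(field)
        if value is None:
            continue
        # Treat a scalar as a single-element list so the product is uniform.
        choices.append((field, value if isinstance(value, list) else [value]))
    if not choices:
        return [dict(event)]
    names = [field for field, _ in choices]
    pieces = []
    for index, combo in enumerate(product(*(vals for _, vals in choices))):
        piece = dict(event)               # shallow copy; list fields are replaced below
        piece.update(zip(names, combo))   # one scalar value per multi-valued field
        if index > 0:
            piece.pop(raw_field, None)    # raw log survives on the first piece only
        pieces.append(piece)
    return pieces


def find_split_events(events, log_id):
    """Equivalent of the search query "log_id" = <id>: all pieces of one log."""
    return [e for e in events if e.get("log_id") == log_id]
```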
Package Details
The application package consists of the following components:
- Fetcher: Cisco AMP Fetcher
- Compiled Normalizer: CiscoAMPNormalizer
Bug Fix
The following issue has been resolved:
- Users could not edit or delete the CiscoAMP fetcher configuration if the URL field had an ampersand (&) symbol.
Installation
LogPoint
Follow these steps to install the CiscoAMP v5.2.0 application in LogPoint:
- Download the CiscoAMP_5.2.0.zip file provided in the Download section above.
- Extract the zip file to obtain the CiscoAMP_5.2.0.pak file.
- Install the application by importing the pak file to LogPoint under Settings >> System >> Applications.
For more details, refer to the CiscoAMP Manual for LogPoint.
Director Console UI
Follow these steps to install the CiscoAMP v5.2.0 application in the Director Console UI:
- Download the CiscoAMP_5.2.0.zip file provided in the Download section above.
- Extract the zip file to obtain the CiscoAMP_5.2.0.pak file.
- Upload the CiscoAMP pak file to the Director Console from the Assets page.
- Select the LogPoints from the Install page.
- Review your changes on the Confirmation page and click Install.
For more details, refer to the CiscoAMP Manual for Director Console UI.
Director Console API
Follow these steps to install the CiscoAMP v5.2.0 application in the Director Console API:
- Download the CiscoAMP_5.2.0.zip file provided in the Download section above.
- Extract the zip file to obtain the CiscoAMP_5.2.0.pak file.
- Upload the CiscoAMP_5.2.0.pak file to the Fabric Storage by selecting Upload API.
- Install the plugin in the Fabric-enabled LogPoint by selecting Install API.
For more details, refer to the CiscoAMP Manual for Director Console API.
Verification
Use the following search query in LogPoint to access the logs fetched by the CiscoAMP application:
col_type = ciscoamp
Documentation
You can obtain the following CiscoAMP manuals from the LogPoint Documentation Portal:
Changes in the Previous Version
Bug Fixes
The following issues have been resolved:
- When the timestamp of a log had a future date in it, the application stopped fetching until that date.
- The application fetched some of the logs twice, causing log duplication.
Enhancement
A minor update has been made to the application's normalizer for better signature handling.
Installation
LogPoint
Follow these steps to install the CiscoAMP v3.2.0 application in LogPoint:
- Download the CiscoAMP_3.2.0.zip file provided in the Download section above.
- Extract the zip file to obtain the CiscoAMP_3.2.0.pak file.
- Install the application by importing the pak file to LogPoint under Settings >> System >> Applications.
For more details, refer to the CiscoAMP Manual for LogPoint.
Director Console UI
Follow these steps to install the CiscoAMP v3.2.0 application in the Director Console UI:
- Download the CiscoAMP_3.2.0.zip file provided in the Download section above.
- Extract the zip file to obtain the CiscoAMP_3.2.0.pak file.
- Upload the CiscoAMP pak file to Director Console from the Assets page.
- Select the LogPoints from the Install page.
- Review your changes on the Confirmation page and click Install.
For more details, refer to the CiscoAMP Manual for Director Console UI.
Director Console API
Follow these steps to install the CiscoAMP v3.2.0 application in the Director Console API:
- Download the CiscoAMP_3.2.0.zip file provided in the Download section above.
- Extract the zip file to obtain the CiscoAMP_3.2.0.pak file.
- Upload the CiscoAMP_3.2.0.pak file to the Fabric Storage using the Upload API.
- Install the plugin in the Fabric-enabled LogPoint using the Install API.
For more details, refer to the CiscoAMP Manual for Director Console API.
Verification
Use the following search query in LogPoint to access the logs fetched by the CiscoAMP application:
col_type = ciscoamp
Documentation
You can download the following CiscoAMP Manuals from the Download section above:
- For LogPoint users: CiscoAMP_3.2.0_LP.pdf
- For Director Console UI users: CiscoAMP_3.2.0_DCUI.pdf
- For Director Console API users: CiscoAMP_3.2.0_DCAPI.pdf
Support
If you have any queries or require assistance, please feel free to contact our support team:
Email: servicedesk@logpoint.com
Phone: +45 7060 6100