Integrate Cisco AMP EventTracker v9.x and above Publication Date: June 8, 2018



Abstract

This guide provides instructions to configure Cisco AMP to send its logs to EventTracker Enterprise.

Scope

The configurations detailed in this guide are consistent with EventTracker Enterprise version v9.x or above and Cisco AMP for Endpoints.

Audience

Administrators who are assigned the task of monitoring Cisco AMP events using EventTracker.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2018 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

Abstract 1
Scope 1
Audience 1
Overview 3
Prerequisites 3
Integration of Cisco AMP with EventTracker manager 3
    Configuring Log Delivery 3
EventTracker Knowledge Pack 6
    Alerts 7
    Flex Reports 7
    Categories 13
    Knowledge Objects 14
Import Cisco AMP knowledge pack into EventTracker 14
    Alerts 15
    Category 16
    Knowledge Objects 18
    Flex Reports 19
Verify Cisco AMP knowledge pack in EventTracker 21
    Alerts 21
    Categories 22
    Knowledge Objects 22
    Flex Reports 23


Overview

Cisco Advanced Malware Protection (AMP) for Endpoints is a cloud-managed endpoint security solution that provides the visibility, context and control to prevent cyber-attacks and to rapidly detect, contain, and remediate advanced threats.

EventTracker helps to monitor events from Cisco AMP. Its knowledge objects and flex reports help you analyze scanning details, threat detection and quarantine details, vulnerable application details, and suspicious and system activities.

Prerequisites

EventTracker v9.x or above should be installed.

Cisco AMP for Endpoints should be configured for forwarding logs.

Integration of Cisco AMP with EventTracker manager

Configuring Log Delivery

To configure Cisco AMP, first generate a Client ID and API Key:

1. Log into https://console.amp.sourcefire.com (N.A.) or https://console.eu.amp.sourcefire.com (E.U.).

2. Go to the Business page from the Accounts dropdown menu.

3. Click on the 'Edit' button.

4. Under Features, click on the "Regenerate..." button beside "3rd Party API Access" to generate the Client ID and secure API Key.

5. Once you have the API Client ID and API Key, you can collect the logs as follows.

To configure a log collector for Cisco AMP:

1. Run "amp integration.ps1" with admin privileges.

2. Fill in the form with the API Client ID and API Key obtained in the previous steps.


Figure 1

3. Provide System Admin User Name and Password and click OK.

Figure 2

Figure 3


4. Once the script has executed successfully, it shows a message box.

5. In the Task Scheduler window, check that the Cisco AMP task has been created under the Task Scheduler Library.

Figure 4

To verify the Direct Log Archiver (DLA) configuration:

Go to Manager under the Admin dropdown menu in the EventTracker web console.


Figure 5

Under the Direct Log Archiver tab, check for the configuration name "Cisco AMP" and click the "Save" button to save the configuration.

Figure 6

EventTracker Knowledge Pack

Once logs are received by the EventTracker manager, knowledge packs can be configured in EventTracker.

The following Knowledge Packs are available in EventTracker Enterprise to support Cisco AMP.


Alerts

Cisco AMP- Scan Completed with Detections - This alert is generated when any threat is detected while scanning.

Cisco AMP- Suspicious Activity Detected - This alert is generated when any suspicious activity, such as an application launching a shell or a suspicious connection being detected, occurs.

Cisco AMP- Threat Detected - This alert is generated when any threat is detected or malware is executed.

Flex Reports

Cisco AMP - Scan detail - This report gives information about all the scan details, such as scan started and scan completed, along with threat detections and scan failures.

Figure 7


Sample logs:

Figure 8

Cisco AMP - Threat detected and quarantine details - This report gives information about all the threats detected, quarantined threats, failed quarantines and malware executed.

Figure 9


Sample logs

Figure 10

Cisco AMP - Vulnerable application and fault detected - This report gives information about all the vulnerable applications detected at the endpoints, along with details of critical faults raised or cleared.

Figure 11


Sample logs

Figure 12

Cisco AMP - Suspicious activity detected - This report gives information about all the suspicious activities, such as an application launching a shell or a suspicious connection being detected.

Figure 13


Sample Log

Figure 14

Cisco AMP - File activity - This report gives information about all the file activity details, such as remote file fetch requested and request failed activity.

Figure 15


Sample Log

Figure 16

Cisco AMP - System activity - This report gives information about all the system and policy update, create and delete details.

Figure 17


Sample Logs

Figure 18

Categories

Cisco AMP- Scan Detail - This category provides information about all the scan details, such as scan started and scan completed, along with threat detections and scan failures.

Cisco AMP- Threat Detected and Quarantine Details - This category provides information about all the threats detected, quarantined threats, failed quarantines and malware executed.

Cisco AMP- Vulnerable Application and Fault Detected - This category provides information about all the vulnerable applications detected at the endpoints, along with details of critical faults raised or cleared.

Cisco AMP- Suspicious Activity Detected - This category provides information about all the suspicious activities, such as an application launching a shell or a suspicious connection being detected.

Cisco AMP- System Activity - This category provides information about all the system and policy update, create and delete details.


Cisco AMP- File Activity - This category provides information about all the file activity details, such as remote file fetch requested and request failed activity.

Knowledge Objects

Cisco AMP- Scan Detail - This knowledge object helps analyze logs related to scan started and scan completed, along with threat detections and scan failures.

Cisco AMP- Threat Detected and Quarantine Details - This knowledge object helps analyze logs related to threats detected, quarantined threats, failed quarantines and malware executed.

Cisco AMP- Vulnerable Application and Fault Detected - This knowledge object helps analyze logs related to vulnerable applications detected at the endpoints and critical faults raised or cleared.

Cisco AMP- Suspicious Activity Detected - This knowledge object helps analyze logs related to suspicious activities, such as an application launching a shell or a suspicious connection being detected.

Cisco AMP- System Activity - This knowledge object helps analyze logs related to system and policy update, create and delete details.

Cisco AMP- File Activity - This knowledge object helps analyze logs related to remote file fetch requested and request failed activity.
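The category and knowledge object descriptions above group Cisco AMP events by the kind of activity they describe. As an added example (not the knowledge pack's own parsing rules), the following Python maps event types onto those six categories and the guide's three alerts using the phrases from the descriptions; the event records and their field names (hostname, event_type) are constructed assumptions, not the Cisco AMP API schema.

```python
"""Map Cisco AMP event types onto the knowledge-pack categories and alerts
this guide names. Added example, not the pack's own parsing rules; records
are constructed and their field names are assumptions, not the AMP schema."""

# Category -> phrases from this guide's category descriptions. Checked in
# order, first match wins, so "Scan Completed With Detections" is Scan Detail.
CATEGORY_RULES = [
    ("Cisco AMP- Scan Detail", ("scan started", "scan completed", "scan failed")),
    ("Cisco AMP- Threat Detected and Quarantine Details",
     ("threat detected", "threat quarantined", "quarantine failed", "malware executed")),
    ("Cisco AMP- Vulnerable Application and Fault Detected",
     ("vulnerable application", "fault raised", "fault cleared")),
    ("Cisco AMP- Suspicious Activity Detected", ("launched a shell", "suspicious connection")),
    ("Cisco AMP- System Activity", ("policy update", "policy created", "policy deleted")),
    ("Cisco AMP- File Activity", ("file fetch",)),
]


def categorize(event_type):
    """Return the knowledge-pack category for an event type, or None."""
    text = event_type.lower()
    for category, phrases in CATEGORY_RULES:
        if any(phrase in text for phrase in phrases):
            return category
    return None


def alerts_for(event_type):
    """Return the guide's alerts that an event of this type would raise."""
    text = event_type.lower()
    category = categorize(event_type)
    fired = []
    # Scan Completed with Detections: a threat was found while scanning.
    if category == "Cisco AMP- Scan Detail" and "with detections" in text:
        fired.append("Cisco AMP- Scan Completed with Detections")
    # Threat Detected: any detection or malware execution.
    if "threat detected" in text or "malware executed" in text:
        fired.append("Cisco AMP- Threat Detected")
    # Suspicious Activity Detected: shell launches, suspicious connections.
    if category == "Cisco AMP- Suspicious Activity Detected":
        fired.append("Cisco AMP- Suspicious Activity Detected")
    return fired


def triage(events):
    """Group records by category; each row is (hostname, event_type, alerts)."""
    grouped = {}
    for event in events:
        category = categorize(event["event_type"]) or "Uncategorized"
        grouped.setdefault(category, []).append(
            (event["hostname"], event["event_type"], alerts_for(event["event_type"])))
    return grouped


# Constructed sample records modelled on the event kinds this guide lists.
SAMPLE_EVENTS = [
    {"hostname": "WS-01", "event_type": "Scan Completed With Detections"},
    {"hostname": "WS-02", "event_type": "Threat Detected"},
    {"hostname": "WS-02", "event_type": "Quarantine Failed"},
    {"hostname": "WS-03", "event_type": "Application Launched a Shell"},
    {"hostname": "WS-04", "event_type": "Vulnerable Application Detected"},
    {"hostname": "WS-05", "event_type": "Policy Update"},
    {"hostname": "WS-06", "event_type": "Heartbeat"},
]
```

Events that match no rule land in an "Uncategorized" group, which is the set worth reviewing when a new AMP event type appears that the knowledge pack does not yet cover.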

Import Cisco AMP knowledge pack into EventTracker

NOTE: Import knowledge pack items in the following sequence:

Alerts

Categories

Knowledge Objects

Parsing Rules

Flex Reports

1. Launch EventTracker Control Panel.

2. Double click Export Import Utility.


Figure 19

3. Click the Import tab.

Alerts

1. Click Category option, and then click the browse button.


Figure 20

2. Locate the Alert_Cisco AMP.isalt file, and then click the Open button.

3. To import categories, click the Import button.

EventTracker displays a success message.

Category

1. Click Category option, and then click the browse button.


Figure 21

2. Locate the Category_Cisco AMP.iscat file, and then click the Open button.

3. To import categories, click the Import button.

EventTracker displays a success message.

Figure 22

4. Click OK, and then click the Close button.


Knowledge Objects

1. Click Knowledge Objects under the Admin option in the EventTracker manager page.

2. Locate the file named KO_Cisco AMP.etko.

Figure 23

3. Now select all the check boxes, and then click on the 'Import' option.

Figure 24

4. Knowledge objects are now imported successfully.


Figure 25

Flex Reports

On the EventTracker Control Panel,

1. Click the Reports option, and select New (etcrx) from the options.

Figure 26

2. Locate the file named Reports_Cisco AMP.etcrx, and select all the check boxes.


Figure 27

3. Click the Import button to import the reports. EventTracker displays a success message.

Figure 28


Verify Cisco AMP knowledge pack in EventTracker

Alerts

1. Log on to EventTracker Enterprise.

2. Click the Admin menu, and then click Alerts.

Figure 29

3. In the Search box, type Cisco AMP, and then click the Go button.

The Alert Management page displays all the imported alerts.

Figure 30

4. To activate the imported alerts, select the respective checkbox in the Active column.

EventTracker displays a message box.


Figure 31

5. Click OK, and then click the Activate Now button.

NOTE: Please specify appropriate systems in alert configuration for better performance.

Categories

1. Log on to EventTracker Enterprise.

2. Click Admin dropdown, and then click Categories.

3. In the Category Tree, scroll down and expand the Cisco AMP group folder to view the imported categories.

Figure 32

Knowledge Objects

1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Knowledge Objects.


2. In the Knowledge Object tree, expand the Cisco AMP group folder to view the imported Knowledge Objects.

Figure 33

Flex Reports

1. In the EventTracker Enterprise web interface, click the Reports icon, and then select Report Configuration.

Figure 34

2. In the Reports Configuration pane, select the Defined option.

3. Click on the Cisco AMP group folder to view the imported Cisco AMP reports.


Figure 35