
Cisco AMP for Endpoints API Integration

To integrate Cisco AMP for Endpoints (now part of Cisco Secure Endpoint) with Elastic, follow these general steps:


Get Cisco AMP API Credentials

You need to enable API access from the Cisco Secure Endpoint console.

  • Log in to: https://console.amp.cisco.com

  • Go to Accounts > API Credentials

  • Click Create API Credential

  • Choose "Read & Write", or at minimum "Read-only" (read-only is sufficient for pulling events)

  • Save:

    • Client ID

    • API Key

These will be used to pull events from the AMP API.
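Before entering the Client ID and API Key into AQUILA it is worth confirming they actually work against the AMP API. The script below is an added example (not CyTech's or Elastic's code): it builds the HTTP Basic credential the AMP API v1 expects, pulls recent events, and flattens them into the fields an analyst looks at first, attaching the same tags the AQUILA log source uses. It assumes the North America API host `api.amp.cisco.com`; the EU and APJC clouds use different hosts. The sample response embedded at the bottom is constructed for offline use.

```python
import base64
import json
import urllib.request

API_BASE = "https://api.amp.cisco.com/v1"  # assumption: NA cloud; EU/APJC hosts differ
TAGS = ["cisco-secure_endpoint", "forwarded"]  # tags configured on the AQUILA log source


def basic_auth_header(client_id, api_key):
    """AMP API v1 uses HTTP Basic auth: Client ID as user, API Key as password."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return f"Basic {token}"


def fetch_events(client_id, api_key, limit=10):
    """Pull the most recent events; an HTTP 401 here means AQUILA will fail too."""
    req = urllib.request.Request(
        f"{API_BASE}/events?limit={limit}",
        headers={"Authorization": basic_auth_header(client_id, api_key),
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def normalize_events(payload):
    """Flatten the triage-relevant fields of each event and add the ingest tags."""
    records = []
    for ev in payload.get("data", []):
        computer = ev.get("computer", {})
        records.append({
            "@timestamp": ev.get("date"),
            "event_type": ev.get("event_type"),
            "detection": ev.get("detection"),
            "hostname": computer.get("hostname"),
            "sha256": ev.get("file", {}).get("identity", {}).get("sha256"),
            "tags": list(TAGS),
        })
    return records


# Constructed sample shaped like an AMP /v1/events response (not real telemetry).
SAMPLE = {
    "metadata": {"results": {"total": 1, "current_item_count": 1}},
    "data": [{
        "date": "2024-01-15T10:22:31+00:00",
        "event_type": "Threat Detected",
        "detection": "W32.Example.Constructed",
        "computer": {"hostname": "WS-EXAMPLE-01"},
        "file": {"identity": {"sha256": "0" * 64}},
    }],
}
```

Run `normalize_events(fetch_events(client_id, api_key))` with the saved credential to see live events; if the call returns 401 the credential is wrong or lacks read access.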


Integrate on AQUILA

1. Log in to CyTech - AQUILA. Choose Cyber Monitoring and click the small arrow icon to open the Cyber Monitoring Dashboard.


2. In the dashboard, choose Cyber Incident Management (SIEM and XDR).


3. In the top-left menu, click Cyber Incident Monitoring.


4. Navigate to Settings > Log Source > Search Bar > Add to Agent.


5. Choose your Log Collector.


6. In the integration settings, follow the instructions below.

  1. Click the drop-down arrow to display the contents. Make sure Collect logs from the Cisco Secure Endpoint API is Enabled.
  2. Click the other drop-down arrow to display the remaining fields needed for the integration. Enter the Client ID and the API Key.
  3. Scroll down, leave the other text fields at their default values and go to Tags. Click the Tags text field and add cisco-secure_endpoint and forwarded.
  4. Finally, click Next to install the log source integration.


7. Wait for the Successful window to display; this confirms that the integration completed.



If you need further assistance, kindly contact our support at support@cytechint.com for prompt assistance and guidance.