Flat File - Cisco AMP for Endpoints

Cisco Advanced Malware Protection (AMP) for Endpoints is a cloud-based software-as-a-service endpoint security solution. AMP connectors are deployed on Windows, Linux, and Mac endpoints. Events from the AMP connectors are forwarded to the cloud deployment and, optionally, to an on-prem Firepower Management Console (FMC) appliance.

Cisco AMP Application Programming Interface (API)

Cisco provides a REST-based API for AMP that allows you to pull data from an AMP for Endpoints deployment and manipulate it if necessary. The Cisco AMP API documentation can be found at https://api-docs.amp.cisco.com.

It is important to note that the API is location-based and varies depending on where your AMP instance resides. Currently, three regions exist: U.S., Asia Pacific/Japan/China (APJC), and Europe. The console and API hostnames for each region are listed under Configure the System Monitor Host.

There are also two versions of the API: v0 and v1. This guide uses v1.

Prerequisites

PowerShell

To use the provided collection script, you must be running PowerShell 3.

  • To check your PowerShell version, run:
    $PSVersionTable.PSVersion
  • The script provides proxy support based on the credentials of the user running the script.
  • The account running the script requires privileges to execute PowerShell scripts on the designated host. Any member of the Administrators group can run the following command to allow unsigned PowerShell scripts to run:
    set-executionpolicy remotesigned

Operating System

AMP for Endpoints is compatible with the following operating systems:

Microsoft

  • Windows 7
  • Windows 8, 8.1
  • Windows 10
  • Windows Server 2008 R2, 2012, 2012 R2, 2016

Linux

  • Red Hat Enterprise Linux or CentOS 6.x, 7.x

Android

  • Android 2.1 (Éclair) to 6.0 (Marshmallow)

Apple

  • iOS 11 and later
  • OSX 10.11
  • MacOS 10.12, 10.13

Browser

Accessing the AMP for Endpoints console requires one of the following web browsers:

  • Microsoft Internet Explorer 10 or later
  • Mozilla Firefox 14 or later
  • Apple Safari 6 or later
  • Google Chrome 20 or later

Device Configuration Checklist

Getting Cisco AMP for Endpoint Events into LogRhythm

This method uses the GET /v1/events action to retrieve the AMP events that can be viewed in the AMP console.

A PowerShell script retrieves the events by making a call to the API to pull the AMP for Endpoint events into a flat file.

Setup takes approximately 30 minutes.

Create an AMP API Read-Only Account

To use the AMP for Endpoint API, you must set up an API credential. Event collection requires a Read-Only API account.

  1. Log in to the Cisco Console.
  2. Click Accounts, and then click API Credentials.
  3. On the API Credentials page, click New API Credential to create a new set of keys.
    The New API Credential page appears.
  4. In the Application name field, enter LogRhythm.
  5. In the Scope field, select Read-only.
  6. Click Create.
    The API Key Details page appears.
  7. Copy the 3rd Party API Client ID and API Key information to a secure location, such as a password manager or encrypted file.

    Note the following Cisco warnings:

    • API credentials allow other programs to retrieve and modify your Cisco AMP for Endpoints data. They are functionally equivalent to a username and password, and should be treated as such.
    • If you suspect the API credentials for an application have been compromised, delete them and create new ones. Deleting API credentials locks out any clients using the old ones, so make sure to update them to the new credentials.
    • Your API credentials are not stored in plain text and can only be displayed once. If you lose the credentials, you must generate new ones.
  8. Go back to the Cisco Console home page.
  9. Click Accounts, and then click API Credentials.
    You should now see the LogRhythm account.
  10. (Optional) You can expand the account details and verify the Read-Only scope by clicking on the + box to the left of the account name.

Configure the System Monitor Host

Identify the System Monitor Host to Use

You must identify which LogRhythm System Monitor host will retrieve the Cisco AMP for Endpoint events. The host requires internet access to one of the following Cisco API URLs. If you are unsure which AMP instance you are using, log in to the AMP Console and take note of the console URL.

Cisco AMP Console URL      | Location
---------------------------|------------------------------
console.amp.cisco.com      | U.S.
console.apjc.amp.cisco.com | Asia, Pacific, Japan & China
console.eu.amp.cisco.com   | Europe

Use the table below to determine which specific URL and port to allow from the LogRhythm System Monitor host.

Cisco AMP Instance Location  | API URL                | Port
-----------------------------|------------------------|-----
U.S.                         | api.amp.cisco.com      | 443
Asia, Pacific, Japan & China | api.apjc.amp.cisco.com | 443
Europe                       | api.eu.amp.cisco.com   | 443

The LogRhythm System Monitor host initiates the outbound connection to the AMP API. No inbound connection is required.

Create the Directory Structure

  1. On the LogRhythm System Monitor host machine, create a directory called AMP4EP in the LogRhythm System Monitor folder.
    • Non-HA systems: C:\Program Files\LogRhythm\LogRhythm System Monitor\
    • HA systems: D:\LogRhythmHA\LogRhythm System Monitor\
      The PowerShell script is HA-aware: it only runs to completion when the System Monitor host it resides on is the active node. This ensures that only the active node collects the AMP events and that the event, state, and log information is shared between the two HA hosts.
  2. Copy the AMP4EP.ps1 file to your AMP4EP directory.

    The AMP4EP.ps1 file can be downloaded from the LogRhythm Community. However, as of November 2020, this script is no longer maintained due to the introduction of the Open Collector's Cisco AMP Beat as the preferred collection method. For more information, see Cisco AMP Beat.

  3. Create three directories (Events, Log, and State) within the AMP4EP directory.

Create the Credentials File

  1. On the LogRhythm System Monitor host machine, run the following command in an Administrator PowerShell window. You must run this command from the same account that will run the scheduled task, because the exported credentials can only be decrypted by that account.
    • Non-HA systems: Get-Credential | Export-Clixml -Path "C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\${env:USERNAME}_cred.xml"
    • HA systems: Get-Credential | Export-Clixml -Path "D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\${env:USERNAME}_cred.xml"
    The credentials window appears.
  2. In the User name field, enter the 3rd Party API Client ID you generated in the Cisco Console.
  3. In the Password field, enter the API Key you generated in the Cisco Console.
  4. To create the encrypted credentials file, click OK.
  5. Go to the AMP4EP directory and validate that the <account-name>_cred.xml file exists.

Create the Scheduled Task

The following steps were documented based on a Windows Server 2012 R2 system. Steps for other Windows versions may differ slightly.

Create a scheduled task to run the PowerShell script AMP4EP.ps1 every 1 minute. As the script resides within the LogRhythm System Monitor directory, the task needs to be set to run under an account that has Administrator permissions or an account with specific permissions to the previously created AMP4EP directory.

  1. On the LogRhythm System Monitor host machine, open Task Scheduler (press the Windows + R keys, enter taskschd.msc, and then click OK).
  2. In the left pane, right-click Task Scheduler, and then click Create Basic Task.
    The Create a Basic Task Wizard appears.
  3. Enter the following information, and then click Next.

     Parameter   | Value
     ------------|-------------------------------------------------------------------------------------------------------
     Name        | LogRhythm Cisco AMP4EP
     Description | This task will call the AMP4EP.ps1 script every 1 minute to retrieve any new Cisco AMP for Endpoint events.

  4. From the menu on the left, click Trigger, select Daily, and then click Next.
  5. In the Daily window, click Next to accept the defaults.
  6. In the Action window, select Start a program, and then click Next.
  7. In the Start a Program window, enter the following details in the text boxes. Edit the "<account-name>_cred.xml" value to match the file name of the credentials file you created earlier. Leave the Start in (optional): field blank.
    • Non-HA systems:

      Parameter                 | Value
      --------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
      Program/script            | powershell
      Add arguments (optional): | -command "& 'C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\AMP4EP.ps1' -CredentialsFile 'C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\<account-name>_cred.xml'"

    • HA systems:

      Parameter                 | Value
      --------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
      Program/script            | powershell
      Add arguments (optional): | -command "& 'D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\AMP4EP.ps1' -CredentialsFile 'D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\<account-name>_cred.xml'"

  8. Click Next.
  9. In the Summary window, select the Open the Properties dialog for this task when I click Finish checkbox, and then click Finish.
    The LogRhythm Cisco AMP4EP Task Properties window appears.
  10. On the General tab, select Run whether user is logged on or not.
  11. Select the Do not store password check box.
  12. Click the Triggers tab, select the Daily trigger, and then click Edit.
    The Edit Trigger window appears.
  13. In the Advanced settings section, select the Repeat task every check box, and then select 1 minute.
  14. In the for a duration of field, select Indefinitely.
  15. To accept the changes, click OK, and then click OK again.
  16. To verify that the task has been created, click on the Task Scheduler Library icon and check that the LogRhythm Cisco AMP4EP task appears in the list of tasks.

When the Schedule Task runs, any new events are written to:

  • Non-HA systems: C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\Events\AMP4EP.txt
  • HA systems: D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Events\AMP4EP.txt

In addition, a log is created for troubleshooting purposes at:

  • Non-HA systems: C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\Log\AMP4EP.log
  • HA systems: D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Log\AMP4EP.log
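The following is an added example, not the LogRhythm AMP4EP.ps1 script, that shows how the pieces set up in the preceding steps fit together when the scheduled task fires: the DPAPI-protected credentials file written by Get-Credential | Export-Clixml, an authenticated GET /v1/events call to the regional API host, a state file so that each one-minute run only fetches new events, and the Events and Log files this guide describes. HA-node checks are omitted. The following are assumptions not confirmed by this page: the start_date and limit query parameters, the JSON response shape (a data array plus metadata.links.next) and the event field names, the state file name AMP4EP.pos, the one-day lookback on the first run, and the flat-file line layout, which is modelled on the Base Rule regular expression later in this guide.

```powershell
<#
  Added example (not the LogRhythm AMP4EP.ps1 script). Assumptions: /v1/events accepts
  start_date and limit, returns data[] plus metadata.links.next, and the flat-file layout
  below matches what the Base Rule regular expression expects. State file name is assumed.
#>
param(
    [Parameter(Mandatory = $true)] [string] $CredentialsFile,
    [string] $ApiHost = 'api.amp.cisco.com',   # pick the host for your region from the API URL table
    [string] $BaseDir = 'C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP'
)
$ErrorActionPreference = 'Stop'
$eventsFile = Join-Path $BaseDir 'Events\AMP4EP.txt'
$stateFile  = Join-Path $BaseDir 'State\AMP4EP.pos'   # assumed name
$logFile    = Join-Path $BaseDir 'Log\AMP4EP.log'

function Write-Log([string] $Severity, [string] $Message) {
    ('{0:yyyy-MM-dd\THH:mm:ssK} {1}: {2}' -f (Get-Date), $Severity, $Message) | Add-Content -Path $logFile
}

# 1. Credentials. Export-Clixml protects the password with DPAPI, bound to the exporting user
#    account and machine; Import-Clixml under a different account fails, which is exactly the
#    "credentials are corrupt" case in the troubleshooting table.
if (-not (Test-Path -LiteralPath $CredentialsFile)) {
    Write-Log 'Error' "Could not find credentials file: $CredentialsFile. Exiting"; exit 1
}
try   { $cred = Import-Clixml -Path $CredentialsFile }
catch { Write-Log 'Error' "The credentials within the credentials file are corrupt. Please recreate the file: $CredentialsFile"; exit 1 }

# 2. HTTP Basic auth: user name = 3rd Party API Client ID, password = API Key.
$pair    = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$headers = @{
    Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    Accept        = 'application/json'
}
# Force TLS 1.2 (older hosts default lower) and let the system proxy use the running user's credentials.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[Net.WebRequest]::DefaultWebProxy.Credentials = [Net.CredentialCache]::DefaultNetworkCredentials

# 3. State: resume from the last stored event timestamp; the first run looks back one day (assumed default).
$since = (Get-Date).ToUniversalTime().AddDays(-1)
if (Test-Path -LiteralPath $stateFile) {
    try   { $since = [datetime]::Parse((Get-Content -LiteralPath $stateFile -Raw).Trim()).ToUniversalTime() }
    catch { Write-Log 'Error' 'Failed to parse date from the state file'; exit 1 }
}
$uri = 'https://{0}/v1/events?start_date={1}&limit=500' -f $ApiHost, $since.ToString('yyyy-MM-dd\THH:mm:ss\Z')

# 4. Fetch every page and flatten each event to one quoted Key=Value line.
$lines  = New-Object System.Collections.Generic.List[string]
$newest = $since
while ($uri) {
    try   { $page = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers }
    catch { Write-Log 'Error' "Failed to call the AMP4EP API. Exiting`r`n$($_.Exception.Message)"; exit 1 }
    foreach ($ev in $page.data) {
        $fields = [ordered]@{                      # AMP field names are assumed
            Date                 = $ev.date
            Event_Type           = $ev.event_type
            Event_TypeID         = $ev.event_type_id
            Detection            = $ev.detection
            DetectionID          = $ev.detection_id
            Computer_Hostname    = $ev.computer.hostname
            Computer_External_IP = $ev.computer.external_ip
            Computer_User        = $ev.computer.user
            File_Name            = $ev.file.file_name
            File_Path            = $ev.file.file_path
            File_Identity_SHA256 = $ev.file.identity.sha256
        }
        # Drop empty fields and strip embedded double quotes so the quoted layout stays parseable.
        $cells = foreach ($k in $fields.Keys) {
            if ($null -ne $fields[$k]) { '"{0}={1}"' -f $k, ([string]$fields[$k] -replace '"', '') }
        }
        $lines.Add($cells -join ',')
        $ts = [datetime]::Parse($ev.date).ToUniversalTime()
        if ($ts -gt $newest) { $newest = $ts }
    }
    $uri = $page.metadata.links.next   # $null on the last page ends the loop
}

# 5. Write events, then persist the newest timestamp so the next run starts from there.
if ($lines.Count -gt 0) {
    try   { Add-Content -LiteralPath $eventsFile -Value $lines }
    catch { Write-Log 'Warning' "Could not write logs to the events file: $eventsFile"; exit 1 }
    try   { Set-Content -LiteralPath $stateFile -Value $newest.ToString('o') }
    catch { Write-Log 'Warning' "Could not write timestamp to state file: $stateFile. This may result in duplicate logs" }
}
Write-Log 'Information' ('Retrieved {0} event(s) since {1:o}' -f $lines.Count, $since)
```

Run it with the same -CredentialsFile argument the scheduled task passes. Because the stored timestamp is reused as an inclusive start_date, the last event of a run may be returned again by the next run; the Event_TypeID and Date fields give the MPE enough to recognise such duplicates.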

Configure the Logs

Create the Custom Log Source Type

  1. Log in to the LogRhythm Client Console.
  2. On the main toolbar, click Deployment Manager.
  3. Click the Tools menu, click Knowledge, and then click Log Source Type Manager.
    The Log Source Type Manager appears.

  4. Click the green plus at the top of the page.

  5. Complete the following fields:

    • Name. Flat File - Cisco AMP for Endpoints

    • Abbreviation. Cisco AMP4EP
    • Log Format. Text File
    • Brief Description. Cisco AMP for Endpoints
  6. Click OK.

Create the Log Processing Policy

  1. On the main toolbar, click Deployment Manager.
  2. Click the Log Processing Policies tab.
  3. Click File, and then click New.
    The Log Source Type Selector appears.
  4. In the Record Type Filter, select Custom.
  5. Select the Flat File - Cisco AMP for Endpoints log source type.

    If the list is long, use the filtering options at the top of the pane.
  6. Click OK.
    The MPE Policy Editor appears.
  7. Enter the following information:

    • Name. LogRhythm Default

    • Brief Description. Cisco AMP for Endpoints
  8. Click OK.

Create the MPE Processing Rules

Importing the MPE Processing Rules is beyond the scope of this document and requires the assistance of LogRhythm Professional Services. The MPE Processing Rules will be added to a future Knowledge Base release, which will negate the requirement to import the rules.

Base Rule Regular Expression

For information purposes, the Base Rule regular expression is provided below. The Base Rule only functions in LogRhythm version 7.2 and later.

^.*?"Event_Type=(?<vendorinfo>[^"]+)","Event_TypeID=(?<vmid>[^"]+)"(,"Detection=(?<threatname>[^"]+)?")?(,"DetectionID=(?<threatid>[^"]+)?")?(,"Group_GUIDs[^"]+")?(,"Computer_Connector_GUID[^"]+")?(,"Computer_Hostname=(?<sname>[^"]+)?")?(,"Computer_External_IP=(?<snatip>[^"]+)?")?(,"Computer_User=(?<login>[^"]+)?")?(,"Computer_Active[^"]+")?(,"Network_Addr_IP=(?<sip>[^"]+)?")?(,"Network_Addr_MAC=(?<smac>[^"]+)?")?(,"Links_Computer[^"]+")?(,"Links_Trajectory[^"]+")?(,"Links_Group[^"]+")?(,"File_Disposition[^"]+")?(,"File_Name=(?<object>[^"]+)?")?(,"File_Path=(?<parentprocesspath>[^"]+)?")?(,"File_Identity_SHA1[^"]+")?(,"File_Identity_SHA256=(?<hash>[^"]+)?")?(,"File_Parent_Disposition[^"]+")?(,"File_Parent_File_Name[^"]+")?(,"File_Parent_Identity_SHA1[^"]+")?(,"File_Parent_Identity_SHA256[^"]+")?(,"Scan_Description=(?<subject>[^"]+)?")?(,"Scan_Clean=(?<result>[^"]+)?")?(,"Scanned_Files[^"]+")?(,"Scanned_Processes[^"]+")?(,"Scanned_Paths[^"]+")?(,"Malicious_Detections[^"]+")?(,"Vuln_Name=(?<objectname>[^"]+)?")?(,"Vuln_Version=(?<version>[^"]+)?")?(,"Vuln_CVEs=(?<cve>[^"]+)?")?(,"Vuln_Scores[^"]+")?(,"CVE_URLs[^"]+")?(,"Dirty_URL=(?<url>[^"]+)?")?(,"Remote_IP=(?<dip>[^"]+)?")?(,"Remote_Port=(?<dport>[^"]+)?")?(,"Local_IP=(?<sip>[^"]+)?")?(,"Local_Port=(?<sport>[^"]+)?")?(,"IOC_Desc[^"]+")?(,"IOC_Short_Desc[^"]+")?

Metadata Field Mappings

The table below details how the Cisco AMP for Endpoints log fields map to LogRhythm metadata fields, which is useful for knowing what data is parsed out of the AMP log into LogRhythm. Note that the capture-group names in the Base Rule regular expression above do not agree with this table in every case (for example, the regular expression captures File_Name as <object>, File_Path as <parentprocesspath>, and Computer_External_IP rather than Network_Addr_IP as <snatip>); verify the mappings against the rules actually imported into your deployment.

Cisco AMP Field Name                       | LogRhythm Metadata Field | Value/Data Type
-------------------------------------------|--------------------------|--------------------
Event_Type                                 | <vendorinfo>             | Vendor Info
Event_TypeID                               | <vmid>                   | Vendor Message Id
Detection                                  | <threatname>             | Threat Name
DetectionID                                | <threatid>               | Threat Id
Computer_Hostname                          | <sname>                  | Origin host name
Computer_User                              | <login>                  | Login
Network_Addr_IP                            | <snatip>                 | Origin host
Network_Addr_MAC                           | <smac>                   | Origin MAC Address
File_Name                                  | <process>                | Process
File_Path                                  | <object>                 | Object
File_Identity_SHA1 or File_Identity_SHA256 | <hash>                   | Hash value
File_Parent_File_Name                      | <parentprocessname>      | Parent Process Name
Vuln_CVEs                                  | <cve>                    | CVE
Dirty_URL                                  | <url>                    | URL
Remote_IP                                  | <dip>                    | Impacted IP
Remote_Port                                | <dport>                  | Impacted Port
Local_IP                                   | <sip>                    | Origin IP
Local_Port                                 | <sport>                  | Origin Port
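The following added example (not part of the LogRhythm rule set) runs the Base Rule regular expression above, with the extraction line breaks removed, against a constructed event line in the AMP4EP.txt layout and lists the named capture groups that were populated. It makes concrete which metadata fields a given AMP event feeds, and it exposes the difference between the regular expression and the mapping table noted above. The sample line and every host name, user, hash and IP address in it are constructed; the regular expression itself is the page's own.

```powershell
# Added example, not from the LogRhythm rules. The regular expression is the guide's Base Rule;
# the event line is constructed for illustration only.
$baseRule = @'
^.*?"Event_Type=(?<vendorinfo>[^"]+)","Event_TypeID=(?<vmid>[^"]+)"(,"Detection=(?<threatname>[^"]+)?")?(,"DetectionID=(?<threatid>[^"]+)?")?(,"Group_GUIDs[^"]+")?(,"Computer_Connector_GUID[^"]+")?(,"Computer_Hostname=(?<sname>[^"]+)?")?(,"Computer_External_IP=(?<snatip>[^"]+)?")?(,"Computer_User=(?<login>[^"]+)?")?(,"Computer_Active[^"]+")?(,"Network_Addr_IP=(?<sip>[^"]+)?")?(,"Network_Addr_MAC=(?<smac>[^"]+)?")?(,"Links_Computer[^"]+")?(,"Links_Trajectory[^"]+")?(,"Links_Group[^"]+")?(,"File_Disposition[^"]+")?(,"File_Name=(?<object>[^"]+)?")?(,"File_Path=(?<parentprocesspath>[^"]+)?")?(,"File_Identity_SHA1[^"]+")?(,"File_Identity_SHA256=(?<hash>[^"]+)?")?(,"File_Parent_Disposition[^"]+")?(,"File_Parent_File_Name[^"]+")?(,"File_Parent_Identity_SHA1[^"]+")?(,"File_Parent_Identity_SHA256[^"]+")?(,"Scan_Description=(?<subject>[^"]+)?")?(,"Scan_Clean=(?<result>[^"]+)?")?(,"Scanned_Files[^"]+")?(,"Scanned_Processes[^"]+")?(,"Scanned_Paths[^"]+")?(,"Malicious_Detections[^"]+")?(,"Vuln_Name=(?<objectname>[^"]+)?")?(,"Vuln_Version=(?<version>[^"]+)?")?(,"Vuln_CVEs=(?<cve>[^"]+)?")?(,"Vuln_Scores[^"]+")?(,"CVE_URLs[^"]+")?(,"Dirty_URL=(?<url>[^"]+)?")?(,"Remote_IP=(?<dip>[^"]+)?")?(,"Remote_Port=(?<dport>[^"]+)?")?(,"Local_IP=(?<sip>[^"]+)?")?(,"Local_Port=(?<sport>[^"]+)?")?(,"IOC_Desc[^"]+")?(,"IOC_Short_Desc[^"]+")?
'@

# Constructed sample line in the layout the flat file uses (Date first, then quoted Key=Value fields
# in the order the Base Rule expects). Values are placeholders, not a real detection.
$sampleLine = '"Date=2018-04-19T14:37:43+00:00","Event_Type=Threat Detected","Event_TypeID=1090519054",' +
              '"Detection=W32.Constructed.Sample","DetectionID=1234567890","Computer_Hostname=WKS-EXAMPLE-01",' +
              '"Computer_External_IP=203.0.113.10","Computer_User=jdoe@WKS-EXAMPLE-01","Network_Addr_IP=192.0.2.25",' +
              '"Network_Addr_MAC=00:11:22:33:44:55","File_Name=sample.exe","File_Path=C:\Users\jdoe\Downloads\sample.exe",' +
              '"File_Identity_SHA256=0000000000000000000000000000000000000000000000000000000000000000"'

function Get-AmpFields {
    # Returns an ordered map of LogRhythm capture-group name -> value for one event line,
    # or $null when the line does not match the Base Rule at all.
    param([string] $Line, [string] $Pattern = $baseRule)
    $re = New-Object System.Text.RegularExpressions.Regex $Pattern
    $m  = $re.Match($Line)
    if (-not $m.Success) { return $null }
    $fields = [ordered]@{}
    foreach ($name in $re.GetGroupNames()) {
        if ($name -match '^\d+$') { continue }          # skip the unnamed numbered groups
        $g = $m.Groups[$name]
        if ($g.Success -and $g.Value) { $fields[$name] = $g.Value }
    }
    return $fields
}

$parsed = Get-AmpFields -Line $sampleLine
if ($null -eq $parsed) {
    Write-Warning 'Line did not match the Base Rule; the MPE would leave it unparsed.'
} else {
    # Expected: vendorinfo, vmid, threatname, threatid, sname, snatip, login, sip, smac, object,
    # parentprocesspath and hash are populated. Note that File_Name lands in <object> and File_Path in
    # <parentprocesspath>, which is what the regular expression, not the mapping table, specifies.
    $parsed.GetEnumerator() | Format-Table -AutoSize
}
```

The <vmid> value (1090519054 in the constructed line) is what the Sub-Rules in the MPE Rule Information table key on, so feeding a line from the real AMP4EP.txt through Get-AmpFields is a quick way to confirm which Sub-Rule, if any, will claim it.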

Custom Common Events

Several custom Common Events were created to provide additional context to the AMP for Endpoints data:

Common Event Name               | Classification              | Risk Rating
--------------------------------|-----------------------------|------------------
Parsing Required                | Operations / Information    | 7 - High-Low
Fault Cleared                   | Operations / Information    | 0 - No Rating
IOC Scan Information            | Operations / Information    | 0 - No Rating
Reboot Advised                  | Operations / Information    | 2 - Low-Medium
Reboot Required                 | Operations / Information    | 3 - Low-High
Reboot Completed                | Operations / Information    | 0 - No Rating
Scan Completed - No Detections  | Operations / Information    | 0 - No Rating
Minor Fault Raised              | Operations / Warning        | 5 - Medium-Medium
Major Fault Raised              | Operations / Error          | 7 - High-Low
Uninstall Failed                | Operations / Error          | 7 - High-Low
Critical Fault Raised           | Operations / Critical       | 9 - High-High
Generic IOC                     | Security / Activity         | 7 - High-Low
Possible Ransomware Activity    | Security / Malware          | 9 - High-High
Vulnerable Application Detected | Security / Vulnerability    | 9 - High-High
Threat Detected                 | Security / Vulnerability    | 9 - High-High
Threat Quarantined              | Security / Failed Activity  | 2 - Low-Medium
Quarantined Item Deleted        | Security / Other Security   | 1 - Low-Low
Policy Update Failure           | Audit / Other Audit Failure | 3 - Low-High

MPE Rule Information

The following table details the MPE Base and Sub-Rule information.

Name | Classification | Common Event | Forward As Event | Risk Rating | VMID Value | Description
-----|----------------|--------------|------------------|-------------|------------|------------
Adobe Reader Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296261 | A suspicious portable executable file was downloaded and executed by Adobe Reader.
Adobe Reader Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296266 | Adobe Reader executed an unknown application, which in turn launched a command shell.
All Fault Cleared | Operations / Information | Fault Cleared | FALSE | 0 - No Rating | 553648197 | All faults have been cleared.
APK Custom Threat Detected | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1090524041 | An APK matching an Android Simple Custom Detection was found on this system.
APK Threat Detected | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1090524040 | A threat was found on this system.
Apple QuickTime Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296270 | A suspicious portable executable file was downloaded and executed by Apple QuickTime.
Apple QuickTime Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296271 | Apple QuickTime executed an unknown application, which in turn launched a command shell.
Application Authorized | Operations / Information | General Information | FALSE | 0 - No Rating | 570425398 | An application was authorized.
Application Deauthorized | Operations / Information | General Information | FALSE | 0 - No Rating | 570425399 | An application was deauthorized.
Application Deregistered | Operations / Information | General Information | FALSE | 0 - No Rating | 570425397 | An application was deregistered.
Application Registered | Operations / Information | General Information | FALSE | 0 - No Rating | 570425396 | An application was registered.
Attempting Quarantine Delete | Security / Activity | Quarantine | FALSE | 0 - No Rating | 553648151 | Attempting to remove an item from quarantine.
Cisco AMP4EP - Base Rule | Operations / Information | Parsing Required | TRUE | 7 - High-Low | - | If the Base Rule is matched, the log does not have a Sub-Rule created for it. Use the <vmid> and <vendorinfo> tags to create one.
Cloud Recall Quarantine Attempt | Operations / Information | General Information | FALSE | 0 - No Rating | 553648155 | A retrospective quarantine was attempted and completed successfully.
Cloud Recall Quarantine Attempt Failed | Operations / Warning | General Warning | FALSE | 3 - Medium-Medium | 2164260893 | A retrospective quarantine was attempted and failed. Most likely the original location no longer exists.
Cloud Recall Quarantine of False Negative | Operations / Information | General Information | FALSE | 0 - No Rating | 553648147 | A retrospective quarantine was attempted for a false negative.
Cloud Recall Quarantine Successful | Operations / Information | General Information | FALSE | 0 - No Rating | 553648155 | A retrospective quarantine was completed successfully.
Cloud Recall Restore from Quarantine | Operations / Information | General Information | FALSE | 0 - No Rating | 553648154 | A retrospective restore was completed successfully.
Cloud Recall Restore from Quarantine Failed | Operations / Warning | General Warning | FALSE | 3 - Medium-Medium | 2164260892 | A retrospective restore was attempted and failed. Most likely the original location no longer exists.
Cloud Recall Restore of False Positive | Operations / Information | General Information | FALSE | 0 - No Rating | 553648146 | A file once thought to be malicious has been marked as clean and restored.
Cognitive Incident | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296285 | Cisco Cognitive Threat Analytics has detected a threat.
Connection to Suspicious Domain | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296277 | The computer has made an outbound connection to a domain that is similar to randomly generated domains used by some malware command and control systems.
Critical Fault Raised | Operations / Critical | Critical Fault Raised | TRUE | 9 - High-High | 2164260931 | A critical fault has been raised.
DFC Threat Detected | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1090519084 | A connection has been detected by DFC.
Email Confirmation | Operations / Information | Email Message Sent | FALSE | 0 - No Rating | 1003 | Sent when a user account gets created.
Endpoint IOC Configuration Update Failure | Operations / Error | Configuration Update Failure | FALSE | 7 - High-Low | 2164260911 | Endpoint IOC configuration update failed.
Endpoint IOC Configuration Update Success | Audit / Configuration | Configuration Modified : Application | FALSE | 2 - Low-Medium | 553648176 | Endpoint IOC configuration updated successfully.
Endpoint IOC Definition Update Failure | Operations / Error | Update Failed | TRUE | 7 - High-Low | 2164260914 | Endpoint IOC definition update failed.
Endpoint IOC Definition Update Success | Audit / Configuration | Signatures Updated | FALSE | 2 - Low-Medium | 553648179 | Endpoint IOC definition updated successfully.
Endpoint IOC Scan Completed With Detections | Security / Vulnerability | Threat Detected | FALSE | 9 - High-High | 1091567670 | An endpoint IOC scan has completed and detected malicious items.
Endpoint IOC Scan Completed, No Detections | Operations / Information | Scan Completed - No Detections | FALSE | 0 - No Rating | 554696757 | An endpoint IOC scan has completed without detecting anything malicious.
Endpoint IOC Scan Detection Summary | Operations / Information | IOC Scan Information | FALSE | 0 - No Rating | 1090519089 | Endpoint IOC scan detection summary.
Endpoint IOC Scan Failed | Operations / Error | Scan Process Error | TRUE | 7 - High-Low | 2165309495 | Endpoint IOC scan failed.
Endpoint IOC Scan Started | Operations / Information | Scan Started | FALSE | 0 - No Rating | 554696756 | Endpoint IOC scan started.
Executed Malware | Security / Malware | Detected Malware Activity | TRUE | 9 - High-High | 1107296272 | The computer executed known malware.
Execution Blocked | Security / Failed Activity | Application Blocked | TRUE | 0 - No Rating | 553648168 | Execution of an application was blocked.
Exploit Prevention | Security / Failed Activity | Threat Blocked | TRUE | 0 - No Rating | 1090519103 | An exploit was prevented from running.
Failed to Delete From Quarantine | Operations / Error | Quarantine Error | FALSE | 7 - High-Low | 2164260889 | A quarantined item was not successfully removed from quarantine.
Fault Cleared | Operations / Information | Fault Cleared | FALSE | 0 - No Rating | 553648196 | A fault has been cleared.
File Fetch Completed | Operations / Information | General Information | FALSE | 0 - No Rating | 553648173 | The request for a remote file was successful.
File Fetch Failed | Operations / Information | General Information | FALSE | 0 - No Rating | 2164260910 | The request for a remote file failed.
Forgotten Password Reset | Operations / Information | Password Change Requested | TRUE | 0 - No Rating | 1004 | Sent when a user forgets a password.
Generic IOC | Security / Activity | Generic IOC | TRUE | 3 - Low-High | 1107296274 | Suspicious behaviour that indicates possible compromise of the computer.
Install Failure | Operations / Error | Install Failed | FALSE | 7 - High-Low | 2164260895 | An installation has failed.
Install Started | Operations / Information | Install Started | FALSE | 0 - No Rating | 553648158 | An installation has begun.
Java Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296260 | A suspicious portable executable file was downloaded and executed by the Java plug-in.
Java Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296265 | Java executed an unknown application, which in turn launched a command shell.
Major Fault Raised | Operations / Error | Major Fault Raised | TRUE | 7 - High-Low | 1090519107 | A major fault has been raised.
Microsoft Calculator Compromise | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296275 | A suspicious portable executable file was downloaded and executed by Microsoft Calculator.
Microsoft CHM Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296281 | A suspicious portable executable was downloaded and executed by Microsoft Help.
Microsoft Excel Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296263 | A suspicious portable executable file was downloaded and executed by Microsoft Excel.
Microsoft Excel Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296268 | Microsoft Excel executed an unknown application, which in turn launched a command shell.
Microsoft Notepad Compromise | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296276 | A suspicious portable executable file was downloaded and executed by Microsoft Notepad.
Microsoft PowerPoint Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296264 | A suspicious portable executable file was downloaded and executed by Microsoft PowerPoint.
Microsoft PowerPoint Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296269 | Microsoft PowerPoint executed an unknown application, which in turn launched a command shell.
Microsoft Word Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296262 | A suspicious portable executable file was downloaded and executed by Microsoft Word.
Microsoft Word Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296267 | Microsoft Word executed an unknown application, which in turn launched a command shell.
Minor Fault Raised | Operations / Warning | Minor Fault Raised | FALSE | 3 - Medium-Medium | 553648195 | A minor fault has been raised.
Multiple Infected Files | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296257 | Multiple infected files indicate that multiple files on a computer are attempting to download malware.
Password Has Been Reset | Operations / Information | Performing Password Change | TRUE | 0 - No Rating | 1005 | A scan has completed and detected malicious items.
Policy Update | Audit / Policy | Policy Modified : Auditing | FALSE | 2 - Low-Medium | 553648130 | An agent has been told to fetch policy.
Policy Update Failure | Audit / Other Audit Failure | Policy Update Failure | TRUE | 3 - Low-High | 2164260866 | A policy update failed, and the policy was not successfully applied.
Potential Dropper Infection | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296258 | Potential dropper infections indicate that a single file is repeatedly attempting to download malware onto a computer.
Potential Ransomware | Security / Malware | Possible Ransomware Activity | TRUE | 9 - High-High | 1107296284 | This computer may be infected with ransomware.
Potential Webshell | Security / Malware | Possible Backdoor Activity | TRUE | 9 - High-High | 1107296283 | This computer may have been compromised, granting remote access.
Product Update Completed | Audit / Configuration | Software Updated | FALSE | 2 - Low-Medium | 553648136 | A product update has successfully completed.
Product Update Failed | Operations / Error | Update Failed | TRUE | 7 - High-Low | 553648137 | A product update has failed.
Product Update Started | Operations / Information | Update Process Started | FALSE | 0 - No Rating | 553648135 | A product update has begun.
Quarantine Failure | Operations / Error | Quarantine Error | TRUE | 7 - High-Low | 2164260880 | A detected threat was not successfully quarantined.
Quarantine Item Deleted | Operations / Information | Quarantined Item Deleted | FALSE | 0 - No Rating | 553648152 | A quarantined item has been successfully deleted.
Quarantine Item Restored | Security / Activity | Quarantine | TRUE | 0 - No Rating | 553648149 | A request has been pulled restored to its original location.
Quarantine Request Failed To Be Delivered | Operations / Error | Quarantine Error | TRUE | 7 - High-Low | 2181038130 | A request to restore an item from quarantine was not successfully sent.
Quarantine Restore Failed | Operations / Error | Quarantine Error | TRUE | 7 - High-Low | 2164260884 | An item requested to be restored to its original location could not be restored.
Quarantine Restore Requested | Security / Activity | Quarantine | TRUE | 0 - No Rating | 570425394 | A request has been made to move a file from Quarantine back to its original location.
Quarantine Restore Started | Security / Activity | Quarantine | TRUE | 0 - No Rating | 553648150 | The restoring of a file from Quarantine was attempted.
Quarantined Item Deleted | Security / Other | Quarantined Item Deleted | TRUE | 1 - Low-Low | 553648152 | A quarantined item has been successfully deleted.
Reboot Completed | Operations / Information | Reboot Completed | FALSE | 0 - No Rating | 553648171 | An agent has completed its reboot.
Reboot Pending | Operations / Information | Reboot Requested | FALSE | 0 - No Rating | 553648170 | An agent has started the reboot process.
Rootkit Detection | Security / Malware | Detected Rootkit Activity | TRUE | 9 - High-High | 1090519081 | A threat was found hidden on this system.
Scan Completed With Detections | Security / Vulnerability | Threat Detected | FALSE | 9 - High-High | 1091567628 | A scan has completed and detected malicious items.
Scan Completed, No Detections | Operations / Information | Scan Completed - No Detections | FALSE | 0 - No Rating | 554696715 | A scan has completed without detecting anything malicious.
Scan Failed | Operations / Error | Scan Process Error | TRUE | 7 - High-Low | 2165309453 | A scan was attempted and failed to run.
Scan Started | Operations / Information | Scan Started | FALSE | 0 - No Rating | 554696714 | An agent has started scanning.
Suspected Botnet Connection | Security / Malware | Possible Botnet Activity | TRUE | 9 - High-High | 1107296273 | The computer made outbound connections to suspected botnet command and control systems.
Suspicious Cscript Launch | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296282 | Triggers when Internet Explorer launches a command shell, which in turn launches Microsoft Windows Script Host (cscript).
Suspicious Download | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296280 | A suspicious file was downloaded.
Threat Detected | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1090519054 | A threat was found on this system.
Threat Detected in Exclusion | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 553648145 | A threat was detected in an exclusion path.
Threat Detected In Low Prevalence Executable | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296278 | A threat was detected in a low prevalence executable.
Threat Quarantined | Security / Failed Activity | Threat Quarantined | TRUE | 2 - Low-Medium | 553648143 | A threat was successfully quarantined.
Uninstall | Audit / Configuration | Software Uninstalled | TRUE | 2 - Low-Medium | 553648166 | The software was uninstalled.
Uninstall Failure | Operations / Error | Uninstall Failed | TRUE | 7 - High-Low | 2164260903 | An uninstall has failed.
Update: Reboot Advised | Operations / Information | Reboot Advised | FALSE | 0 - No Rating | 1090519097 | Triggers when the new connector is installed and running, but new driver features will not be available until the system is rebooted.
Update: Reboot Required | Operations / Information | Reboot Required | FALSE | 0 - No Rating | 1090519096 | Triggers when the new connector is installed but not running.
Update: Unexpected Reboot Required | Operations / Information | Reboot Required | FALSE | 0 - No Rating | 2164260922 | Triggers when the new connector is installed but not running because of an unexpected scenario.
Vulnerable Application Detected | Security / Vulnerability | Vulnerable Application Detected | TRUE | 2 - Low-Medium | 1107296279 | A vulnerable application was detected.

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is Flat File - Cisco AMP for Endpoints. In addition, when configuring this log source:

  • For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
  • For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
  • On the Flat File Settings tab, enter the following:
    • File Path.
      • Non-HA systems: C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\Events\AMP4EP.txt
      • HA systems: D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Events\AMP4EP.txt
    • Date Parsing Format. Create a new date parsing format with the following values:
      • Name. Cisco AMP for Endpoints

      • Regex. <UTC><yy>-<M>-<d>T<h>:<m>:<s><utcoffset>
      • Description. Date=2018-04-19T14:37:43+00:00
  • On the Additional Settings tab:
    • Select Start collection from the beginning of the log.
      The Log Source Advanced Properties window appears.
    • To increase the maximum number of logs collected per Agent cycle, change the MaxMessageCount value to 1000.

Troubleshoot Cisco AMP for Endpoints Log Collection

Troubleshooting can be performed by viewing the log file located at:

  • Non-HA systems: C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\Log\AMP4EP.log
  • HA systems: D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Log\AMP4EP.log

The log file has three severity levels: Information, Warning, and Error. Logs with an Error severity indicate an issue that requires resolution. The table below provides some common messages and troubleshooting steps.

Message | Severity | Description and Troubleshooting Actions
--------|----------|----------------------------------------
Could not find credentials file: <file location>. Exiting | Error | Validate that the credentials file exists in the AMP4EP directory. In the AMP4EP scheduled task, validate that the "Add arguments (optional):" text box contains the correct credentials file location and file name.
The credentials within the credentials file are corrupt. Please recreate the file: <file location> | Error | Open the scheduled task and select Run with highest privileges. If that does not resolve the issue, delete and recreate the credentials file from the account that runs the task.
Failed to call the AMP4EP API. Exiting / System.Net.WebException: The remote name could not be resolved: 'api.amp.cisco.com' | Error | One of the following: the network interface on the host is not up; DNS resolution is not available on the host; internet access is not available from the host; a proxy server is in use between the host and the internet.
Failed to call the AMP4EP API. Exiting / System.Net.WebException: The remote server returned an error: (401) Unauthorized. | Error | An incorrect ClientID or APIKey value was used to create the credentials file.
Failed to call the AMP4EP API. Exiting / System.Net.WebException: The remote server returned an error: (501) Not Implemented. | Error | A proxy server is configured in Internet Explorer, but the proxy server is not present.
Failed to parse date from the state file | Error | The state file is corrupt. Delete the .pos file in the \AMP4EP\State directory.
This is not the active HA node. Exiting | Warning | The script has detected an HA system, but the System Monitor Agent is not running, indicating that this is not the active HA node.
This is a HA node but the LifeKeeper service is not running. Exiting | Warning | The script has detected an HA system, but the LifeKeeper service is not running.
Could not write logs to the events file: <file location> | Warning | The events file in the \AMP4EP\Events directory is currently locked by another process.
Could not get last date entry from received events | Warning | Script error. Contact LogRhythm Professional Services for assistance.
Could not write timestamp to state file: <file location>. This may result in duplicate logs | Warning | The state file in the \AMP4EP\State directory is currently locked by another process.
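The following added example (not part of the LogRhythm script or this guide) is a read-only preflight check that tests the conditions behind the Error and Warning rows in the table above. Run it from the account that owns the scheduled task, since the credentials check only succeeds for the account that exported the file. The default paths and host name are the guide's non-HA, U.S.-region values; adjust them for HA installs or other regions. It changes nothing on the host and never prints the API key. Looking for *.pos files under State is an assumption about the script's state file name.

```powershell
# Added example, not the LogRhythm AMP4EP.ps1 script. Read-only diagnostics for the
# troubleshooting table: credentials file, DPAPI decryption, DNS, outbound 443, proxy,
# state file timestamp and events file lock. The *.pos file name pattern is assumed.
param(
    [string] $BaseDir = 'C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP',
    [string] $ApiHost = 'api.amp.cisco.com',
    [string] $CredentialsFile = (Join-Path $BaseDir ('{0}_cred.xml' -f $env:USERNAME))
)

function Test-Step([string] $Name, [scriptblock] $Check) {
    # Runs one check and turns success or the thrown message into a row for the summary table.
    try   { $detail = & $Check; [pscustomobject]@{ Check = $Name; Result = 'OK';   Detail = ($detail -join '; ') } }
    catch { [pscustomobject]@{ Check = $Name; Result = 'FAIL'; Detail = $_.Exception.Message } }
}

$results = @(
    # "Could not find credentials file: <file location>. Exiting"
    Test-Step 'Credentials file exists' {
        if (-not (Test-Path -LiteralPath $CredentialsFile)) { throw "missing: $CredentialsFile" }
        $CredentialsFile
    }
    # "The credentials within the credentials file are corrupt": DPAPI only unwraps the secret
    # for the user who exported it, so this fails when the task runs as a different account.
    Test-Step 'Credentials decrypt for this account' {
        $c = Import-Clixml -Path $CredentialsFile
        if (-not $c.GetNetworkCredential().Password) { throw 'API key is empty' }
        'Client ID {0} decrypted as {1}' -f $c.UserName, [Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
    # "The remote name could not be resolved"
    Test-Step "DNS resolves $ApiHost" {
        ([Net.Dns]::GetHostAddresses($ApiHost) | ForEach-Object { $_.IPAddressToString }) -join ', '
    }
    # Outbound TCP 443 from the System Monitor host, the only connection the integration needs.
    Test-Step "TCP 443 to $ApiHost" {
        $tcp = New-Object Net.Sockets.TcpClient
        try { $tcp.Connect($ApiHost, 443); 'connected' } finally { $tcp.Close() }
    }
    # "(501) Not Implemented": a proxy is configured but not reachable. Show which proxy applies.
    Test-Step 'Proxy in effect for the API URL' {
        $target = [uri]"https://$ApiHost/v1/events"
        $via = [Net.WebRequest]::DefaultWebProxy.GetProxy($target)
        if ($via -eq $target) { 'direct (no proxy)' } else { "via $via" }
    }
    # "Failed to parse date from the state file"
    Test-Step 'State file timestamp parses' {
        $posFiles = Get-ChildItem -LiteralPath (Join-Path $BaseDir 'State') -Filter '*.pos' -ErrorAction SilentlyContinue
        if (-not $posFiles) { return 'no state file yet (first run)' }
        foreach ($f in $posFiles) {
            '{0}: {1:o}' -f $f.Name, [datetime]::Parse((Get-Content -LiteralPath $f.FullName -Raw).Trim())
        }
    }
    # "Could not write logs to the events file": another process holds the file open exclusively.
    Test-Step 'Events file not locked' {
        $evt = Join-Path $BaseDir 'Events\AMP4EP.txt'
        $fs = [IO.File]::Open($evt, 'OpenOrCreate', 'ReadWrite', 'ReadWrite')
        try { 'writable' } finally { $fs.Dispose() }
    }
)

$results | Format-Table -AutoSize -Wrap
```

A FAIL on the DNS or TCP rows points at the network path in the API URL table; a FAIL on the credentials row with an OK on the file-exists row is the account mismatch the second table row describes, and recreating the file from the task's account is the fix.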
