Configure Cisco AMP
Access and Configure Cisco AMP for Endpoints
Generate an API Key and Client ID
To configure a Cisco AMP integration within LogRhythm NDR, you must first obtain an API key and Client ID within the Cisco AMP for Endpoints Console.
- Log in to AMP for Endpoints Console or go to the API URL: https://api.amp.cisco.com.
- Click Accounts and then API Credentials.
- To generate an API Key and Client ID, click New API Credential.
Add a New Cisco AMP Integration in LogRhythm NDR
After completing your configuration within the Cisco AMP for Endpoints Console, you can add a Cisco AMP integration in LogRhythm NDR.
To create a Cisco AMP integration:
- Log in to the LogRhythm NDR UI.
- Point to the Settings tab, and then click Endpoint Integrations.
The Endpoint Integrations page appears and displays the endpoint table where previous endpoint Integrations are listed. - At the top right, click Add Endpoint Integration.
The Add Endpoint Integration page appears. - Click Active to make the integration active.
- Click Endpoint Type, and then click CiscoAMP.
Using the following table, enter the integration credentials into the relevant fields.
Field Description Endpoint Type Cisco AMP Integration Name A unique name for this integration configuration. Polling Interval The amount of time (in minutes) between each collection of new information from the integration. API URL The API URL for Cisco AMP is https://api.amp.cisco.com Client ID The Client ID obtained in the AMP for Endpoints Console. API Key The API Key obtained in the AMP for Endpoints Console. - To verify the credentials have been entered correctly, click Test.
If the information is correct, Connection Success appears. Otherwise, Connection Failed appears, meaning the credentials need to be re-entered and re-verified. - Click Save.
The Cisco AMP EDR integration is now complete within LogRhythm NDR.
Verify a Cisco AMP Integration is Working
To verify that information is being collected for the Cisco AMP integration:
- Log in to the LogRhythm NDR UI.
- Click the Hunt tab, and then click Activity.
The Activity page appears. By default, the legend graph is displayed, showing the logs and events for the past hour. - To view the integration events alone, click ThirdPartyEvent on the graph.
All integration-related events appear. - To view the integration, click the Discover icon located to the left of the search field, and then click General.
- Select the Origin option and click the visualize icon (which is the bar graph icon) for the option.
If events do not display, you may have to change the time range. - To single out data for a selected filter, click the addfilter option in the Discover menu.
For example, use the "entry_origin" filter (entry_origin: "CiscoAmp") to filter the engine that detected the traffic, giving you the following options:
1 - Carbonblack
2 - CiscoAmp
3 - Distributed Analytics Engine
4 - Mistwatcher Engine
5 - Network Analysis Engine
6 - Rules Engine
The Value based Filters & Aggregations dialog box appears. - To add the filter to the item displayed in the Value based Filters & Aggregations dialog box, click the + icon next to the item. Conversely, to remove the filter, click the - icon next to the item.
- To view the integration events, click the + icon.
Edit a Cisco AMP Integration
To make changes to an existing Cisco AMP integration:
- Click the Settings tab, and then click Endpoint Integrations.
The Endpoint page appears. - Click the green Edit icon in the Actions column for the Cisco AMP integration you want to edit.
The Edit Operator page appears. - Once changes have been made, click Update.
The endpoint integration is updated within LogRhythm NDR.
Delete a Cisco AMP Integration
To delete an existing Cisco AMP integration:
- Click the Settings tab, and then click Endpoint Integrations.
The Endpoint page appears. - Click the red Delete icon in the Actions column for the Cisco AMP integration you want to remove.
- Click Yes.
The Cisco AMP integration is deleted in LogRhythm NDR.