topic Re: Can CISCO AMP integrate with QRadar in Endpoint Security

Can CISCO AMP integrate with QRadar

sherif.hassan — Fri, 21 Feb 2020 05:01:50 GMT

Hi Team

is it possible to integrate CISCO AMP (all modules, i.e Endpoint, network, ESA,WSA and Threatgrid) to IBM QRadar SIEM solution.

In other words, is it possible for me to view from QRadar all the malicious file or flow activities that has been detected by CISCO AMP.

Another question, what is the format of the CISCO AMP logs (CEF, LEEF,...etc)

Thanks guys,

Re: Can CISCO AMP integrate with QRadar

thomas — Wed, 07 Sep 2016 17:25:27 GMT

Moving to Advanced Malware Protection (AMP) ...

Re: Can CISCO AMP integrate with QRadar

brmcmaho — Wed, 07 Sep 2016 17:52:21 GMT

In the case of AMP for Networks, the Malware events are available from Firepower Management Center (FMC) via eStreamer, which is widely supported by SIEMS, including (I am pretty sure) QRader.

In the case of AMP for Endpoints, until relatively recently the recommended way to get those events into a SIEM was to integrate your endpoint cloud console with FMC and then use eStreamer, as above. With the API that is now available in the AMP for Endpoints product, it is now possible for SIEM vendors to retrieve events directly; I don't know if QRadar has done so yet.

Threat Grid has had a richly functional API from day one -- literally. They made the strategic decision to build the entire product around the API from the ground up.

As for the content gateways (AMP for ESA and AMP for WSA), the Malware events are included in the normal logging mechanisms from those products, meaning syslog and/or periodic exports of the underlying log files.

Re: Can CISCO AMP integrate with QRadar

Ravi Singh — Thu, 12 Jan 2017 09:10:31 GMT

brmcmaho already provided you the answer. Below is the doc link which help you to integrate QRader with FMC

IBM Knowledge Center