https://community.cisco.com/t5/endpoint-security/retrieve-past-events-from-amp/m-p/4105763#M5459 <P>Hello all!</P><P>&nbsp;</P><P>Im trying to extract more than 1 month ago events (.csv) from AMP for Endpoints, but without success.&nbsp;</P><P>Is it possible to get this info?</P><P>&nbsp;</P><P>Be</P> Thu, 18 Jun 2020 16:24:10 GMT marcelo89_138 2020-06-18T16:24:10Z https://community.cisco.com/t5/endpoint-security/retrieve-past-events-from-amp/m-p/4105763#M5459 <P>Hello all!</P><P>&nbsp;</P><P>Im trying to extract more than 1 month ago events (.csv) from AMP for Endpoints, but without success.&nbsp;</P><P>Is it possible to get this info?</P><P>&nbsp;</P><P>Be</P> Thu, 18 Jun 2020 16:24:10 GMT https://community.cisco.com/t5/endpoint-security/retrieve-past-events-from-amp/m-p/4105763#M5459 marcelo89_138 2020-06-18T16:24:10Z https://community.cisco.com/t5/endpoint-security/retrieve-past-events-from-amp/m-p/4105812#M5461 <P>Hi Marcelo,&nbsp;</P> <P>&nbsp;</P> <P>Thanks for using Cisco Community, regarding your inquiry, unfortunately, the events on the "Event Section" are deleted after 30 days.&nbsp;</P> <P>On the AMP Console, you can find the event section in&nbsp;<STRONG>Analysis → Events&nbsp;</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screen Shot 2020-06-18 at 12.14.30.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/77117iA1E7BF8073EB88F6/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2020-06-18 at 12.14.30.png" alt="Screen Shot 2020-06-18 at 12.14.30.png" /></span></P> <P>&nbsp;</P> <P>However, we have other logs that are saved for more than 30days, for example, the Audit Logs, you can find this information on&nbsp;<STRONG>Account → Audit Log</STRONG></P> <P>&nbsp;</P> <P>*************</P> <P>&nbsp;</P> <P>If you want to review the events of a specific device you can find this information directly on the computer, there is a file called "<STRONG>History.db"&nbsp;</STRONG>inside the AMP Folder (Commonly storage in C → Program Files → Cisco → AMP)</P> <P>If you open the file with a DB Browser&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screen Shot 2020-06-18 at 12.22.51.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/77118iD19B6AFE2169C958/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2020-06-18 at 12.22.51.png" alt="Screen Shot 2020-06-18 at 12.22.51.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screen Shot 2020-06-18 at 12.23.06.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/77119i8A7036D0A8F21494/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2020-06-18 at 12.23.06.png" alt="Screen Shot 2020-06-18 at 12.23.06.png" /></span></P> <P>&nbsp;</P> <P>************</P> <P>&nbsp;</P> <P>You can also create an&nbsp;<STRONG>Event Stream&nbsp;</STRONG>in order to send the events to a SIEM or a device to save all the events.&nbsp;</P> <P>&nbsp;</P> <P>You can create this Event Stream by generating a Read/Write API (On the Console Navigate to&nbsp;<STRONG>Accounts → API Credentials)</STRONG>, in the following link you can find the documentation of how to create the&nbsp;<STRONG>Event Stream</STRONG> <A href="https://api-docs.amp.cisco.com/api_resources/EventStream?api_host=api.amp.cisco.com&amp;api_version=v1" target="_blank">https://api-docs.amp.cisco.com/api_resources/EventStream?api_host=api.amp.cisco.com&amp;api_version=v1</A><STRONG>&nbsp;</STRONG></P> <P>&nbsp;</P> <P>I hope this information can be useful to you.</P> <P>&nbsp;</P> <P>Have a great day!!!</P> <P>&nbsp;</P> Thu, 18 Jun 2020 17:29:04 GMT https://community.cisco.com/t5/endpoint-security/retrieve-past-events-from-amp/m-p/4105812#M5461 jesutorr@cisco.com 2020-06-18T17:29:04Z https://community.cisco.com/t5/endpoint-security/retrieve-past-events-from-amp/m-p/4105917#M5468 <P>Thats great!</P><P>I would like to put this event stream into Splunk, is there any step by step guide?</P> Thu, 18 Jun 2020 19:50:11 GMT https://community.cisco.com/t5/endpoint-security/retrieve-past-events-from-amp/m-p/4105917#M5468 marcelo89_138 2020-06-18T19:50:11Z https://community.cisco.com/t5/endpoint-security/retrieve-past-events-from-amp/m-p/4106327#M5469 <P>There is no step by step guide, but <A href="https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215350-configure-amp-for-endpoints-event-stream.html" target="_self">here</A> is an article about Event Streams and how to set one up.&nbsp; There are also a few Python scripts in github.com/CiscoSecurity that you may find useful.&nbsp; As for the Splunk side, there are two AMP modules you can use.</P> <P><A href="https://splunkbase.splunk.com/app/3670/" target="_blank">https://splunkbase.splunk.com/app/3670/</A><BR /><A href="https://splunkbase.splunk.com/app/3686/" target="_blank">https://splunkbase.splunk.com/app/3686/</A><BR /><BR /></P> <P>Hope that helps!</P> <P>&nbsp;</P> <P>-Matt</P> Fri, 19 Jun 2020 13:27:04 GMT https://community.cisco.com/t5/endpoint-security/retrieve-past-events-from-amp/m-p/4106327#M5469 Matthew Franks 2020-06-19T13:27:04Z