topic Re: Cisco Secure Endpoint API Integration to custom SIEM in Endpoint Security

Cisco Secure Endpoint API Integration to custom SIEM

Dinobravo69 — Thu, 11 Jul 2024 18:39:30 GMT

Hello,

I want to forward the alerts generated from Cisco Secure Endpoint to my custom SIEM.

Which type of API would best fit in this case?

Thanks,

Dino

Re: Cisco Secure Endpoint API Integration to custom SIEM

Ken Stieers — Thu, 11 Jul 2024 19:19:20 GMT

If you're building your own API query thing, eventstream. https://developer.cisco.com/docs/secure-endpoint/eventstream/

There's an elastic beat for it if you're using Elastic. Logrythym has one too... There may be others with similar things.

Re: Cisco Secure Endpoint API Integration to custom SIEM

bharatpoojary — Tue, 16 Jul 2024 08:28:08 GMT

You can use microsoft graph api.

Re: Cisco Secure Endpoint API Integration to custom SIEM

Dinobravo69 — Thu, 18 Jul 2024 20:38:31 GMT

Not using azure.

Re: Cisco Secure Endpoint API Integration to custom SIEM

Dinobravo69 — Thu, 18 Jul 2024 20:41:37 GMT

Tried to setup the event stream api but no logs are coming in, is there any documentation, FAQ or relevant videos for these kind of issues?

And question, the ioc api is not the actual alerts on the EDR console (successfully deployed this one, but only IOC information is displayed and not the actual alert), which one would be used for specifically and only the alerts generated in the secure endpoint console.

Thanks,

Dino

Re: Cisco Secure Endpoint API Integration to custom SIEM

Ken Stieers — Thu, 18 Jul 2024 21:44:39 GMT

Start here.

https://developer.cisco.com/amp-for-endpoints/

This is closer to the actual page you want( on my phone so I'm not seeing everything)
https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-event/

Re: Cisco Secure Endpoint API Integration to custom SIEM

bharatpoojary — Mon, 22 Jul 2024 05:30:33 GMT

if you have azure premium P1 licence that's enough.