AMP: Archiving Events

matty-boy
Level 1

Hello,

We need to archive some events so they're not lost forever after 30 days.

I believe Splunk can integrate with the AMP API and can do this but alas we do not have Splunk or any other decent SIEM for that matter.

Any bright ideas on how we could achieve this?

Thanks,
Matt.

8 Replies

seanmil
Cisco Employee

I'm assuming you are wanting some type of historical log analysis? If that is the case, right now a SIEM is the only way you are able to extract that data and retain it. There are a number of open source SIEM tools available that can take advantage of the APIs available. ELK (Elasticsearch, Logstash, and Kibana) is a popular option. I have not personally used it with AMP, but I can't see any reason it won't work.

Thank you for the suggestion. I'll take a look at ELK.

Cheers,

Matt.

I would prefer to use ELK; it's open source, with some add-ons to pay for additionally, and you do your own dashboards.

It is easy and simple.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi BB,

Thank you for your input.

I've not used ELK before and like many open source solutions, it looks kind of.... "involved".

Have you used it for something similar? Can you point me in the direction of a how-to guide to get it set up and extracting events from AMP to be easily used at later date?

Thanks!

Matt.

It's still in process in my lab; I'm starting to put everything in place for other devices to collect from and to make a Kibana dashboard. I do not have a document on hand to offer you now.

But there is a good Cisco document others did already that gives you an idea of how you can start:

https://blogs.cisco.com/security/step-by-step-setup-of-elk-for-netflow-analytics

As for the content gateways (AMP for ESA and AMP for WSA), the Malware events are included in the normal logging mechanisms from those products, meaning syslog and/or periodic exports of the underlying log files.

Hope you have AMP onsite infrastructure?

BB

Thank you sir. It's actually AMP4E that we need to extract events from. The events have already happened and we need a way to archive those events as they're only held in the AMP4E dashboard for 30 days.

Thanks,

Matt.

The API doc for AMP4E is located here: https://api-docs.amp.cisco.com/api_resources?api_host=api.amp.cisco.com&api_version=v1 You'll be able to massage the data into ELK as you see fit.

If you haven't already, I'd also explore joining Cisco DevNet: https://developer.cisco.com/ You'll gain access to a ton of great development content for the beginner to advanced programmer.
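As an added illustration of "massaging the data into ELK" (example code written for this page, not Cisco's and not from any poster), the script below pulls events from the AMP4E events API and appends them to a newline-delimited JSON file, which Filebeat or Logstash can ship into Elasticsearch. It assumes the documented API conventions (HTTP basic auth with client_id:api_key, a `/v1/events` listing with items in `data` and a `metadata.links.next` URL for the following page); the API host comes from the docs link above, while the sample pages, event ids, hostnames and detection names are constructed so the script runs offline. It de-duplicates on event id so the job can be re-run with an overlapping window, which is the practical answer to the 30-day retention problem: schedule it more often than every 30 days and feed the newest archived timestamp back in as `start_date`.

```python
"""Archive AMP for Endpoints (AMP4E) events from the API as NDJSON for ELK.
Added example for this thread, not Cisco's code."""
import base64
import json
import os
import tempfile
import urllib.request

API_BASE = "https://api.amp.cisco.com/v1"       # host from the API docs link in the thread
FIRST_URL = f"{API_BASE}/events?limit=2"        # tiny page size purely to exercise pagination
DEMO_PATH = os.path.join(tempfile.gettempdir(), "amp4e_events_demo.ndjson")


def make_fetcher(client_id, api_key):
    """Return a GET function using HTTP basic auth (client_id:api_key, as the
    AMP4E API documents). Credentials are read from the environment, not hard-coded."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()

    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                                   "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return fetch


def iter_events(fetch, url):
    """Walk the paginated /events listing: items live in 'data', and while more
    remain the page carries a 'metadata.links.next' URL (assumed layout; check
    it against your API version)."""
    seen = set()                                 # guard against a next-link loop
    while url and url not in seen:
        seen.add(url)
        page = fetch(url)
        yield from page.get("data", [])
        url = page.get("metadata", {}).get("links", {}).get("next")


def archive_events(events, path):
    """Append events to an NDJSON archive, skipping ids already on disk so an
    overlapping re-run never duplicates. Returns the number newly written."""
    existing = set()
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = {json.loads(line)["id"] for line in fh if line.strip()}
    written = 0
    with open(path, "a", encoding="utf-8") as fh:
        for ev in events:
            if ev["id"] not in existing:
                fh.write(json.dumps(ev, separators=(",", ":")) + "\n")
                existing.add(ev["id"])
                written += 1
    return written


def next_start_date(path):
    """Newest archived event timestamp: pass it as start_date on the next run so
    nothing ages out of the console's 30-day window between runs."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        dates = [json.loads(line)["date"] for line in fh if line.strip()]
    return max(dates) if dates else None


# Constructed sample pages (field names modelled on the API, every value invented)
# so the script runs offline; a real run swaps fake_fetch for make_fetcher(...).
SAMPLE_PAGES = {
    FIRST_URL: {
        "metadata": {"links": {"self": FIRST_URL, "next": f"{FIRST_URL}&offset=2"}},
        "data": [
            {"id": 1001, "date": "2020-03-01T10:00:00+00:00", "event_type": "Threat Detected",
             "detection": "W32.Constructed.Sample", "computer": {"hostname": "host-a"}},
            {"id": 1002, "date": "2020-03-02T11:30:00+00:00", "event_type": "Threat Quarantined",
             "detection": "W32.Constructed.Sample", "computer": {"hostname": "host-a"}},
        ],
    },
    f"{FIRST_URL}&offset=2": {
        "metadata": {"links": {"self": f"{FIRST_URL}&offset=2"}},   # no 'next': last page
        "data": [{"id": 1003, "date": "2020-03-03T09:15:00+00:00",
                  "event_type": "Scan Completed", "computer": {"hostname": "host-b"}}],
    },
}


def fake_fetch(url):
    return SAMPLE_PAGES[url]


def run_offline_demo(path=DEMO_PATH, reset=False):
    """Archive the constructed pages; reset=True starts from an empty file."""
    if reset and os.path.exists(path):
        os.remove(path)
    return archive_events(iter_events(fake_fetch, FIRST_URL), path)


if __name__ == "__main__":
    client_id, api_key = os.getenv("AMP_CLIENT_ID"), os.getenv("AMP_API_KEY")
    if client_id and api_key:
        fetch = make_fetcher(client_id, api_key)
        n = archive_events(iter_events(fetch, f"{API_BASE}/events?limit=500"), "amp4e_events.ndjson")
    else:
        n = run_offline_demo(reset=True)
    print(f"archived {n} new events")
```

With real credentials exported as AMP_CLIENT_ID and AMP_API_KEY the script fetches live pages; without them it runs the constructed sample. Pointing Filebeat at the resulting NDJSON file (or using a Logstash file input with the json codec) gets the archived events into Elasticsearch, where they are retained for as long as your index lifecycle policy says rather than 30 days.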

Thanks Sean, I'll check out the API and Devnet.