02-13-2019 06:49 AM - edited 02-20-2020 09:07 PM
Hello,
We need to archive some events so they're not lost forever after 30 days.
I believe Splunk can integrate with the AMP API and can do this but alas we do not have Splunk or any other decent SIEM for that matter.
Any bright ideas on how we could achieve this?
Thanks,
Matt.
02-13-2019 07:13 AM
I'm assuming you are wanting some type of historical log analysis? If that is the case right now, a SIEM is the only way you are able to extract that data and retain it. There are a number of open source SIEM tools available that can take advantage of the APIs available. ELK (Elasticsearch, Logstash, and Kibana) is a popular option. I have not personally used it with AMP, but I can't see any reason it won't work.
02-13-2019 07:50 AM
Thank you for the suggestion. I'll take a look at ELK.
Cheers,
Matt.
02-13-2019 02:11 PM
I would prefer to use ELK; it's open source, with some add-ons to pay for additionally, and you do your own dashboards.
It is easy and simple.
02-14-2019 12:09 AM
Hi BB,
Thank you for your input.
I've not used ELK before and, like many open source solutions, it looks kind of... "involved".
Have you used it for something similar? Can you point me in the direction of a how-to guide to get it set up and extracting events from AMP to be easily used at a later date?
Thanks!
Matt.
02-14-2019 12:59 AM
It's still in process in my lab; I'm starting to put everything in place for other devices to collect from and to make Kibana dashboards. I do not have a document on hand to offer you now.
But there is a good Cisco document others did already that gives you an idea of how you can start.
https://blogs.cisco.com/security/step-by-step-setup-of-elk-for-netflow-analytics
As for the content gateways (AMP for ESA and AMP for WSA), the Malware events are included in the normal logging mechanisms from those products, meaning syslog and/or periodic exports of the underlying log files.
Hope you have AMP on-site infrastructure?
02-14-2019 01:05 AM
Thank you sir. It's actually AMP4E that we need to extract events from. The events have already happened and we need a way to archive those events as they're only held in the AMP4E dashboard for 30 days.
Thanks,
Matt.
02-14-2019 09:23 AM - edited 02-14-2019 09:24 AM
The API doc for AMP4E is located here: https://api-docs.amp.cisco.com/api_resources?api_host=api.amp.cisco.com&api_version=v1 You'll be able to massage the data into ELK as you see fit.
If you haven't already, I'd also explore joining Cisco DevNet. https://developer.cisco.com/ You'll gain access to a ton of great development content for the beginner to advanced programmer.
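Added example (not code from this thread or from Cisco) of the archiving step the question asks about: pull events from the AMP for Endpoints API, follow the paging links, and append them to a newline-delimited JSON file that ELK (or anything else) can ingest later. It assumes the v1 events endpoint is `GET https://api.amp.cisco.com/v1/events`, that the API uses HTTP Basic auth with the client_id/api_key pair generated in the AMP console, that pages are chained through `metadata.links.next`, and that each event carries an `id` and an ISO 8601 `date`; the `AMP_CLIENT_ID`/`AMP_API_KEY` environment variables and the `amp_events.*` file names are choices made here. Check all of these against the API doc linked above before relying on it.

```python
"""Pull AMP for Endpoints events through the v1 REST API and append them to an
NDJSON archive so they outlive the console's 30-day retention.

Assumptions (not taken from the thread): the events endpoint is
GET {API_BASE}/events with HTTP Basic auth (client_id:api_key from the AMP
console), pages are chained via metadata.links.next, and each event carries
"id" and an ISO 8601 "date". Verify against the API docs.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from base64 import b64encode

API_BASE = "https://api.amp.cisco.com/v1"  # the API host differs per region


def build_request(url, client_id, api_key):
    """Build a GET request carrying HTTP Basic credentials (assumed auth scheme)."""
    token = b64encode(f"{client_id}:{api_key}".encode()).decode()
    return urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"}
    )


def http_fetch(url, client_id, api_key):
    """Fetch one page of JSON from the live API."""
    with urllib.request.urlopen(build_request(url, client_id, api_key), timeout=60) as resp:
        return json.load(resp)


def events_url(start_date=None, limit=500):
    """First-page URL; start_date (ISO 8601) lets repeated runs pull only newer events."""
    params = {"limit": str(limit)}
    if start_date:
        params["start_date"] = start_date
    return f"{API_BASE}/events?" + urllib.parse.urlencode(params)


def iter_events(fetch, first_url):
    """Yield events page by page, following metadata.links.next until it is absent.

    fetch(url) returns the decoded JSON page; injecting it keeps the paging
    logic testable without network access.
    """
    url, seen = first_url, set()
    while url and url not in seen:  # a repeated link would mean a paging loop
        seen.add(url)
        page = fetch(url)
        yield from page.get("data", [])
        url = page.get("metadata", {}).get("links", {}).get("next")


def events_to_ndjson(events):
    """One compact JSON object per line, keys sorted for stable diffs and ingestion."""
    return [json.dumps(e, sort_keys=True) for e in events]


def newest_event_date(events):
    """Largest "date" value; ISO 8601 strings in one time zone sort lexically."""
    dates = [e["date"] for e in events if "date" in e]
    return max(dates) if dates else None


def archive(fetch, archive_path, state_path):
    """Append new events to archive_path; persist the newest date for the next run."""
    start = None
    if os.path.exists(state_path):
        with open(state_path, encoding="utf-8") as fh:
            start = fh.read().strip() or None
    events = list(iter_events(fetch, events_url(start)))
    with open(archive_path, "a", encoding="utf-8") as fh:
        for line in events_to_ndjson(events):
            fh.write(line + "\n")
    newest = newest_event_date(events)
    if newest:
        with open(state_path, "w", encoding="utf-8") as fh:
            fh.write(newest)
    return len(events)


def main():
    client_id, api_key = os.environ.get("AMP_CLIENT_ID"), os.environ.get("AMP_API_KEY")
    if not (client_id and api_key):
        sys.exit("set AMP_CLIENT_ID and AMP_API_KEY (API credentials from the AMP console)")
    n = archive(lambda url: http_fetch(url, client_id, api_key),
                "amp_events.ndjson", "amp_events.state")
    print(f"archived {n} events")


if __name__ == "__main__":
    main()
```

Run it from cron well inside the 30-day window (daily is plenty). The state file makes the next run start at the newest event already archived, so events sharing that exact timestamp are fetched twice; when loading the archive into Elasticsearch, use the event `id` as the document id so those repeats collapse into one record. Keep the API key out of the script and out of the archive directory; it is a read credential for every event in the tenant.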
02-18-2019 01:46 AM
Thanks Sean, I'll check out the API and Devnet.