Can CISCO AMP integrate with QRadar

sherif.hassan (Level 1)

Hi Team

Is it possible to integrate Cisco AMP (all modules, i.e. Endpoint, Network, ESA, WSA and Threat Grid) with the IBM QRadar SIEM solution?

In other words, is it possible for me to view from QRadar all the malicious file or flow activities that have been detected by Cisco AMP?

Another question: what is the format of the Cisco AMP logs (CEF, LEEF, etc.)?

Thanks guys,

Accepted Solution

brmcmaho (Cisco Employee)

In the case of AMP for Networks, the Malware events are available from Firepower Management Center (FMC) via eStreamer, which is widely supported by SIEMs, including (I am pretty sure) QRadar.

In the case of AMP for Endpoints, until relatively recently the recommended way to get those events into a SIEM was to integrate your endpoint cloud console with FMC and then use eStreamer, as above. With the API that is now available in the AMP for Endpoints product, it is now possible for SIEM vendors to retrieve events directly; I don't know if QRadar has done so yet.

Threat Grid has had a richly functional API from day one -- literally. They made the strategic decision to build the entire product around the API from the ground up.

As for the content gateways (AMP for ESA and AMP for WSA), the Malware events are included in the normal logging mechanisms from those products, meaning syslog and/or periodic exports of the underlying log files.

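To make the "retrieve events directly and feed them to QRadar" route concrete, here is an added example that is not from this thread or from Cisco: it normalizes AMP for Endpoints-style events into LEEF 1.0 lines, the format QRadar ingests over syslog, and keeps only the malicious file events the question asks about. The event field names, the sample events and the severity mapping are constructed assumptions for this example, not the documented AMP schema.

```python
HEADER = "LEEF:1.0|Cisco|AMP for Endpoints|1.0|{event_id}|"
DELIM = "\t"  # LEEF 1.0 separates key=value pairs with a tab

# Illustrative severity mapping, an assumption for this example (1 = low, 10 = high).
SEVERITY = {"Threat Detected": 8, "Threat Quarantined": 5, "Scan Completed": 1}

# Constructed sample events in the shape an AMP events feed might return; the field
# names are an assumption for this example, not the documented AMP schema.
SAMPLE_EVENTS = [
    {"event_type": "Threat Detected", "date": "2019-03-04T10:15:00+00:00",
     "computer": {"hostname": "WS-0042", "external_ip": "203.0.113.10"},
     "file": {"disposition": "Malicious", "file_name": "invoice.exe",
              "identity": {"sha256": "a" * 64}}},
    {"event_type": "Scan Completed", "date": "2019-03-04T10:20:00+00:00",
     "computer": {"hostname": "WS-0043", "external_ip": "203.0.113.11"}},
    {"event_type": "Threat Quarantined", "date": "2019-03-04T10:25:00+00:00",
     "computer": {"hostname": "WS-0042", "external_ip": "203.0.113.10"},
     "file": {"disposition": "Malicious", "file_name": "invoice.exe",
              "identity": {"sha256": "a" * 64}}},
]

def clean(value):
    """Keep a value on one line and free of the pair delimiter."""
    return str(value).replace("\r", " ").replace("\n", " ").replace(DELIM, " ")

def to_leef(event):
    """Build one LEEF 1.0 line; '|' in the header event id is escaped so the header parses."""
    computer = event.get("computer", {})
    file_info = event.get("file", {})
    pairs = {
        "devTime": event.get("date", ""),
        "devTimeFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",  # Java date pattern for ISO 8601 with offset
        "sev": SEVERITY.get(event.get("event_type"), 3),
        "src": computer.get("external_ip", ""),
        "identHostName": computer.get("hostname", ""),
        "cat": file_info.get("disposition", "n/a"),
        "fileName": file_info.get("file_name", ""),
        "fileHash": file_info.get("identity", {}).get("sha256", ""),
    }
    event_id = clean(event.get("event_type", "Unknown")).replace("|", "\\|")
    return HEADER.format(event_id=event_id) + DELIM.join(f"{k}={clean(v)}" for k, v in pairs.items())

def is_malicious(event):
    return event.get("file", {}).get("disposition") == "Malicious"

def render_malicious(events):
    """Only the malicious file events, which is the view the question asks for in QRadar."""
    return [to_leef(e) for e in events if is_malicious(e)]
```

Each returned line can be written to a syslog forwarder pointed at the QRadar event collector; a custom DSM or log source extension then maps the LEEF keys to QRadar properties.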

3 Replies

thomas (Cisco Employee)


Ravi Singh (Level 7)

brmcmaho already provided you the answer. Below is the doc link which helps you to integrate QRadar with FMC:

IBM Knowledge Center