Can CISCO AMP integrate with QRadar

Hi Team

Is it possible to integrate CISCO AMP (all modules, i.e. Endpoint, Network, ESA, WSA and Threat Grid) with the IBM QRadar SIEM solution?

In other words, is it possible for me to view from QRadar all the malicious file or flow activities that have been detected by CISCO AMP?

Another question: what is the format of the CISCO AMP logs (CEF, LEEF, etc.)?

Thanks guys,

Accepted Solution
Cisco Employee

Re: Can CISCO AMP integrate with QRadar

In the case of AMP for Networks, the Malware events are available from Firepower Management Center (FMC) via eStreamer, which is widely supported by SIEMs, including (I am pretty sure) QRadar.

In the case of AMP for Endpoints, until relatively recently the recommended way to get those events into a SIEM was to integrate your endpoint cloud console with FMC and then use eStreamer, as above.  With the API that is now available in the AMP for Endpoints product, it is now possible for SIEM vendors to retrieve events directly; I don't know if QRadar has done so yet.

Threat Grid has had a richly functional API from day one -- literally.  They made the strategic decision to build the entire product around the API from the ground up.

As for the content gateways (AMP for ESA and AMP for WSA), the Malware events are included in the normal logging mechanisms from those products, meaning syslog and/or periodic exports of the underlying log files.
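As an added illustration of the direct-API path described in the answer above (this is not code from the thread or from Cisco), the following Python renders one constructed AMP for Endpoints event as a LEEF 1.0 line that a QRadar syslog log source can parse. The event field names follow the public /v1/events API shape and the severity mapping is an assumption; both are marked as such in the code.

```python
from datetime import datetime, timezone

# Constructed sample event shaped like one record from the AMP for Endpoints
# /v1/events API (field names are an assumption drawn from the public API docs).
SAMPLE_EVENT = {
    "date": "2019-05-21T13:07:45+00:00",
    "event_type": "Threat Detected",
    "event_type_id": 1090519054,
    "detection": "W32.GenericKD.Trojan",
    "computer": {"hostname": "WS-0042", "external_ip": "203.0.113.7"},
    "file": {
        "file_name": "invoice.exe",
        "file_path": "C:\\Users\\alice\\Downloads\\invoice.exe",
        "identity": {"sha256": "0" * 64},
        "disposition": "Malicious",
    },
}

# Assumed mapping from AMP file disposition to LEEF severity (1-10); tune to your rules.
SEVERITY = {"Malicious": 9, "Unknown": 5, "Clean": 2}

def severity_for(event):
    """LEEF severity for an event, keyed on the file disposition AMP reports (default 5)."""
    return SEVERITY.get(event.get("file", {}).get("disposition"), 5)

def leef_value(value):
    """LEEF 1.0 separates attributes with a tab and defines no escape for it, so tabs and newlines inside a value are flattened to spaces."""
    return str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")

def amp_event_to_leef(event):
    """Render one AMP event as a LEEF 1.0 line; keys outside LEEF's predefined set (fileName, fileHash, ...) need custom event properties in QRadar."""
    ts = datetime.fromisoformat(event["date"]).astimezone(timezone.utc)
    computer, file_info = event.get("computer", {}), event.get("file", {})
    attrs = {
        "devTime": ts.strftime("%b %d %Y %H:%M:%S"),
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",
        "cat": event.get("event_type", "unknown"),
        "sev": severity_for(event),
        "src": computer.get("external_ip", ""),
        "identHostName": computer.get("hostname", ""),
        "fileName": file_info.get("file_name", ""),
        "filePath": file_info.get("file_path", ""),
        "fileHash": file_info.get("identity", {}).get("sha256", ""),
        "disposition": file_info.get("disposition", ""),
        "detection": event.get("detection", ""),
    }
    header = "LEEF:1.0|Cisco|AMP for Endpoints|1.0|%s|" % event.get("event_type_id", 0)
    return header + "\t".join("%s=%s" % (k, leef_value(v)) for k, v in attrs.items())
```

Calling `amp_event_to_leef(SAMPLE_EVENT)` yields the line you would ship to QRadar over syslog; in production the events would come from the API with your client ID and API key rather than from the constructed sample.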

Rising star

Re: Can CISCO AMP integrate with QRadar

brmcmaho has already provided you the answer. Below is the doc link, which will help you integrate QRadar with FMC.

IBM Knowledge Center