09-05-2016 04:25 PM - edited 02-20-2020 09:01 PM
Hi Team
Is it possible to integrate Cisco AMP (all modules, i.e. Endpoint, Network, ESA, WSA and Threat Grid) with the IBM QRadar SIEM solution?
In other words, is it possible for me to view from QRadar all the malicious file or flow activities that have been detected by Cisco AMP?
Another question: what is the format of the Cisco AMP logs (CEF, LEEF, etc.)?
Thanks guys,
09-07-2016 10:52 AM
In the case of AMP for Networks, the Malware events are available from Firepower Management Center (FMC) via eStreamer, which is widely supported by SIEMs, including (I am pretty sure) QRadar.
In the case of AMP for Endpoints, until relatively recently the recommended way to get those events into a SIEM was to integrate your endpoint cloud console with FMC and then use eStreamer, as above. With the API that is now available in the AMP for Endpoints product, it is now possible for SIEM vendors to retrieve events directly; I don't know if QRadar has done so yet.
Threat Grid has had a richly functional API from day one -- literally. They made the strategic decision to build the entire product around the API from the ground up.
As for the content gateways (AMP for ESA and AMP for WSA), the Malware events are included in the normal logging mechanisms from those products, meaning syslog and/or periodic exports of the underlying log files.
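The answer above describes two paths into a SIEM: events retrieved from a product API, and events that arrive as syslog. The following is an added example (not Cisco's, IBM's, or this thread's code) of the glue a SIEM integrator writes between the two: it takes a JSON event list as an API might return it, keeps only events whose file disposition is Malicious, drops duplicates that overlapping API polls would otherwise re-emit, and rewrites each one as a LEEF 1.0 syslog line, the IBM log format the original question asks about. The payload shape, the function names, and the attribute keys `hostname`, `eventId`, `fileName`, `fileHash` and `disposition` are assumptions for illustration; they are not the real AMP for Endpoints API schema or a Cisco-published LEEF mapping.

```python
"""Normalise JSON malware events into LEEF 1.0 syslog lines for a SIEM.

Added example code, not the product's own. The event layout below is an
assumed shape constructed for this example, not a real AMP API response.
"""
import json
from datetime import datetime, timezone

# Constructed sample API response (assumed shape). Event 1001 appears twice to
# model the overlap you get when polling with a start-date cursor.
SAMPLE_RESPONSE = json.dumps({"data": [
    {"id": 1001, "date": "2016-09-07T10:52:00+00:00", "event_type": "Threat Detected",
     "computer": {"hostname": "ws-0042", "external_ip": "192.0.2.10"},
     "file": {"file_name": "invoice.exe", "disposition": "Malicious",
              "identity": {"sha256": "0" * 64}}},  # placeholder hash
    {"id": 1002, "date": "2016-09-07T10:53:00+00:00", "event_type": "Scan Completed",
     "computer": {"hostname": "ws-0042", "external_ip": "192.0.2.10"},
     "file": None},
    {"id": 1001, "date": "2016-09-07T10:52:00+00:00", "event_type": "Threat Detected",
     "computer": {"hostname": "ws-0042", "external_ip": "192.0.2.10"},
     "file": {"file_name": "invoice.exe", "disposition": "Malicious",
              "identity": {"sha256": "0" * 64}}},
]})


def _clean(value):
    """LEEF 1.0 separates attributes with tabs and records with newlines, so
    a value containing either would corrupt parsing; replace them."""
    return str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")


def _header(field):
    """Pipes delimit the LEEF header, so a literal pipe must be escaped."""
    return str(field).replace("|", "\\|")


def malicious_events(raw_json, seen_ids):
    """Parse an API response, skip ids already forwarded, and return only
    events whose file disposition is Malicious. seen_ids is mutated so the
    caller can keep it across polls."""
    events = json.loads(raw_json)["data"]
    selected = []
    for event in events:
        if event["id"] in seen_ids:
            continue
        seen_ids.add(event["id"])
        disposition = (event.get("file") or {}).get("disposition")
        if disposition == "Malicious":
            selected.append(event)
    return selected


def to_leef(event):
    """Build one LEEF 1.0 record: header fields joined by '|', then
    tab-separated key=value attributes. devTime/devTimeFormat are LEEF's
    predefined keys; the remaining keys are custom names chosen here."""
    computer = event.get("computer") or {}
    file_info = event.get("file") or {}
    identity = file_info.get("identity") or {}
    attrs = {
        "devTime": event["date"],
        "devTimeFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
        "src": computer.get("external_ip", ""),
        "hostname": computer.get("hostname", ""),
        "eventId": event["id"],
        "fileName": file_info.get("file_name", ""),
        "fileHash": identity.get("sha256", ""),
        "disposition": file_info.get("disposition", ""),
    }
    header = "|".join(["LEEF:1.0", "Cisco", "AMP for Endpoints", "1.0",
                       _header(event["event_type"])])
    body = "\t".join(f"{k}={_clean(v)}" for k, v in attrs.items() if v != "")
    return header + "|" + body


def syslog_frame(leef, hostname="amp-forwarder", pri=132, now=None):
    """Wrap a LEEF record in a minimal BSD-syslog header. PRI 132 is
    facility local0 (16*8) + severity warning (4)."""
    now = now or datetime.now(timezone.utc)
    return f"<{pri}>{now.strftime('%b %d %H:%M:%S')} {hostname} {leef}"


if __name__ == "__main__":
    seen = set()
    for ev in malicious_events(SAMPLE_RESPONSE, seen):
        print(syslog_frame(to_leef(ev)))
```

The `seen_ids` set is the piece most often forgotten: an API poll that asks for "everything since my last timestamp" returns the boundary event again, and without deduplication the SIEM counts one detection twice. In a real forwarder that set would be persisted, or replaced by the cursor the vendor's API exposes, and the framed line would be sent to the QRadar event collector over TCP or TLS syslog rather than printed.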
09-07-2016 10:25 AM
Moving to Advanced Malware Protection (AMP) ...
01-12-2017 01:10 AM