Cisco Secure Endpoint API Integration to custom SIEM

Dinobravo69
Level 1

Hello,

I want to forward the alerts generated from Cisco Secure Endpoint to my custom SIEM.

Which type of API would best fit in this case?

Thanks,

Dino

6 Replies

If you're building your own API query thing, eventstream. https://developer.cisco.com/docs/secure-endpoint/eventstream/

There's an Elastic beat for it if you're using Elastic. LogRhythm has one too... There may be others with similar things.

Tried to set up the event stream API, but no logs are coming in. Is there any documentation, FAQ, or relevant videos for these kinds of issues?

And a question: the IOC API does not give the actual alerts from the EDR console (I deployed this one successfully, but only IOC information is displayed, not the actual alert). Which one would be used specifically and only for the alerts generated in the Secure Endpoint console?

Thanks,

Dino

Start here.

https://developer.cisco.com/amp-for-endpoints/

This is closer to the actual page you want (on my phone so I'm not seeing everything):
https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-event/
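The events API referenced in this reply can be polled by a small forwarder instead of consuming the AMQP event stream, which also answers the earlier question about getting only console alerts rather than IOC records. The following is an added example, not code from this thread or from Cisco. It assumes HTTP Basic authentication with `client_id:api_key` against the North America cloud host, a response body shaped as `{"data": [...], "metadata": {"links": {"next": url}}}` as the reference describes, and field names (`computer.hostname`, `file.identity.sha256`, ...) taken from that reference; the two sample pages, hostnames, GUIDs and hashes are constructed so the script runs offline. Filtering to alert event types is done client-side by name, so it works whether or not you pass the API's own numeric event-type filter.

```python
"""Poll the Secure Endpoint v1 events API and forward alerts as CEF lines.

Added example, not code from this thread or from Cisco. Assumes Basic auth
with client_id:api_key, the North America API host, and the response shape
{"data": [...], "metadata": {"links": {"next": url}}}. Sample pages are constructed.
"""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_BASE = "https://api.amp.cisco.com/v1"  # assumed; other regions use other hosts

# Event type names as shown in the console: only these reach the SIEM.
# Scans, policy updates and similar noise are dropped. Adjust to your tenant.
ALERT_TYPES = {"Threat Detected", "Threat Quarantined", "Quarantine Failure",
               "Cloud IOC", "Executed malware", "Exploit Prevention"}
SEVERITY_MAP = {"Low": 3, "Medium": 5, "High": 8, "Critical": 10}

# ---- constructed sample: two pages, one noise event, one duplicate ----------
_THREAT = {"id": 1001, "date": "2024-03-01T10:00:00+00:00",
           "event_type": "Threat Detected", "severity": "Medium",
           "detection": "W32.Sample.Test",
           "computer": {"hostname": "ws-01", "connector_guid": "guid-0001",
                        "external_ip": "198.51.100.7"},
           "file": {"file_name": "bad.exe", "file_path": "C:\\Users\\alice\\bad.exe",
                    "identity": {"sha256": "ab" * 32}}}
_QUARANTINE = dict(_THREAT, id=1003, date="2024-03-01T10:05:00+00:00",
                   event_type="Threat Quarantined")
_NOISE = {"id": 1002, "date": "2024-03-01T10:01:00+00:00",
          "event_type": "Scan Started", "computer": {"hostname": "ws-02"}}
SAMPLE_PAGES = {
    "page1": {"data": [_THREAT, _NOISE], "metadata": {"links": {"next": "page2"}}},
    "page2": {"data": [_THREAT, _QUARANTINE], "metadata": {"links": {}}},  # 1001 repeats
}

def events_url(start_date, limit=500):
    """First page URL; later pages come from metadata.links.next."""
    return f"{API_BASE}/events?{urlencode({'start_date': start_date, 'limit': limit})}"

def fetch_page(url, client_id, api_key, timeout=30):
    """Live fetch with HTTP Basic auth; returns the parsed JSON body."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}",
                                "Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())

def normalize(ev):
    """Flatten one raw event into the fields a SIEM correlation rule needs."""
    comp, f = ev.get("computer", {}), ev.get("file", {})
    return {"id": ev["id"], "ts": ev.get("date", ""), "type": ev.get("event_type", ""),
            "severity": ev.get("severity", ""), "detection": ev.get("detection", ""),
            "host": comp.get("hostname", ""), "connector_guid": comp.get("connector_guid", ""),
            "src_ip": comp.get("external_ip", ""), "path": f.get("file_path", ""),
            "sha256": f.get("identity", {}).get("sha256", "")}

def poll_alerts(fetch, start_url, seen=None, alert_types=ALERT_TYPES):
    """Walk all pages; keep alert types only; drop ids in `seen` (persist it across polls)."""
    seen = set() if seen is None else seen
    out, url = [], start_url
    while url:
        page = fetch(url)
        for ev in page.get("data", []):
            if ev.get("event_type") not in alert_types or ev["id"] in seen:
                continue
            seen.add(ev["id"])
            out.append(normalize(ev))
        url = page.get("metadata", {}).get("links", {}).get("next")
    return out

def checkpoint(records, default):
    """Newest timestamp seen, to use as start_date for the next poll."""
    return max((r["ts"] for r in records), default=default)

def cef_escape(value, header=False):
    """CEF escaping: backslash always; '|' in header fields, '=' in extensions."""
    v = str(value).replace("\\", "\\\\")
    v = v.replace("|", "\\|") if header else v.replace("=", "\\=")
    return v.replace("\r", " ").replace("\n", " ")

def to_cef(rec):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    sev = SEVERITY_MAP.get(rec["severity"], 5)
    head = "|".join(cef_escape(x, header=True) for x in
                    ("CEF:0", "Cisco", "Secure Endpoint", "1", rec["type"],
                     rec["detection"] or rec["type"], sev))
    ext = [("rt", rec["ts"]), ("dvchost", rec["host"]), ("src", rec["src_ip"]),
           ("fileHash", rec["sha256"]), ("filePath", rec["path"]),
           ("cs1Label", "detection"), ("cs1", rec["detection"]),
           ("cs2Label", "connector_guid"), ("cs2", rec["connector_guid"])]
    return head + "|" + " ".join(f"{k}={cef_escape(v)}" for k, v in ext if v)

if __name__ == "__main__":
    import os, sys
    if "--live" in sys.argv:  # needs SE_CLIENT_ID / SE_API_KEY in the environment
        cid, key = os.environ["SE_CLIENT_ID"], os.environ["SE_API_KEY"]
        fetch, start = (lambda u: fetch_page(u, cid, key)), events_url("2024-03-01T00:00:00+00:00")
    else:
        fetch, start = SAMPLE_PAGES.__getitem__, "page1"
    for rec in poll_alerts(fetch, start):
        print(to_cef(rec))
```

Run without arguments to see the two constructed alerts rendered as CEF (the scan event and the repeated id are dropped); with `--live` it polls the real endpoint using the credentials in the environment. Keep the `seen` set and the `checkpoint()` value on disk between runs: polling with a `start_date` slightly before the last checkpoint tolerates clock skew on the API side, and the id set is what prevents that overlap from creating duplicate SIEM alerts.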

bharatpoojary
Level 1

You can use the Microsoft Graph API.

Not using Azure.

If you have an Azure Premium P1 licence, that's enough.