Re: Data retention and Syslog

kostasthedelegate · ‎01-10-2020

Hello,

I have Cisco AMP for Endpoints. It is a new installation.

I would like to ask if there is a possibility to change the data retention setting.

I would like to have data for more than 30 days.

Is there any option to send data to a Syslog server?

Thanks and regards,

Konstantinos

kostasthedelegate · ‎01-13-2020

Hello,
Any ideas?

Wojciech Cecot · ‎01-14-2020

Hi,

If you need to have more than 30 days of Events you can always consider to use the AMP API:
https://api-docs.amp.cisco.com/api_resources?api_host=api.eu.amp.cisco.com&api_version=v1
Event section will be the one, which you can use on your SIEM system. There is even special Splunk extension for the Cisco AMP console which gathers such data:
https://splunkbase.splunk.com/app/3670/

Regular syslog is not possible.

Hope that helps,
Wojciech

kostasthedelegate · ‎01-14-2020

Hello Wojciech,

Thank you for your answer.
Because I am not aware of the API calls. is there any guide, that could be used?
Especially, I would like to find compatibilities with SIEM systems.

Regards,
Konstantinos

brmcmaho · ‎01-16-2020

A new resource for third party integrations with AMP is now available:

https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/AMP-endpoints-partners-integrations.html#~third-party-integrations

kostasthedelegate · ‎01-17-2020

Thanks a lot!!

Will review it!!