06-18-2020 09:24 AM
Hello all!
I'm trying to extract events older than 1 month (.csv) from AMP for Endpoints, but without success.
Is it possible to get this info?
Be
06-18-2020 10:29 AM
Hi Marcelo,
Thanks for using Cisco Community. Regarding your inquiry, unfortunately the events in the "Event Section" are deleted after 30 days.
On the AMP Console, you can find the event section in Analysis → Events
However, we have other logs that are saved for more than 30 days, for example the Audit Logs; you can find this information under Account → Audit Log
If you want to review the events of a specific device you can find this information directly on the computer, in a file called "History.db" inside the AMP folder (commonly stored in C → Program Files → Cisco → AMP)
If you open the file with a DB Browser
You can also create an Event Stream in order to send the events to a SIEM or a device to save all the events.
You can create this Event Stream by generating a Read/Write API (On the Console Navigate to Accounts → API Credentials), in the following link you can find the documentation of how to create the Event Stream https://api-docs.amp.cisco.com/api_resources/EventStream?api_host=api.amp.cisco.com&api_version=v1
I hope this information can be useful to you.
Have a great day!!!
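One way to pull older events out of the local History.db mentioned above, as an added Python example that is not part of this thread or of Cisco's tooling. The real History.db schema is not shown here, so the `events` table and its columns are a constructed stand-in; `list_tables()` is how you would discover the actual names on a copy of the file before exporting.

```python
import csv
import shutil
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample data: a hypothetical layout standing in for the real,
# undocumented History.db schema. Timestamps are ISO-8601 so string comparison
# orders them correctly (assumption: the real column would need the same check).
SAMPLE_EVENTS = [
    ("2020-04-02T09:15:00Z", "Threat Detected", "C:\\Users\\alice\\dl\\setup.exe"),
    ("2020-05-10T17:42:00Z", "Threat Quarantined", "C:\\Users\\alice\\dl\\setup.exe"),
    ("2020-06-17T08:03:00Z", "Scan Completed", ""),
]

def build_sample_db():
    """Return an in-memory SQLite connection holding the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, event_type TEXT, file_path TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return conn

def open_copy(db_path, copy_path):
    """Copy History.db before opening it: the connector may hold the live file,
    and working on a copy leaves the original intact as evidence."""
    shutil.copy2(db_path, copy_path)
    return sqlite3.connect(copy_path)

def quote_ident(name):
    """Double-quote an SQL identifier; identifiers cannot be bound as parameters."""
    return '"' + name.replace('"', '""') + '"'

def list_tables(conn):
    """Map every user table to its column names via sqlite_master and PRAGMA table_info."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    return {n: [c[1] for c in conn.execute(f"PRAGMA table_info({quote_ident(n)})")]
            for n in names}

def export_older_than(conn, table, ts_col, cutoff_iso, out_path):
    """Write rows of `table` whose `ts_col` is older than cutoff_iso to CSV; return the count.
    Table and column names are validated against the live schema before being
    interpolated, so an untrusted name cannot alter the query."""
    schema = list_tables(conn)
    if table not in schema or ts_col not in schema[table]:
        raise ValueError(f"unknown table/column: {table}.{ts_col}")
    sql = (f"SELECT * FROM {quote_ident(table)} WHERE {quote_ident(ts_col)} < ? "
           f"ORDER BY {quote_ident(ts_col)}")
    rows = conn.execute(sql, (cutoff_iso,)).fetchall()
    with open(out_path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(schema[table])
        writer.writerows(rows)
    return len(rows)

def cutoff_days_ago(days=30):
    """ISO-8601 UTC timestamp `days` ago, matching the console's 30-day retention window."""
    return (datetime.now(timezone.utc) - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
```

On a real endpoint you would call `open_copy(r"C:\Program Files\Cisco\AMP\History.db", "history_copy.db")`, inspect `list_tables()` to pick the event table and timestamp column, then export with `cutoff_days_ago(30)`.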
06-18-2020 12:50 PM
That's great!
I would like to put this event stream into Splunk, is there any step by step guide?
06-19-2020 06:27 AM
There is no step by step guide, but here is an article about Event Streams and how to set one up. There are also a few Python scripts in github.com/CiscoSecurity that you may find useful. As for the Splunk side, there are two AMP modules you can use.
https://splunkbase.splunk.com/app/3670/
https://splunkbase.splunk.com/app/3686/
Hope that helps!
-Matt