| 1 | +--- |
| 2 | +id: cisco-amp |
| 3 | +title: Cisco AMP |
| 4 | +sidebar_label: Cisco AMP |
| 5 | +description: The Sumo Logic app for Cisco AMP helps you to gain real-time monitoring and analysis of cybersecurity incidents in the Cisco AMP platform. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +<img src={useBaseUrl('img/send-data/cisco-amp.png')} alt="thumbnail icon" width="85"/> |
| 11 | + |
| 12 | +The Sumo Logic app for Cisco AMP provides security analysts with essential tools to enhance threat detection, conduct thorough investigations, and strengthen cybersecurity defenses. It offers security analysts with a powerful platform for real-time monitoring and analysis of cybersecurity incidents. Analysts can evaluate event severity, identify types of incidents, assess host activities, and analyze file types involved in breaches. |
| 13 | + |
| 14 | +Additionally, the app highlights the top hosts, users, tactics, and techniques, helping analysts recognize trends and potential risks. With this app, they can examine detection types, review recent malicious files, investigate compromised endpoints, and monitor suspicious processes to respond swiftly to security incidents. The app's geolocation features further enhance analysis by mapping the origins of cybersecurity events and emphasizing activities from restricted areas. |
| 15 | + |
| 16 | +:::info |
| 17 | +This app includes [built-in monitors](#cisco-amp-monitors). For details on creating custom monitors, refer to the [Create monitors for Cisco AMP app](#create-monitors-for-cisco-amp-app). |
| 18 | +::: |
| 19 | + |
| 20 | +## Log types |
| 21 | + |
| 22 | +This app uses Sumo Logic’s [Cisco AMP Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/) to collect the event logs from the Cisco platform. |
| 23 | + |
| 24 | +### Sample log message |
| 25 | + |
| 26 | +<details> |
| 27 | +<summary>Event Log</summary> |
| 28 | + |
| 29 | +```json |
| 30 | +{ |
| 31 | + "version": "v1.2.0", |
| 32 | + "metadata": { |
| 33 | + "links": { |
| 34 | + "self": "https://api.amp.cisco.com/v1/events?limit=2", |
| 35 | + "next": "https://api.amp.cisco.com/v1/events?limit=2&offset=2" |
| 36 | + }, |
| 37 | + "results": { |
| 38 | + "total": 1165, |
| 39 | + "current_item_count": 2, |
| 40 | + "index": 0, |
| 41 | + "items_per_page": 2 |
| 42 | + } |
| 43 | + }, |
| 44 | + "data": [ |
| 45 | + { |
| 46 | + "id": 6180351977805840000, |
| 47 | + "timestamp": 1647602406, |
| 48 | + "timestamp_nanoseconds": 548000000, |
| 49 | + "date": "2022-03-18T11:20:06+00:00", |
| 50 | + "event_type": "Threat Detected", |
| 51 | + "event_type_id": 1090519054, |
| 52 | + "detection": "W32.GenericKD:ZVETJ.18gs.1201", |
| 53 | + "detection_id": "6180351977805840385", |
| 54 | + "connector_guid": "538738f5-3a14-4449-933b-86142553de06", |
| 55 | + "group_guids": [ |
| 56 | + "e766a0e9-96da-41b9-b1e8-87dd010d6b68" |
| 57 | + ], |
| 58 | + "severity": "Medium", |
| 59 | + "computer": { |
| 60 | + "connector_guid": "538738f5-3a14-4449-933b-86142553de06", |
| 61 | + "hostname": "Demo_Upatre", |
| 62 | + "external_ip": "xxx.xxx.xxx.xxx", |
| 63 | + "user": "A@TEMPLATE-W7X86", |
| 64 | + "active": true, |
| 65 | + "network_addresses": [ |
| 66 | + { |
| 67 | + "ip": "xxx.xxx.xxx.xxx", |
| 68 | + "mac": "xx:xx:xx:xx:xx:xx" |
| 69 | + } |
| 70 | + ], |
| 71 | + "links": { |
| 72 | + "computer": "https://api.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06", |
| 73 | + "trajectory": "https://api.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06/trajectory", |
| 74 | + "group": "https://api.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a" |
| 75 | + } |
| 76 | + }, |
| 77 | + "file": { |
| 78 | + "disposition": "Malicious", |
| 79 | + "file_name": "wsymqyv90.exe", |
| 80 | + "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe", |
| 81 | + "identity": { |
| 82 | + "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", |
| 83 | + "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48", |
| 84 | + "md5": "e2f5dcd966e26d54329e8d79c7201652" |
| 85 | + }, |
| 86 | + "parent": { |
| 87 | + "process_id": 4040, |
| 88 | + "disposition": "Clean", |
| 89 | + "file_name": "iexplore.exe", |
| 90 | + "identity": { |
| 91 | + "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", |
| 92 | + "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", |
| 93 | + "md5": "b3581f426dc500a51091cdd5bacf0454" |
| 94 | + } |
| 95 | + } |
| 96 | + }, |
| 97 | + "tactics": [ |
| 98 | + "TA0042" |
| 99 | + ], |
| 100 | + "techniques": [ |
| 101 | + "T1204.003" |
| 102 | + ] |
| 103 | + } |
| 104 | + ] |
| 105 | +} |
| 106 | +``` |
| 107 | +</details> |
| 108 | + |
| 109 | +### Sample queries |
| 110 | + |
| 111 | +```sql title="Total Events" |
| 112 | +_sourceCategory="Labs/cisco-amp-app" |
| 113 | +| json "id", "connector_guid", "severity", "event_type", "computer.active", "file.disposition", "detection_id", "detection", "computer.hostname", "computer.user", "tactics[*]", "techniques[*]", "computer.external_ip", "file.file_name", "file.file_path", "file.parent.file_name", "file.identity.sha256", "file.identity.sha1", "file.identity.md5", "file.parent.identity.sha256", "date", "computer.network_addresses[*]", "file.parent.process_id", "file.parent.disposition", "computer.links.trajectory", "computer.links.computer", "computer.links.group" as id, connector_guid, severity, event_type, status, file_type, detection_id, detection, hostname, user, tactics, techniques, external_ip, file_name, file_path, parent_file_name, sha2565, sha1, md5, parent_sha256, date, computer_network_addresses, process_id, parent_file_type, trajectory_link, computer_link, group_link nodrop |
| 114 | + |
| 115 | +// global filters |
| 116 | +| where severity matches "{{severity}}" |
| 117 | +| where event_type matches "{{event_type}}" |
| 118 | +| where status matches "{{host_status}}" |
| 119 | +| extract field=tactics "\"?(?<tactics>[\w\s\-&.,]*)\"?[,\n\]]" multi |
| 120 | +| extract field=techniques "\"?(?<techniques>[\w\s\-&.,]*)\"?[,\n\]]" multi |
| 121 | +| where tactics matches "{{tactics}}" |
| 122 | +| where techniques matches "{{techniques}}" |
| 123 | + |
| 124 | +| count by id, connector_guid |
| 125 | +| count |
| 126 | +``` |
| 127 | + |
| 128 | +## Collection configuration and app installation |
| 129 | + |
| 130 | +import CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; |
| 131 | + |
| 132 | +<CollectionConfiguration/> |
| 133 | + |
| 134 | +:::important |
| 135 | +Use the [Cloud-to-Cloud Integration for Cisco AMP Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Cisco AMP app is properly integrated and configured to collect and analyze your Cisco AMP data. |
| 136 | +::: |
| 137 | + |
| 138 | +### Create a new collector and install the app |
| 139 | + |
| 140 | +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; |
| 141 | + |
| 142 | +<AppCollectionOPtion1/> |
| 143 | + |
| 144 | +### Use an existing collector and install the app |
| 145 | + |
| 146 | +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; |
| 147 | + |
| 148 | +<AppCollectionOPtion2/> |
| 149 | + |
| 150 | +### Use an existing source and install the app |
| 151 | + |
| 152 | +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; |
| 153 | + |
| 154 | +<AppCollectionOPtion3/> |
| 155 | + |
| 156 | +## Viewing the Cisco AMP dashboards |
| 157 | + |
| 158 | +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; |
| 159 | + |
| 160 | +<ViewDashboards/> |
| 161 | + |
| 162 | +### Overview |
| 163 | + |
| 164 | +The **Cisco AMP - Overview** dashboard is a comprehensive tool that provides security analysts with a high-level summary of key cybersecurity metrics. It tracks total security events, newly detected threats, and recent endpoint activities, offering real-time visibility into the organization's threat landscape. By categorizing threats according to severity levels and types, the dashboard helps analysts quickly identify and prioritize response actions. It also highlights key information on top threat actors and prevalent attack techniques, enhancing threat intelligence and supporting robust incident response strategies. Continuous monitoring of threat trends and endpoint activities empowers analysts to proactively mitigate risks, ensuring a resilient cybersecurity defense posture and effective threat management. <br/> <img src={useBaseUrl('https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Cisco-AMP/Cisco+AMP+-+Overview+(2).png')} alt="Cisco AMP Overview" style={{border: '1px solid gray'}} width="800" /> |
| 165 | + |
| 166 | +## Create monitors for Cisco AMP app |
| 167 | + |
| 168 | +import CreateMonitors from '../../reuse/apps/create-monitors.md'; |
| 169 | + |
| 170 | +<CreateMonitors/> |
| 171 | + |
| 172 | +### Cisco AMP monitors |
| 173 | + |
| 174 | +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |
| 175 | +|:--|:--|:--|:--| |
| 176 | +| `Cisco AMP - Events from Embargoed Geo Locations` | This alert identifies and flags events originating from embargoed geographic locations within the Cisco AMP environment. By promptly detecting and responding to activities from restricted regions, security analysts can proactively mitigate potential threats and prevent unauthorized access or breaches. | Critical | Count > 0 | |
| 177 | +| `Cisco AMP - High Severity Events` | This alert highlights security incidents with critical severity levels within the Cisco AMP ecosystem. By prioritizing these high-risk events, security personnel can quickly respond, investigate, and implement necessary actions to effectively mitigate risks before they escalate. | Critical | Count > 0| |
| 178 | +| `Cisco AMP - Events with Malicious File` | This alert tracks events related to malicious files within the Cisco AMP system. By promptly alerting analysts to activities involving malicious files, it enables quick identification, isolation, and remediation of threats, helping safeguard the organization's networks and endpoints from potential cybersecurity breaches. | Critical | Count > 0| |
| 179 | + |
| 180 | +## Upgrade/Downgrade the Cisco AMP app (Optional) |
| 181 | + |
| 182 | +import AppUpdate from '../../reuse/apps/app-update.md'; |
| 183 | + |
| 184 | +<AppUpdate/> |
| 185 | + |
| 186 | +## Uninstalling the Cisco AMP app (Optional) |
| 187 | + |
| 188 | +import AppUninstall from '../../reuse/apps/app-uninstall.md'; |
| 189 | + |
| 190 | +<AppUninstall/> |
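Review bot: in the `Total Events` sample query the alias list maps `"file.identity.sha256"` to `sha2565`, which reads as a typo for `sha256`; any panel or monitor that later filters on `sha256` would silently operate on a missing field, so the alias should be renamed before the query is copied into the dashboards. The same alias list also names `"file.disposition"` and `"file.parent.disposition"` as `file_type` and `parent_file_type`, and `"computer.active"` as `status`, but per the sample log those fields carry dispositions (`Malicious`, `Clean`) and a boolean, not file types or a host status; aliases such as `file_disposition`, `parent_file_disposition` and `host_active` would describe the data honestly and make the `{{host_status}}` filter self-explanatory. Minor style point: the three `AppCollectionOPtion1/2/3` import names carry a stray capital `P` that the other reuse imports (`CreateMonitors`, `AppUpdate`, `AppUninstall`) do not.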