Cisco AMP

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Cisco AMP event stream | ✅ | ✅ |  |  | cisco_amp_events | NDJSON | API |


Overview

Cisco AMP, now Cisco Secure Endpoint, is a comprehensive endpoint security solution designed to prevent, detect, and respond to cyber threats. It combines advanced threat intelligence, machine learning, and behavioral analysis to protect endpoints from malware, ransomware, and other sophisticated attacks. AMP continuously monitors file activity, offering real-time threat detection and retrospective analysis to quickly identify and remediate vulnerabilities. Integrated with Cisco's security ecosystem, it provides seamless visibility and protection across networks, making it a robust tool for organizations seeking proactive and adaptive endpoint defense.

Supported data types

Cisco AMP event stream

Table name: cisco_amp_events

Cisco AMP event stream logs capture and record detailed information about security-related events detected by Cisco AMP. These logs include data on file and network activities, threat detections, and other security events, aiding in the analysis, investigation, and response to potential cybersecurity threats.

Send data to Hunters

Hunters supports the collection of Cisco AMP logs through the Cisco AMP API.

To connect Cisco AMP logs:

  1. Follow this guide to gather the following information from Cisco:

    • Host

    • User Name

    • Password

    • Queue Name

  2. Complete the connection on the Hunters platform by following this process.

Expected format

Logs are expected in NDJSON format.

{
    "id": 6914329852531179526,
    "timestamp": 1609867870,
    "timestamp_nanoseconds": 386000000,
    "date": "2021-01-05T17:31:10+00:00",
    "event_type": "Scan Started",
    "event_type_id": 554696714,
    "connector_guid": "6d5af189-4530-4632-80a4-11d367dd8c7c",
    "group_guids": [
        "572d3ccd-dace-4434-898b-50c25414d697"
    ],
    "computer": {
        "connector_guid": "6d5af189-4530-4632-80a4-11d367dd8c7c",
        "hostname": "hntrsrchcs0.hntrsrch.local",
        "external_ip": "40.75.120.251",
        "active": true,
        "network_addresses": [
            {
                "ip": "10.0.11.6",
                "mac": "00:0d:3a:7c:4c:f5"
            }
        ],
        "links": {
            "computer": "https://api.amp.cisco.com/v1/computers/6d5af189-4530-4632-80a4-11d367dd8c7c",
            "trajectory": "https://api.amp.cisco.com/v1/computers/6d5af189-4530-4632-80a4-11d367dd8c7c/trajectory",
            "group": "https://api.amp.cisco.com/v1/groups/572d3ccd-dace-4434-898b-50c25414d697"
        }
    },
    "scan": {
        "description": "Flash Scan"
    }
}
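As an added example (not code from Hunters or Cisco), the following Python parses an NDJSON feed of events shaped like the one above, one record per line, flattening the fields an analyst would index from cisco_amp_events and isolating malformed lines so a single bad record does not drop the batch. The sample feed is constructed for the example; the key names match the event above, and the id is kept as a string because values above 2**53 lose precision in JavaScript-based tooling.

```python
import json
from datetime import datetime, timezone

# Constructed feed: line 1 mirrors the sample event, line 2 is a truncated record, line 3 is a second event.
SAMPLE_NDJSON = """\
{"id": 6914329852531179526, "timestamp": 1609867870, "timestamp_nanoseconds": 386000000, "date": "2021-01-05T17:31:10+00:00", "event_type": "Scan Started", "event_type_id": 554696714, "connector_guid": "6d5af189-4530-4632-80a4-11d367dd8c7c", "group_guids": ["572d3ccd-dace-4434-898b-50c25414d697"], "computer": {"hostname": "hntrsrchcs0.hntrsrch.local", "external_ip": "40.75.120.251", "network_addresses": [{"ip": "10.0.11.6", "mac": "00:0d:3a:7c:4c:f5"}]}, "scan": {"description": "Flash Scan"}}
{"id": 1, "timestamp": 16098
{"id": 42, "timestamp": 1609867900, "timestamp_nanoseconds": 0, "date": "2021-01-05T17:31:40+00:00", "event_type": "Scan Completed", "event_type_id": 554696715, "connector_guid": "6d5af189-4530-4632-80a4-11d367dd8c7c", "group_guids": [], "computer": {"hostname": "hntrsrchcs0.hntrsrch.local"}}
"""

REQUIRED_KEYS = ("id", "timestamp", "event_type", "connector_guid")
JS_SAFE_INT_MAX = 2**53 - 1  # largest integer a JavaScript Number represents exactly


def normalize_event(raw):
    """Flatten one parsed AMP event into the fields worth indexing; raises ValueError on bad input."""
    missing = [k for k in REQUIRED_KEYS if k not in raw]
    if missing:
        raise ValueError(f"missing required keys: {missing}")
    if not isinstance(raw["timestamp"], int):
        raise ValueError("timestamp must be an integer epoch value")
    computer = raw.get("computer") or {}
    event_time = datetime.fromtimestamp(raw["timestamp"], tz=timezone.utc)
    return {
        # Keep the id as a string so ids above 2**53 survive downstream JSON tooling intact.
        "event_id": str(raw["id"]),
        "id_exceeds_js_precision": isinstance(raw["id"], int) and raw["id"] > JS_SAFE_INT_MAX,
        "timestamp_utc": event_time.isoformat(),
        # Cross-check the vendor's human-readable date against the epoch field.
        "date_consistent": raw.get("date") == event_time.isoformat(),
        "event_type": raw["event_type"],
        "event_type_id": raw.get("event_type_id"),
        "connector_guid": raw["connector_guid"],
        "hostname": computer.get("hostname"),
        "external_ip": computer.get("external_ip"),
        "internal_ips": [a.get("ip") for a in computer.get("network_addresses") or [] if a.get("ip")],
        "scan_description": (raw.get("scan") or {}).get("description"),
    }


def parse_ndjson(text):
    """Parse an NDJSON feed line by line; returns (events, errors) so one bad line never drops the batch."""
    events, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # tolerate blank lines between records
        try:
            events.append(normalize_event(json.loads(line)))
        except (json.JSONDecodeError, ValueError) as exc:
            errors.append((lineno, str(exc)))
    return events, errors
```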