Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Cisco AMP event stream | ✅ | ✅ | cisco_amp_events | NDJSON | API |
Overview
Cisco AMP, now Cisco Secure Endpoint, is a comprehensive endpoint security solution designed to prevent, detect, and respond to cyber threats. It combines advanced threat intelligence, machine learning, and behavioral analysis to protect endpoints from malware, ransomware, and other sophisticated attacks. AMP continuously monitors file activity, offering real-time threat detection and retrospective analysis to quickly identify and remediate vulnerabilities. Integrated with Cisco's security ecosystem, it provides seamless visibility and protection across networks, making it a robust tool for organizations seeking proactive and adaptive endpoint defense.
Supported data types
Cisco AMP event stream
Table name: cisco_amp_events
Cisco AMP event stream logs capture and record detailed information about security-related events detected by Cisco AMP. These logs include data on file and network activities, threat detections, and other security events, aiding in the analysis, investigation, and response to potential cybersecurity threats.
Send data to Hunters
Hunters supports collecting logs from Cisco AMP through its API.
To connect Cisco AMP logs:
Follow this guide to gather the following information from Cisco:
Host
User Name
Password
Queue Name
Complete the process on the Hunters platform, following this process.
Expected format
Logs are expected in NDJSON format.
```json
{
  "id": 6914329852531179526,
  "timestamp": 1609867870,
  "timestamp_nanoseconds": 386000000,
  "date": "2021-01-05T17:31:10+00:00",
  "event_type": "Scan Started",
  "event_type_id": 554696714,
  "connector_guid": "6d5af189-4530-4632-80a4-11d367dd8c7c",
  "group_guids": [
    "572d3ccd-dace-4434-898b-50c25414d697"
  ],
  "computer": {
    "connector_guid": "6d5af189-4530-4632-80a4-11d367dd8c7c",
    "hostname": "hntrsrchcs0.hntrsrch.local",
    "external_ip": "40.75.120.251",
    "active": true,
    "network_addresses": [
      {
        "ip": "10.0.11.6",
        "mac": "00:0d:3a:7c:4c:f5"
      }
    ],
    "links": {
      "computer": "https://api.amp.cisco.com/v1/computers/6d5af189-4530-4632-80a4-11d367dd8c7c",
      "trajectory": "https://api.amp.cisco.com/v1/computers/6d5af189-4530-4632-80a4-11d367dd8c7c/trajectory",
      "group": "https://api.amp.cisco.com/v1/groups/572d3ccd-dace-4434-898b-50c25414d697"
    }
  },
  "scan": {
    "description": "Flash Scan"
  }
}
```
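To check that exported events actually match this format before wiring them into the collector, here is an added Python example (not Hunters' or Cisco's code) that parses NDJSON lines, rejects malformed or incomplete records, verifies that the epoch and human-readable timestamps agree, and flattens the fields a detection would key on; the sample input is constructed from the event above plus two deliberately bad lines.

```python
"""Validate Cisco AMP NDJSON event-stream records before ingestion (added example)."""
import json
from datetime import datetime, timezone

# Constructed input: the page's sample event (trimmed), a truncated line, and a line missing fields.
SAMPLE_NDJSON = "\n".join([
    json.dumps({
        "id": 6914329852531179526, "timestamp": 1609867870,
        "timestamp_nanoseconds": 386000000, "date": "2021-01-05T17:31:10+00:00",
        "event_type": "Scan Started",
        "connector_guid": "6d5af189-4530-4632-80a4-11d367dd8c7c",
        "computer": {
            "connector_guid": "6d5af189-4530-4632-80a4-11d367dd8c7c",
            "hostname": "hntrsrchcs0.hntrsrch.local", "external_ip": "40.75.120.251",
            "network_addresses": [{"ip": "10.0.11.6", "mac": "00:0d:3a:7c:4c:f5"}],
        },
    }),
    '{"id": 1, "timestamp": "not-a-number"',  # truncated record: invalid JSON
    '{"id": 2}',                               # valid JSON, required fields absent
])
REQUIRED = ("id", "timestamp", "event_type", "connector_guid", "computer")


def parse_amp_ndjson(text):
    """Return (events, errors): flattened events, and (line_no, reason) for rejected lines."""
    events, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # tolerate blank lines between NDJSON records
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((n, f"invalid JSON: {exc.msg}"))
            continue
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            errors.append((n, f"missing fields: {missing}"))
            continue
        # Rebuild the event time from epoch seconds + nanoseconds and confirm the
        # human-readable "date" field agrees (cheap sanity check for clock/zone bugs).
        ts = datetime.fromtimestamp(rec["timestamp"], tz=timezone.utc)
        ts = ts.replace(microsecond=rec.get("timestamp_nanoseconds", 0) // 1000)
        date_ok = "date" not in rec or datetime.fromisoformat(rec["date"]) == ts.replace(microsecond=0)
        comp = rec["computer"]
        events.append({
            "id": rec["id"], "event_type": rec["event_type"], "event_time": ts.isoformat(),
            "date_consistent": date_ok, "hostname": comp.get("hostname"),
            "internal_ips": [a["ip"] for a in comp.get("network_addresses", [])],
            "external_ip": comp.get("external_ip"),
        })
    return events, errors
```

Rejected lines are reported with their line number so a misbehaving exporter can be traced back to the exact record.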