topic How do I ingest Cisco Advanced Malware Protection (AMP) for endpoint logs into Splunk? in Getting Data In

How do I ingest Cisco Advanced Malware Protection (AMP) for endpoint logs into Splunk?

kiran331 — Wed, 12 Jul 2017 17:48:29 GMT

Hello,

Is there an Add-on using API to ingest Cisco AMP logs into Splunk. I tried using streamer, but it's not puling all the information. Is there any way of using API to get these logs?

Re: How do I ingest Cisco Advanced Malware Protection (AMP) for endpoint logs into Splunk?

jemunos — Fri, 29 Dec 2017 02:00:09 GMT

Please see the following:
Cisco AMP for Endpoints Events Input - https://splunkbase.splunk.com/app/3670/
Cisco AMP for Endpoints CIM Add-on - https://splunkbase.splunk.com/app/3686/

Re: How do I ingest Cisco Advanced Malware Protection (AMP) for endpoint logs into Splunk?

ksirisawatdi_sp — Mon, 01 Oct 2018 05:04:37 GMT

Seem can't get the Input to work. Keep getting timeout connecting. I have test manual telnet with port 443. It is working when test with telnet. Any advise?

Re: How do I ingest Cisco Advanced Malware Protection (AMP) for endpoint logs into Splunk?

jemunos — Tue, 02 Oct 2018 16:06:04 GMT

Please file issues on the development GitHub.
https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues

Re: How do I ingest Cisco Advanced Malware Protection (AMP) for endpoint logs into Splunk?

heycisco — Thu, 04 Oct 2018 16:03:18 GMT

The Splunk app leverages the A4E Streaming Event API. This API requires read/write access. Also, it'll allow only five concurrent streams (a "stream", for this purpose, is the same as an "input" in the Splunk app - it's a set of event types and groups you'll pull from A4E). The streaming API doesn't do garbage collection, though, so when you delete an input in Splunk, you'd need to also manually delete the stream in the API; so keep an eye on that complexity." If you are still having trouble, you may want to reach out to Cisco TAC for support.