Cisco Amp

About

Cisco AMP (Advanced Malware Protection) is a prevention, detection and response platform for enterprise environments. AMP looks for known malware and exploits accurately and efficiently without depending solely on signatures: alongside signature matching, it uses behaviour-based models and machine learning models. Behaviour-based detection builds a full context around every process execution path in real time; machine learning models identify patterns that match known malware characteristics, supplemented by other forms of artificial intelligence. Finally, AMP's response capabilities include agent-based endpoint detection and response (EDR) and, more recently, extended detection and response (XDR) tooling.

Product Details

Vendor URL: Cisco Secure Endpoint

Product Type: Endpoint Security

Product Tier: Tier II

Integration Method: Syslog

Log Guide: Cisco AMP Log File Format

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: CISCO_AMP

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                         UDM Field
computer.external_ip                   principal.nat_ip
computer.links.computer                metadata.url_back_to_product
computer.user                          target.user.user_display_name
description                            metadata.description
detection_id                           metadata.product_log_id
file.attack_details.attacked_module    target.process.file.full_path
file.file_path                         target.file.full_path
file.identity.md5                      target.file.md5
file.identity.md5                      target.process.command_line_history
file.identity.sha256                   target.file.sha256
file.parent.process_id                 target.process.parent_process.pid
ip_address                             principal.ip
mac_address                            principal.mac
observer                               observer.ip
observer                               observer.hostname
observer_domain                        observer.domain.name
product_version                        metadata.product_version
target                                 target.hostname
target_port                            target.port
vendor_name                            metadata.vendor_name

Product Event Types

Type      Severity    UDM Event Classification    Alerting Enabled
Default               GENERIC_EVENT
Update                STATUS_UPDATE
Process               PROCESS_UNCATEGORIZED

Log Sample

{
  "event_type_id": 111111111,
  "connector_guid": "f3aedff0-xxxx-xxxx-xxxx-xxd62e151f3d",
  "scan": {
    "description": "Process Scan"
  },
  "timestamp": 1234035278,
  "date": "2023-05-02T13:47:58+00:00",
  "event_type": "Scan Started",
  "computer": {
    "external_ip": "172.10.255.255",
    "active": true,
    "network_addresses": [
      {
        "ip": "",
        "mac": "xx:xx:xx:f2:83:7e"
      },
      {
        "ip": "",
        "mac": "xx:xx:xx:f2:83:7f"
      },
      {
        "mac": "bc:d0:ga:33:1a:70",
        "ip": "172.10.248.158"
      }
    ],
    "links": {
      "computer": "https://api.amp.cisco.com/v1/computers/f3aedff0-xxxx-xxxx-xxxx-xxd62e151f3d",
      "trajectory": "https://api.amp.cisco.com/v1/computers/f3aedff0-xxxx-xxxx-xxxx-xxd62e151f3d/trajectory",
      "group": "https://api.amp.cisco.com/v1/groups/1a34b322-f829-4242-9453-51c8a2c5af03"
    },
    "connector_guid": "f3aedff0-xxxx-xxxx-xxxx-xxd62e151f3d",
    "hostname": "obfuscated_hostname"
  },
  "id": 11111111111111111111114532,
  "timestamp_nanoseconds": 3822395499344532,
  "group_guids": [
    "1a34b322-f829-4242-9453-51c8a2c5af03"
  ]
}

Sample Parsing

metadata.event_timestamp.seconds = 1234035278
metadata.event_timestamp.nanos = 0
metadata.event_type = "SCAN_UNCATEGORIZED"
metadata.ingested_timestamp.seconds = 1683036129
metadata.ingested_timestamp.nanos = 313195000
metadata.log_type = "CISCO_AMP"
metadata.product_event_type = "Scan Started"
metadata.product_log_id = "111111111"
metadata.product_name = "AMP"
metadata.url_back_to_product = "https://api.amp.cisco.com/v1/computers/f3aedff0-xxxx-xxxx-xxxx-xxd62e151f3d"
metadata.vendor_name = "Cisco"
principal.hostname = "N/A"
principal.ip = "172.10.255.255"
principal.mac = "xx:xx:xx:f2:83:7e"
principal.nat_ip = "172.10.255.255"
security_result.about.hostname = "obfuscated_hostname"
security_result.about.ip = "172.10.255.255"
security_result.about.mac = "xx:xx:xx:f2:83:7e"
security_result.about.nat_ip = "172.10.255.255"
security_result.about.process.parent_process.pid = "11111111111111111111114532"
target.hostname = "obfuscated_hostname"
target.process.parent_process.pid = "11111111111111111111114532"
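The mapping table and the sample parsing above can be exercised with a small normalizer. The following is an added example written for this page, not the product's parser: it applies a subset of the documented field mappings to a shortened, constructed copy of the log sample, and reproduces two behaviours visible only in the sample output (product_log_id falling back to event_type_id, and principal.mac taken from the first network address even when that entry's ip is empty). Keying the event classification on the first word of event_type is this example's assumption.

```python
import json

# Subset of the page's "UDM Fields" table: dotted source path -> dotted UDM path.
FIELD_MAP = {
    "computer.external_ip": "principal.nat_ip",
    "computer.links.computer": "metadata.url_back_to_product",
    "detection_id": "metadata.product_log_id",
    "file.identity.sha256": "target.file.sha256",
    "target": "target.hostname",
}
# "Product Event Types" rows plus the Scan row seen in "Sample Parsing"; keying on the
# first word of event_type is an assumption of this example, not documented behaviour.
EVENT_CLASS = {"Update": "STATUS_UPDATE", "Process": "PROCESS_UNCATEGORIZED",
               "Scan": "SCAN_UNCATEGORIZED"}
# Constructed, shortened copy of the page's log sample (identifiers are placeholders).
SAMPLE = json.dumps({
    "event_type_id": 111111111, "timestamp": 1234035278, "event_type": "Scan Started",
    "computer": {"external_ip": "172.10.255.255",
                 "network_addresses": [{"ip": "", "mac": "xx:xx:xx:f2:83:7e"},
                                       {"ip": "172.10.248.158", "mac": "bc:d0:ga:33:1a:70"}],
                 "links": {"computer": "https://api.amp.cisco.com/v1/computers/f3aedff0-xxxx"}},
})

def get_path(obj, dotted):
    # Follow a dotted path through nested dicts; None if any hop is missing.
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def normalize(raw):
    """Flatten one Cisco AMP JSON event into UDM-style dotted keys."""
    ev = json.loads(raw)
    udm = {"metadata.log_type": "CISCO_AMP", "metadata.event_timestamp.seconds": ev["timestamp"],
           "metadata.product_event_type": ev.get("event_type", "")}
    for src, dst in FIELD_MAP.items():
        val = get_path(ev, src)
        if val not in (None, ""):        # absent or empty source fields yield no UDM key
            udm[dst] = val
    udm["metadata.event_type"] = EVENT_CLASS.get(
        udm["metadata.product_event_type"].split(" ")[0], "GENERIC_EVENT")
    # Fallbacks read off the page's Sample Parsing output (not in the field table).
    if "metadata.product_log_id" not in udm and "event_type_id" in ev:
        udm["metadata.product_log_id"] = str(ev["event_type_id"])
    if "principal.nat_ip" in udm:
        udm["principal.ip"] = udm["principal.nat_ip"]
    addrs = get_path(ev, "computer.network_addresses") or []
    if addrs and addrs[0].get("mac"):
        udm["principal.mac"] = addrs[0]["mac"]
    return udm
```

Running normalize(SAMPLE) yields the same principal.ip, principal.nat_ip, principal.mac and metadata.product_log_id values shown in the Sample Parsing section; an event whose type is not in EVENT_CLASS falls through to GENERIC_EVENT, the table's Default row.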

Rules

Coming Soon