This input provides a mechanism to create, update, and delete event streams in Cisco Advanced Malware Protection (AMP) for Endpoints via the API and index them in your Splunk® instance to make them searchable. All you need to do is provide your API host and credentials from your AMP for Endpoints account and specify the stream parameters (like events or which event types and groups should be directed to this stream).
This app was tested on Splunk v7.0
It is expected that a user of this app:
Please ensure that the following url endpoints are open
|Public Cloud Regions AMP for Endpoints||URL endpoint||port||protocol|
|North America||api.amp.cisco.com, export-streaming.amp.cisco.com||443||TCP|
|Asia Pacific||api.apjc.amp.cisco.com, export-streaming.apjc.amp.cisco.com||443||TCP|
This app comes with a custom interface to ensure that every meaningful action (like creating, editing, or deleting an input)
yields expected results.
Please note: This app interacts with a third-party service, namely, Cisco Advanced Malware Protection (AMP) for Endpoints.
This app also uses Splunk’s built-in key-value store for persisting crucial information about event streams.
This app can be installed directly from Splunkbase. The app will appear in your Splunk Apps navigation bar after it is
successfully installed. When you visit one of the app pages, it will ask you to provide settings on the configuration page.
The configuration contains options related to authenticating to the AMP server by API calls, specifically:
Once these have been configured you are ready to create and use the inputs.
You need to create the input to have the events flow into your index. To do this, go to the app interface and navigate to
‘New Input’. If your app is properly configured, you can populate the fields:
When you click ‘Save’, the stream with the parameters you provided will be created within AMP for Endpoints.
If there is a validation failure, the appropriate message will be displayed.
Leave either the Event Type or Groups field blank to direct all respective event types or groups to the created stream and the Splunk index.
Please note: the number of event streams per business is limited to 5.
To update an input, click on its name at the inputs list view. Follow the procedures described previously to change the
stream parameters. Please note: you will not be able to edit the input name or index.
To delete an input, click the ‘Delete’ link in its row at the inputs list view. Confirm your choice to finish the procedure.
The event stream will be deleted from AMP for Endpoints along with the input.
By default, the events from the stream will be directed to the ‘main’ index. They will be populated with the sourcetype of cisco:amp:event
This project is open-source, please seek guidance at project's github page.
ValueError: Expected instance of Parameters, not <URLParameters host=export-streaming.amp.cisco.com port=443 virtual_host=/ ssl=True>
$SPLUNK_HOME/etc/apps/amp4e_events_input/bin/pika/pikaexists on your Splunk server. If it does, remove it with:
$ rm -rf $SPLUNK_HOME/etc/apps/amp4e_events_input/bin/pika/pika
If you receive a warning message after updating the app "Warning! It appears your configuration is incomplete, so you will not be able to create any inputs. Please update your configuration."
Adds Support for Splunk Cloud 7.3 by fixing appinspect errors preventing Splunk Cloud certification.
- Converts api key from unsecured to secured using Splunk's storage passwords API
- Creating a new input configuration and stream will not save the api key in your input.conf file
- To migrate your existing app and input configurations:
* Make sure you have your API ID and key written down or copied to a file **before installation**
* Install version 1.1.8 of the app
* Restart Splunk
* Visit https://\<your splunk address\>/en-US/_bump and click the 'Bump version' button
* Your app config will be automatically updated when visiting the inputs page
* If you see the error message **Warning! It appears your configuration is incomplete, so you will not be able to create any inputs. Please update your configuration.** when first visiting the page after updating, try refreshing
* If that doesn't work, visit the configuration page and ensure your configuration is correct
- Use SPLUNK_HOME instead of hard coding paths
- Fix SSL certificates not being properly packaged into the app - https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/12
* Fix https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/10
* NOTE: If you are upgrading from version 1.1.3 of the app, please review the Known Issues section of the app details.
* New: Support for Splunk 7.x
* Bug fix: Deletion of a streaming resource fails in some instances
* Bug fix: Better support for custom Splunk installation paths
* Usability Enhancements
* Bug fixes
Fix incompatibility with some Splunk environments
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.