icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Cisco AMP for Endpoints Events Input
SHA256 checksum (cisco-amp-for-endpoints-events-input_113.tgz) c9fdba6545a511bdd418f75007a78ce712df75db033bea7084dcf000fac8aac5 SHA256 checksum (cisco-amp-for-endpoints-events-input_112.tgz) 727dd24e1bc8cdc2456e98304312facbd3ecde1ed3c3fa284157867fdf96c62d SHA256 checksum (cisco-amp-for-endpoints-events-input_111.tgz) ac3eda669807de480820b7093119e9484043f412cc1a6e6f8be4fcd8ffbf2b8c SHA256 checksum (cisco-amp-for-endpoints-events-input_110.tgz) a84a256ad6c654793a5204fb423a0460da44eef47c81c5fac1432957f9e51e37 SHA256 checksum (cisco-amp-for-endpoints-events-input_109.tgz) f21dc21d372dab3fb053ab3798f887573dda8c335d745d039dc1f7874b1c5e4b SHA256 checksum (cisco-amp-for-endpoints-events-input_106.tgz) 85421757c0f9a85398b7d9d4b8fb8c615ed266b5f44042c677d6a058c7f890b2
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Cisco AMP for Endpoints Events Input

Overview
Details
The Cisco AMP for Endpoints Events Input provides a mechanism to create, update, and delete event streams in Cisco Advanced Malware Protection (AMP) for Endpoints via the API and index them in your Splunk® instance to make them searchable. All you need to do is provide your API host and credentials from your AMP for Endpoints account and specify the stream parameters. This app has been tested on Splunk v6.6.0

Cisco AMP for Endpoints Events Input

Introduction

This input provides a mechanism to create, update, and delete event streams in Cisco Advanced Malware Protection (AMP) for Endpoints via the API and index them in your Splunk® instance to make them searchable. All you need to do is provide your API host and credentials from your AMP for Endpoints account and specify the stream parameters (like events or which event types and groups should be directed to this stream).
This app was tested on Splunk v6.6.0

Prerequisites

It is expected that a user of this app:

  • is familiar with Cisco AMP for Endpoints and understands the concepts of AMP business, events, event types, and groups.
  • has an account within a working instance of the cloud hosted version of AMP for Endpoints Console. At this point, there is no support for private cloud AMP for endpoint appliances
  • has a set of Read/Write AMP API credentials.
  • knows how to access the event types and groups API endpoints in order to retrieve the codes of event types and guids of groups.

Connections

Please ensure that the following url endpoints are open

Public Cloud Regions AMP for Endpoints URL endpoint port protocol
North America api.amp.cisco.com, export-streaming.amp.cisco.com 443 TCP
Europe api.eu.amp.cisco.com, export-streaming.eu.amp.cisco.com 443 TCP
Asia Pacific api.apjc.amp.cisco.com, export-streaming.apjc.amp.cisco.com 443 TCP

Architecture

This app comes with a custom interface to ensure that every meaningful action (like creating, editing, or deleting an input)
yields expected results.
Please note: This app interacts with a third-party service, namely, Cisco Advanced Malware Protection (AMP) for Endpoints.
This app also uses Splunk’s built-in key-value store for persisting crucial information about event streams.

Installation

This app can be installed directly from Splunkbase. The app will appear in your Splunk Apps navigation bar after it is
successfully installed. When you visit one of the app pages, it will ask you to provide settings on the configuration page.
The configuration contains options related to authenticating to the AMP server by API calls, specifically:

  • API host (Web address of the Cisco AMP for Endpoints API found in the AMP for Endpoints API documentation)
  • API id (3rd Party API Client ID provided by AMP for Endpoints. The credentials must allow read and write access.)
  • API key (API secret key that corresponds to the API id above.)

Once these have been configured you are ready to create and use the inputs.

Use cases

Creating an input

You need to create the input to have the events flow into your index. To do this, go to the app interface and navigate to
‘New Input’. If your app is properly configured, you can populate the fields:

  • ‘Name’ should contain the Input name. The Name must be unique and cannot be changed later. If you attempt to create an input with the Name of an input that already exists, the validation will fail.
  • 'Index' contains the Splunk index the events will be directed to. It defaults to 'main', however you can specify any index within your instance. The index cannot be changed after the input is saved.
  • ‘Stream name’ should contain the unique name of an event stream. Since event streams can be created not only from Splunk app, but also via the API interface, this name serves a purpose of distinguishing the streams.
  • ‘Event Types’ allows you to select one or more event types to direct to the stream. You can only select event types that are accessible by your business. Leave this field blank to return all event types.
  • ‘Groups’ allows you to select one or more connector groups to direct to the stream. Leave this field blank to return all groups in the business.

When you click ‘Save’, the stream with the parameters you provided will be created within AMP for Endpoints.
If there is a validation failure, the appropriate message will be displayed.
Leave either the Event Type or Groups field blank to direct all respective event types or groups to the created stream and the Splunk index.
Please note: the number of event streams per business is limited to 5.

Updating an input

To update an input, click on its name at the inputs list view. Follow the procedures described previously to change the
stream parameters. Please note: you will not be able to edit the input name or index.

Deleting an input

To delete an input, click the ‘Delete’ link in its row at the inputs list view. Confirm your choice to finish the procedure.
The event stream will be deleted from AMP for Endpoints along with the input.

Searching for events

By default, the events from the stream will be directed to the ‘main’ index. They will be populated with the sourcetype of cisco:amp:event

Support

This project is open-source, please seek guidance at project's github page.

Release Notes

Version 1.1.3
April 15, 2019

- Event Type parameter is now optional

Version 1.1.2
March 15, 2019

Version 1.1.1
June 1, 2018

* New: Support for Splunk 7.x
* Bug fix: Deletion of a streaming resource fails in some instances
* Bug fix: Better support for custom Splunk installation paths

Version 1.1.0
Oct. 16, 2017

* Usability Enhancements
* Bug fixes

Version 1.0.9
Sept. 27, 2017

Fix incompatibility with some Splunk environments

Version 1.0.6
Sept. 21, 2017

bug Fixes

196
Installs
1,009
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.