Cisco - AMP

There are a few different ways Cisco AMP logs can be “forwarded” and ingested into the Pondurance LOG environment.

The preferred method, which uses an API, is described in the Cisco online documentation found at the link below.

Cisco Docs

To collect AMP logs, Pondurance needs only Read-Only permissions. If actions are to be taken (e.g., isolating an endpoint), Read & Write permissions are required.

Pondurance will need the following information in order to interact with the AMP API:

   3rd Party API Client ID
   API Key
