Cisco AMP for Endpoints CDF

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Cisco AMP for Endpoints CDF enables a ThreatQ user to ingest events from Cisco AMP for Endpoints.

The CDF provides the following feed:

  • Cisco AMP for Endpoints Events - ingests events from Cisco AMP for Endpoints.

The integration ingests the following system objects:

  • Events
    • Event Attributes
  • Indicators
    • Indicator Attributes

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials. The Client ID and API Token are sent with every feed request, so treat the token as a secret: store it only in the integration configuration, and scope the API credential read-only, which is all this feed needs.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Commercial option from the Category dropdown (optional).
  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    Parameter | Description
    Client ID | Cisco AMP API Client ID.
    API Token | Cisco AMP API Client Token (the API key paired with the Client ID).
    Region | Region of the Cisco AMP instance; selects the regional API host used for requests.
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

Cisco AMP for Endpoints Events

The Cisco AMP for Endpoints Events feed ingests events from Cisco AMP for Endpoints.

GET https://<region>/v1/events

Here <region> is the API host for the region selected in the Region parameter (the sample below uses api.amp.cisco.com). The request authenticates with HTTP Basic authentication, using the Client ID as the user name and the API Token as the password, and results are paged with the limit and offset query parameters visible in the metadata.links values of the response.

Sample Response:

[
  {
    "data": [
      {
        "computer": {
          "active": true,
          "connector_guid": "a3e4eb31-24b7-4d4c-bc80-f31f3b49889c",
          "external_ip": "167.224.180.197",
          "hostname": "Demo_TeslaCrypt",
          "links": {
            "computer": "https://api.amp.cisco.com/v1/computers/a3e4eb31-24b7-4d4c-bc80-f31f3b49889c",
            "group": "https://api.amp.cisco.com/v1/groups/c3486bd8-4c40-4411-b80e-c1a857d40a12",
            "trajectory": "https://api.amp.cisco.com/v1/computers/a3e4eb31-24b7-4d4c-bc80-f31f3b49889c/trajectory"
          },
          "network_addresses": [
            {
              "ip": "188.198.174.15",
              "mac": "34:b6:39:91:08:c4"
            }
          ]
        },
        "connector_guid": "a3e4eb31-24b7-4d4c-bc80-f31f3b49889c",
        "date": "2020-05-13T13:45:07+00:00",
        "detection": "W32.DFC.MalParent",
        "detection_id": "6159258594551267599",
        "event_type": "Threat Detected",
        "event_type_id": 1090519054,
        "file": {
          "disposition": "Blocklisted",
          "file_name": "iodnxvg.exe",
          "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\iodnxvg.exe",
          "identity": {
            "md5": "209a288c68207d57e0ce6e60ebf60729",
            "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
            "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"
          },
          "parent": {
            "disposition": "Clean",
            "file_name": "Fax.exe",
            "identity": {
              "md5": "8b88ebbb05a0e56b7dcc708498c02b3e",
              "sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9",
              "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"
            }
          }
        },
        "group_guids": ["c3486bd8-4c40-4411-b80e-c1a857d40a12"],
        "id": 6159258594551267599,
        "severity": "Medium",
        "timestamp": 1589377507,
        "timestamp_nanoseconds": 525000000
      }
    ],
    "metadata": {
      "links": {
        "prev": "https://api.amp.cisco.com/v1/events?limit=100&offset=800",
        "self": "https://api.amp.cisco.com/v1/events?limit=100&offset=900"
      },
      "results": {
        "current_item_count": 32,
        "index": 900,
        "items_per_page": 100,
        "total": 932
      }
    },
    "version": "v1.2.0"
  }
]

Response data will vary depending on the event type. Some events carry no computer block, and Exploit Prevention events may carry a file block that lacks the identity or path fields; the feed tolerates their absence (see the Change Log entry for version 1.0.1).

ThreatQ provides the following default mapping for this feed:

Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes
.data[].<multiple_keys_used> | Event.Title | .data[].event_type | .data[].timestamp | <formatted> | Formatted based on the .event_type
.data[].detection | Related Malware.Value | n/a | .data[].timestamp | W32.GenericKD:Malwaregen.21do.1201 | Versions prior to 1.1.0 only; from 1.1.0 the detection is ingested as an Event attribute instead (see Change Log)
.data[].computer.network_addresses[].ip | Related Indicator.Value | IP Address | .data[].timestamp | 45.139.251.184 |
.data[].computer.network_addresses[].mac | Related Indicator.Value | MAC | .data[].timestamp | 71:73:52:f3:13:8a |
.data[].computer.external_ip | Event.Attribute & Related Indicator.Attribute | Computer External IP | .data[].timestamp | 151.140.44.204 |
.data[].computer.active | Event.Attribute & Related Indicator.Attribute | Computer Is Active | .data[].timestamp | True |
.data[].computer.hostname | Event.Attribute & Related Indicator.Attribute | Computer Hostname | .data[].timestamp | Demo_AMP_Intel |
.data[].computer.links.computer | Event.Attribute & Related Indicator.Attribute | Computer Link | .data[].timestamp | https://api.amp.cisco.com/v1/computers/763e3460-8cf2-49a8-be0c-6fa156f4e2fc |
.data[].computer.links.group | Event.Attribute & Related Indicator.Attribute | Computer Group Link | .data[].timestamp | https://api.amp.cisco.com/v1/groups/2c4e257f-d91a-4559-bba5-5a75ca03f8c0 |
.data[].computer.user | Event.Attribute & Related Indicator.Attribute | Computer User | .data[].timestamp | johndoe |
.data[].file.file_name | Related Indicator.Value | Filename | .data[].timestamp | opticare.exe | Ingested if .data[].file.disposition != 'Clean'
.data[].file.file_path | Related Indicator.Value | File Path | .data[].timestamp | \\?\C:\Users\Administrator\AppData\Local\Temp\opticare.exe | Ingested if .data[].file.disposition != 'Clean'
.data[].file.identity.md5 | Related Indicator.Value | MD5 | .data[].timestamp | b2e15a06b0cca8a926c94f8a8eae3d88 | Ingested if .data[].file.disposition != 'Clean'
.data[].file.identity.sha1 | Related Indicator.Value | SHA-1 | .data[].timestamp | f9b02ad8d25157eebdb284631ff646316dc606d5 | Ingested if .data[].file.disposition != 'Clean'
.data[].file.identity.sha256 | Related Indicator.Value | SHA-256 | .data[].timestamp | fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc | Ingested if .data[].file.disposition != 'Clean'
.data[].network_info.dirty_url | Related Indicator.Value | URL | .data[].timestamp | http://dak1otavola1ndos.com/h/index.php |
.data[].network_info.parent.identity.sha256 | Related Indicator.Value | SHA-256 | .data[].timestamp | 72c027273297ccf2f33f5b4c5f5bce3eecc69e5f78b6bbc1dec9e58780a6fd02 | Ingested if .data[].network_info.parent.disposition != 'Clean'
.data[].file.parent.file_name | Related Indicator.Value | Filename | .data[].timestamp | Fax.exe | Ingested if .data[].file.parent.disposition != 'Clean'
.data[].file.parent.file_path | Related Indicator.Value | File Path | .data[].timestamp | n/a | Ingested if .data[].file.parent.disposition != 'Clean'
.data[].file.parent.identity.md5 | Related Indicator.Value | MD5 | .data[].timestamp | b2e15a06b0cca8a926c94f8a8eae3d88 | Ingested if .data[].file.parent.disposition != 'Clean'
.data[].file.parent.identity.sha1 | Related Indicator.Value | SHA-1 | .data[].timestamp | f9b02ad8d25157eebdb284631ff646316dc606d5 | Ingested if .data[].file.parent.disposition != 'Clean'
.data[].file.parent.identity.sha256 | Related Indicator.Value | SHA-256 | .data[].timestamp | fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc | Ingested if .data[].file.parent.disposition != 'Clean'
.data[].file.parent.disposition | Related Indicator.Attribute | Disposition | .data[].timestamp | Malicious |
.data[].file.disposition | Event.Attribute & Related Indicator.Attribute | Disposition | .data[].timestamp | Clean |
.data[].detection | Event.Attribute | Detection | .data[].timestamp | W32.GenericKD:Malwaregen.21do.1201 |
.data[].severity | Event.Attribute | Severity | .data[].timestamp | Medium |
.data[].cloud_ioc.description | Event.Attribute | Description | .data[].timestamp | Microsoft Word launched PowerShell. This is indicative of multiple... |
.data[].cloud_ioc.short_description | Event.Attribute | Short Description | .data[].timestamp | W32.WinWord.Powershell |
.data[].error.description | Event.Attribute | Error | .data[].timestamp | Object name not found |
.data[].vulnerabilities[].cve | Related Indicator.Value | CVE | .data[].timestamp | CVE-2013-3346 |
.data[].vulnerabilities[].score | Related Indicator.Attribute | Score | .data[].timestamp | 10 |
.data[].vulnerabilities[].url | Related Indicator.Attribute | Reference | .data[].timestamp | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3346 |
.data[].vulnerabilities[].name | Related Indicator.Attribute | Name | .data[].timestamp | Adobe Acrobat Reader |

Note: the Disposition gating applies per block. A 'Clean' file block yields no file indicators even when the event itself is a detection, and a 'Clean' parent block yields no parent indicators; the event attributes (Detection, Severity, computer fields) are ingested regardless.

Average Feed Run

Object counts and feed runtime are supplied as generalities only: the objects returned by a provider can differ based on credential configuration, and feed runtime may vary based on system resources and load.

Metric | Result
Run Time | 2 min
Events | 296
Event Attributes | 2,165
Indicators | 401
Indicator Attributes | 907

Change Log

  • Version 1.1.0
    • The .detection field is now ingested as an event attribute instead of as a malware object.
  • Version 1.0.1
    • Fixed an issue where responses from Cisco contained array objects that were missing a computer attribute.
    • Fixed an issue where responses from Cisco contained Exploit Prevention array objects that were missing attributes of the file attribute.
  • Version 1.0.0
    • Initial release

PDF Guides

Document | ThreatQ Version
Cisco AMP for Endpoints CDF v1.1.0 | 4.25 or Greater
Cisco AMP for Endpoints CDF v1.0.1 | 4.25 or Greater
Cisco AMP for Endpoints CDF v1.0.0 | 4.25 or Greater