SecureX with Advanced Malware Protection (AMP) for Endpoints Integration Guide

Available Languages

Download Options

  • PDF     (391.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (444.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (280.7 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 25, 2020
Document ID:215917

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the process required to integrate and verify Cisco SecureX with Cisco Advanced Malware Protection (AMP) for Endpoints.

    Contributed by Yeraldin Sanchez and Uriel Torres, Edited by Jorge Navarrete, Cisco TAC Engineers.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco AMP for Endpoints
    • Basic Navigation in the SecureX Console
    • Optional Virtualization of images  

    Components Used

    • AMP for Endpoints Console Version 5.4.20200804
    • AMP for Endpoints Administrator Account
    • SecureX Console Version 1.54
    • SecureX Administrator Account
    • Microsoft Edge Version 84.0.522.52

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Cisco Advanced Malware Protection (AMP) for Endpoints is a core part of the endpoint security platform and is deployed as a preventative and investigative tool that supports detection and/or response functions for Windows, MacOS, Linux, Android, and iOS devices, the AMP for Endpoints module provides 5 tiles.

    • Compromises Detected by AMP:set of metrics that summarizes compromises detected by AMP
    • AMP Computers Summary: A set of metrics that summarizes the state of AMP computers
    • AMP Summary: A set of metrics that summarizes AMP detection and response
    • AMP Quarantines: A set of metrics that summarizes AMP Quarantines by time
    • MITRE ATT&CK Tactics Detected by AMP: A set of metrics that summarizes MITRE ATT&CK tactics detected by AMP

    Configure

    Generate the API Credentials in the AMP console

    In the AMP console, new API credentials are created.

    • Log in to the AMP Console with administrator privileges
    • On the AMP Console navigate to Accounts > API Credentials 
    • Click on New API Credential

    • Name the application
    • Select Read & Write
    • Check Enable Command Line and Allow API access to File Repository download audit logs
    • Click on Create

    •  The API credentials are generated

    Note: This information is available only in this window, save your credentials in a backup file.

    Enable SecureX Ribbon in the AMP Console

    SecureX is both a centralized console and a distributed set of capabilities that unify visibility, enable automation, accelerate incident response workflows, and improve threat hunting. These distributed capabilities are presented in the form of applications (apps) and tools in the SecureX Ribbon, the SecureX Ribbon can be enabled in the AMP Console.

    • Log in to SecureX
    • On the AMP Console
    • Navigate to Accounts > Users > Click on your User
    • On Settings box click SecureX Ribbon Authorize 

    • You are redirected to the SecureX Threat Response
    • Click Authorize AMP for Endpoints

    • The Ribbon is located in the lower portion of the page and persists as you move between the dashboard and other security products in your environment

    Integrate the AMP for Endpoints Module in SecureX

    The AMP for Endpoints module allows you to investigate and identify multiple files with context from integrations across security products. It provides detailed information on affected endpoints and devices, including IP addresses, OS, and AMP GUID.

    • On SecureX console navigate to Integrations Click Add New Module
    • Select the AMP for Endpoints module and click Add New Module
    • Name the module
    • Select the AMP Cloud
    • The API Credentials gathered previously are entered under 3rd Party API Client ID and API Key

    Verify 

    Validate that the information from the AMP Console is displayed in the SecureX Dashboard.

    • On SecureX navigate to Dashboard
    • Click on New Dashboard and name it
    • Select the AMP Module previously generated
    • Select the tiles, for this guide all of them are added
    • Click Save

    • Select the Timeframe and verify if data from AMP is Displayed in SecureX

    Troubleshoot 

    API Client Does Not Have Write Access [403]

    The SecureX - AMP for Endpoints Integration requires Read & Write AMP for Endpoints APIs, if not, an error message is displayed as shown in the image.

    Error: Unknown API Key Or Client ID [401]

    If the APIs are not valid if an investigation is performed in SecureX Threat Response as shown in the image.

    Verify the API credentials are valid or exist in the AMP Console, if not, try with new ones. 

    If after you review the information above you are still have issues, please contact Support.

    Video Guide

    TAC Authored

    Contributed by Cisco Engineers

    • Yeraldin Sanchez
      Cisco TAC Engineer
    • Uriel Torres
      Cisco TAC Engineer
    • Edited by Jorge Navarrete
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products