LogRhythm - Cisco AMP For Endpoints - Configuration Guide - v4


Cisco AMP for Endpoints

Configuration Guide

1st June, 2018


Contents
What is Cisco AMP for Endpoints (p. 3)
Cisco AMP Application Programming Interface (API) (p. 3)
Prerequisites & Items of Note (p. 3)
Getting Cisco AMP for Endpoint Events into LogRhythm (p. 4)
Creating an AMP API Read Only Account (p. 5)
Internet Access & Firewall Rules Requirements (p. 7)
Creating the Directory Structure & Copying Files (p. 7)
Creating the Credentials File (p. 8)
Creating the Scheduled Task (p. 9)
Creating the Log Source Type (p. 15)
Creating the Log Processing Policy (p. 16)
Creating the MPE Processing Rules (p. 17)
    Base Rule Regular Expression (p. 17)
    Metadata Field Mappings (p. 17)
    Custom Common Events (p. 18)
    MPE Rule Information (p. 18)
Adding the Log Source to Your System Monitor Agent (p. 23)
Web Console Dashboard (p. 27)
Troubleshooting (p. 28)
What is Cisco AMP for Endpoints
Cisco Advanced Malware Protection (AMP) for Endpoints is a cloud-based software-as-a-service endpoint security
solution. AMP connectors are deployed on Windows, Linux & Mac endpoints. Events from the AMP connectors are
forwarded to the cloud deployment and optionally to an on-prem Firepower Management Console (FMC) appliance.

Cisco AMP Application Programming Interface (API)


Cisco provides a REST-based API for AMP that allows you to pull data from an AMP for Endpoints deployment and,
when necessary, manipulate it. The Cisco AMP API documentation can be found here:

https://api-docs.amp.cisco.com

It is important to note that the API host is region specific: you must use the host for the region in which your
AMP instance resides. At present three regions exist:

US: api.amp.cisco.com
Asia, Pacific, Japan & China: api.apjc.amp.cisco.com
Europe: api.eu.amp.cisco.com

There are also two versions of the API, v0 & v1. For the purposes of this method we will be using version v1 of the
API.

Prerequisites & Items of Note


You will need PowerShell 3 to use the provided collection script. Check your PowerShell version with:

$PSVersionTable.PSVersion

The script provides proxy support using the credentials of the user the script is run under.

The account running the script will require rights to execute PowerShell scripts on the designated host. The
following command can be run by a member of the Administrators group to allow unsigned, locally created
PowerShell scripts such as AMP4EP.ps1 to run (under this policy, scripts downloaded from the internet must still
be signed):

Set-ExecutionPolicy RemoteSigned
Getting Cisco AMP for Endpoint Events into LogRhythm
This method uses the GET /v1/events action to retrieve the AMP events that can also be viewed in the AMP Console.

The retrieval of the events is performed by a PowerShell script that makes a call to the API to pull down the AMP for
Endpoint events to a flat file. Setup will take approximately 30 minutes and will consist of the following steps:

1. Create an AMP API Read Only account
2. Create directory structure and copy files
3. Configure the PowerShell script to query the AMP API on a regular basis
4. Create a Log Source Type in the LogRhythm Client Console
5. Add the MPE processing rules to the LogRhythm Client Console
6. Add the Log Source to your System Monitor
Creating an AMP API Read Only Account
In order to use the AMP for Endpoint API, you have to set up an API credential. Follow the steps below to create a
credential through the AMP Console. For the purposes of event collection we only require a Read-Only API account.

1. Log into the Console, and navigate to ‘Accounts > API Credentials’.

2. Click ‘New API Credential’ to create a new set of Keys.

3. Provide an ‘Application name’ of “LogRhythm” and select the ‘Scope’ of “Read-only”:

4. Click the ‘Create’ button.

5. The API Key Details screen will now be displayed:


It is important to copy the ‘3rd Party API Client ID’ and ‘API Key’ and store them in a secure location, i.e. a
password manager or encrypted file, because they cannot be retrieved later. Also take note of the following
Cisco warnings:

API credentials (API Client ID & API Key) will allow other programs to retrieve and modify your Cisco AMP for
Endpoints data. It is functionally equivalent to a username and password, and should be treated as such.

Delete the API credentials for an application if you suspect they have been compromised and create new ones.

Deleting API credentials will lock out any clients using the old ones so make sure to update them to the
new credentials.

Your API credentials are not stored in plain text and can only be displayed once. If you lose the credentials you will
have to generate new ones.

6. Navigate to ‘Accounts > API Credentials’. You should see that an account called LogRhythm is present:

You can expand the account details and verify the ‘Read-Only’ scope by clicking on the + box:

The creation of the Read-Only API account in AMP is now complete.


Internet Access & Firewall Rules Requirements
You will need to identify which LogRhythm System Monitor host you would like to use to retrieve the Cisco AMP
for Endpoint events. The host will require internet access to one of the following Cisco API URLs. If you are unsure
of which AMP instance you are using, then log in to the AMP Console and take note of the Console URL:

Cisco AMP Console URL | Location
console.amp.cisco.com | US
console.apjc.amp.cisco.com | Asia, Pacific, Japan & China
console.eu.amp.cisco.com | Europe

You can then use the table below to determine which specific URL and port will need to be allowed from
the LogRhythm System Monitor host.

Cisco AMP Instance Location | API URL | Port
US | api.amp.cisco.com | 443
Asia, Pacific, Japan & China | api.apjc.amp.cisco.com | 443
Europe | api.eu.amp.cisco.com | 443

The connection will be initiated outbound to the AMP API by the LogRhythm System Monitor host. No
inbound connection is required.

Creating the Directory Structure & Copying Files


The following steps take place on the LogRhythm System Monitor host.

1. Create a directory “AMP4EP” in your LogRhythm System Monitor folder. For non-HA systems this will
be located here: C:\Program Files\LogRhythm\LogRhythm System Monitor\

For HA systems, create the folder on the replicated volume D: in the following location:
D:\LogRhythmHA\LogRhythm System Monitor\

The PowerShell script is HA aware, so it will only run to completion when the System Monitor host it resides on is
the Active node. This ensures that only the active node collects the AMP events and that the events, state
and log information are shared between the two HA hosts.

2. Copy the AMP4EP.ps1 file to your AMP4EP directory.

3. Create the directories “Events”, “Log” & “State” within the AMP4EP directory.
Creating the Credentials File
The following steps take place on the LogRhythm System Monitor host.

1. Run the following command in an Administrator PowerShell window. Note: you must run this command
from the same account that will run the scheduled task. Export-Clixml encrypts the password with the
Windows Data Protection API (DPAPI), so the resulting file can only be decrypted by the user account that
created it.

For Non-HA systems:

Get-Credential | Export-Clixml -Path "C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\${env:USERNAME}_cred.xml"

For HA systems:

Get-Credential | Export-Clixml -Path "D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\${env:USERNAME}_cred.xml"

2. The following window will appear:

3. In the ‘User name:’ field enter the ‘3rd Party API Client ID’ saved earlier.
4. In the ‘Password:’ field enter the ‘API Key’ saved earlier.

5. Click ‘OK’ to create the encrypted credentials file.

6. Check that the credentials file was created successfully by navigating to the AMP4EP directory and
validating that the <account-name>_cred.xml file exists:

7. You can now close the Administrator PowerShell window.
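As an added example (not the AMP4EP.ps1 script that ships with this guide, whose internals are not shown here), the following PowerShell demonstrates what a collector built on this credentials file has to do: read the DPAPI-protected file, authenticate to the v1 API and append new events to the flat file that the System Monitor will tail. It assumes that the v1 API uses HTTP Basic authentication with the Client ID as user name and the API Key as password, that the /v1/events response carries the events in a data array with the JSON field names used below, and that a start_date query parameter filters by event date; the paths follow the non-HA layout from this guide.

```powershell
# Added example, not the AMP4EP.ps1 script that ships with this guide.
# Shows the three things the collector has to do: read the DPAPI-protected
# credentials file, authenticate to the AMP v1 API, and append new events to
# the flat file the System Monitor will tail. Paths follow the non-HA layout.
param(
    [string]$CredentialsFile = "C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\${env:USERNAME}_cred.xml",
    [string]$ApiHost         = 'api.amp.cisco.com',   # api.eu.amp.cisco.com / api.apjc.amp.cisco.com for other regions
    [string]$EventsFile      = 'C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\Events\AMP4EP.txt',
    [string]$StateFile       = 'C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\State\last_event.txt'
)

# The API endpoint expects TLS 1.2; PowerShell 3 on Server 2012 R2 does not
# negotiate it by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Let the system proxy (if any) use the credentials of the account running the task.
$proxy = [Net.WebRequest]::DefaultWebProxy
if ($proxy) { $proxy.Credentials = [Net.CredentialCache]::DefaultNetworkCredentials }

# Export-Clixml stored the API Key as a SecureString protected with DPAPI under the
# account that ran Get-Credential. Import-Clixml only succeeds for that account,
# which is why the scheduled task must run as the same user.
$cred = Import-Clixml -Path $CredentialsFile

# Assumption: v1 uses HTTP Basic auth, Client ID as user name and API Key as password.
$basic   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
               $cred.UserName + ':' + $cred.GetNetworkCredential().Password))
$headers = @{ Authorization = "Basic $basic"; Accept = 'application/json' }

# Resume from the newest event date written on the previous run (the State directory).
$since = $null
$uri   = "https://$ApiHost/v1/events"
if (Test-Path $StateFile) {
    $since = (Get-Content $StateFile -Raw).Trim()
    $uri  += '?start_date=' + [Uri]::EscapeDataString($since)   # assumed query parameter name
}

$response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get

# Assumption: events arrive in $response.data with the JSON field names used below.
# Drop anything not strictly newer than the stored date so a re-query cannot
# duplicate the last event written.
$events = @($response.data | Where-Object { -not $since -or [datetime]$_.date -gt [datetime]$since })

$lines = foreach ($e in $events) {
    # One event per line as comma-separated, double-quoted Key=Value pairs, in the
    # order the Base Rule regular expression later in this guide expects.
    $pairs = @(
        "Event_Type=$($e.event_type)",
        "Event_TypeID=$($e.event_type_id)",
        "Detection=$($e.detection)",
        "DetectionID=$($e.detection_id)",
        "Computer_Hostname=$($e.computer.hostname)",
        "Computer_External_IP=$($e.computer.external_ip)",
        "Computer_User=$($e.computer.user)",
        "Network_Addr_IP=$($e.computer.network_addresses[0].ip)",
        "Network_Addr_MAC=$($e.computer.network_addresses[0].mac)",
        "File_Name=$($e.file.file_name)",
        "File_Path=$($e.file.file_path)",
        "File_Identity_SHA256=$($e.file.identity.sha256)"
    )
    # A double quote inside a value would break the "Key=Value" framing and the
    # regex, so strip it before quoting each pair.
    ($pairs | ForEach-Object { '"' + ($_ -replace '"', '') + '"' }) -join ','
}

if ($events.Count -gt 0) {
    # Append as UTF-8 without BOM, one event per line, for the flat file log source.
    [IO.File]::AppendAllLines($EventsFile, [string[]]$lines)
    $newest = ($events | Sort-Object { [datetime]$_.date } | Select-Object -Last 1).date
    Set-Content -Path $StateFile -Value $newest
}
```

Because the API Key has to be presented on every request, the only protection it has at rest is the DPAPI encryption of the credentials file; an account other than the one that ran Export-Clixml gets an error from Import-Clixml rather than the key, which is the intended failure. The flat-file line layout (quoted Key=Value pairs, comma separated, in the field order of the Base Rule regular expression) is an assumption about what AMP4EP.ps1 writes; compare it with a real line from AMP4EP.txt before relying on it.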

Creating the Scheduled Task


The following steps take place on the LogRhythm System Monitor host. Note that the steps documented were
run on a Windows Server 2012 R2 system. Steps for other Windows versions may differ slightly.

We will now create a scheduled task to run the PowerShell script AMP4EP.ps1 every 1 minute. As the script
resides within the LogRhythm System Monitor directory, the task will need to be set to run under an account that
has Administrator permissions or alternatively an account that has specific permissions to the previously created
AMP4EP directory.

1. Open Task Scheduler and create a new ‘Basic Task’:


2. Enter the following information in the Name and Description text boxes and then click ‘Next >’:

Textbox | Value
Name | LogRhythm Cisco AMP4EP
Description | This task will call the AMP4EP.ps1 script every 1 minute to retrieve any new Cisco AMP for Endpoint events.

3. On the ‘Task Trigger’ window, select ‘Daily’ and click ‘Next >’. We will change the schedule later:

4. On the ‘Daily’ window, click ‘Next >’ to accept the defaults:

5. On the ‘Action’ window, select ‘Start a program’ and click ‘Next >’:
6. On the ‘Start a Program’ window, enter the following details in the textboxes, editing the
“<account-name>_cred.xml” part to match the file name of your credentials file created earlier.

The ‘Start in (optional):’ textbox should be left blank:

For Non-HA systems:

Textbox | Value
Program/script | powershell
Add arguments (optional): | -command "& 'C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\AMP4EP.ps1' -CredentialsFile 'C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\<account-name>_cred.xml'"

For HA systems:

Textbox | Value
Program/script | powershell
Add arguments (optional): | -command "& 'D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\AMP4EP.ps1' -CredentialsFile 'D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\<account-name>_cred.xml'"

7. Click ‘Next >’.

8. On the ‘Summary’ window, check the ‘Open the Properties dialog for this task when I click
Finish’ checkbox and click ‘Finish’:
9. The AMP4EP Task Properties will now be displayed. On the ‘General’ tab, change the ‘Run only
when user is logged on’ bullet to ‘Run whether user is logged on or not’.

The ‘Do not store password’ option will now be available. Check the checkbox to enforce this option:

10. Click on the ‘Triggers’ tab and highlight the ‘Daily’ trigger as below:
• Run with highest permissions
11. Now click the ‘Edit…’ button. The ‘Edit Trigger’ window will appear:

12. Under the ‘Advanced Settings’ section, check the ‘Repeat task every:’ checkbox and within
the associated dropdown box enter ‘1 minute’. In the ‘for a duration of:’ dropdown box select
the ‘Indefinitely’ option:
13. Click the ‘OK’ to accept the changes.

14. You will now be back at the AMP4EP Task Properties window. Click ‘OK’ to save the task.

15. Verify that the task has been created by clicking on the ‘Task Scheduler Library’ icon and checking
that the ‘LogRhythm Cisco AMP4EP’ task appears in the list of tasks.

When the scheduled task runs, any new events will be written to:

For Non-HA systems:
C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\Events\AMP4EP.txt

For HA systems:
D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Events\AMP4EP.txt

In addition, a log will be created for troubleshooting purposes at:

For Non-HA systems:
C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\Log\AMP4EP.log

For HA systems:
D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Log\AMP4EP.log
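The same task can be registered from PowerShell rather than through the Task Scheduler GUI. This is an added example, not a step from the guide, and the service account name is a placeholder. It reproduces the choices made in the GUI steps above: a 1-minute repetition for an indefinite duration, ‘Run whether user is logged on or not’ with ‘Do not store password’ (which corresponds to the S4U logon type), highest run level, and no ‘Start in’ directory. It adds one setting the GUI walk-through does not mention, IgnoreNew for multiple instances, so that a slow API call cannot pile up overlapping one-minute runs.

```powershell
# Added example, not part of this guide: registers the "LogRhythm Cisco AMP4EP"
# task from PowerShell with the same choices the GUI steps make.
$base     = 'C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP'   # D:\LogRhythmHA\... on HA systems
$credFile = Join-Path $base "${env:USERNAME}_cred.xml"                    # must match the file created earlier
$account  = 'DOMAIN\svc-logrhythm-amp'   # placeholder: the account that created the credentials file

# Same command line the guide enters in "Add arguments"; both paths are single-quoted
# because they contain spaces.
$argument = "-command `"& '$base\AMP4EP.ps1' -CredentialsFile '$credFile'`""
$action   = New-ScheduledTaskAction -Execute 'powershell' -Argument $argument

# Repeat every 1 minute for an indefinite duration (what the GUI shows as "Indefinitely").
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
    -RepetitionInterval (New-TimeSpan -Minutes 1) `
    -RepetitionDuration ([TimeSpan]::MaxValue)

# S4U: runs whether the user is logged on or not and Windows does not store the
# account password. The DPAPI-protected credentials file is still readable because
# the task runs under the same account that created it.
$principal = New-ScheduledTaskPrincipal -UserId $account -LogonType S4U -RunLevel Highest

# Not in the GUI walk-through: never start a second copy while one is still running,
# and kill a run that hangs on the API for more than five minutes.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName 'LogRhythm Cisco AMP4EP' `
    -Description 'This task will call the AMP4EP.ps1 script every 1 minute to retrieve any new Cisco AMP for Endpoint events.' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings | Out-Null

# Verify, as step 15 does in the GUI.
Get-ScheduledTask -TaskName 'LogRhythm Cisco AMP4EP' |
    Select-Object TaskName, State,
        @{ n = 'Account';   e = { $_.Principal.UserId } },
        @{ n = 'LogonType'; e = { $_.Principal.LogonType } }
```

Run it from an elevated PowerShell window under the same account that created the credentials file; the final Get-ScheduledTask line should show the task as Ready with that account and a LogonType of S4U.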
Creating the Log Source Type
The following steps take place in the LogRhythm Client Console.

1. In the LogRhythm Client Console, create a new Log Source Type by clicking on the "Deployment Manager"
tab and navigating to ‘Tools --> Knowledge --> Log Source Type Manager’.

2. In the ‘Log Source Type Manager’ click on the green plus to create a new log source type.

3. Enter the following information in the ‘Log Source Properties’ window, then click ‘OK’:

Textbox / Option | Value
Name | Flat File - Cisco AMP for Endpoints
Abbreviation | Cisco AMP4EP
Log Format | Text File
Brief Description | Cisco AMP for Endpoints
Creating the Log Processing Policy
The following steps take place in the LogRhythm Client Console.

1. In the LogRhythm Client Console, create a new Log Processing Policy by clicking on the "Deployment
Manager" tab and then clicking on the ‘Log Processing Policies’ tab:

2. Right-click and select ‘New’ from the menu that appears.

3. In the ‘Log Source Type Selector’ window highlight ‘Custom’ in the ‘Record Type Filter’ area and then, when
the ‘Flat File - Cisco AMP for Endpoints’ log source appears in the ‘Log Source Type’ area, highlight it.

4. Click the ‘OK’ button. The ‘MPE Policy Editor’ window will appear. Enter the following information in
the textboxes:

Textbox | Value
Name | LogRhythm Default
Brief Description | Cisco AMP for Endpoints

5. Click the ‘OK’ button to save the Log Processing Policy.


Creating the MPE Processing Rules
Importing the MPE Processing Rules is beyond the scope of this document and will require LogRhythm
Professional Services assistance. The MPE Processing Rules will be added to a future Knowledge Base release
which will negate the requirement to import the rules.

Base Rule Regular Expression


For information, the Base Rule regular expression is documented below. Note that the Base Rule will only function in
LogRhythm version 7.2 and above:

^.*?"Event_Type=(?<vendorinfo>[^"]+)","Event_TypeID=(?<vmid>[^"]+)"(,"Detection=(?<threatname>[^"]+)?")?(,"DetectionID=(?<threatid>[^"]+)?")?(,"Group_GUIDs[^"]+")?(,"Computer_Connector_GUID[^"]+")?(,"Computer_Hostname=(?<sname>[^"]+)?")?(,"Computer_External_IP=(?<snatip>[^"]+)?")?(,"Computer_User=(?<login>[^"]+)?")?(,"Computer_Active[^"]+")?(,"Network_Addr_IP=(?<sip>[^"]+)?")?(,"Network_Addr_MAC=(?<smac>[^"]+)?")?(,"Links_Computer[^"]+")?(,"Links_Trajectory[^"]+")?(,"Links_Group[^"]+")?(,"File_Disposition[^"]+")?(,"File_Name=(?<object>[^"]+)?")?(,"File_Path=(?<parentprocesspath>[^"]+)?")?(,"File_Identity_SHA1[^"]+")?(,"File_Identity_SHA256=(?<hash>[^"]+)?")?(,"File_Parent_Disposition[^"]+")?(,"File_Parent_File_Name[^"]+")?(,"File_Parent_Identity_SHA1[^"]+")?(,"File_Parent_Identity_SHA256[^"]+")?(,"Scan_Description=(?<subject>[^"]+)?")?(,"Scan_Clean=(?<result>[^"]+)?")?(,"Scanned_Files[^"]+")?(,"Scanned_Processes[^"]+")?(,"Scanned_Paths[^"]+")?(,"Malicious_Detections[^"]+")?(,"Vuln_Name=(?<objectname>[^"]+)?")?(,"Vuln_Version=(?<version>[^"]+)?")?(,"Vuln_CVEs=(?<cve>[^"]+)?")?(,"Vuln_Scores[^"]+")?(,"CVE_URLs[^"]+")?(,"Dirty_URL=(?<url>[^"]+)?")?(,"Remote_IP=(?<dip>[^"]+)?")?(,"Remote_Port=(?<dport>[^"]+)?")?(,"Local_IP=(?<sip>[^"]+)?")?(,"Local_Port=(?<sport>[^"]+)?")?(,"IOC_Desc[^"]+")?(,"IOC_Short_Desc[^"]+")?

Metadata Field Mappings


The table below details the mapping of Cisco AMP for Endpoints log fields to LogRhythm metadata fields. This is
useful for knowing what data is being parsed out of the AMP log into LogRhythm:

AMP for Endpoints Log Field | LogRhythm Metadata Field
Event_Type | <vendorinfo>
Event_TypeID | <vmid>
Detection | <threatname>
Computer_Hostname | <sname>
Computer_External_IP | <snatip>
Computer_User | <login>
Network_Addr_IP | <sip>
Network_Addr_MAC | <smac>
File_Name | <object>
File_Path | <parentprocesspath>
File_Identity_SHA256 | <hash>
Scan_Description | <subject>
Scan_Clean | <result>
Vuln_Name | <objectname>
Vuln_Version | <version>
CVEs | <cve>
Dirty_URL | <url>
Remote_IP | <dip>
Remote_Port | <dport>
Local_IP | <sip>
Local_Port | <sport>
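To see exactly which metadata fields the Base Rule extracts from a given line, the following added PowerShell (not part of the guide or of its rule set) runs the Base Rule regular expression against constructed event lines and prints the named groups that captured. The regular expression is copied verbatim from the section above; the log lines, host names, hashes and values in them are made up to illustrate the field layout.

```powershell
# Added example, not part of this guide: exercise the Base Rule regex against
# constructed AMP4EP.txt lines and show which LogRhythm metadata fields populate.
$baseRule = '^.*?"Event_Type=(?<vendorinfo>[^"]+)","Event_TypeID=(?<vmid>[^"]+)"(,"Detection=(?<threatname>[^"]+)?")?(,"DetectionID=(?<threatid>[^"]+)?")?(,"Group_GUIDs[^"]+")?(,"Computer_Connector_GUID[^"]+")?(,"Computer_Hostname=(?<sname>[^"]+)?")?(,"Computer_External_IP=(?<snatip>[^"]+)?")?(,"Computer_User=(?<login>[^"]+)?")?(,"Computer_Active[^"]+")?(,"Network_Addr_IP=(?<sip>[^"]+)?")?(,"Network_Addr_MAC=(?<smac>[^"]+)?")?(,"Links_Computer[^"]+")?(,"Links_Trajectory[^"]+")?(,"Links_Group[^"]+")?(,"File_Disposition[^"]+")?(,"File_Name=(?<object>[^"]+)?")?(,"File_Path=(?<parentprocesspath>[^"]+)?")?(,"File_Identity_SHA1[^"]+")?(,"File_Identity_SHA256=(?<hash>[^"]+)?")?(,"File_Parent_Disposition[^"]+")?(,"File_Parent_File_Name[^"]+")?(,"File_Parent_Identity_SHA1[^"]+")?(,"File_Parent_Identity_SHA256[^"]+")?(,"Scan_Description=(?<subject>[^"]+)?")?(,"Scan_Clean=(?<result>[^"]+)?")?(,"Scanned_Files[^"]+")?(,"Scanned_Processes[^"]+")?(,"Scanned_Paths[^"]+")?(,"Malicious_Detections[^"]+")?(,"Vuln_Name=(?<objectname>[^"]+)?")?(,"Vuln_Version=(?<version>[^"]+)?")?(,"Vuln_CVEs=(?<cve>[^"]+)?")?(,"Vuln_Scores[^"]+")?(,"CVE_URLs[^"]+")?(,"Dirty_URL=(?<url>[^"]+)?")?(,"Remote_IP=(?<dip>[^"]+)?")?(,"Remote_Port=(?<dport>[^"]+)?")?(,"Local_IP=(?<sip>[^"]+)?")?(,"Local_Port=(?<sport>[^"]+)?")?(,"IOC_Desc[^"]+")?(,"IOC_Short_Desc[^"]+")?'

# Constructed sample lines (hosts, users, hash and detection name are made up).
$samples = @(
    # A "Threat Detected" event (VMID 1090519054 in the rule table) with file details.
    '"Event_Type=Threat Detected","Event_TypeID=1090519054","Detection=W32.Example:Trojan.tpd","DetectionID=6412345678901234567","Computer_Hostname=WKS-0042","Computer_External_IP=203.0.113.10","Computer_User=jdoe@WKS-0042","Network_Addr_IP=10.0.0.42","Network_Addr_MAC=00:11:22:33:44:55","File_Name=invoice.exe","File_Path=C:\Users\jdoe\Downloads\invoice.exe","File_Identity_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"',
    # A "Scan Completed, No Detections" event (VMID 554696715): no detection or file fields.
    '"Event_Type=Scan Completed, No Detections","Event_TypeID=554696715","Computer_Hostname=SRV-FILE01","Computer_User=svc-backup@SRV-FILE01","Scan_Description=Flash Scan","Scan_Clean=true"',
    # An event type no Sub-Rule covers: the Base Rule still matches, the log lands on
    # "Parsing Required", and <vmid>/<vendorinfo> tell you which Sub-Rule to add.
    '"Event_Type=Some New AMP Event","Event_TypeID=1234567890","Computer_Hostname=SRV-WEB02"',
    # Detection arrives AFTER Computer_Hostname, out of the order the regex expects.
    '"Event_Type=Threat Detected","Event_TypeID=1090519054","Computer_Hostname=WKS-0099","Detection=Late.Field"'
)

# Every named group the Base Rule can populate (the <sip> name is used twice).
$fields = 'vendorinfo','vmid','threatname','threatid','sname','snatip','login','sip','smac',
          'object','parentprocesspath','hash','subject','result','objectname','version','cve',
          'url','dip','dport','sport'

foreach ($line in $samples) {
    $m = [regex]::Match($line, $baseRule)
    if (-not $m.Success) { Write-Output "NO MATCH: $line"; continue }

    # Keep only the groups that actually captured something for this line.
    $parsed = [ordered]@{}
    foreach ($f in $fields) {
        if ($m.Groups[$f].Success) { $parsed[$f] = $m.Groups[$f].Value }
    }

    Write-Output ("--- Event_TypeID {0} ({1})" -f $parsed.vmid, $parsed.vendorinfo)
    $parsed.GetEnumerator() | ForEach-Object { "{0,-18} {1}" -f $_.Key, $_.Value }
}
```

The fourth sample shows a property of this expression worth knowing before you troubleshoot a rule: every field group is optional, they must occur in the listed order, and there is no trailing anchor, so a field that arrives out of order is silently skipped (the line still matches, but <threatname> stays empty) rather than producing a non-match. Note also that Network_Addr_IP and Local_IP both capture into <sip>; in .NET a group's Value is its last capture, so when both are present Local_IP is the value that reaches LogRhythm.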
Custom Common Events
Several custom Common Events were created to provide additional context to the AMP for Endpoints data.
The table below details them:

Common Event Name | Classification | Risk Rating
Parsing Required | Operations / Information | 7 - High-Low
Fault Cleared | Operations / Information | 0 - No Rating
IOC Scan Information | Operations / Information | 0 - No Rating
Reboot Advised | Operations / Information | 2 - Low-Medium
Reboot Required | Operations / Information | 3 - Low-High
Reboot Completed | Operations / Information | 0 - No Rating
Scan Completed – No Detections | Operations / Information | 0 - No Rating
Minor Fault Raised | Operations / Warning | 5 - Medium-Medium
Major Fault Raised | Operations / Error | 7 - High-Low
Uninstall Failed | Operations / Error | 7 - High-Low
Critical Fault Raised | Operations / Critical | 9 - High-High
Generic IOC | Security / Activity | 7 - High-Low
Possible Ransomware Activity | Security / Malware | 9 - High-High
Vulnerable Application Detected | Security / Vulnerability | 9 - High-High
Threat Detected | Security / Vulnerability | 9 - High-High
Threat Quarantined | Security / Failed Activity | 2 - Low-Medium
Quarantined Item Deleted | Security / Other Security | 1 - Low-Low
Policy Update Failure | Audit / Other Audit Failure | 3 - Low-High

MPE Rule Information


The table below details the MPE Base and Sub-Rule information:

Name | Classification | Common Event | Forward As Event | Risk Rating | VMID Value | Description
Adobe Reader Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296261 | A suspicious portable executable file was downloaded and executed by Adobe Reader.
Adobe Reader Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296266 | Adobe Reader executed an unknown application, which in turn launched a command shell.
All Fault Cleared | Operations / Information | Fault Cleared | FALSE | 0 - No Rating | 553648197 | All faults have been cleared.
APK Custom Threat Detected | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1090524041 | An APK matching an Android Simple Custom Detection was found on this system.
APK Threat Detected | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1090524040 | A threat was found on this system.
Apple QuickTime Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296270 | A suspicious portable executable file was downloaded and executed by Apple QuickTime.
Apple QuickTime Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296271 | Apple QuickTime executed an unknown application, which in turn launched a command shell.
Application Authorized | Operations / Information | General Information | FALSE | 0 - No Rating | 570425398 | An application was authorized.
Application Deauthorized | Operations / Information | General Information | FALSE | 0 - No Rating | 570425399 | An application was deauthorized.
Application Deregistered | Operations / Information | General Information | FALSE | 0 - No Rating | 570425397 | An application was deregistered.
Application Registered | Operations / Information | General Information | FALSE | 0 - No Rating | 570425396 | An application was registered.
Attempting Quarantine Delete | Security / Activity | Quarantine | FALSE | 0 - No Rating | 553648151 | Attempting to remove item from quarantine.
Cisco AMP4EP - Base Rule | Operations / Information | Parsing Required | TRUE | 7 - High-Low | - | If the Base Rule is matched, then the log does not have a Sub-Rule created for it. Please use the <vmid> and <vendorinfo> tags to create one.
Cloud Recall Quarantine Attempt | Operations / Information | General Information | FALSE | 0 - No Rating | 553648155 | A retrospective quarantine was attempted and completed successfully.
Cloud Recall Quarantine Attempt Failed | Operations / Warning | General Warning | FALSE | 3 - Medium-Medium | 2164260893 | A retrospective quarantine was attempted and failed. Most likely the original location no longer exists.
Cloud Recall Quarantine of False Negative | Operations / Information | General Information | FALSE | 0 - No Rating | 553648147 | A retrospective quarantine was attempted for a false negative.
Cloud Recall Quarantine Successful | Operations / Information | General Information | FALSE | 0 - No Rating | 553648155 | A retrospective quarantine was completed successfully.
Cloud Recall Restore from Quarantine | Operations / Information | General Information | FALSE | 0 - No Rating | 553648154 | A retrospective restore was completed successfully.
Cloud Recall Restore from Quarantine Failed | Operations / Warning | General Warning | FALSE | 3 - Medium-Medium | 2164260892 | A retrospective restore was attempted and failed. Most likely the original location no longer exists.
Cloud Recall Restore of False Positive | Operations / Information | General Information | FALSE | 0 - No Rating | 553648146 | A file once thought to be malicious has been marked as clean and restored.
Cognitive Incident | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296285 | Cisco Cognitive Threat Analytics has detected a threat.
Connection to Suspicious Domain | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296277 | The computer has made an outbound connection to a domain that is similar to randomly generated domains used by some malware command and control systems.
Critical Fault Raised | Operations / Critical | Critical Fault Raised | TRUE | 9 - High-High | 2164260931 | A critical fault has been raised.
DFC Threat Detected | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1090519084 | A connection has been detected by DFC.
Email Confirmation | Operations / Information | Email Message Sent | FALSE | 0 - No Rating | 1003 | Sent when a user account gets created.
Endpoint IOC Configuration Update Failure | Operations / Error | Configuration Update Failure | FALSE | 7 - High-Low | 2164260911 | Endpoint IOC configuration update failed.
Endpoint IOC Configuration Update Success | Audit / Configuration | Configuration Modified : Application | FALSE | 2 - Low-Medium | 553648176 | Endpoint IOC configuration updated successfully.
Endpoint IOC Definition Update Failure | Operations / Error | Update Failed | TRUE | 7 - High-Low | 2164260914 | Endpoint IOC definition update failed.
Endpoint IOC Definition Update Success | Audit / Configuration | Signatures Updated | FALSE | 2 - Low-Medium | 553648179 | Endpoint IOC definition updated successfully.
Endpoint IOC Scan Completed With Detections | Security / Vulnerability | Threat Detected | FALSE | 9 - High-High | 1091567670 | An endpoint IOC scan has completed and detected malicious items.
Endpoint IOC Scan Completed, No Detections | Operations / Information | Scan Completed - No Detections | FALSE | 0 - No Rating | 554696757 | An endpoint IOC scan has completed without detecting anything malicious.
Endpoint IOC Scan Detection Summary | Operations / Information | IOC Scan Information | FALSE | 0 - No Rating | 1090519089 | Endpoint IOC Scan Detection Summary.
Endpoint IOC Scan Failed | Operations / Error | Scan Process Error | TRUE | 7 - High-Low | 2165309495 | Endpoint IOC scan failed.
Endpoint IOC Scan Started | Operations / Information | Scan Started | FALSE | 0 - No Rating | 554696756 | Endpoint IOC scan started.
Executed Malware | Security / Malware | Detected Malware Activity | TRUE | 9 - High-High | 1107296272 | The computer executed known malware.
Execution Blocked | Security / Failed Activity | Application Blocked | TRUE | 0 - No Rating | 553648168 | Execution of an application was blocked.
Exploit Prevention | Security / Failed Activity | Threat Blocked | TRUE | 0 - No Rating | 1090519103 | An exploit was prevented from running.
Failed to Delete From Quarantine | Operations / Error | Quarantine Error | FALSE | 7 - High-Low | 2164260889 | A quarantined item was not successfully removed from quarantine.
Fault Cleared | Operations / Information | Fault Cleared | FALSE | 0 - No Rating | 553648196 | A fault has been cleared.
File Fetch Completed | Operations / Information | General Information | FALSE | 0 - No Rating | 553648173 | The request for a remote file was successful.
File Fetch Failed | Operations / Information | General Information | FALSE | 0 - No Rating | 2164260910 | The request for a remote file failed.
Forgotten Password Reset | Operations / Information | Password Change Requested | TRUE | 0 - No Rating | 1004 | Sent when a user forgets their password.
Generic IOC | Security / Activity | Generic IOC | TRUE | 3 - Low-High | 1107296274 | Suspicious behaviour that indicates possible compromise of the computer.
Install Failure | Operations / Error | Install Failed | FALSE | 7 - High-Low | 2164260895 | An installation has failed.
Install Started | Operations / Information | Install Started | FALSE | 0 - No Rating | 553648158 | An installation has begun.
Java Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296260 | A suspicious portable executable file was downloaded and executed by the Java plug-in.
Java Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296265 | Java executed an unknown application, which in turn launched a command shell.
Major Fault Raised | Operations / Error | Major Fault Raised | TRUE | 7 - High-Low | 1090519107 | A major fault has been raised.
Microsoft Calculator Compromise | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296275 | A suspicious portable executable file was downloaded and executed by Microsoft Calculator.
Microsoft CHM Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296281 | A suspicious portable executable was downloaded and executed by Microsoft Help.
Microsoft Excel Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296263 | A suspicious portable executable file was downloaded and executed by Microsoft Excel.
Microsoft Excel Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296268 | Microsoft Excel executed an unknown application, which in turn launched a command shell.
Microsoft Notepad Compromise | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296276 | A suspicious portable executable file was downloaded and executed by Microsoft Notepad.
Microsoft PowerPoint Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296264 | A suspicious portable executable file was downloaded and executed by Microsoft PowerPoint.
Microsoft PowerPoint Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296269 | Microsoft PowerPoint executed an unknown application, which in turn launched a command shell.
Microsoft Word Compromise | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296262 | A suspicious portable executable file was downloaded and executed by Microsoft Word.
Microsoft Word Launched a Shell | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296267 | Microsoft Word executed an unknown application, which in turn launched a command shell.
Minor Fault Raised | Operations / Warning | Minor Fault Raised | FALSE | 3 - Medium-Medium | 553648195 | A minor fault has been raised.
Multiple Infected Files | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296257 | Multiple infected files indicate multiple files on a computer are attempting to download malware.
Password Has Been Reset | Operations / Information | Performing Password Change | TRUE | 0 - No Rating | 1005 | A scan has completed and detected malicious items.
Policy Update | Audit / Policy | Policy Modified : Auditing | FALSE | 2 - Low-Medium | 553648130 | An agent has been told to fetch policy.
Policy Update Failure | Audit / Other Audit Failure | Policy Update Failure | TRUE | 3 - Low-High | 2164260866 | A policy update failed, and the policy was not successfully applied.
Potential Dropper Infection | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296258 | Potential dropper infections indicate a single file is repeatedly attempting to download malware onto a computer.
Potential Ransomware | Security / Malware | Possible Ransomware Activity | TRUE | 9 - High-High | 1107296284 | This computer may be infected with ransomware.
Potential Webshell | Security / Malware | Possible Backdoor Activity | TRUE | 9 - High-High | 1107296283 | This computer may have been compromised, granting remote access.
Product Update Completed | Audit / Configuration | Software Updated | FALSE | 2 - Low-Medium | 553648136 | A product update has successfully completed.
Product Update Failed | Operations / Error | Update Failed | TRUE | 7 - High-Low | 553648137 | A product update has failed.
Product Update Started | Operations / Information | Update Process Started | FALSE | 0 - No Rating | 553648135 | A product update has begun.
Quarantine Failure | Operations / Error | Quarantine Error | TRUE | 7 - High-Low | 2164260880 | A detected threat was not successfully quarantined.
Quarantine Item Deleted | Operations / Information | Quarantined Item Deleted | FALSE | 0 - No Rating | 553648152 | A quarantined item has been successfully deleted.
Quarantine Item Restored | Security / Activity | Quarantine | TRUE | 0 - No Rating | 553648149 | A request has been pulled restored to its original location.
Quarantine Request Failed To Be Delivered | Operations / Error | Quarantine Error | TRUE | 7 - High-Low | 2181038130 | A request to restore an item from quarantine was not successfully sent.
Quarantine Restore Failed | Operations / Error | Quarantine Error | TRUE | 7 - High-Low | 2164260884 | An item requested to be restored to its original location could not be restored.
Quarantine Restore Requested | Security / Activity | Quarantine | TRUE | 0 - No Rating | 570425394 | A request has been made to move a file from Quarantine back to its original location.
Quarantine Restore Started | Security / Activity | Quarantine | TRUE | 0 - No Rating | 553648150 | The restoring of a file from Quarantine was attempted.
Quarantined Item Deleted | Security / Other | Quarantined Item Deleted | TRUE | 1 - Low-Low | 553648152 | A quarantined item has been successfully deleted.
Reboot Completed | Operations / Information | Reboot Completed | FALSE | 0 - No Rating | 553648171 | An agent has completed its reboot.
Reboot Pending | Operations / Information | Reboot Requested | FALSE | 0 - No Rating | 553648170 | An agent has started the reboot process.
Rootkit Detection | Security / Malware | Detected Rootkit Activity | TRUE | 9 - High-High | 1090519081 | A threat was found hidden on this system.
Scan Completed With Detections | Security / Vulnerability | Threat Detected | FALSE | 9 - High-High | 1091567628 | A scan has completed and detected malicious items.
Scan Completed, No Detections | Operations / Information | Scan Completed - No Detections | FALSE | 0 - No Rating | 554696715 | A scan has completed without detecting anything malicious.
Scan Failed | Operations / Error | Scan Process Error | TRUE | 7 - High-Low | 2165309453 | A scan has been attempted, and failed to run.
Scan Started | Operations / Information | Scan Started | FALSE | 0 - No Rating | 554696714 | An agent has started scanning.
Suspected Botnet Connection | Security / Malware | Possible Botnet Activity | TRUE | 9 - High-High | 1107296273 | The computer made outbound connections to suspected botnet command and control systems.
Suspicious Cscript Launch | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296282 | Triggers when Internet Explorer launches a command shell which in turn launches Microsoft Windows Script Host (aka cscript).
Suspicious Download | Security / Suspicious | Suspicious Activity | TRUE | 6 - Medium-High | 1107296280 | A suspicious file was downloaded.
Threat Detected | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1090519054 | A threat was found on this system.
Threat Detected in Exclusion | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 553648145 | A threat was detected in an exclusion path.
Threat Detected In Low Prevalence Executable | Security / Vulnerability | Threat Detected | TRUE | 9 - High-High | 1107296278 | A threat was detected in a low prevalence executable.
Threat Quarantined | Security / Failed Activity | Threat Quarantined | TRUE | 2 - Low-Medium | 553648143 | A threat was successfully quarantined.
Uninstall | Audit / Configuration | Software Uninstalled | TRUE | 2 - Low-Medium | 553648166 | The software was uninstalled.
Uninstall Failure | Operations / Error | Uninstall Failed | TRUE | 7 - High-Low | 2164260903 | An uninstall has failed.
Update: Reboot Advised | Operations / Information | Reboot Advised | FALSE | 0 - No Rating | 1090519097 | Triggers when the new connector is installed and running but new driver features will not be available until the system is rebooted.
Update: Reboot Required | Operations / Information | Reboot Required | FALSE | 0 - No Rating | 1090519096 | Triggers when the new connector is installed but not running.
Update: Unexpected Reboot Required | Operations / Information | Reboot Required | FALSE | 0 - No Rating | 2164260922 | Triggers when the new connector is installed but not running for some unexpected scenario.
Vulnerable Application Security / Vulnerable Application Vulnerable Application
TRUE 2 - Low-Medium 1107296279
Detected Vulnerability Detected Detected.
Adding the Log Source to Your System Monitor Agent
The following steps take place in the LogRhythm Client Console.

In the LogRhythm Client Console, create a new Log Source by:

1. Clicking on the ‘Deployment Manager’ tab.

2. Clicking on the ‘System Monitors’ tab.

3. Locating the System Monitor Agent that you set up the AMP script on and double-clicking the entry.

4. In the ‘Log Source Properties’ window that appears, in the lower pane, right-click and select ‘New’ from
the menu that appears.

5. In the ‘Log Message Source Properties’ window that appears, select your new Log Message Source Type
‘Flat File - Cisco AMP for Endpoints’. This will be located under the Custom ‘Record Type Filter’.

6. Select your Log Message Processing Engine (MPE) Policy.

7. Under the ‘Flat File Settings’ tab, in the ‘File Path’ textbox enter:

For Non-HA systems:
C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\Events\AMP4EP.txt

For HA systems:
D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Events\AMP4EP.txt

8. Create a new date parsing format using the values in the following table:

Textbox       Value
Name          Cisco AMP for Endpoints
Regex         <UTC><yy>-<M>-<d>T<h>:<m>:<s><utcoffset>
Description   Date=2018-04-19T14:37:43+00:00

9. On the ‘Additional Settings’ tab, check the ‘Start collection from the beginning of the log.’ checkbox.

10. Click the ‘Advanced’ button in the lower left of the ‘Log Message Source Properties’ window. The
‘Log Source Advanced Properties’ window will appear.

11. Change the value in the table below to increase the maximum number of logs that will be collected per
Agent cycle:

Name              Value
MaxMessageCount   1000

12. Click ‘OK’ to save the change.

13. You will now be back at the ‘Log Message Source Properties’ window. Click ‘OK’ to save the new log source.

Configuration of the Cisco AMP log source is now complete. Validate log collection via the usual methods.
Web Console Dashboard
A Web Console dashboard is available for the Cisco AMP log source.
Troubleshooting
Troubleshooting can be performed by viewing the log file located here:

For Non-HA systems:
C:\Program Files\LogRhythm\LogRhythm System Monitor\AMP4EP\Log\AMP4EP.log

For HA systems:
D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Log\AMP4EP.log

The log file has three severity levels: Information, Warning and Error. Logs with an Error severity indicate
an issue that requires resolving. The table below provides some common messages and troubleshooting steps:

Message | Severity | Description & Troubleshooting Actions
Could not find credentials file: <file location>. Exiting | Error | Validate that the credentials file exists in the AMP4EP directory. Validate that the AMP4EP scheduled task ‘Add Arguments (optional):’ textbox contains the correct credentials file location and file name.
The credentials within the credentials file are corrupt. Please recreate the file: <file location> | Error | Delete and recreate the credentials file.
Failed to call the AMP4EP API. Exiting. System.Net.WebException: The remote name could not be resolved: 'api.amp.cisco.com' | Error | The network interface on the host is not up. DNS resolution is not available on the host. Internet access is not available from the host. A Proxy Server is in use between the host and the Internet.
Failed to call the AMP4EP API. Exiting. System.Net.WebException: The remote server returned an error: (401) Unauthorized. | Error | An incorrect ClientID or APIKey value was used to create the credentials file.
Failed to call the AMP4EP API. Exiting. System.Net.WebException: The remote server returned an error: (501) Not Implemented. | Error | A Proxy Server is configured in Internet Explorer but the Proxy Server is not present.
Failed to parse date from the state file | Error | The state file is corrupt. Delete the ‘.pos’ file in the \AMP4EP\State directory.
This is not the active HA node. Exiting | Warning | The script has detected an HA system, but the System Monitor Agent is not running, indicating it is not the active HA node.
This is a HA node but the LifeKeeper service is not running. Exiting | Warning | The script has detected an HA system, but the LifeKeeper service is not running.
Could not write logs to the events file: <file location> | Warning | The events file in the \AMP4EP\Events directory is currently locked by another process.
Could not get last date entry from received events | Warning | Indicates a script error. Please raise to LogRhythm Professional Services.
Could not write timestamp to state file: <file location>. This may result in duplicate logs | Warning | The state file in the \AMP4EP\State directory is currently locked by another process.

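A small Python health check for the events and state files, added here as an example (it is not part of this guide or of the AMP4EP script): it parses the Date= field in the format the date parsing entry above matches, flags lines without a usable date, reports when the newest event is older than a threshold, and reproduces the unreadable state file and stale state timestamp conditions from the table. The event-line layout, the contents of the .pos state file, and the sample lines are assumptions constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions (constructed for this example): every AMP4EP.txt line carries a
# Date= field in the page's date format, e.g. Date=2018-04-19T14:37:43+00:00,
# and the .pos state file holds a single timestamp in that same format.
DATE_RE = re.compile(r"Date=(\d{4})-(\d{1,2})-(\d{1,2})T(\d{2}):(\d{2}):(\d{2})([+-]\d{2}:\d{2})")

def parse_event_date(line):
    """Aware datetime from the line's Date= field, or None if it is missing."""
    m = DATE_RE.search(line)
    if not m:
        return None
    y, mo, d, h, mi, s, off = m.groups()
    sign = 1 if off[0] == "+" else -1
    tz = timezone(sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6])))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), tzinfo=tz)

def parse_state_timestamp(text):
    """State-file timestamp; None is the 'Failed to parse date from the state file' case."""
    try:
        ts = datetime.fromisoformat(text.strip())
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def check_collection(event_lines, state_text, now, max_age=timedelta(hours=1)):
    """Return a list of findings; an empty list means collection looks healthy."""
    findings = []
    dates = [d for d in map(parse_event_date, event_lines) if d is not None]
    if len(dates) < len(event_lines):
        findings.append(f"{len(event_lines) - len(dates)} event line(s) have no parseable Date= field")
    if not dates:
        findings.append("no events with a valid timestamp in the events file")
    elif now - max(dates) > max_age:
        findings.append(f"newest event is {now - max(dates)} old; collection may have stalled")
    state = parse_state_timestamp(state_text)
    if state is None:
        findings.append("state file timestamp unreadable; delete the .pos file in \\AMP4EP\\State")
    elif dates and state < max(dates):
        findings.append("state timestamp is behind the newest event; expect duplicate logs")
    return findings

# Constructed sample input, not real AMP4EP output.
SAMPLE_EVENTS = [
    "Date=2018-04-19T14:37:43+00:00 EventType=Threat Detected",
    "Date=2018-04-19T15:02:10+01:00 EventType=Scan Started",
    "malformed line with no date field",
]
SAMPLE_STATE = "2018-04-19T14:37:43+00:00\n"
```

Run it against the real AMP4EP.txt and .pos files by reading them into `check_collection` with the current UTC time; any finding points at the matching row of the table above.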