LogRhythm - Cisco AMP For Endpoints - Configuration Guide - v4
Configuration Guide
https://api-docs.amp.cisco.com
It is important to note that the API is region based: the host you must call depends on the region in which your AMP instance resides.
At present three regions exist:
US:
api.amp.cisco.com
Europe:
api.eu.amp.cisco.com
There are also two versions of the API, v0 & v1. For the purposes of this method we will be using version v1 of the
API.
You can check which PowerShell version is installed on the System Monitor host with: $PSVersionTable.PSVersion
The script provides proxy support using the credentials of the user the script is run under.
The account running the script will require rights to execute PowerShell scripts on the designated host. The
following command can be run by a member of the Administrators group to allow locally created, unsigned
PowerShell scripts to run:
set-executionpolicy remotesigned
Note that RemoteSigned still blocks unsigned scripts that carry the "downloaded from the Internet" mark (the
Zone.Identifier alternate data stream). If AMP4EP.ps1 was downloaded rather than created on the host, clear that
mark with Unblock-File before scheduling it.
Getting Cisco AMP for Endpoint Events into LogRhythm
This method will use the GET /v1/events action to retrieve the AMP Events that can be viewed via the AMP Console:
The retrieval of the events is performed by a PowerShell script that makes a call to the API to pull down the AMP for
Endpoint events to a flat file. Setup will take approximately 30 minutes and will consist of the following steps:
1. Log into the Console, and navigate to ‘Accounts > API Credentials’.
API credentials (API Client ID & API Key) allow other programs to retrieve and modify your Cisco AMP for
Endpoints data. They are functionally equivalent to a username and password, and should be treated as such.
Delete the API credentials for an application if you suspect they have been compromised and create new ones.
Deleting API credentials will lock out any clients using the old ones so make sure to update them to the
new credentials.
Your API credentials are not stored in plain text and can only be displayed once. If you lose the credentials you will
have to generate new ones.
6. Navigate to ‘Accounts > API Credentials’. You should see that an API credential named LogRhythm is present:
You can expand the credential details and verify the ‘Read-Only’ scope by clicking on the + box:
You can then use the table below to determine which specific URL and port will need to be allowed from
the LogRhythm System Monitor host.
The connection will be initiated outbound to the AMP API by the LogRhythm System Monitor host. No
inbound connection is required.
1. Create a directory “AMP4EP” in your LogRhythm System Monitor folder. For non-HA systems this will
be located here: C:\Program Files\LogRhythm\LogRhythm System Monitor\
For HA systems, create the folder on the replicated volume D: in the following location:
D:\LogRhythmHA\LogRhythm System Monitor\
The PowerShell script is HA aware, so it will only run to completion when the System Monitor host it resides on is
the active node. This ensures that only the active node collects the AMP events, and that the events, state
and log information are shared between the two HA hosts via the replicated volume.
3. Create the directories “Events”, “Log” & “State” within the AMP4EP directory.
Creating the Credentials File
The following steps take place on the LogRhythm System Monitor host.
1. Run the following command in an Administrator PowerShell window. Note that you must run this command
from the same account that will run the scheduled task: Export-Clixml protects the password with the Windows
Data Protection API (DPAPI), so only that user account can decrypt the resulting file.
For HA systems:
Get-Credential | Export-Clixml -Path "D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\${env:USERNAME}_cred.xml"
3. In the ‘User name:’ field enter the ‘3rd Party API Client ID’ saved earlier.
4. In the ‘Password:’ field enter the ‘API Key’ saved earlier.
6. Check that the credentials file was created successfully by navigating to the AMP4EP directory and
validating that the <account-name>_cred.xml file exists:
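The guide never shows the collector script itself, only how its credentials file is created and consumed. The following is an added example, not the AMP4EP.ps1 script the guide distributes: a minimal PowerShell collector that does what the guide describes, loading the DPAPI-protected file with Import-Clixml, calling GET /v1/events on the regional API with HTTP Basic authentication (Client ID as user name, API Key as password), following pagination, appending one quoted Key=value line per event to the Events file, and keeping the newest event date in a State file. The start_date and limit query parameters, the data[] and metadata.links.next response fields, and the event sub-fields (computer.hostname, file.identity.sha256, and so on) are assumptions taken from the public AMP API documentation rather than from this page; the .pos file layout and the subset of output fields are this example's own.

```powershell
<#
  Added example, not the AMP4EP.ps1 script this guide ships.
  Assumptions (not on this page): start_date/limit query parameters, the
  data[] array and metadata.links.next in the response, and the event
  sub-fields used in ConvertTo-FlatLine follow the public AMP API docs.
#>
param(
    [Parameter(Mandatory)] [string] $CredentialsFile,
    [string] $ApiHost  = 'api.amp.cisco.com',   # api.eu.amp.cisco.com for a European instance
    [string] $BaseDir  = "$env:ProgramFiles\LogRhythm\LogRhythm System Monitor\AMP4EP",
    [int]    $PageSize = 500
)
$ErrorActionPreference = 'Stop'
$eventsFile = Join-Path $BaseDir 'Events\AMP4EP.txt'
$stateFile  = Join-Path $BaseDir 'State\AMP4EP.pos'

# The AMP API requires TLS 1.2; Windows PowerShell 5.1 may default to older protocols.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Proxy support using the credentials of the user the script runs under.
[Net.WebRequest]::DefaultWebProxy.Credentials = [Net.CredentialCache]::DefaultNetworkCredentials

# Only the account that ran Export-Clixml can decrypt this file (DPAPI).
$cred    = Import-Clixml -Path $CredentialsFile
$pair    = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$headers = @{
    Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    Accept        = 'application/json'
}

# Resume from the stored high-water mark; on the very first run look back 24 hours.
$lastDate = if (Test-Path $stateFile) { (Get-Content $stateFile -Raw).Trim() }
            else { (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssK') }

# Render one event as the '"Key=value","Key=value",...' line the MPE base rule expects.
# Field names mirror those in the guide's regex; only a subset is emitted here.
function ConvertTo-FlatLine([object] $e) {
    $fields = [ordered]@{
        Date                 = $e.date
        Event_Type           = $e.event_type
        Computer_Hostname    = $e.computer.hostname
        Computer_External_IP = $e.computer.external_ip
        Computer_User        = $e.computer.user
        Network_Addr_IP      = @($e.computer.network_addresses)[0].ip
        File_Name            = $e.file.file_name
        File_Path            = $e.file.file_path
        File_Identity_SHA256 = $e.file.identity.sha256
    }
    $parts = foreach ($f in $fields.GetEnumerator()) {
        if ($null -ne $f.Value -and "$($f.Value)" -ne '') {
            # Quotes and line breaks inside a value would break the one-line record format.
            '"{0}={1}"' -f $f.Key, ("$($f.Value)" -replace '[\r\n"]', ' ')
        }
    }
    $parts -join ','
}

$uri   = 'https://{0}/v1/events?start_date={1}&limit={2}' -f $ApiHost, [uri]::EscapeDataString($lastDate), $PageSize
$count = 0
while ($uri) {
    $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers
    foreach ($e in $resp.data) {
        Add-Content -Path $eventsFile -Value (ConvertTo-FlatLine $e) -Encoding UTF8
        if ([DateTimeOffset]::Parse($e.date) -gt [DateTimeOffset]::Parse($lastDate)) { $lastDate = $e.date }
        $count++
    }
    $uri = $resp.metadata.links.next     # null on the final page, which ends the loop
}
# Persist the high-water mark only after every page was appended successfully.
Set-Content -Path $stateFile -Value $lastDate -Encoding ASCII
Write-Output ('Wrote {0} event(s); next run starts from {1}' -f $count, $lastDate)
```

Run it as `.\Collect-AmpEvents.ps1 -CredentialsFile 'D:\...\AMP4EP\<account-name>_cred.xml'` under the same account that created the credentials file; Import-Clixml fails under any other account, which is the behaviour the guide's "same account" note is warning about. Because start_date is a lower bound on the event date, the event that set the high-water mark is fetched again on the next run, so a production collector should de-duplicate on the event identifier or advance the stored date by one second.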
We will now create a scheduled task to run the PowerShell script AMP4EP.ps1 every minute. As the script
resides within the LogRhythm System Monitor directory, the task will need to run under an account that
has Administrator permissions, or alternatively an account that has been granted specific permissions on the
previously created AMP4EP directory.
3. On the ‘Task Trigger’ window, select ‘Daily’ and click ‘Next >’. We will change the schedule later:
5. On the ‘Action’ window, select ‘Start a program’ and click ‘Next >’:
6. On the ‘Start a Program’ window, enter the following details in the textboxes, making sure you edit the
“<account-name>_cred.xml” part to match the file name of the credentials file created earlier.
For HA systems:
Textbox                    Value
Program/script             powershell
Add Arguments (optional):  -command "& 'D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\AMP4EP.ps1' -CredentialsFile 'D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\<account-name>_cred.xml'"
8. On the ‘Summary’ window, check the ‘Open the Properties dialog for this task when I click
Finish’ checkbox and click ‘Finish’:
9. The AMP4EP Task Properties will now be displayed. On the ‘General’ tab, change the ‘Run only
when user is logged on’ bullet to ‘Run whether user is logged on or not’.
The ‘Do not store password’ option will now be available. Check that checkbox to enforce this option, and also check:
• Run with highest privileges
10. Click on the ‘Triggers’ tab and highlight the ‘Daily’ trigger as below:
11. Now click the ‘Edit…’ button. The ‘Edit Trigger’ window will appear:
12. Under the ‘Advanced Settings’ section, check the ‘Repeat task every:’ checkbox and within
the associated dropdown box enter ‘1 minute’. In the ‘for a duration of:’ dropdown box select
the ‘Indefinitely’ option:
13. Click the ‘OK’ to accept the changes.
14. You will now be back at the AMP4EP Task Properties window. Click ‘OK’ to save the task.
15. Verify that the task has been created by clicking on the ‘Task Scheduler Library’ icon and checking
that the ‘LogRhythm Cisco AMP4EP’ task appears in the list of tasks.
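The same task can be registered from PowerShell instead of clicking through the wizard. This is an added example, not part of the guide: it builds the Daily trigger with a one-minute repetition, the S4U logon that corresponds to "Run whether user is logged on or not" with "Do not store password", and the highest run level, then verifies the result. Paths follow the guide's HA layout; the -NoProfile/-NonInteractive switches, the instance policy and the execution time limit are additions a practitioner would want for a task that fires every minute.

```powershell
# Added example, not from the guide: register the 'LogRhythm Cisco AMP4EP' task
# via the ScheduledTasks module. Paths are the guide's HA layout.
$base    = 'D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP'
$script  = Join-Path $base 'AMP4EP.ps1'
$credXml = Join-Path $base "${env:USERNAME}_cred.xml"   # name produced by the Export-Clixml step

# Same command line as the wizard's "Add arguments" box, plus -NoProfile/-NonInteractive
# so a user profile script or an interactive prompt can never stall the collector.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument ('-NoProfile -NonInteractive -Command "& ''{0}'' -CredentialsFile ''{1}''"' -f $script, $credXml)

# Daily trigger with "Repeat task every 1 minute". The Daily parameter set has no
# repetition switches, so the Repetition object is borrowed from a -Once trigger.
$trigger = New-ScheduledTaskTrigger -Daily -At '00:00'
$repeat  = New-ScheduledTaskTrigger -Once -At '00:00' `
    -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 1)
$trigger.Repetition = $repeat.Repetition

# S4U = "Run whether user is logged on or not" + "Do not store password";
# RunLevel Highest = "Run with highest privileges". The account must be the one
# that created the credentials file, or Import-Clixml cannot decrypt it.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType S4U -RunLevel Highest

# Never stack overlapping polls, and kill a run that hangs on the API or proxy.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5) -StartWhenAvailable

Register-ScheduledTask -TaskName 'LogRhythm Cisco AMP4EP' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verification equivalent to step 15: the task exists, and after a minute LastTaskResult should be 0.
Get-ScheduledTask -TaskName 'LogRhythm Cisco AMP4EP' | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

Run this in an elevated PowerShell session as the collection account. A non-zero LastTaskResult after the first minute usually means the script path, the credentials file name or the account mismatch described above; the script's own log in the Log directory gives the detail.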
When the scheduled task runs, any new events will be written to:
For HA systems:
D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Events\AMP4EP.txt
The script writes its own log to:
For HA systems:
D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Log\AMP4EP.log
Creating the Log Source Type
The following steps take place in the LogRhythm Client Console.
1. In The LogRhythm Client Console, create a new Log Source Type by clicking on the "Deployment Manager"
tab and navigating to ‘Tools --> Knowledge --> Log Source Type Manager’
2. In the ‘Log Source Type Manager’ click on the green plus to create a new log source type.
3. Enter the following information in the ‘Log Source Properties’ window, then click ‘OK’:
1. In The LogRhythm Client Console, create a new Log Processing Policy by clicking on the "Deployment
Manager" tab and then clicking on the ‘Log Processing Policies’ tab:
3. In the ‘Log Source Type Selector’ window, highlight ‘Custom’ in the ‘Record Type Filter’ area, and then when
the ‘Flat File - Cisco AMP for Endpoints’ log source type appears in the ‘Log Source Type’ area, highlight it.
4. Click the ‘OK’ button. The ‘MPE Policy Editor’ window will appear. Enter the following information in
the textboxes:
Textbox Value
Name LogRhythm Default
Brief Description Cisco AMP for Endpoints
er_Connector_GUID[^"]+")?(,"Computer_Hostname=(?<sname>[^"]+)?")?(,"Computer_External_IP=(?<snatip>[^"]+)?")?(,"Computer_User=(?<login>[^"]+)?")?(,"Computer_Active[^"]+")?(,"Network_Addr_IP=(?<sip>[^"]+)?")?(,"Network_Addr_MAC=(?<smac>[^"]+)?")?(,"Links_Computer[^"]+")?(,"Links_Trajectory[^"]+")?(,"Links_Group[^"]+")?(,"File_Disposition[^"]+")?(,"File_Name=(?<object>[^"]+)?")?(,"File_Path=(?<parentprocesspath>[^"]+)?")?(,"File_Identity_SHA1[^"]+")?(,"File_Identity_SHA256=(?<hash>[^"]+)?")?(,"File_Parent_Disposition[^"]+")?(,"File_Parent_File_Name[^"]+")?(,"File_Parent_Identity_SHA1[^"]+")?(,"File_Parent_Identity_SHA256[^"]+")?(,"Scan_Description=(?<subject>[^"]+)?")?(,"Scan_Clean=(?<result>[^"]+)?")?(,"Scanned_Files[^"]+")?(,"Scanned_Processes[^"]+")?(,"Scanned_Paths[^"]+")?(,"Malicious_Detections[^"]+")?(,"Vuln_Name=(?<objectname>[^"]+)?")?(,"Vuln_Version=(?<version>[^"]+)?")?(,"Vuln_CVEs=(?<cve>[^"]+)?")?(,"Vuln_Scores[^"]+")?(,"CVE_URLs[^"]+")?(,"Dirty_URL=(?<url>[^"]+)?")?(,"Remote_IP=(?<dip>[^"]+)?")?(,"Remote_Port=(?<dport>[^"]+)?")?(,"Local_IP=(?<sip>[^"]+)?")?(,"Local_Port=(?<sport>[^"]+)?")?(,"IOC_Desc[^"]+")?(,"IOC_Short_Desc[^"]+")?
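A base rule of this length is easy to break with a single misplaced quote or parenthesis, and a broken rule silently turns every event into an unparsed log. The following is an added example, not part of the guide: a small PowerShell helper that runs a rule against constructed lines in the flat-file format with the same .NET regex syntax the MPE rule is written in and reports which named captures actually populated. The pattern shown is a short hypothetical rule covering a few of the field names above, not the guide's full rule; paste the real rule into -Pattern and real lines from AMP4EP.txt into -SampleLine.

```powershell
# Added example, not part of the guide. The pattern and the sample lines are
# constructed for illustration; they are not the guide's rule or real AMP output.
function Test-MpeRule {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,
        [Parameter(Mandatory)] [string[]] $SampleLine
    )
    # Compiling here surfaces a malformed pattern before it is ever saved to the policy.
    $rx = [regex]$Pattern
    $names = $rx.GetGroupNames() | Where-Object { $_ -notmatch '^\d+$' }   # named groups only
    foreach ($line in $SampleLine) {
        $m = $rx.Match($line)
        if (-not $m.Success) { Write-Warning "NO MATCH: $line"; continue }
        $caps = [ordered]@{ Line = $line.Substring(0, [Math]::Min(40, $line.Length)) + '...' }
        foreach ($n in $names) {
            # Optional "(,"Field=(?<x>...)?")?" groups leave Success=$false when the field is absent.
            $caps[$n] = if ($m.Groups[$n].Success) { $m.Groups[$n].Value } else { '<not captured>' }
        }
        [pscustomobject]$caps
    }
}

# Hypothetical short rule using a few of the field names from the guide's regex.
$pattern = '^"Date=(?<date>[^"]+)",".*?"' +
           '(,"Computer_Hostname=(?<sname>[^"]+)?")?' +
           '(,"Computer_User=(?<login>[^"]+)?")?' +
           '(,"File_Identity_SHA256=(?<hash>[^"]+)?")?' +
           '(,"Remote_IP=(?<dip>[^"]+)?")?'

# Constructed lines in the flat-file format; the second one omits most fields on purpose.
$samples = @(
    '"Date=2018-04-19T14:37:43+00:00","Event_Type=Threat Detected","Computer_Hostname=WS01","Computer_User=alice","File_Identity_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"'
    '"Date=2018-04-19T14:38:01+00:00","Event_Type=Scan Completed","Computer_Hostname=WS02"'
    '"Event_Type=Malformed","Computer_Hostname=WS03"'
)
Test-MpeRule -Pattern $pattern -SampleLine $samples | Format-List
```

The first sample populates date, sname, login and hash with dip left uncaptured; the second populates only date and sname; the third, which lacks the leading Date field, produces a NO MATCH warning. Checking the result this way before saving the policy is cheaper than discovering a non-matching rule from a flood of unparsed events.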
3. Locate the System Monitor Agent that you setup the AMP script on and double-click the entry.
4. In the ‘Log Source Properties’ window that appears, in the lower pane, right-click and select ‘New’ from
the menu that appears:
5. In the ‘Log Message Source Properties’ window that appears, select your new Log Message Source Type
‘Flat File - Cisco AMP for Endpoints’. This will be located under the Custom ‘Record Type Filter’.
Set the log source's file path to the events file written by the scheduled task:
For HA systems:
D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Events\AMP4EP.txt
8. Create a new date parsing format using the values in the following table:
Textbox      Value
Name         Cisco AMP for Endpoints
Regex        <UTC><yy>-<M>-<d>T<h>:<m>:<s><utcoffset>
Description  Date=2018-04-19T14:37:43+00:00
9. On the ‘Additional Settings’ tab check the ‘Start collection from the beginning of the log.’ checkbox.
10. Click the ‘Advanced’ button in the lower left of the ‘Log Message Source Properties’ window. The
‘Log Source Advanced Properties’ window will appear:
11. Change the value shown in the table below to increase the maximum number of logs that will be collected per
Agent cycle:
Name Value
MaxMessageCount 1000
13. You will now be back at the ‘Log Message Source Properties’ window. Click ‘OK’ to save the new log source.
Configuration of the Cisco AMP log source is now complete. Validate log collection via the usual methods.
Web Console Dashboard
A Web Console dashboard is available for the Cisco AMP log source:
Troubleshooting
Troubleshooting can be performed by viewing the log file located here:
For HA systems:
D:\LogRhythmHA\LogRhythm System Monitor\AMP4EP\Log\AMP4EP.log
The log file has three severity levels, Information, Warning and Error. Logs with an Error severity will indicate
an issue that requires resolving. The table below provides some common messages and troubleshooting steps:
Message: Failed to parse date from the state file
Severity: Error
Description & Troubleshooting Actions: The state file is corrupt. Delete the ‘.pos’ file in the \AMP4EP\State directory.

Message: This is not the active HA node. Exiting
Severity: Warning
Description & Troubleshooting Actions: The script has detected a HA system, but the System Monitor Agent is not running, indicating it is not the active HA node.

Message: This is a HA node but the LifeKeeper service is not running. Exiting
Severity: Warning
Description & Troubleshooting Actions: The script has detected a HA system, but the LifeKeeper service is not running.

Message: Could not write logs to the events file: <file location>
Severity: Warning
Description & Troubleshooting Actions: The events file in the \AMP4EP\Events directory is currently locked by another process.

Message: Could not get last date entry from received events
Severity: Warning
Description & Troubleshooting Actions: Indicates a script error. Please raise to LogRhythm Professional Services.

Message: Could not write timestamp to state file: <file location>. This may result in duplicate logs
Severity: Warning
Description & Troubleshooting Actions: The state file in the \AMP4EP\State directory is currently locked by another process.