From 6e430e9f6554335a27d82fb35e36e4f37ab778bd Mon Sep 17 00:00:00 2001
From: Amee Lepcha
Date: Thu, 19 Dec 2024 19:18:44 +0530
Subject: [PATCH 1/7] Cisco AMP - Apps
---
 blog-service/2024-12-24-apps.md | 15 ++
 cid-redirects.json | 1 +
 .../product-list/product-list-a-l.md | 2 +-
 docs/integrations/saas-cloud/cisco-amp.md | 172 ++++++++++++++++++
 docs/integrations/saas-cloud/index.md | 6 +
 sidebars.ts | 1 +
 6 files changed, 196 insertions(+), 1 deletion(-)
 create mode 100644 blog-service/2024-12-24-apps.md
 create mode 100644 docs/integrations/saas-cloud/cisco-amp.md
diff --git a/blog-service/2024-12-24-apps.md b/blog-service/2024-12-24-apps.md
new file mode 100644
index 0000000000..18ad509ed6
--- /dev/null
+++ b/blog-service/2024-12-24-apps.md
@@ -0,0 +1,15 @@
+---
+title: Cisco AMP (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+ - cisco-amp
+ - apps
+hide_table_of_contents: true
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+icon
+
+We're excited to introduce the new Cisco AMP app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Cisco AMP source that collects Cisco AMP logs from the Cisco AMP platform. This app helps security analysts with comprehensive tools to enhance threat detection capabilities, investigate incidents thoroughly, and fortify cybersecurity defenses proactively.
+ [Learn more](/docs/integrations/saas-cloud/cisco-amp/).
diff --git a/cid-redirects.json b/cid-redirects.json
index 8af9425d8f..39dc68230f 100644
--- a/cid-redirects.json
+++ b/cid-redirects.json
@@ -2568,6 +2568,7 @@
 "/cid/80550": "/docs/integrations/app-development/jira",
 "/cid/80808": "/docs/integrations/google/cloud-load-balancing",
 "/cid/13398": "/docs/integrations/saas-cloud/cisco-umbrella",
+ "/cid/13400": "/docs/integrations/saas-cloud/cisco-amp",
 "/cid/80901": "/docs/integrations/containers-orchestration/docker-ulm",
 "/cid/80902": "/docs/integrations/web-servers/heroku",
 "/cid/21208": "/docs/integrations/security-threat-detection/alert-logic",
diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md
index 01036014b6..dea574d2ed 100644
--- a/docs/integrations/product-list/product-list-a-l.md
+++ b/docs/integrations/product-list/product-list-a-l.md
@@ -155,7 +155,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
 | Thumbnail icon | [CIRCL](http://www.circle.lu) | Automation integration: [CIRCL CVE Search](/docs/platform-services/automation-service/app-central/integrations/circl-cve-search/)
Cloud SIEM integration: [PassiveDns](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/ab6459e5-53ac-4791-845f-0f7b861a8f4c.md) |
 | Thumbnail icon | [CircleCI](https://circleci.com/) | Partner integration: [CircleCI](https://circleci.com/docs/sumo-logic-integration/) |
 | Thumbnail icon | [CIS Benchmarks for AWS](https://aws.amazon.com/what-is/cis-benchmarks/) | App: [CIS AWS Foundations Benchmark](/docs/integrations/amazon-aws/cis-aws-foundations-benchmark/) |
-| Thumbnail icon | [Cisco](https://www.cisco.com/) | Apps:
- [Cisco Meraki](/docs/integrations/security-threat-detection/cisco-meraki/)
- [Cisco Meraki - C2C](/docs/integrations/saas-cloud/cisco-meraki-c2c/)
- [Cisco Umbrella](/docs/integrations/saas-cloud/cisco-umbrella/)
- [Webex](/docs/integrations/saas-cloud/webex)
Automation integrations:
- [Armorblox](/docs/platform-services/automation-service/app-central/integrations/armorblox/)
- [Cisco AMP for Endpoints](/docs/platform-services/automation-service/app-central/integrations/cisco-amp-for-endpoints/)
- [Cisco Cyber Vision](/docs/platform-services/automation-service/app-central/integrations/cisco-cyber-vision/)
- [Cisco ESA](/docs/platform-services/automation-service/app-central/integrations/cisco-esa/)
- [Cisco IOS XE](/docs/platform-services/automation-service/app-central/integrations/cisco-ios-xe/)
- [Cisco ISE](/docs/platform-services/automation-service/app-central/integrations/cisco-ise/)
- [Cisco Meraki](/docs/platform-services/automation-service/app-central/integrations/cisco-meraki/)
- [Cisco Stealthwatch](/docs/platform-services/automation-service/app-central/integrations/cisco-stealthwatch/)
- [Cisco Threat Grid](/docs/platform-services/automation-service/app-central/integrations/cisco-threat-grid/)
- [Cisco Threat Response](/docs/platform-services/automation-service/app-central/integrations/cisco-threat-response/)
- [Cisco Umbrella Investigate](/docs/platform-services/automation-service/app-central/integrations/cisco-umbrella-investigate/)
- [Cisco Webex](/docs/platform-services/automation-service/app-central/integrations/cisco-webex/)
- [Snort](/docs/platform-services/automation-service/app-central/integrations/snort/)
Cloud SIEM integration: [Cisco Systems](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/e2d55f62-8ebb-4d00-b2f9-b55d1fa642bb.md)
Collectors:
- [Cisco AMP Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/)
- [Cisco ASA - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa/)
- [Cisco Meraki Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-meraki-source/)
- [Cisco Meraki - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki/)
- [Cisco Vulnerability Management Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-vulnerability-management-source/)
- [Webex Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/webex-source/)
Community app: [Sumo Logic for Cisco Sourcefire](https://github.com/SumoLogic/sumologic-content/tree/master/Cisco/Sourcefire) |
+| Thumbnail icon | [Cisco](https://www.cisco.com/) | Apps:
- [Cisco AMP](/docs/integrations/saas-cloud/cisco-amp/)
- [Cisco Meraki](/docs/integrations/security-threat-detection/cisco-meraki/)
- [Cisco Meraki - C2C](/docs/integrations/saas-cloud/cisco-meraki-c2c/)
- [Cisco Umbrella](/docs/integrations/saas-cloud/cisco-umbrella/)
- [Webex](/docs/integrations/saas-cloud/webex)
Automation integrations:
- [Armorblox](/docs/platform-services/automation-service/app-central/integrations/armorblox/)
- [Cisco AMP for Endpoints](/docs/platform-services/automation-service/app-central/integrations/cisco-amp-for-endpoints/)
- [Cisco Cyber Vision](/docs/platform-services/automation-service/app-central/integrations/cisco-cyber-vision/)
- [Cisco ESA](/docs/platform-services/automation-service/app-central/integrations/cisco-esa/)
- [Cisco IOS XE](/docs/platform-services/automation-service/app-central/integrations/cisco-ios-xe/)
- [Cisco ISE](/docs/platform-services/automation-service/app-central/integrations/cisco-ise/)
- [Cisco Meraki](/docs/platform-services/automation-service/app-central/integrations/cisco-meraki/)
- [Cisco Stealthwatch](/docs/platform-services/automation-service/app-central/integrations/cisco-stealthwatch/)
- [Cisco Threat Grid](/docs/platform-services/automation-service/app-central/integrations/cisco-threat-grid/)
- [Cisco Threat Response](/docs/platform-services/automation-service/app-central/integrations/cisco-threat-response/)
- [Cisco Umbrella Investigate](/docs/platform-services/automation-service/app-central/integrations/cisco-umbrella-investigate/)
- [Cisco Webex](/docs/platform-services/automation-service/app-central/integrations/cisco-webex/)
- [Snort](/docs/platform-services/automation-service/app-central/integrations/snort/)
Cloud SIEM integration: [Cisco Systems](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/e2d55f62-8ebb-4d00-b2f9-b55d1fa642bb.md)
Collectors:
- [Cisco AMP Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/)
- [Cisco ASA - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-asa/)
- [Cisco Meraki Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-meraki-source/)
- [Cisco Meraki - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/cisco-meraki/)
- [Cisco Vulnerability Management Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-vulnerability-management-source/)
- [Webex Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/webex-source/)
Community app: [Sumo Logic for Cisco Sourcefire](https://github.com/SumoLogic/sumologic-content/tree/master/Cisco/Sourcefire) |
 | Thumbnail icon | [Citrix](https://www.citrix.com/) | App: [Citrix Cloud](/docs/integrations/saas-cloud/citrix-cloud/)
Cloud SIEM integration: [Citrix](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/f3d0223a-78a7-42f6-93cc-3bcd15569a5b.md)
Collector: [Citrix Cloud Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/citrix-cloud-source/)
Community apps:
- [Sumo Logic for Citrix Netscaler VPN](https://github.com/SumoLogic/sumologic-content/tree/master/Citrix/VPN)
- [Sumo Logic for Citrix XenServer](https://github.com/SumoLogic/sumologic-content/tree/master/Citrix/XenServer) |
 | Thumbnail icon | [Claroty](https://claroty.com/) | Automation integration: [Claroty](/docs/platform-services/automation-service/app-central/integrations/claroty/)
Cloud SIEM integration: [Claroty](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/7d7a8243-bd53-417a-93f7-b73f800b1925.md) |
 | Thumbnail icon | [Cloudflare](https://www.cloudflare.com/) | App: [Cloudflare](/docs/integrations/saas-cloud/cloudflare/)
Automation integration: [Cloudflare](/docs/platform-services/automation-service/app-central/integrations/cloudflare/)
Cloud SIEM integration: [Cloudflare](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/4c1c0f12-5d0a-4f0c-918f-c83dca43c967.md)
Community app: [Sumo Logic Dashboards for Cloudflare](https://github.com/SumoLogic/sumologic-content/tree/master/Cloudflare)
Partner integration: [Cloudflare](https://developers.cloudflare.com/logs/get-started/enable-destinations/sumo-logic/) | diff --git a/docs/integrations/saas-cloud/cisco-amp.md b/docs/integrations/saas-cloud/cisco-amp.md new file mode 100644 index 0000000000..f8fedae848 --- /dev/null +++ b/docs/integrations/saas-cloud/cisco-amp.md @@ -0,0 +1,172 @@ +--- +id: cisco-amp +title: Cisco AMP +sidebar_label: Cisco AMP +description: The Sumo Logic App for Cisco AMP helps you monitor and analyze cybersecurity incidents, including host activity status and file types implicated in security incidents. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +thumbnail icon + +The Sumo Logic App for Cisco AMP equips security analysts with tools to improve threat detection, conduct in-depth investigations, and strengthen cybersecurity defenses. It provides security analysts with a robust platform for real-time monitoring and analysis of cybersecurity incidents. Analysts can assess event severity, types of incidents, host activity, and file types involved in breaches. +The app also highlights top hosts, users, tactics, and techniques, helping analysts identify trends and potential risks. Analysts can investigate detection types, recent malicious files, compromised endpoints, and suspicious processes to respond swiftly to security incidents. +The app's geolocation features provide insights by mapping the origins of cybersecurity events and highlighting activities from restricted areas. + +:::info +This app includes [built-in monitors](#cisco-amp-monitors). For details on creating custom monitors, refer to the [Create monitors for Cisco AMP app](#create-monitors-for-cisco-amp-app). +::: + +## Log types + +This app uses Sumo Logic’s [Cisco AMP Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/) to collect the event logs from Cisco platform. + +### Sample log message + +
+Event Log + +```json +{ + "version": "v1.2.0", + "metadata": { + "links": { + "self": "https://api.amp.cisco.com/v1/events?limit=2", + "next": "https://api.amp.cisco.com/v1/events?limit=2&offset=2" + }, + "results": { + "total": 1165, + "current_item_count": 2, + "index": 0, + "items_per_page": 2 + } + }, + "data": [ + { + "id": 6180351977805840000, + "timestamp": 1647602406, + "timestamp_nanoseconds": 548000000, + "date": "2022-03-18T11:20:06+00:00", + "event_type": "Threat Detected", + "event_type_id": 1090519054, + "detection": "W32.GenericKD:ZVETJ.18gs.1201", + "detection_id": "6180351977805840385", + "connector_guid": "538738f5-3a14-4449-933b-86142553de06", + "group_guids": [ + "e766a0e9-96da-41b9-b1e8-87dd010d6b68" + ], + "severity": "Medium", + "computer": { + "connector_guid": "538738f5-3a14-4449-933b-86142553de06", + "hostname": "Demo_Upatre", + "external_ip": "xxx.xxx.xxx.xxx", + "user": "A@TEMPLATE-W7X86", + "active": true, + "network_addresses": [ + { + "ip": "xxx.xxx.xxx.xxx", + "mac": "xx:xx:xx:xx:xx:xx" + } + ], + "links": { + "computer": "https://api.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06", + "trajectory": "https://api.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06/trajectory", + "group": "https://api.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a" + } + }, + "file": { + "disposition": "Malicious", + "file_name": "wsymqyv90.exe", + "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe", + "identity": { + "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", + "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48", + "md5": "e2f5dcd966e26d54329e8d79c7201652" + }, + "parent": { + "process_id": 4040, + "disposition": "Clean", + "file_name": "iexplore.exe", + "identity": { + "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", + "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", + "md5": 
"b3581f426dc500a51091cdd5bacf0454" + } + } + }, + "tactics": [ + "TA0042" + ], + "techniques": [ + "T1204.003" + ] + } + ] +} +``` +
+ +### Sample queries + +```sql title="Total Events" +_sourceCategory="Labs/cisco-amp-app" +| json "id", "connector_guid", "severity", "event_type", "computer.active", "file.disposition", "detection_id", "detection", "computer.hostname", "computer.user", "tactics[*]", "techniques[*]", "computer.external_ip", "file.file_name", "file.file_path", "file.parent.file_name", "file.identity.sha256", "file.identity.sha1", "file.identity.md5", "file.parent.identity.sha256", "date", "computer.network_addresses[*]", "file.parent.process_id", "file.parent.disposition", "computer.links.trajectory", "computer.links.computer", "computer.links.group" as id, connector_guid, severity, event_type, status, file_type, detection_id, detection, hostname, user, tactics, techniques, external_ip, file_name, file_path, parent_file_name, sha2565, sha1, md5, parent_sha256, date, computer_network_addresses, process_id, parent_file_type, trajectory_link, computer_link, group_link nodrop + +// global filters +| where severity matches "{{severity}}" +| where event_type matches "{{event_type}}" +| where status matches "{{host_status}}" +| extract field=tactics "\"?(?[\w\s\-&.,]*)\"?[,\n\]]" multi +| extract field=techniques "\"?(?[\w\s\-&.,]*)\"?[,\n\]]" multi +| where tactics matches "{{tactics}}" +| where techniques matches "{{techniques}}" + +| count by id, connector_guid +| count +``` + +## Set up collection + +Follow the instructions provided to set up [Cloud-to-Cloud Integration for Cisco AMP App](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Cisco AMP app is properly integrated and configured to collect and analyze your Cisco AMP data. 
+ +## Installing the Cisco AMP app + +import AppInstall2 from '../../reuse/apps/app-install-v2.md'; + + + +## Viewing Cisco AMP dashboards + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Overview + +The **Cisco AMP - Overview** dashboard is a comprehensive tool that provides security analysts with a high-level summary of key cybersecurity metrics. It tracks total security events, newly detected threats, and recent endpoint activities, offering real-time visibility into the organization's threat landscape. By categorizing threats according to severity levels and types, the dashboard helps analysts quickly identify and prioritize response actions. It also highlights key information on top threat actors and prevalent attack techniques, enhancing threat intelligence and supporting robust incident response strategies. Continuous monitoring of threat trends and endpoint activities empowers analysts to proactively mitigate risks, ensuring a resilient cybersecurity defense posture and effective threat management.
Cisco AMP Overview + +## Create monitors for Cisco AMP app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Cisco AMP monitors + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `Cisco AMP - Events from Embargoed Geo Locations` | This alert identifies and flags events originating from embargoed geographic locations within the Cisco AMP environment. By promptly detecting and responding to activities from restricted regions, security analysts can proactively mitigate potential threats and prevent unauthorized access or breaches.. | Critical | Count > 0 | +| `Cisco AMP - High Severity Events` | This alert highlights security incidents with critical severity levels within the Cisco AMP ecosystem. By prioritizing these high-risk events, security personnel can quickly respond, investigate, and implement necessary actions to effectively mitigate risks before they escalate. | Critical | Count > 0| +| `Cisco AMP - Events with Malicious File` | This alert tracks events related to malicious files within the Cisco AMP system. By promptly alerting analysts to activities involving malicious files, it enables quick identification, isolation, and remediation of threats, helping safeguard the organization's networks and endpoints from potential cybersecurity breaches. | Critical | Count > 0| + +## Upgrade/Downgrade the Cisco AMP app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the Cisco AMP app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md index 56de80f7b5..f1096fc25b 100644 --- a/docs/integrations/saas-cloud/index.md +++ b/docs/integrations/saas-cloud/index.md @@ -75,6 +75,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.

Gain insight into the events and identify potential security threats with admin activities.

+
+
+ icon

Cisco AMP

+

Monitor and analyze the host activity status and file types implicated in cybersecurity incidents.

+
+
icon

Cisco Meraki - C2C

diff --git a/sidebars.ts b/sidebars.ts index 8c08d2797d..c413246d5a 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2455,6 +2455,7 @@ integrations: [ 'integrations/saas-cloud/atlassian', 'integrations/saas-cloud/box', 'integrations/saas-cloud/cato-networks', + 'integrations/saas-cloud/cisco-amp', 'integrations/saas-cloud/cisco-meraki-c2c', 'integrations/saas-cloud/cisco-umbrella', 'integrations/saas-cloud/citrix-cloud', From 60e8c4c3d1b92477514cfb107a0f0ac9045ad2e3 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Fri, 20 Dec 2024 10:31:51 +0530 Subject: [PATCH 2/7] Update docs/integrations/saas-cloud/cisco-amp.md Co-authored-by: Jagadisha V <129049263+JV0812@users.noreply.github.com> --- docs/integrations/saas-cloud/cisco-amp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/cisco-amp.md b/docs/integrations/saas-cloud/cisco-amp.md index f8fedae848..28b7be4850 100644 --- a/docs/integrations/saas-cloud/cisco-amp.md +++ b/docs/integrations/saas-cloud/cisco-amp.md @@ -19,7 +19,7 @@ This app includes [built-in monitors](#cisco-amp-monitors). For details on creat ## Log types -This app uses Sumo Logic’s [Cisco AMP Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/) to collect the event logs from Cisco platform. +This app uses Sumo Logic’s [Cisco AMP Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/) to collect the event logs from the Cisco platform. ### Sample log message From be24b2acd60fc599c1ddc288cf173acbcfebb87d Mon Sep 17 00:00:00 2001 From: Himanshu Pal Date: Fri, 20 Dec 2024 18:49:59 +0530 Subject: [PATCH 3/7] Apply suggestions from code review Co-authored-by: Jagadisha V <129049263+JV0812@users.noreply.github.com> --- blog-service/2024-12-24-apps.md | 3 +-- docs/integrations/saas-cloud/cisco-amp.md | 10 +++++----- 2 files changed, 6 insertions(+), 7 deletions(-) 
diff --git a/blog-service/2024-12-24-apps.md b/blog-service/2024-12-24-apps.md
index 18ad509ed6..bc4845f745 100644
--- a/blog-service/2024-12-24-apps.md
+++ b/blog-service/2024-12-24-apps.md
@@ -11,5 +11,4 @@ import useBaseUrl from '@docusaurus/useBaseUrl';
 icon
-We're excited to introduce the new Cisco AMP app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Cisco AMP source that collects Cisco AMP logs from the Cisco AMP platform. This app helps security analysts with comprehensive tools to enhance threat detection capabilities, investigate incidents thoroughly, and fortify cybersecurity defenses proactively.
- [Learn more](/docs/integrations/saas-cloud/cisco-amp/).
+We're excited to introduce the new Cisco AMP app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Cisco AMP source that collects system log data from the Cisco AMP platform. This app helps security analysts with comprehensive tools to enhance threat detection capabilities, investigate incidents thoroughly, and fortify cybersecurity defenses proactively. [Learn more](/docs/integrations/saas-cloud/cisco-amp/).
diff --git a/docs/integrations/saas-cloud/cisco-amp.md b/docs/integrations/saas-cloud/cisco-amp.md
index 28b7be4850..3c8894bd74 100644
--- a/docs/integrations/saas-cloud/cisco-amp.md
+++ b/docs/integrations/saas-cloud/cisco-amp.md
@@ -2,16 +2,16 @@
 id: cisco-amp
 title: Cisco AMP
 sidebar_label: Cisco AMP
-description: The Sumo Logic App for Cisco AMP helps you monitor and analyze cybersecurity incidents, including host activity status and file types implicated in security incidents.
+description: The Sumo Logic app for Cisco AMP helps you to gain real-time monitoring and analysis of cybersecurity incidents in the Cisco AMP platform.
 ---
 import useBaseUrl from '@docusaurus/useBaseUrl';
 thumbnail icon
-The Sumo Logic App for Cisco AMP equips security analysts with tools to improve threat detection, conduct in-depth investigations, and strengthen cybersecurity defenses. It provides security analysts with a robust platform for real-time monitoring and analysis of cybersecurity incidents. Analysts can assess event severity, types of incidents, host activity, and file types involved in breaches.
-The app also highlights top hosts, users, tactics, and techniques, helping analysts identify trends and potential risks. Analysts can investigate detection types, recent malicious files, compromised endpoints, and suspicious processes to respond swiftly to security incidents.
-The app's geolocation features provide insights by mapping the origins of cybersecurity events and highlighting activities from restricted areas.
+The Sumo Logic app for Cisco AMP provides security analysts with essential tools to enhance threat detection, conduct thorough investigations, and strengthen cybersecurity defenses. It offers security analysts with a powerful platform for real-time monitoring and analysis of cybersecurity incidents. Analysts can evaluate event severity, identify types of incidents, assess host activities, and analyze file types involved in breaches.
+
+Additionally, the app highlights the top hosts, users, tactics, and techniques, helping analysts recognize trends and potential risks. 
With this app, they can examine detection types, review recent malicious files, investigate compromised endpoints, and monitor suspicious processes to respond swiftly to security incidents. The app's geolocation features further enhance analysis by mapping the origins of cybersecurity events and emphasizing activities from restricted areas. :::info This app includes [built-in monitors](#cisco-amp-monitors). For details on creating custom monitors, refer to the [Create monitors for Cisco AMP app](#create-monitors-for-cisco-amp-app). 
@@ -155,7 +155,7 @@ import CreateMonitors from '../../reuse/apps/create-monitors.md';
 | Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition |
 |:--|:--|:--|:--|
-| `Cisco AMP - Events from Embargoed Geo Locations` | This alert identifies and flags events originating from embargoed geographic locations within the Cisco AMP environment. By promptly detecting and responding to activities from restricted regions, security analysts can proactively mitigate potential threats and prevent unauthorized access or breaches.. | Critical | Count > 0 |
+| `Cisco AMP - Events from Embargoed Geo Locations` | This alert identifies and flags events originating from embargoed geographic locations within the Cisco AMP environment. By promptly detecting and responding to activities from restricted regions, security analysts can proactively mitigate potential threats and prevent unauthorized access or breaches. | Critical | Count > 0 |
 | `Cisco AMP - High Severity Events` | This alert highlights security incidents with critical severity levels within the Cisco AMP ecosystem. By prioritizing these high-risk events, security personnel can quickly respond, investigate, and implement necessary actions to effectively mitigate risks before they escalate. | Critical | Count > 0|
 | `Cisco AMP - Events with Malicious File` | This alert tracks events related to malicious files within the Cisco AMP system. By promptly alerting analysts to activities involving malicious files, it enables quick identification, isolation, and remediation of threats, helping safeguard the organization's networks and endpoints from potential cybersecurity breaches. | Critical | Count > 0|
From 81ea4cd7947b65a337575210c5774f7553bbe024 Mon Sep 17 00:00:00 2001
From: Himanshu Pal
Date: Fri, 20 Dec 2024 18:54:41 +0530
Subject: [PATCH 4/7] Update cisco-amp.md to follow c2c source docs
---
 docs/integrations/saas-cloud/cisco-amp.md | 28 +++++++++++++++++++----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/docs/integrations/saas-cloud/cisco-amp.md b/docs/integrations/saas-cloud/cisco-amp.md
index 3c8894bd74..9b251f0c11 100644
--- a/docs/integrations/saas-cloud/cisco-amp.md
+++ b/docs/integrations/saas-cloud/cisco-amp.md
@@ -125,15 +125,33 @@ _sourceCategory="Labs/cisco-amp-app"
 | count
 ```
-## Set up collection
+## Collection configuration and app installation
-Follow the instructions provided to set up [Cloud-to-Cloud Integration for Cisco AMP App](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Cisco AMP app is properly integrated and configured to collect and analyze your Cisco AMP data.
+import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
-## Installing the Cisco AMP app
+
-import AppInstall2 from '../../reuse/apps/app-install-v2.md';
+:::important
+Use the [Cloud-to-Cloud Integration for Cisco AMP App](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Cisco AMP app is properly integrated and configured to collect and analyze your Cisco AMP data.
+:::
+
+### Create a new collector and install the app
+
+import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
+
+
+
+### Use an existing collector and install the app
+
+import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
+
+
+
+### Use an existing source and install the app
+
+import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
-
+
 ## Viewing Cisco AMP dashboards
From ede1a55882397f28b4fe4b2521c4c136af966272 Mon Sep 17 00:00:00 2001
From: Jagadisha V <129049263+JV0812@users.noreply.github.com>
Date: Fri, 20 Dec 2024 19:03:27 +0530
Subject: [PATCH 5/7] Update docs/integrations/saas-cloud/cisco-amp.md
---
 docs/integrations/saas-cloud/cisco-amp.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/integrations/saas-cloud/cisco-amp.md b/docs/integrations/saas-cloud/cisco-amp.md
index 9b251f0c11..73588dc4a7 100644
--- a/docs/integrations/saas-cloud/cisco-amp.md
+++ b/docs/integrations/saas-cloud/cisco-amp.md
@@ -132,7 +132,7 @@ import CollectionConfiguration from '../../reuse/apps/collection-configuration.m
 :::important
-Use the [Cloud-to-Cloud Integration for Cisco AMP App](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Cisco AMP app is properly integrated and configured to collect and analyze your Cisco AMP data.
+Use the [Cloud-to-Cloud Integration for Cisco AMP Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-amp-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Cisco AMP app is properly integrated and configured to collect and analyze your Cisco AMP data.
 :::
 ### Create a new collector and install the app
From 381d3233b6a1458396f198827f85aea73be361e0 Mon Sep 17 00:00:00 2001
From: Jagadisha V <129049263+JV0812@users.noreply.github.com>
Date: Fri, 20 Dec 2024 19:04:11 +0530
Subject: [PATCH 6/7] Update docs/integrations/saas-cloud/cisco-amp.md
---
 docs/integrations/saas-cloud/cisco-amp.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/integrations/saas-cloud/cisco-amp.md b/docs/integrations/saas-cloud/cisco-amp.md
index 73588dc4a7..a638feb401 100644
--- a/docs/integrations/saas-cloud/cisco-amp.md
+++ b/docs/integrations/saas-cloud/cisco-amp.md
@@ -153,7 +153,7 @@ import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
-## Viewing Cisco AMP dashboards
+## Viewing the Cisco AMP dashboards
 import ViewDashboards from '../../reuse/apps/view-dashboards.md';
From 59c80f9c4dceedb8112920365bf0919917ec0c81 Mon Sep 17 00:00:00 2001
From: Jagadisha V <129049263+JV0812@users.noreply.github.com>
Date: Fri, 20 Dec 2024 19:04:30 +0530
Subject: [PATCH 7/7] Rename 2024-12-24-apps.md to 2024-12-20-apps.md
---
 blog-service/{2024-12-24-apps.md => 2024-12-20-apps.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename blog-service/{2024-12-24-apps.md => 2024-12-20-apps.md} (100%)
diff --git a/blog-service/2024-12-24-apps.md b/blog-service/2024-12-20-apps.md
similarity index 100%
rename from blog-service/2024-12-24-apps.md
rename to blog-service/2024-12-20-apps.md