Cisco AMP for Endpoints Collector Plugin - 5thColumn/Revolver-wiki-archive GitHub Wiki
Description
This plugin gathers all events in real time from your endpoints that are protected by Cisco AMP and delivers them to BOSS. Note that an endpoint is protected only if the Cisco AMP agent is installed on it.
Configuration Instructions
1. Navigate to https://amp.cisco.com and log into your account.
2. Go to My Account under your name in the top right-hand corner of the screen.
3. Select the Accounts dropdown, and then API Credentials.
4. Select New API Credential.
5. Under Application name, write "BOSS".
6. Under Scope, check Read & Write. Note: the plugin will not work unless you complete this step.
7. Select Create. You will receive the 3rd Party API Client ID and API Key. Note: store the keys in a secure place. If you lose the credentials, you will have to generate new ones.
8. Next, log in to your Revolver instance and navigate to Manage Plugins.
9. Select the arrow next to Cisco AMP Collector to expand the section and enter the keys (from Step 7) into their respective fields.
10. Select Configure.
11. You will receive a notification that the plugin is in the process of being configured. After a few moments, you will receive a second notification that the plugin has been configured and is ready for use. Note: if the second notification indicates there was an error configuring the plugin, select Configure again. It should succeed this time. If it does not, contact the support team.
Release Notes
Current Version: 1.3