Cisco AMP collector

[ 1 Overview ] [ 2 Devo collector features ] [ 3 Data sources ] [ 4 Minimum configuration required for basic pulling ] [ 5 Accepted authentication methods ] [ 6 Run the collector ] [ 7 Collector services detail ] [ 8 Collector operations ] [ 9 Change log ]

Overview

Cisco Advanced Malware Protection (AMP) for Endpoints is a cloud-managed endpoint security solution that provides advanced protection against viruses, malware, and other cyber-threats by detecting, preventing, and responding to threats.

Devo collector features

Feature	Details

Feature	Details
Allow parallel downloading (`multipod`)	`not allowed`
Running environments	`collector server` `on-premise`
Populated Devo events	`table`
Flattening preprocessing	`yes`

Data sources

Data source	Description	API endpoint	Collector service name	Devo table	Available from release

Data source	Description	API endpoint	Collector service name	Devo table	Available from release
Events	Events in Event Stream	`/Events`	`Events`	`edr.cisco.amp.events`	`v1.0.0`

For more information on how the events are parsed, visit our page.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting	Details

Setting	Details
`api_client_id`	User Client ID to authenticate to the service.
`api_key`	User Api Key to authenticate to the service.
`event_stream_name`	The name of the event stream
`event_stream_password`	The password for the event stream

Accepted authentication methods

The following are the accepted authentication methods for this collector.

Authentication method	Client ID	Api key	Event stream name	Event stream password

Authentication method	Client ID	Api key	Event stream name	Event stream password
Basic Authentication	REQUIRED	REQUIRED	REQUIRED	REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component	Description

Component	Description
Setup	The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller	The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

INFO InputProcess::CiscoAmpPullerSetup(unknown,cisco_amp#23512,event_stream#predefined) -> Authentication Successful
2024-02-23T08:24:54.579    INFO InputProcess::CiscoAmpPullerSetup(unknown,cisco_amp#23512,event_stream#predefined) -> Setup for module <CiscoAmpPuller> has been successfully executed
2024-02-23T08:24:54.794    INFO InputProcess::CiscoAmpPuller(cisco_amp,23512,event_stream,predefined) -> credentials are valid

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

2024-02-23T08:24:54.795    INFO InputProcess::CiscoAmpPuller(cisco_amp,23512,event_stream,predefined) -> Starting data collection every 60 seconds
2024-02-23T08:24:55.046    INFO InputProcess::CiscoAmpPuller(cisco_amp,23512,event_stream,predefined) -> Pika version 1.3.2 connecting to ('107.20.203.8', 443)
2024-02-23T08:24:55.071    INFO InputProcess::CiscoAmpPuller(cisco_amp,23512,event_stream,predefined) -> Socket connected: <socket.socket fd=118, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('192.168.1.69', 62905), raddr=('107.20.203.8', 443)>
2024-02-23T08:24:55.123    INFO InputProcess::CiscoAmpPuller(cisco_amp,23512,event_stream,predefined) -> SSL handshake completed successfully: <ssl.SSLSocket fd=118, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('192.168.1.69', 62905), raddr=('107.20.203.8', 443)>
2024-02-23T08:24:55.124    INFO InputProcess::CiscoAmpPuller(cisco_amp,23512,event_stream,predefined) -> Streaming transport linked up: (<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10db77a30>, _StreamingProtocolShim: <SelectConnection PROTOCOL transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10db77a30> params=<URLParameters host=export-streaming.amp.cisco.com port=443 virtual_host=/ ssl=True>>).
2024-02-23T08:24:55.196    INFO InputProcess::CiscoAmpPuller(cisco_amp,23512,event_stream,predefined) -> AMQPConnector - reporting success: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10db77a30> params=<URLParameters host=export-streaming.amp.cisco.com port=443 virtual_host=/ ssl=True>>
2024-02-23T08:24:55.196    INFO InputProcess::CiscoAmpPuller(cisco_amp,23512,event_stream,predefined) -> AMQPConnectionWorkflow - reporting success: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10db77a30> params=<URLParameters host=export-streaming.amp.cisco.com port=443 virtual_host=/ ssl=True>>
2024-02-23T08:24:55.196    INFO InputProcess::CiscoAmpPuller(cisco_amp,23512,event_stream,predefined) -> Connection workflow succeeded: <SelectConnection OPEN transport=<pika.adapters.utils.io_services_utils._AsyncSSLTransport object at 0x10db77a30> params=<URLParameters host=export-streaming.amp.cisco.com port=443 virtual_host=/ ssl=True>>
2024-02-23T08:24:55.197    INFO InputProcess::CiscoAmpPuller(cisco_amp,23512,event_stream,predefined) -> Created channel=1

Currently, this collector uses no persistence.

Note that this action clears the persistence and cannot be recovered in any way. Resetting persistence could result in duplicate or lost events.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

INFO MainProcess::MainThread -> (CollectorMultiprocessingQueue) standard_queue_multiprocessing -> max_size_in_messages: 1000, max_size_in_mb: 1024, max_wrap_size_in_items: 100
INFO MainProcess::MainThread -> [OUTPUT] OutputMultiprocessingController::__init__ Configuration -> {'devo_1': {'type': 'devo_platform', 'config': {'address': 'collector-eu.devo.io', 'port': 443, ...}}}
INFO MainProcess::MainThread -> OutputProcess - Starting thread (executing_period=300s)
INFO MainProcess::MainThread -> InputProcess - Starting thread (executing_period=300s)
INFO OutputProcess::MainThread -> Process started
INFO InputProcess::MainThread -> Process Started
INFO InputProcess::MainThread -> InitVariables Started
INFO InputProcess::MainThread -> Validating variables in collector definitions Started
INFO InputProcess::MainThread -> Flatten data is not provided in the config.yaml. Considering the flatten data from collector definitions
INFO InputProcess::MainThread -> Validating collector Variables is terminated
INFO InputProcess::MainThread -> Initialization of api_base_url has started.
INFO InputProcess::MainThread -> api_base_url has been initialized
INFO InputProcess::MainThread -> Initialization of credentials has started.
INFO InputProcess::MainThread -> credentials have been initialized.
INFO OutputProcess::MainThread -> [INTERNAL LOGIC] DevoSender::_validate_kwargs_for_method__init__ -> The <address> does not appear to be an IP address and cannot be verified: collector-eu.devo.io
INFO InputProcess::MainThread -> InitVariables Terminated
INFO InputProcess::MainThread -> InputThread(wiz_data_puller,111) - Starting thread (execution_period=120s)
INFO InputProcess::MainThread -> ServiceThread(wiz_data_puller,111,issues,predefined) - Starting thread (execution_period=120s)
INFO InputProcess::MainThread -> WizDataPullerSetup(wiz_collector,wiz_data_puller#111,issues#predefined) -> Starting thread
INFO InputProcess::MainThread -> WizDataPuller(wiz_data_puller,111,issues,predefined) - Starting thread
WARNING InputProcess::WizDataPuller(wiz_data_puller,111,issues,predefined) -> Waiting until setup will be executed
INFO InputProcess::WizDataPullerSetup(wiz_collector,wiz_data_puller#111,issues#predefined) -> Puller Setup Started
INFO InputProcess::WizDataPullerSetup(wiz_collector,wiz_data_puller#111,issues#predefined) -> This is the first run of collector. Generating the access token
INFO InputProcess::WizDataPullerSetup(wiz_collector,wiz_data_puller#111,issues#predefined) -> Getting the auth token url based on provided api_base_url
INFO InputProcess::WizDataPullerSetup(wiz_collector,wiz_data_puller#111,issues#predefined) -> Using default Authentication Domain auth.wiz.io for fetching Access Token
INFO OutputProcess::MainThread -> [INTERNAL LOGIC] DevoSender::_validate_kwargs_for_method__init__ -> The <address> does not appear to be an IP address and cannot be verified: collector-eu.devo.io
INFO OutputProcess::MainThread -> [INTERNAL LOGIC] DevoSender::_validate_kwargs_for_method__init__ -> The <address> does not appear to be an IP address and cannot be verified: collector-eu.devo.io
INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> Starting thread
INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(lookup_senders,devo_1) -> Starting thread (every 300 seconds)
INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_1) -> Starting thread
INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread
INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_1) -> Starting thread (every 300 seconds)
INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_1) -> Starting thread
INFO InputProcess::MainThread -> [GC] global: 36.7% -> 36.7%, process: RSS(26.93MiB -> 27.97MiB), VMS(334.43MiB -> 334.67MiB)
INFO OutputProcess::MainThread -> [GC] global: 36.7% -> 36.3%, process: RSS(26.68MiB -> 28.61MiB), VMS(910.71MiB -> 910.71MiB)
INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"group_name": "internal_senders", "instance_name": "devo_sender_0", "url": "collector-eu.devo.io:443", ...}

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services	Description

Sender services	Description
`internal_senders`	In charge of delivering internal metrics to Devo such as logging traces or metrics.
`standard_senders`	In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace	Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)

Displays the number of events from the last time and following the given example, the following conclusions can be obtained:

44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.
21 events where sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.007 seconds to be delivered.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.

To enable this option you just need to edit the configuration file and change the debug_status parameter from false to true and restart the collector.
To disable this option, you just need to update the configuration file and change the debug_status parameter from true to false and restart the collector.

For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.

Change log

Release	Released on	Release type	Details	Recommendations

Release

Released on

Release type

Details

Recommendations

v1.1.1

Jun 3, 2024

IMPROVEMENTS BUG FIXES

Bug fixes

Updated files for vulnerability fixes and fixed auto acknowledging

Recommended version

v1.1.0

Mar 25, 2024

IMPROVEMENTS BUG FIXES

Improvements

Updated DCSDK to 1.11.1
- Added extra check for not valid message timestamps
- Added extra check for improve the controlled stop
- Changed default number for connection retries (now 7)
- Fix for Devo connection retries
- Updated DevoSDK to v5.1.9
- Fixed some bug related to development on MacOS
- Added an extra validation and fix when the DCSDK receives a wrong timestamp format
- Added an optional config property for use the Syslog timestamp format in a strict way
- Updated DevoSDK to v5.1.10
- Fix for SyslogSender related to UTF-8 Enhance of troubleshooting. Trace Standardization, Some traces has been introduced.
- Introduced a mechanism to detect "Out of Memory killer" situation

Features

Fixed bug in create stream

Update

v1.0.0

Feb 23, 2024

FEATURE

-

Initial version