This input provides a mechanism to create, update, and delete event streams in Cisco Advanced Malware Protection (AMP) for Endpoints via the API and to index their events in your Splunk® instance, making them searchable. All you need to do is provide the API host and credentials from your AMP for Endpoints account and specify the stream parameters (such as which event types and groups should be directed to the stream).
This app was tested on Splunk v8.1
It is expected that a user of this app:
Please ensure that the following URL endpoints are reachable:

| AMP for Endpoints public cloud region | URL endpoints | Port | Protocol |
|---|---|---|---|
| North America | api.amp.cisco.com, export-streaming.amp.cisco.com | 443 | TCP |
| Europe | api.eu.amp.cisco.com, export-streaming.eu.amp.cisco.com | 443 | TCP |
| Asia Pacific | api.apjc.amp.cisco.com, export-streaming.apjc.amp.cisco.com | 443 | TCP |
This app comes with a custom interface to ensure that every meaningful action (such as creating, editing, or deleting an input) yields the expected result.
Please note: This app interacts with a third-party service, namely, Cisco Advanced Malware Protection (AMP) for Endpoints.
This app also uses Splunk’s built-in key-value store for persisting crucial information about event streams.
This app can be installed directly from Splunkbase. The app will appear in your Splunk Apps navigation bar after it is successfully installed. When you visit one of the app pages, it will ask you to provide settings on the configuration page.
The configuration contains options related to authenticating to the AMP server by API calls, specifically:
Once these have been configured you are ready to create and use the inputs.
You need to create an input to have events flow into your index. To do this, go to the app interface and navigate to ‘New Input’. If the app is properly configured, you can populate the fields:
When you click ‘Save’, the stream with the parameters you provided will be created within AMP for Endpoints.
If there is a validation failure, the appropriate message will be displayed.
Leave either the Event Type or Groups field blank to direct all respective event types or groups to the created stream and the Splunk index.
Please note: the number of event streams per business is limited to 5.
To update an input, click on its name in the inputs list view. Follow the procedure described above to change the stream parameters. Please note: you will not be able to edit the input name or index.
To delete an input, click the ‘Delete’ link in its row at the inputs list view. Confirm your choice to finish the procedure.
The event stream will be deleted from AMP for Endpoints along with the input.
By default, the events from the stream will be directed to the ‘main’ index. They are assigned the sourcetype cisco:amp:event.
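The create/update/delete cycle the app drives through its UI, written out against the AMP for Endpoints API as an added example (this is not the app's own code). It assumes the v1 paths `/v1/event_streams` and `/v1/event_streams/<id>`, HTTP basic auth with the API client ID as the user name and the API key as the password, the body keys `name`, `event_type` and `group_guid`, and responses that wrap their result in a `data` key; treat all of those as assumptions to verify against Cisco's API documentation. It enforces the page's two edge cases: a blank event-type or group list is omitted from the request body (meaning "all"), and a sixth stream is refused client-side because the page states a limit of 5 per business. `FakeAmpTransport`, the placeholder credentials and the event type id 1001 are constructed so the example runs offline.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

MAX_STREAMS_PER_BUSINESS = 5  # limit stated in the app description

class StreamLimitReached(RuntimeError): pass  # raised client-side before a sixth stream is requested

class EventStreamClient:
    """Client for the AMP for Endpoints event_streams API. Assumed, not from the page:
    paths /v1/event_streams[/<id>], HTTP basic auth (API client ID as user, API key as
    password), body keys name/event_type/group_guid, results wrapped in a "data" key."""

    def __init__(self, api_host, client_id, api_key, transport=None):
        self.base_url = "https://%s/v1" % api_host
        token = base64.b64encode(("%s:%s" % (client_id, api_key)).encode()).decode()
        self.headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}
        # transport(method, url, headers, body) -> (status, raw_bytes); swappable for tests
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        req = Request(url, data=body, headers=headers, method=method)
        try:
            with urlopen(req, timeout=30) as resp:
                return resp.status, resp.read()
        except HTTPError as err:
            return err.code, err.read()

    def _call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, self.base_url + path, self.headers, body)
        data = json.loads(raw) if raw else {}
        if status >= 400:
            raise RuntimeError("AMP API %s %s failed: HTTP %d %s"
                               % (method, path, status, data.get("errors", data)))
        return data.get("data", data)

    @staticmethod
    def build_stream_payload(name, event_type_ids=(), group_guids=()):
        # An empty event type or group list is omitted from the body: that is "all" (blank field in the UI).
        payload = {"name": name}
        if event_type_ids:
            payload["event_type"] = [int(i) for i in event_type_ids]
        if group_guids:
            payload["group_guid"] = list(group_guids)
        return payload

    def list_streams(self):
        return self._call("GET", "/event_streams")

    def create_stream(self, name, event_type_ids=(), group_guids=()):
        # Fail fast on the documented limit rather than relying on the server's error.
        if len(self.list_streams()) >= MAX_STREAMS_PER_BUSINESS:
            raise StreamLimitReached("business already has %d streams" % MAX_STREAMS_PER_BUSINESS)
        return self._call("POST", "/event_streams",
                          self.build_stream_payload(name, event_type_ids, group_guids))

    def update_stream(self, stream_id, name, event_type_ids=(), group_guids=()):
        return self._call("PATCH", "/event_streams/%d" % stream_id,
                          self.build_stream_payload(name, event_type_ids, group_guids))

    def delete_stream(self, stream_id):
        return self._call("DELETE", "/event_streams/%d" % stream_id)

class FakeAmpTransport:
    """Constructed in-memory stand-in for the AMP API so the example runs offline."""

    def __init__(self):
        self.streams, self.next_id = {}, 1

    def __call__(self, method, url, headers, body):
        path, payload = url.split("/v1", 1)[1], (json.loads(body) if body else {})
        if method == "GET":
            return 200, json.dumps({"data": list(self.streams.values())}).encode()
        if method == "POST":
            sid, self.next_id = self.next_id, self.next_id + 1
            self.streams[sid] = dict(payload, id=sid)
            return 201, json.dumps({"data": self.streams[sid]}).encode()
        sid = int(path.rsplit("/", 1)[1])
        stream = self.streams.pop(sid) if method == "DELETE" else self.streams[sid]
        stream.update(payload)
        return 200, json.dumps({"data": stream}).encode()

def demo():
    """Create five streams, hit the limit, delete one, rename one, then add a filtered stream."""
    client = EventStreamClient("api.amp.cisco.com", "CLIENT_ID_PLACEHOLDER",
                               "API_KEY_PLACEHOLDER", transport=FakeAmpTransport())
    created = [client.create_stream("splunk-%d" % i)["id"] for i in range(MAX_STREAMS_PER_BUSINESS)]
    try:
        client.create_stream("one-too-many")
        limit_hit = False
    except StreamLimitReached:
        limit_hit = True
    client.delete_stream(created[0])
    renamed = client.update_stream(created[1], "renamed")["name"]
    # 1001 and the GUID are constructed placeholders, not real AMP identifiers.
    extra = client.create_stream("filtered", [1001], ["GROUP_GUID_PLACEHOLDER"])
    return {"created": len(created), "limit_hit": limit_hit, "renamed": renamed,
            "remaining": len(client.list_streams()), "filtered_keys": sorted(extra)}
```

With a real `api_host` and credentials and no `transport` argument the client talks to the live API over `urllib`; the `transport` hook exists so the request building and the limit handling can be exercised without network access.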
This project is open source; please seek guidance on the project's GitHub page.
If you receive the error ValueError: Expected instance of Parameters, not <URLParameters host=export-streaming.amp.cisco.com port=443 virtual_host=/ ssl=True>, check whether the directory $SPLUNK_HOME/etc/apps/amp4e_events_input/bin/pika/pika exists on your Splunk server. If it does, remove it with: $ rm -rf $SPLUNK_HOME/etc/apps/amp4e_events_input/bin/pika/pika
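A small check for the condition behind that error, added here as an example (not part of the app): a second copy of pika nested inside the app's own bin/pika package gives Python two different Parameters classes, so pika's own isinstance check rejects the URLParameters object it is handed. The function reports the stale directory, defaults to a dry run, and only removes it when asked, which is the same operation as the rm -rf above. The SPLUNK_HOME layout in `demo()` is a constructed temporary fixture.

```python
import shutil
import tempfile
from pathlib import Path

# Relative location of the duplicated package named in the troubleshooting note above.
NESTED_PIKA = Path("etc") / "apps" / "amp4e_events_input" / "bin" / "pika" / "pika"


def find_nested_pika(splunk_home):
    """Return the stale nested pika directory under splunk_home, or None if absent.

    Two copies of pika importable at once yield two distinct Parameters classes, so
    pika's isinstance(parameters, Parameters) check fails with the ValueError quoted above.
    """
    nested = Path(splunk_home) / NESTED_PIKA
    return nested if nested.is_dir() else None


def fix_nested_pika(splunk_home, apply=False):
    """Report (and with apply=True remove) the nested copy; same effect as the rm -rf above."""
    nested = find_nested_pika(splunk_home)
    if nested is None:
        return "ok: no nested pika package under %s" % splunk_home
    if not apply:
        return "would remove %s (rerun with apply=True)" % nested
    shutil.rmtree(nested)
    return "removed %s" % nested


def demo():
    """Constructed fixture: a throwaway SPLUNK_HOME with the bad layout, then the fix."""
    home = Path(tempfile.mkdtemp(prefix="splunk_home_"))
    (home / NESTED_PIKA).mkdir(parents=True)
    (home / NESTED_PIKA / "__init__.py").write_text("")
    before = find_nested_pika(home) is not None
    dry = fix_nested_pika(home).startswith("would remove")
    still_there = find_nested_pika(home) is not None  # dry run must not delete anything
    fix_nested_pika(home, apply=True)
    after = find_nested_pika(home) is None
    outer_kept = (home / NESTED_PIKA.parent).is_dir()  # the app's real bin/pika package survives
    shutil.rmtree(home)
    return {"before": before, "dry_run": dry, "dry_run_kept": still_there,
            "after": after, "outer_kept": outer_kept}
```

Run `fix_nested_pika(os.environ["SPLUNK_HOME"])` first to see what would be removed, then repeat with `apply=True` and restart Splunk.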
If you receive a warning message after updating the app "Warning! It appears your configuration is incomplete, so you will not be able to create any inputs. Please update your configuration."
Updated compatibility for Splunk Cloud and Splunk 9.0, refactored existing UI to depend less on non-supported javascript libraries
Updated amp certificate to reflect the latest API requirements, identified issues with Splunk 8.2.x and updated compatibility version.
Updated version tags in xml view files for Splunk Cloud Compliance
Fixed an issue where creating or editing an input would fail in some cases
Fix AppInspect failure
https://github.com/Cisco-AMP/amp4e_splunk_events_input/pull/64
NOTES: Please completely uninstall previous versions of this app before installing this version on your Splunk instance.
Adds Support for Splunk Cloud 7.3 by fixing appinspect errors preventing Splunk Cloud certification.
- Converts the API key from unsecured to secured storage using Splunk's storage passwords API
- Creating a new input configuration and stream will not save the API key in your input.conf file
- To migrate your existing app and input configurations:
* Make sure you have your API ID and key written down or copied to a file before installation
* Install version 1.1.8 of the app
* Restart Splunk
* Visit https://<your splunk address>/en-US/_bump and click the 'Bump version' button
* Your app config will be automatically updated when visiting the inputs page
* If you see the error message "Warning! It appears your configuration is incomplete, so you will not be able to create any inputs. Please update your configuration." when first visiting the page after updating, try refreshing
* If that doesn't work, visit the configuration page and ensure your configuration is correct