Perch integrates with your Cisco Advanced Malware Protection (AMP) for Endpoints to pull data feeds or events from AMP for Endpoints. You will need to be licensed for AMP for Endpoints and have some data from AMP for the associated region (US, EU, APAC), ClientID, and API Key.
You can get all of this information from the Cisco AMP for Endpoints admin panel.
To setup the integration you will need to:
On the Cisco AMP for Endpoint integration page enter the required information, API region, ClientID, and API key. Then save and test your integration. After a successful test, enable log collection.
Perch will regularly poll Cisco to record integration health. If integration health checks are failing, Perch is unable to pull events from Cisco AMP for Endpoints.
Perch will collect all available events from Cisco AMP for Endpoints. When you first setup the integration, Perch will request the last 24 hours of logs and then will update on 15 minute intervals. Cisco AMP for Endpoint customers do have API rate limits which can impact Perch’s ability to collect logs if the API rate limit has been reached. If a pull fails, Perch will keep track of it and re-request the data when the Cisco endpoint is healthy.
With your logs from Cisco AMP for Endpoints in Perch, you can do all the great Perchy things you’d expect like search through the logs in Perchybana, create visualizations and dashboards, or setup an event notification to be notified of specific events via email, create a CW manage ticket, or have the Perch SOC triage the events.