Cisco AMP For Endpoints

Cisco AMP for Endpoints

Perch integrates with your Cisco Advanced Malware Protection (AMP) for Endpoints to pull data feeds or events from AMP for Endpoints. You need a license for AMP for Endpoints and some data from AMP for the associated region (US, EU, APAC), ClientID, and API Key.

You can get all of this information from the Cisco AMP for Endpoints admin panel.

Setting up your integration

To set up the integration:

  • Log into Perch
  • Select the account you would like to set up the integration for
  • Navigate to Settings on the side navigation
  • Scroll to the integration section of the settings page
  • Click Cisco AMP for Endpoints

AMP Integrations

On the Cisco AMP for Endpoint integration page enter the required information, API region, ClientID, and API key. Then save and test your integration. After a successful test, enable log collection.


Perch will regularly poll Cisco to record integration health. If integration health checks are failing, Perch is unable to pull events from Cisco AMP for Endpoints.

Perch will collect all available events from Cisco AMP for Endpoints. When you first set up the integration, Perch will request the last 24 hours of logs and then update on 15-minute intervals. Cisco AMP for Endpoint customers have API rate limits which can impact Perch’s ability to collect logs if the API rate limit has been reached. If a pull fails, Perch will keep track of it and re-request the data when the Cisco endpoint is healthy.

With your logs from Cisco AMP for Endpoints in Perch, you can do things like search through the logs in Perchybana, create visualizations and dashboards, set up an event notification to be notified of specific events via email, create a CW manage ticket, or have the Perch SOC triage the events.

AMP Visualization

AMP Notifications

Still having trouble? Reach out to one or our specialists at