OTHER SIEM INTEGRATION CASE STUDIES
The customer is a leading SIEM solution provider. They offer a platform on which companies aggregate and act upon threat intelligence.
The customer asked Sacumen to build a Connector integrating their platform with Cisco AMP Endpoint event monitoring, so that it could collect events and perform orchestration actions: isolating and un-isolating hosts (selected by file hash or IP address), changing a host's group, and adding to an IOC list in response to a security alert or event.
Sacumen developed the Connector app to integrate with Cisco AMP using Java and Apache REST. The Connector app performs the following actions:
Set up the prerequisites:
  Log in to Cisco AMP Endpoint
  Set up the Connector app
  Authenticate against the REST API with Basic authentication, using the API Key and Client ID as credentials
Collect the events:
  Collect events matching a filter such as event type or event creation date
  Sample the records to calculate an estimated EPS (events per second)
  Calculate the error rate (share of API calls that fail)
  Calculate bandwidth consumption
Perform orchestration actions such as isolating a host, changing its host group, and adding a host to the IOC list
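As an added illustration, not the connector's own code (which is Java), the following Python sketch shows the measurement steps listed above: building the Basic authentication header from the Client ID and API Key, forming a type- and date-filtered event query, and deriving estimated EPS, error rate and bandwidth from a sampled page of records. The endpoint path, the query parameter names and the sample data are assumptions, not taken from the case study.

```python
import base64
from datetime import datetime
from typing import Iterable, Sequence
from urllib.parse import urlencode

def basic_auth_header(client_id: str, api_key: str) -> dict:
    """HTTP Basic credentials built from the Client ID and API Key."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}

def events_url(base_url: str, event_types: Sequence[str], start_date: str, limit: int = 500) -> str:
    """Event query filtered by type and creation date.
    The path and parameter names (event_type[], start_date, limit) are
    assumptions about the AMP API, not taken from the case study."""
    params = [("event_type[]", t) for t in event_types]
    params += [("start_date", start_date), ("limit", str(limit))]
    return f"{base_url.rstrip('/')}/v1/events?{urlencode(params)}"

def estimate_eps(events: Iterable[dict]) -> float:
    """Estimated events per second from a sampled window.
    The span is the distance between the oldest and newest sampled event;
    a single event, or events sharing one timestamp, is treated as a
    one-second window rather than dividing by zero."""
    stamps = sorted(datetime.fromisoformat(e["date"]) for e in events)
    if not stamps:
        return 0.0
    span = (stamps[-1] - stamps[0]).total_seconds()
    return len(stamps) / max(span, 1.0)

def error_rate(status_codes: Sequence[int]) -> float:
    """Share of API calls that failed (HTTP 4xx/5xx); 0.0 when nothing was called."""
    if not status_codes:
        return 0.0
    return sum(1 for s in status_codes if s >= 400) / len(status_codes)

def estimate_bandwidth_bps(sample_bytes: int, sample_count: int, eps: float) -> float:
    """Projected bytes per second: average bytes per sampled event times estimated EPS."""
    if sample_count == 0:
        return 0.0
    return sample_bytes / sample_count * eps

# Constructed sample: five events 5 s apart, as the connector might page them back.
SAMPLE_EVENTS = [{"date": f"2024-01-01T00:00:{5*i:02d}+00:00", "event_type": "Threat Detected"} for i in range(5)]
SAMPLE_STATUSES = [200, 200, 429, 200, 500, 200, 200, 200, 200, 200]  # constructed API call outcomes

if __name__ == "__main__":
    eps = estimate_eps(SAMPLE_EVENTS)
    print(f"EPS={eps:.3f} error_rate={error_rate(SAMPLE_STATUSES):.2f} "
          f"bytes_per_second={estimate_bandwidth_bps(5000, len(SAMPLE_EVENTS), eps):.1f}")
```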