Cisco AMP for Endpoints Splunk ES Integration Add-on provides a mechanism to map data from AMP data into Splunk Enterprise Security, using the Splunk Common Information Model Add-on. It also adds some workflow actions for AMP.
- A local instance of Splunk Enterprise
- Splunk Common Information Model (CIM)
- Clone the repository
- Copy or link it to
$SPLUNK_HOME/etc/apps/TA-cisco-amp4e - Restart Splunk
- Set up the application (Apps->Manage apps->Splunk Add-on for Cisco AMP4E->Set up)
If you've developed a feature, don't hesitate to submit a pull request for review! Please make sure your code is properly documented and tested (if needed), as it will facilitate fast reviewing.
- Clone the repo in a folder that matches the id in default/app.conf. In our case
TA-cisco-amp4e. Unfortuntaely, this cannot be changed since Splunkbase will reject if the name has changed. - Install the package toolkit
- Run
python -m slim package TA-cisco-amp4e
This project was developed by Cisco AMP For Endpoints team
This project is licensed under the BSD 2-clause "Simplified" License - see the LICENSE file for details
- Brian from Northern Trust
- cszekacs
- johnosn
- sschimper-splunk