# Cisco AMP for Endpoints

ThreatDefence integrates with **Cisco AMP for Endpoints (Secure Endpoint)** to ingest security telemetry and alerts into the SIEM platform.\
This integration provides visibility into malware detections, quarantines, endpoint activity, and threat intelligence data from Cisco Secure Endpoint.

***

## Prerequisites

Before you begin, ensure the following:

* An active **Cisco AMP for Endpoints (Secure Endpoint)** subscription.
* **Console access** to Cisco Secure Endpoint (cloud-based management portal).
* **API Client Credentials** (Client ID and Client Secret) created in the Secure Endpoint console.
* A working **ThreatDefence Syslog Forwarder** or API ingestion configured.

***

## Integration Steps

### Step 1 — Generate Cisco AMP API Credentials

1. Log in to the **Cisco Secure Endpoint Console**.
2. Navigate to **Management → API Credentials**.
3. Click **Create New API Credential**.
4. Select **Read & Write permissions** for:
   * **Events**
   * **Computers**
   * **Groups**
   * **Policies**
5. Save and copy the generated **Client ID** and **Client Secret** securely.

***

### Step 2 — Obtain API Endpoints

1. Go to **Management → API Credentials**.
2. Identify the **Regional API URL** assigned to your AMP tenant. Examples:
   * North America: `https://api.amp.cisco.com`
   * EU: `https://api.eu.amp.cisco.com`
   * APJC: `https://api.apjc.amp.cisco.com`
3. Copy the **Base URL** and confirm it with your ThreatDefence representative.

***

### Step 3 — Provide Credentials to ThreatDefence

Open a support request via the **ThreatDefence Service Desk** and include:

* **Client ID**
* **Client Secret**
* **Region/Base URL**

***

## Supported Event Types

ThreatDefence ingests the following Cisco AMP telemetry:

* Malware and file reputation events
* Quarantine actions
* Endpoint activity (status, agent health)
* Policy assignment and enforcement logs
* Threat intelligence correlations

***


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.threatdefence.com/siem-integrations/endpoint-protection/cisco-amp.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.