Cisco AMP event stream configuration

Configure a log source in QRadar to manage a specific event stream that you want QRadar to collect events from.

To connect to a specific Cisco AMP event stream, you also need to have access to the Advanced Message Queuing Protocol (AMQP) credentials that are provided by the Cisco AMP for Endpoints API.

The Cisco AMP for Endpoints API is used to manage event streams. For more information about supported queries to manage the Cisco AMP for Enpoint API, see Cisco AMP for Endpoints API.
Important: If an issue occurs while you use the Cisco AMP for Endpoints API, contact your Cisco administrator for assistance. For Cisco contact information, see Cisco Support.
The following table describes the parameters that require specific values to collect events from the Cisco AMP for Endpoints API by using the RabbitMQ protocol:
Table 1. RabbitMQ protocol log source parameters
Parameter Description
Log Source Type Cisco AMP
Protocol Configuration RabbitMQ
Log Source Identifier

Type a unique name for the log source.

The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If more than one Cisco AMP log source is configured, you might identify the first log source as CiscoAMP1, the second log source as CiscoAMP2, and so on.

Event Format You must select Cisco AMP.
IP or Hostname The IP address or host name that is used for the Cisco AMP for Endpoints API event stream. You can find the IP or host name in the AMQP credentials field. For more information about AMQP credentials, see Creating a Cisco AMP event stream.
Port

The port that is used for the Cisco AMP for Endpoints API event stream. You can find the port number in the AMQP credentials field. For more information about AMQP credentials, see Creating a Cisco AMP event stream.

Queue The queue name that is used for the Cisco AMP for Endpoints API event stream. You can find the queue name value in the AMQP credentials field. For more information about the AMQP credentials, see Creating a Cisco AMP event stream.
Username The user name that is used for the Cisco AMP for Endpoints API event stream. You can find the user name value in the AMQP credentials field. For more information about AMQP credentials, see Creating a Cisco AMP event stream.
Password The password that is used for the Cisco AMP for Endpoints API event stream. You can find the password value in the AMQP credentials field. For more information about AMQP credentials, see Creating a Cisco AMP event stream .
EPS Throttle

The maximum number of events per second that QRadar ingests.

If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

The default is 5000.

Allow Untrusted Certificates

Enable this option when the endpoint is using a certificate that cannot be verified via the Certificate Chain. This would include a self-signed certificate, or one from a private CA that you do not want to import into your CA trust.

This option should not be used for endpoints with a certificate issued by a Public CA (SaaS Products, Public Cloud Infrastructure, and so on.)

The certificate must be downloaded in PEM or DER encoded binary format and then placed in the /opt/qradar/conf/trusted_certificates/ directory with a .cert or .crt file extension.