Cisco AMP event stream configuration
Configure one log source in QRadar for each Cisco AMP event stream that you want QRadar to collect events from.
To connect to a specific event stream, you need the Advanced Message Queuing Protocol (AMQP) credentials (host, port, queue name, user name and password) that the Cisco AMP for Endpoints API provides when the event stream is created. For more information, see Creating a Cisco AMP event stream.
Parameter | Description |
---|---|
Log Source Type | Cisco AMP |
Protocol Configuration | RabbitMQ |
Log Source Identifier | Type a unique name for the log source. The identifier can be any valid value and does not need to reference a specific server; it can be the same value as the Log Source Name. If more than one Cisco AMP log source is configured, you might name the first log source CiscoAMP1, the second CiscoAMP2, and so on. |
Event Format | You must select Cisco AMP. |
IP or Hostname | The IP address or host name of the Cisco AMP for Endpoints API event stream. Use the host value from the AMQP credentials field. For more information about AMQP credentials, see Creating a Cisco AMP event stream. |
Port | The port of the event stream. Use the port value from the AMQP credentials field. |
Queue | The queue name of the event stream. Use the queue name value from the AMQP credentials field. |
Username | The user name for the event stream. Use the user name value from the AMQP credentials field. |
Password | The password for the event stream. Use the password value from the AMQP credentials field. |
EPS Throttle | The maximum number of events per second that QRadar ingests from this log source. If the data source exceeds the throttle, collection is delayed rather than dropped: events are still collected and are ingested once the rate falls back below the throttle. The default is 5000. |
Allow Untrusted Certificates | Enable this option only when the endpoint presents a certificate that QRadar cannot verify through its certificate chain, such as a self-signed certificate or one issued by a private CA that you do not want to import into the QRadar trust store. Do not enable it for endpoints whose certificate is issued by a public CA (SaaS products, public cloud infrastructure, and so on): with the option enabled, QRadar skips chain verification, so the AMQP user name and password are sent to whatever answers on the configured host and port. The preferred alternative is to import the certificate: download it in PEM or DER encoded binary format and place it in the /opt/qradar/conf/trusted_certificates/ directory with a .cert or .crt file extension. |
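The following Python script is an added example and is not part of the QRadar documentation or of Cisco's API client. It takes the AMQP credentials for several event streams, builds the log source parameters named in the table above (numbering identifiers CiscoAMP1, CiscoAMP2, ... and leaving Allow Untrusted Certificates off), and stages the broker certificate under the name QRadar reads from the trusted_certificates directory, after checking that the file is actually PEM or DER. The field names of the credentials record (host, port, queue_name, user_name, password) and all sample values are assumptions constructed for the example; they do not describe real hosts or accounts.

```python
"""Build QRadar log source parameters for Cisco AMP event streams from AMQP credentials.

Added example, not part of the IBM QRadar documentation or of Cisco's API client.
The shape of the AMQP credentials record (host, port, queue_name, user_name,
password) is an assumption; the sample values below are constructed.
"""
import os
import tempfile

TRUSTED_CERT_DIR = "/opt/qradar/conf/trusted_certificates"  # directory named on the page
DEFAULT_EPS_THROTTLE = 5000                                  # documented default
REQUIRED_FIELDS = ("host", "port", "queue_name", "user_name", "password")

# Constructed sample records (hypothetical hosts, queues, users and passwords).
SAMPLE_AMQP_CREDENTIALS = [
    {"host": "amqp.example.invalid", "port": 5671, "queue_name": "event_stream_a",
     "user_name": "stream-user-a", "password": "s3cret-a"},
    {"host": "amqp.example.invalid", "port": 5671, "queue_name": "event_stream_b",
     "user_name": "stream-user-b", "password": "s3cret-b"},
]


def plan_log_sources(creds_list, name_prefix="CiscoAMP", eps_throttle=DEFAULT_EPS_THROTTLE):
    """Return one parameter dict per event stream, keyed by the table's parameter names.

    Identifiers are numbered CiscoAMP1, CiscoAMP2, ... as the page suggests.
    'Allow Untrusted Certificates' is always False: the broker certificate is
    imported into the trust store instead (see stage_certificate).
    """
    if not isinstance(eps_throttle, int) or eps_throttle <= 0:
        raise ValueError("EPS Throttle must be a positive integer")
    plans = []
    for n, creds in enumerate(creds_list, start=1):
        missing = [f for f in REQUIRED_FIELDS if not creds.get(f)]
        if missing:
            raise ValueError(f"credentials record {n} is missing {missing}")
        port = int(creds["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"record {n}: port {port} out of range")
        plans.append({
            "Log Source Type": "Cisco AMP",
            "Protocol Configuration": "RabbitMQ",
            "Log Source Identifier": f"{name_prefix}{n}",
            "Event Format": "Cisco AMP",
            "IP or Hostname": creds["host"],
            "Port": port,
            "Queue": creds["queue_name"],
            "Username": creds["user_name"],
            "Password": creds["password"],
            "EPS Throttle": eps_throttle,
            "Allow Untrusted Certificates": False,
        })
    return plans


def detect_certificate_format(cert_bytes):
    """Classify a downloaded certificate as 'PEM' or 'DER'; raise for anything else.

    PEM is base64 text between BEGIN/END CERTIFICATE lines; DER is a binary
    ASN.1 SEQUENCE, whose first byte is 0x30.
    """
    if (b"-----BEGIN CERTIFICATE-----" in cert_bytes
            and b"-----END CERTIFICATE-----" in cert_bytes):
        return "PEM"
    if cert_bytes[:1] == b"\x30":
        return "DER"
    raise ValueError("not a PEM or DER encoded certificate")


def trusted_certificate_path(basename, dest_dir=TRUSTED_CERT_DIR):
    """Map a downloaded file name onto the name QRadar will pick up.

    Only .cert and .crt extensions are read from the directory, so anything
    else (.pem, .cer, no extension) is renamed to .crt.
    """
    stem, ext = os.path.splitext(os.path.basename(basename))
    if not stem:
        raise ValueError("certificate file needs a name")
    if ext.lower() not in (".cert", ".crt"):
        ext = ".crt"
    return os.path.join(dest_dir, stem + ext)


def stage_certificate(cert_bytes, basename, dest_dir=None):
    """Write the broker certificate where QRadar's trust store expects it.

    dest_dir=None stages into a temporary directory so the function can be run
    without root on a non-QRadar host; on the appliance pass TRUSTED_CERT_DIR.
    Returns (path written, detected format).
    """
    fmt = detect_certificate_format(cert_bytes)  # refuse unknown formats before writing
    if dest_dir is None:
        dest_dir = tempfile.mkdtemp(prefix="trusted_certificates_")
    path = trusted_certificate_path(basename, dest_dir)
    with open(path, "wb") as fh:
        fh.write(cert_bytes)
    return path, fmt


if __name__ == "__main__":
    for plan in plan_log_sources(SAMPLE_AMQP_CREDENTIALS):
        shown = dict(plan, Password="********")  # never echo the AMQP password
        print(shown)
```

On the appliance, call stage_certificate with dest_dir=TRUSTED_CERT_DIR and the certificate bytes downloaded from the broker; the log source can then be created with Allow Untrusted Certificates left disabled, so QRadar verifies the chain before it sends the queue credentials.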