Cisco AMP sample event message

Use this sample event to verify a successful integration with QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

Cisco AMP sample message when you use the RabbitMQ protocol

The following sample event message shows a DFC Threat Detected event.

{"id":6629038896162275332,"timestamp":1543443393,"timestamp_nanoseconds":258000000,"date":"2018-11-28T22:16:33+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection_id":"6629038896162275330","connector_guid":"connector_guid","group_guids":["group_guids"],"severity":"High","computer":{"connector_guid":"connector_guid","hostname":"example.com","external_ip":"172.16.0.0","user":"root","active":true,"network_addresses":[{"ip":"172.16.0.0","mac":"00-00-5E-00-53-00"}],"links":{"computer":"computer","trajectory":"trajectory","group":"group"}},"network_info":{"remote_ip": "172.16.0.1","remote_port": 443,"local_ip": "10.51.100.0","local_port": 55807,"nfm":{"direction":"Outgoing connection from","protocol":"UDP"},"parent":{"process_id":2608,"disposition":"Clean","file_name":"chrome.exe","identity": {"sha256": "sha256","sha1": "sha1","md5": "md5"}}}}
Table 1. Highlighted values in the Cisco AMP sample event message

QRadar field name      Highlighted payload field name
-----------------      ------------------------------
Event ID               event_type_id
Category               CiscoAMP
Source IP              local_ip
Source Port            local_port
Network Addresses      remote_ip
Destination Port       remote_port
Log Source Time        timestamp
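As an added example (not part of the IBM documentation or of Cisco AMP itself), the following Python script takes an abbreviated, constructed copy of the sample event above that has been broken across lines with carriage returns, strips them as the note above instructs, and extracts the payload fields that Table 1 maps to QRadar fields, converting the epoch timestamp so it can be compared with the event's own "date" value. The FIELD_MAP paths and the helper names are the example's own.

```python
import json
from datetime import datetime, timezone

# Constructed, abbreviated copy of the sample event above, deliberately split
# across lines with CR/LF to mimic the formatting problem the note describes.
RAW_EVENT = (
    '{"id":6629038896162275332,"timestamp":1543443393,\r\n'
    '"event_type":"DFC Threat Detected","event_type_id":1090519084,\r\n'
    '"severity":"High","computer":{"hostname":"example.com"},\r\n'
    '"network_info":{"remote_ip":"172.16.0.1","remote_port":443,\r\n'
    '"local_ip":"10.51.100.0","local_port":55807,\r\n'
    '"nfm":{"direction":"Outgoing connection from","protocol":"UDP"}}}\r\n'
)

# Table 1 mapping: QRadar field name -> path of the payload field in the JSON.
# (Paths are the example's own reading of where each field sits in the event.)
FIELD_MAP = {
    "Event ID": ("event_type_id",),
    "Source IP": ("network_info", "local_ip"),
    "Source Port": ("network_info", "local_port"),
    "Network Addresses": ("network_info", "remote_ip"),
    "Destination Port": ("network_info", "remote_port"),
    "Log Source Time": ("timestamp",),
}

def normalize(raw):
    """Remove carriage returns and line feeds so the event is one JSON line."""
    return raw.replace("\r", "").replace("\n", "")

def lookup(event, path):
    """Walk a tuple of keys down into the parsed event."""
    for key in path:
        event = event[key]
    return event

def map_event(raw):
    """Parse one AMP event and return the QRadar fields listed in Table 1."""
    event = json.loads(normalize(raw))
    fields = {name: lookup(event, path) for name, path in FIELD_MAP.items()}
    fields["Category"] = "CiscoAMP"  # fixed value in Table 1, not a payload field
    # Epoch seconds -> ISO 8601 UTC, directly comparable with the "date" field.
    fields["Log Source Time"] = datetime.fromtimestamp(
        fields["Log Source Time"], tz=timezone.utc).isoformat()
    return fields

if __name__ == "__main__":
    for name, value in map_event(RAW_EVENT).items():
        print(f"{name:18} {value}")
```

If json.loads raises an error on the pasted sample, a stray line break or a truncated copy is the usual cause; normalize() only removes CR/LF, it does not repair a cut-off message.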