Cisco AMP sample event message
Use this sample event to verify a successful integration with QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.
Cisco AMP sample message when you use the RabbitMQ protocol
The following sample event message shows that a DFC threat is detected.
{"id":6629038896162275332,"timestamp":1543443393,"timestamp_nanoseconds":258000000,"date":"2018-11-28T22:16:33+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection_id":"6629038896162275330","connector_guid":"connector_guid","group_guids":["group_guids"],"severity":"High","computer":{"connector_guid":"connector_guid","hostname":"example.com","external_ip":"172.16.0.0","user":"root","active":true,"network_addresses":[{"ip":"172.16.0.0","mac":"00-00-5E-00-53-00"}],"links":{"computer":"computer","trajectory":"trajectory","group":"group"}},"network_info":{"remote_ip": "172.16.0.1","remote_port": 443,"local_ip": "10.51.100.0","local_port": 55807,"nfm":{"direction":"Outgoing connection from","protocol":"UDP"},"parent":{"process_id":2608,"disposition":"Clean","file_name":"chrome.exe","identity": {"sha256": "sha256","sha1": "sha1","md5": "md5"}}}}
QRadar field name | Highlighted payload field name |
---|---|
Event ID | event_type_id |
Category | CiscoAMP |
Source IP | local_ip |
Source Port | local_port |
Network Addresses | remote_ip |
Destination Port | remote_port |
Log Source Time | timestamp |
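The following is an added example, not code from the IBM or Cisco documentation, showing how the mapping table above is applied to the sample event: it removes the carriage return and line feed characters the note warns about, parses the JSON, and pulls each QRadar field from the payload path the table names. The function names (`normalize_raw`, `map_event`), the `FIELD_MAP` dictionary, and the extra `Event Record ID` key are this example's own; the input is a constructed copy of the page's sample message with line breaks inserted to reproduce the paste problem.

```python
import json
from datetime import datetime, timezone

# Constructed input: the page's sample "DFC Threat Detected" event, split
# across lines with \r\n to reproduce the copy/paste problem the note describes.
RAW_EVENT = (
    '{"id":6629038896162275332,"timestamp":1543443393,\r\n'
    '"timestamp_nanoseconds":258000000,"date":"2018-11-28T22:16:33+00:00",\r\n'
    '"event_type":"DFC Threat Detected","event_type_id":1090519084,\r\n'
    '"detection_id":"6629038896162275330","connector_guid":"connector_guid",\r\n'
    '"group_guids":["group_guids"],"severity":"High",\r\n'
    '"computer":{"connector_guid":"connector_guid","hostname":"example.com",\r\n'
    '"external_ip":"172.16.0.0","user":"root","active":true,\r\n'
    '"network_addresses":[{"ip":"172.16.0.0","mac":"00-00-5E-00-53-00"}],\r\n'
    '"links":{"computer":"computer","trajectory":"trajectory","group":"group"}},\r\n'
    '"network_info":{"remote_ip": "172.16.0.1","remote_port": 443,\r\n'
    '"local_ip": "10.51.100.0","local_port": 55807,\r\n'
    '"nfm":{"direction":"Outgoing connection from","protocol":"UDP"},\r\n'
    '"parent":{"process_id":2608,"disposition":"Clean","file_name":"chrome.exe",\r\n'
    '"identity": {"sha256": "sha256","sha1": "sha1","md5": "md5"}}}}\r\n'
)

# QRadar field -> dotted path into the event, following the mapping table above.
# "Category" is the constant CiscoAMP rather than a payload field, so it is
# set directly in map_event(). This dictionary is the example's own structure.
FIELD_MAP = {
    "Event ID": "event_type_id",
    "Source IP": "network_info.local_ip",
    "Source Port": "network_info.local_port",
    "Network Addresses": "network_info.remote_ip",
    "Destination Port": "network_info.remote_port",
    "Log Source Time": "timestamp",
}


def normalize_raw(raw: str) -> str:
    """Strip the carriage returns / line feeds the note says must be removed."""
    return raw.replace("\r", "").replace("\n", "")


def lookup(obj, dotted: str):
    """Walk a dotted path such as 'network_info.local_ip' into the parsed event."""
    for key in dotted.split("."):
        obj = obj[key]
    return obj


def map_event(raw: str) -> dict:
    """Parse one raw event and return the QRadar field view of it."""
    event = json.loads(normalize_raw(raw))
    mapped = {"Category": "CiscoAMP"}
    for qradar_field, path in FIELD_MAP.items():
        mapped[qradar_field] = lookup(event, path)
    # timestamp is epoch seconds; render it as UTC ISO 8601 so it can be
    # compared with the event's own "date" field.
    mapped["Log Source Time"] = datetime.fromtimestamp(
        event["timestamp"], tz=timezone.utc
    ).isoformat()
    # Extra key (not in the table): the numeric "id" exceeds 2**53, so it is
    # carried as a string to survive any downstream double-precision parser.
    mapped["Event Record ID"] = str(event["id"])
    mapped["Severity"] = event["severity"]
    mapped["Event Type"] = event["event_type"]
    return mapped


def timestamp_matches_date(raw: str) -> bool:
    """Consistency check: the epoch timestamp should agree with the date field."""
    event = json.loads(normalize_raw(raw))
    return map_event(raw)["Log Source Time"] == event["date"]


if __name__ == "__main__":
    for field, value in map_event(RAW_EVENT).items():
        print(f"{field}: {value}")
    print("timestamp agrees with date:", timestamp_matches_date(RAW_EVENT))
```

Python's `json` module keeps the 64-bit `id` exact; the string conversion is there because the value is larger than 2^53 and a consumer that stores JSON numbers as doubles would round it, which is worth checking in any parser placed in front of QRadar.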