Creating a Cisco AMP event stream

The Cisco AMP for Endpoints API returns the Advanced Message Queuing Protocol (AMQP) credentials in several Cisco AMP for Endpoints API query responses.

Procedure

  1. Download the curl command line tool from the curl download website (https://curl.haxx.se/download.html).
    You can run the curl command on your Cisco server or QRadar Console.
  2. To create a Cisco AMP event stream, type one of the following command examples. You need the parameter values when you configure a log source in IBM QRadar.
    This command can run on any device. It does not need to run on the Event Collector.
    Important: Due to formatting issues, paste the queries into a text editor and then remove any carriage return or line feed characters.

    Example 1: Default API call to get all Event IDs and all Group GUIDs in a single event stream.

    curl -X POST -H 'accept: application/json' \
      -H 'content-type: application/json' \
      -H 'accept-encoding: identity' --compressed \
      -H 'Accept-Encoding: gzip, deflate' \
      -d '{"name":"<STREAMNAME>"}' \
      -u <CLIENTID:APIKEY> \
      'https://api.amp.cisco.com/v1/event_streams'

    Example 2: API call with multiple defined Event IDs and Group GUIDs.

    curl -X POST -H 'accept: application/json' \
      -H 'content-type: application/json' \
      -H 'accept-encoding: identity' --compressed \
      -H 'Accept-Encoding: gzip, deflate' \
      -d '{"name":"<STREAMNAME>", "event_type": [1090519105, 1090519102, 553648199, 1090519112], "group_guid": ["0a00a0aa-0000-000a-a000-0a0aa0a0aaa0","aa00a0aa-0000-000a-a000-0a0aa0a0aaa0"]}' \
      -u <CLIENTID:APIKEY> \
      'https://api.amp.cisco.com/v1/event_streams'

    Example 3: API call with a single defined Event ID and Group GUID.

    curl -X POST -H 'accept: application/json' \
      -H 'content-type: application/json' \
      -H 'accept-encoding: identity' --compressed \
      -H 'Accept-Encoding: gzip, deflate' \
      -d '{"name":"<STREAMNAME>", "event_type": [1090519112], "group_guid": ["aa00a0aa-0000-000a-a000-0a0aa0a0aaa0"]}' \
      -u <CLIENTID:APIKEY> \
      'https://api.amp.cisco.com/v1/event_streams'

    Before you run the query, replace the following placeholders:
    • <STREAMNAME> is a name of your choosing for the event stream.
    • <group_guid> is the GUID of the group that you want to link to the event stream (for example, 0a00a0aa-0000-000a-a000-0a0aa0a0aaa0). You can look up group GUID values through the Cisco AMP API, or you can leave this value blank.
    • <CLIENTID:APIKEY> is the Client ID and the API key that you created.

    If you are in the Asia Pacific Japan and China (APJC) region, change 'https://api.amp.cisco.com/v1/event_streams' to 'https://api.apjc.amp.cisco.com/v1/event_streams'.

    If you are in the European region, change 'https://api.amp.cisco.com/v1/event_streams' to 'https://api.eu.amp.cisco.com/v1/event_streams'.

    Sample Query Response:

    {
       "version":"v1.2.0",
       "metadata":{
          "links":{
             "self":"https://api.amp.cisco.com/v1/event_streams"
          }
       },
       "data":{
          "id":2216,
          "name":"STREAMNAME",
          "group_guids":[
             "0a00a8aa-0000-000a-a000-0a0aa0a0aaa0"
          ],
          "event_types":[
             553648130,
             554696714
          ],
          "amqp_credentials":{
             "user_name":"1116-aa00a0000000000000a0",
             "queue_name":"event_stream_1116",
             "password":"0a0aa00a0a0aa000000a0000aa0000aa0a00000a",
             "host":"export-streaming.amp.cisco.com",
             "port":"443",
             "proto":"https"
          }
       }
    }
    

    Each log source accepts a single stream, regardless of the number of event types or group_guids requested in that stream. If the Cisco AMP API accepts the request, it returns the stream connection information (the amqp_credentials object), which you use to connect QRadar to the stream.

    For more information, see Cisco documentation (https://api-docs.amp.cisco.com/api_actions/details?api_action=POST+%2Fv1%2Fevent_streams&api_host=api.amp.cisco.com&api_resource=EventStream&api_version=v1).
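The following added example (not part of this documentation or of Cisco's tooling) builds the same POST /v1/event_streams request body as the three curl examples, validates the placeholder values before anything is sent, and pulls the AMQP connection fields out of a response shaped like the sample above. The region names in ENDPOINTS, the SAMPLE_RESPONSE constant and all function names are assumptions for illustration.

```python
import base64
import json
import re
import urllib.request

# Endpoints from this page: api.amp.cisco.com is the default; APJC and EU are regional.
ENDPOINTS = {"na": "https://api.amp.cisco.com/v1/event_streams",
             "apjc": "https://api.apjc.amp.cisco.com/v1/event_streams",
             "eu": "https://api.eu.amp.cisco.com/v1/event_streams"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def build_request_body(name, event_types=None, group_guids=None):
    """Build the JSON body for POST /v1/event_streams. Omitting event_types and
    group_guids gives Example 1 above: all event IDs and all group GUIDs."""
    if not name or not name.strip():
        raise ValueError("stream name must not be empty")
    body = {"name": name}
    if event_types:
        if not all(isinstance(e, int) and e > 0 for e in event_types):
            raise ValueError("event_type values must be positive integers")
        body["event_type"] = list(event_types)
    if group_guids:
        bad = [g for g in group_guids if not GUID_RE.match(g.lower())]
        if bad:
            raise ValueError("malformed group GUID(s): " + ", ".join(bad))
        body["group_guid"] = list(group_guids)
    return body


def create_event_stream(region, client_id, api_key, body):
    """POST the body with HTTP basic auth (Client ID:API key); returns the parsed JSON reply."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    req = urllib.request.Request(ENDPOINTS[region], data=json.dumps(body).encode(), method="POST",
                                 headers={"Accept": "application/json", "Content-Type": "application/json",
                                          "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def amqp_settings(response):
    """Return the fields the QRadar log source needs; password is a secret, keep it out of logs."""
    creds = response["data"]["amqp_credentials"]
    return {k: creds[k] for k in ("host", "port", "proto", "user_name", "queue_name", "password")}


# Constructed sample shaped like the page's sample response (credential values are placeholders).
SAMPLE_RESPONSE = {"version": "v1.2.0", "data": {"id": 2216, "name": "STREAMNAME",
    "amqp_credentials": {"user_name": "1116-aa00a0000000000000a0", "queue_name": "event_stream_1116",
    "password": "0a0aa00a0a0aa000000a0000aa0000aa0a00000a", "host": "export-streaming.amp.cisco.com",
    "port": "443", "proto": "https"}}}
```

Run create_event_stream("eu", client_id, api_key, build_request_body(...)) for the European region, then feed amqp_settings(reply) into the QRadar log source configuration.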

What to do next

Configure a log source in QRadar for a user to manage the Cisco AMP event stream.