SDEE log source parameters for Cisco IDS/IPS

If QRadar does not automatically detect the log source, add a Cisco Intrusion Prevention System (IPS) log source on the QRadar Console by using the Security Device Event Exchange (SDEE) protocol.
The following table describes the parameters that require specific values to collect SDEE events from Cisco IDS/IPS devices:
Table 1. SDEE log source parameters for the Cisco IDS/IPS DSM
Parameter: Value

Log Source type: Cisco Intrusion Prevention System (IPS)

Protocol Configuration: SDEE

Log Source Identifier: Type an IP address, host name, or name to identify the SDEE event source. The identifier helps you determine which events came from your Cisco IDS/IPS device.

URL: Type the URL that QRadar uses to access the SDEE source. The URL must begin with http:// or https://. Use https wherever the device supports it, because the SDEE user name, password, and event data otherwise cross the network in clear text. Examples:
  • If you are using SDEE/CIDEE (for Cisco IDS/IPS v5.x and later), check that the URL ends in /cgi-bin/sdee-server. For example, https://www.example.com/cgi-bin/sdee-server.
  • If you are using RDEP (for Cisco IDS v4.0), check that the URL ends in /cgi-bin/event-server. For example, https://www.example.com/cgi-bin/event-server.

Username: Type the user name. This user name must match the user name that is used to access the SDEE URL. The user name can be up to 255 characters in length.

Password: Type the password. This password must match the password that is used to access the SDEE URL. The password can be up to 255 characters in length.

Events / Query: Type the maximum number of events to retrieve per query. The valid range is 0 - 501 and the default is 100.

Force Subscription: Select this check box to force a new SDEE subscription. When the check box is selected, the server drops the least active connection and accepts a new SDEE subscription connection for this log source. By default, the check box is selected. Clear the check box to continue with any existing SDEE subscription.

Severity Filter Low: Select this check box to collect events of severity low. Log sources that support SDEE return only the events that match the selected severity levels. By default, the check box is selected.

Severity Filter Medium: Select this check box to collect events of severity medium. Log sources that support SDEE return only the events that match the selected severity levels. By default, the check box is selected.

Severity Filter High: Select this check box to collect events of severity high. Log sources that support SDEE return only the events that match the selected severity levels. By default, the check box is selected.
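To make the constraints in the table concrete, the following is an added example in Python (it is not part of the IBM documentation and not QRadar code) that validates a Cisco IDS/IPS log source definition before it is entered in the Console: it checks the URL scheme and endpoint path (SDEE/CIDEE versus RDEP), the 255-character credential limits, the Events / Query range, and the severity filters, and it warns when the URL uses http because the SDEE credentials would then be sent in clear text. The SdeeLogSource class, the validate function, and the sample log sources are constructed for this example and are not QRadar APIs.

```python
"""Validate a QRadar SDEE log source definition against the parameter table.

Added example; the class, functions and sample data below are constructed for
illustration and are not part of QRadar or the IBM documentation.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Endpoint paths named in the parameter table.
SDEE_PATH = "/cgi-bin/sdee-server"    # SDEE/CIDEE, Cisco IDS/IPS v5.x and later
RDEP_PATH = "/cgi-bin/event-server"   # RDEP, Cisco IDS v4.0
MAX_CREDENTIAL_LEN = 255              # limit for both user name and password
EVENTS_PER_QUERY_RANGE = (0, 501)     # valid range of Events / Query (default 100)


@dataclass
class SdeeLogSource:
    """One Cisco IDS/IPS log source as entered in the QRadar Console (hypothetical type)."""
    identifier: str
    url: str
    username: str
    password: str
    events_per_query: int = 100
    force_subscription: bool = True
    severity_low: bool = True
    severity_medium: bool = True
    severity_high: bool = True


def selected_severities(src):
    """Severity levels that the selected filter check boxes will request."""
    return [name for name, on in (("low", src.severity_low),
                                  ("medium", src.severity_medium),
                                  ("high", src.severity_high)) if on]


def validate(src):
    """Check a log source against the table's constraints.

    Returns a dict with the detected protocol variant ('SDEE/CIDEE', 'RDEP' or
    None), the selected severities, a list of errors (values the table does not
    allow) and a list of warnings (allowed, but worth changing for security).
    """
    errors, warnings = [], []

    if not src.identifier.strip():
        errors.append("Log Source Identifier is empty")

    parts = urlsplit(src.url)
    if parts.scheme not in ("http", "https"):
        errors.append(f"URL scheme must be http or https, got {parts.scheme!r}")
    elif parts.scheme == "http":
        warnings.append("URL uses http: the SDEE user name, password and event "
                        "data cross the network in clear text; use https")
    if not parts.hostname:
        errors.append("URL has no host")

    variant = None
    if parts.path.endswith(SDEE_PATH):
        variant = "SDEE/CIDEE"
    elif parts.path.endswith(RDEP_PATH):
        variant = "RDEP"
    else:
        errors.append(f"URL path must end in {SDEE_PATH} (SDEE/CIDEE) "
                      f"or {RDEP_PATH} (RDEP)")

    for label, value in (("Username", src.username), ("Password", src.password)):
        if not value:
            errors.append(f"{label} is empty")
        elif len(value) > MAX_CREDENTIAL_LEN:
            errors.append(f"{label} exceeds {MAX_CREDENTIAL_LEN} characters")

    lo, hi = EVENTS_PER_QUERY_RANGE
    if not lo <= src.events_per_query <= hi:
        errors.append(f"Events / Query must be in {lo} - {hi}, got {src.events_per_query}")

    # Inferred from the table: the source returns only events matching a
    # selected severity, so clearing all three filters collects nothing.
    severities = selected_severities(src)
    if not severities:
        errors.append("No Severity Filter selected: the source would return no events")

    return {"variant": variant, "severities": severities,
            "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample definitions (example.com and 192.0.2.10 are documentation addresses).
    samples = [
        SdeeLogSource("ips-dc1", "https://www.example.com/cgi-bin/sdee-server", "qradar", "s3cret"),
        SdeeLogSource("ids-legacy", "http://192.0.2.10/cgi-bin/event-server", "qradar", "s3cret",
                      severity_low=False),
        SdeeLogSource("broken", "ftp://www.example.com/sdee", "u" * 256, "", events_per_query=502),
    ]
    for s in samples:
        print(s.identifier, validate(s))
```

Run the module directly to see the three sample results; the second source is accepted but carries the clear-text warning, and the third fails on scheme, path, credential length, empty password, and the Events / Query range.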

For a complete list of SDEE protocol parameters and their values, see SDEE protocol configuration options.