Cisco AMP event stream configuration

Configure a log source in QRadar® to manage a specific event stream that you want QRadar to collect events from.

To connect to a specific Cisco AMP event stream, you also need to have access to the Advanced Message Queuing Protocol (AMQP) credentials that are provided by the Cisco AMP for Endpoints API.

The Cisco AMP for Endpoints API is used to manage event streams. For more information about supported queries to manage event streams with the Cisco AMP for Endpoints API, see Cisco AMP for Endpoints API (https://api-docs.amp.cisco.com/).
Important: If an issue occurs while you use the Cisco AMP for Endpoints API, contact your Cisco administrator for assistance. For Cisco contact information, see Cisco Support (https://www.cisco.com/c/en/us/support/security/fireamp-endpoints/tsd-products-support-series-home.html).
The following table describes the parameters that require specific values to collect events from the Cisco AMP for Endpoints API by using the RabbitMQ protocol:
Table 1. RabbitMQ protocol log source parameters

Log Source Type
    Cisco AMP

Protocol Configuration
    RabbitMQ

Log Source Identifier
    Type a unique name for the log source.

    The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If more than one Cisco AMP log source is configured, you might identify the first log source as CiscoAMP1, the second log source as CiscoAMP2, and so on.

Event Format
    You must select Cisco AMP.

IP or Hostname
    The IP address or host name that is used for the Cisco AMP for Endpoints API event stream. You can find the IP or host name in the AMQP credentials field. For more information about AMQP credentials, see Creating a Cisco AMP event stream.

Port
    The port that is used for the Cisco AMP for Endpoints API event stream. You can find the port number in the AMQP credentials field. For more information about AMQP credentials, see Creating a Cisco AMP event stream.

Queue
    The queue name that is used for the Cisco AMP for Endpoints API event stream. You can find the queue name value in the AMQP credentials field. For more information about AMQP credentials, see Creating a Cisco AMP event stream.

Username
    The user name that is used for the Cisco AMP for Endpoints API event stream. You can find the user name value in the AMQP credentials field. For more information about AMQP credentials, see Creating a Cisco AMP event stream.

Password
    The password that is used for the Cisco AMP for Endpoints API event stream. You can find the password value in the AMQP credentials field. For more information about AMQP credentials, see Creating a Cisco AMP event stream.

EPS Throttle
    The upper limit for the maximum number of events per second (EPS). The default is 5000.

Automatically Acquire Server Certificate(s)
    Select Yes for QRadar to automatically download the server certificate and begin trusting the target server.

    If you select No, server certificates are not retrieved.
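The following Python script is an added example and is not part of the IBM QRadar documentation or of the Cisco AMP for Endpoints API. It takes an AMQP credentials block as it might be returned when an event stream is created, maps it onto the RabbitMQ log source parameters in Table 1, checks the values an administrator would otherwise verify by hand (every credential field present, port in range, EPS Throttle positive), picks the next unused CiscoAMPn identifier when several log sources exist, and flags the case where server certificates will not be retrieved. The credential field names (user_name, queue_name, password, host, port) and all sample values are assumptions constructed for this example; check the API reference for the exact response schema.

```python
import json

# Constructed sample of an AMQP credentials block (field names assumed for
# this example; values are placeholders, not real credentials).
SAMPLE_AMQP_CREDENTIALS = json.dumps({
    "user_name": "stream-user-EXAMPLE",
    "queue_name": "event_stream_EXAMPLE",
    "password": "EXAMPLE-PASSWORD",
    "host": "amqp.example.invalid",
    "port": 443,
})

# Fields that Table 1 needs from the AMQP credentials (assumed names).
REQUIRED_FIELDS = ("user_name", "queue_name", "password", "host", "port")


def next_identifier(existing, prefix="CiscoAMP"):
    """Return the next unused identifier of the form CiscoAMP1, CiscoAMP2, ...
    so that each Cisco AMP log source gets a unique Log Source Identifier."""
    n = 1
    while f"{prefix}{n}" in existing:
        n += 1
    return f"{prefix}{n}"


def build_log_source(amqp_credentials_json, identifier, eps_throttle=5000,
                     acquire_certificate=True):
    """Map AMQP credentials onto the Table 1 parameters.

    Returns (parameters, warnings). Raises ValueError when a credential
    field is missing or a value is outside its valid range, so that a bad
    log source is caught before it is created in QRadar.
    """
    creds = json.loads(amqp_credentials_json)
    missing = [f for f in REQUIRED_FIELDS if creds.get(f) in (None, "")]
    if missing:
        raise ValueError("AMQP credentials missing fields: " + ", ".join(missing))

    port = int(creds["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not isinstance(eps_throttle, int) or eps_throttle <= 0:
        raise ValueError("EPS Throttle must be a positive integer")

    params = {
        "Log Source Type": "Cisco AMP",
        "Protocol Configuration": "RabbitMQ",
        "Log Source Identifier": identifier,
        "Event Format": "Cisco AMP",
        "IP or Hostname": creds["host"],
        "Port": port,
        "Queue": creds["queue_name"],
        "Username": creds["user_name"],
        "Password": creds["password"],
        "EPS Throttle": eps_throttle,
        "Automatically Acquire Server Certificate(s)":
            "Yes" if acquire_certificate else "No",
    }

    warnings = []
    if not acquire_certificate:
        # Table 1: with No, server certificates are not retrieved, so the
        # stream's TLS trust has to be established some other way first.
        warnings.append("server certificate will not be retrieved; establish "
                        "trust for the target server before expecting events")
    return params, warnings


def redacted(params):
    """Copy of the parameters that is safe to paste into a ticket or log."""
    return {k: ("********" if k == "Password" else v) for k, v in params.items()}


if __name__ == "__main__":
    ident = next_identifier({"CiscoAMP1"})
    parameters, notes = build_log_source(SAMPLE_AMQP_CREDENTIALS, ident,
                                         acquire_certificate=False)
    for key, value in redacted(parameters).items():
        print(f"{key}: {value}")
    for note in notes:
        print("WARNING:", note)
```

The script never prints the password; use redacted() for anything that leaves the administrator's session, since the AMQP password grants read access to the entire event stream.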