Cisco AMP

The IBM® QRadar® DSM for Cisco Advanced Malware Protection (Cisco AMP) collects event logs from your Cisco AMP for Endpoints platform by consuming a Cisco AMP event stream over the RabbitMQ protocol.

Important: The Cisco AMP integration does not support private cloud if the Server Name Indication (SNI) is required. Contact Cisco for more details.
To integrate Cisco AMP with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download the following RPMs from the IBM support website and install them on your QRadar Console.
    Important: You need QRadar V7.2.8 Patch 9 (V7.2.8.20170726184122) or later to install the RabbitMQ Protocol RPM.
    • Protocol Common RPM
    • DSMCommon RPM
    • RabbitMQ Protocol RPM
    • Cisco AMP DSM RPM
  2. Create a Cisco AMP Client ID and API key. Alternatively, you can request access to an already created event stream from your administrator. For more information about creating these values, go to the Creating a Cisco AMP Client ID and API key procedure.
  3. Create a Cisco AMP event stream. For more information about creating the event stream, go to the Creating a Cisco AMP event stream procedure.
  4. Add a Cisco AMP log source on the QRadar Console that uses the RabbitMQ protocol, so that QRadar consumes the Cisco AMP event stream with the credentials returned when the stream was created.