SDEE log source parameters for Cisco IDS/IPS

Add a Cisco Intrusion Prevention System (IPS) data source in QRadar® Log Insights by using the Security Device Event Exchange (SDEE) connector.
The following table describes the parameters that require specific values to collect SDEE events from Cisco IDS/IPS devices:
Table 1. SDEE data source parameters for the Cisco IDS/IPS data source type
Parameter Value
Data source type Cisco Intrusion Prevention System (IPS)
Connector type SDEE
Data source Identifier Type an IP address, host name, or name to identify the SDEE event source.

The identifier helps you determine which events came from your Cisco IDS/IPS device.
URL Type the URL address to access the log source.
You must use an http or https in the URL. Here are some examples:
  • If you are using SDEE/CIDEE (for Cisco IDS v5.x and later), check that /cgi-bin/sdee-server is at the end of the URL. For example, https://www.example.com/cgi-bin/sdee-server.
  • If you are using RDEP (for Cisco IDS v4.0), check that /cgi-bin/event-server is at the end of the URL. For example, https://www.example.com/cgi-bin/event-server.
Username Type the user name.

This user name must match the SDEE URL user name that is used to access the SDEE URL. The user name can be up to 255 characters in length.
Password Type the user password.

This password must match the SDEE URL password that is used to access the SDEE URL. The password can be up to 255 characters in length.
Events / Query Type the maximum number of events to retrieve per query.

The valid range is 0 - 501 and the default is 100.

Force Subscription Select this checkbox if you want to force a new SDEE subscription.

The checkbox forces the server to drop the least active connection and accept a new SDEE subscription connection for this data source. By default, the checkbox is selected. Clearing the checkbox continues with any existing SDEE subscription.
Severity Filter Low Select this checkbox if you want to configure the severity level as low.

Data sources that support SDEE return only the events that match this severity level. By default, the checkbox is selected.
Severity Filter Medium Select this checkbox if you want to configure the severity level as medium.

Data sources that support SDEE return only the events that match this severity level. By default, the checkbox is selected.

Severity Filter High Select this checkbox if you want to configure the severity level as high.

Data sources that support SDEE return only the events that match this severity level. By default, the checkbox is selected.

For a complete list of SDEE connector parameters and their values, see SDEE connector configuration options.

For more information about adding a data source in QRadar Log Insights, see Adding ingestion data sources.