
Cisco AMP


The JSA DSM for Cisco Advanced Malware Protection (Cisco AMP) collects event logs from your Cisco AMP for Endpoints platform. The Cisco AMP DSM uses the RabbitMQ protocol to read events from an AMQP event stream that Cisco AMP provides.

To integrate AMP with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA Console:

    Note

    You need JSA 2014.8 Patch 9 (2014.8.20170726184122) or later to install the RabbitMQ Protocol RPM.

    • Protocol Common RPM

    • DSMCommon RPM

    • RabbitMQ Protocol RPM

    • Cisco AMP DSM RPM

  2. Create a Cisco AMP Client ID and API key. Alternatively, you can request access to an already created event stream from your administrator.
  3. Create a Cisco AMP event stream.
  4. Add a Cisco AMP log source on the JSA Console for a user to manage the Cisco AMP event stream.

Creating a Cisco AMP Client ID and API Key for Event Queues

A Cisco AMP administrator must create a Client ID and an API key in the Cisco AMP for Endpoints Portal. These keys are used to manage queues.

If you do not have Administrator privileges, request the Client ID and API key values from your Administrator. If you want JSA to automatically manage the event stream, you need these values when you configure a log source in JSA.

  1. Log in to the Cisco AMP for Endpoints Portal as an administrator.
  2. Click Accounts > API Credentials.
  3. In the API Credentials pane, click New API Credential.
  4. In the Application name field, type a name, and then select Read & Write.

    Note

    You must have Read & Write access to manage event streams on your Cisco AMP for Endpoints platform. A Read-only credential can query the API but cannot create or delete event streams.

  5. Click Create.
  6. From the API Key Details section, make a note of the values for the 3rd Party API Client ID and the API Key. You need these values to manage queues. The API Key is a secret: store it in a credential vault, not in a ticket or a shared document.

Creating a Cisco AMP Event Stream

The Cisco AMP for Endpoints API returns the Advanced Message Queuing Protocol (AMQP) credentials in several Cisco AMP for Endpoints API query responses.

  1. Download the curl command-line tool from the curl download page (https://curl.se/download.html).
  2. To create a Cisco AMP event stream, type the following command. You will need the parameter values when you configure a log source in JSA.

    Where:

    • <STREAMNAME> is a name of your choosing for the event stream.

    • <group_guid> is the GUID of the Cisco AMP group whose events the stream is to carry (the sample shows it as <0a00a0aa-0000-000a000aa000-0a0aa0a0aaa0>).

    • <CLIENTID:APIKEY> is the Client ID and the API key that you created, separated by a colon. Passing the key on the command line leaves it in your shell history and visible to other users in the process list; prefer a curl configuration file (-K) or a .netrc entry (-n) that only your user can read.

    If you are in the Asia Pacific Japan and China (APJC) region, change 'https://api.amp.cisco.com/v1/event_streams' to 'https://api.apjc.amp.cisco.com/v1/event_streams'.

    If you are in the European region, change 'https://api.amp.cisco.com/v1/event_streams' to 'https://api.eu.amp.cisco.com/v1/event_streams'.

    Sample Query Response:
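The following Python example is added here to show the same event stream creation in code rather than with curl, and to turn the API response into the values the JSA log source needs; it is not code from the Juniper page or from Cisco. It assumes the request body fields are "name" and "group_guid", that the response carries the AMQP details under data.amqp_credentials with the keys user_name, queue_name, password, host, port and proto, and that the Client ID and API key are read from the environment variables AMP_CLIENT_ID and AMP_API_KEY (all assumptions). The sample response embedded below is constructed, not captured from a real tenant.

```python
import base64
import json
import os
import urllib.request

# Regional API endpoints named in the procedure above.
API_BASE = {
    "us": "https://api.amp.cisco.com",
    "eu": "https://api.eu.amp.cisco.com",
    "apjc": "https://api.apjc.amp.cisco.com",
}

# Constructed sample response (not from a real tenant). The field names are an
# assumption about the shape of the event_streams API response.
SAMPLE_RESPONSE = {
    "version": "v1.2.0",
    "metadata": {"links": {"self": "https://api.amp.cisco.com/v1/event_streams"}},
    "data": {
        "id": 1,
        "name": "jsa-stream",
        "amqp_credentials": {
            "user_name": "1-abcdef0123456789",
            "queue_name": "event_stream_1",
            "password": "constructed-password",
            "host": "export-streaming.example.net",
            "port": 443,
            "proto": "amqps",
        },
    },
}


def build_create_stream_request(name, group_guids, client_id, api_key, region="us"):
    """Return the HTTP request that creates an event stream; nothing is sent here.

    The Client ID and API key travel in an HTTP Basic Authorization header, which
    is only acceptable because every endpoint above is HTTPS. The body field names
    ("name", "group_guid") are an assumption about the API.
    """
    if region not in API_BASE:
        raise ValueError("unknown region %r, expected one of %s" % (region, sorted(API_BASE)))
    body = json.dumps({"name": name, "group_guid": list(group_guids)}).encode()
    token = base64.b64encode(("%s:%s" % (client_id, api_key)).encode()).decode()
    return urllib.request.Request(
        API_BASE[region] + "/v1/event_streams",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": "Basic " + token,
        },
    )


def jsa_log_source_params(response_json):
    """Map the AMQP credentials in the response to the JSA log source fields.

    Refuses a stream that is not offered over TLS (proto != amqps): the queue
    password and every endpoint event would otherwise cross the network in clear.
    """
    creds = response_json["data"]["amqp_credentials"]
    if creds.get("proto", "amqps") != "amqps":
        raise ValueError("event stream is not offered over TLS (amqps); refusing to use it")
    return {
        "IP or Hostname": creds["host"],
        "Port": int(creds["port"]),
        "Queue": creds["queue_name"],
        "Username": creds["user_name"],
        "Password": creds["password"],
    }


def create_event_stream(name, group_guids, region="us"):
    """Build, send and map the request. Credentials come from the environment
    (assumed variable names) rather than argv, so they stay out of shell history
    and the process list."""
    client_id, api_key = os.environ["AMP_CLIENT_ID"], os.environ["AMP_API_KEY"]
    req = build_create_stream_request(name, group_guids, client_id, api_key, region)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return jsa_log_source_params(json.load(resp))


if __name__ == "__main__":
    # Offline demonstration on the constructed response; no network call is made.
    for field, value in jsa_log_source_params(SAMPLE_RESPONSE).items():
        print("%-16s %s" % (field, "********" if field == "Password" else value))
```

The dictionary returned by jsa_log_source_params uses the same labels as the log source parameters in the table in the next section, so the output can be copied field by field into the JSA log source form; the password is masked when printed so it does not end up in a terminal log.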

Configure a Log Source for a User to Manage the Cisco AMP Event Stream

Configure a log source in JSA to manage a specific event stream that you want JSA to collect events from.

To connect to a specific Cisco AMP event stream, you also need to have access to the Advanced Message Queuing Protocol (AMQP) credentials that are provided by the Cisco AMP for Endpoints API.

The Cisco AMP for Endpoints API is used to manage event streams. For more information about the supported queries, see the Cisco AMP for Endpoints API documentation.

Note

If an issue occurs while you use the Cisco AMP for Endpoints API, contact your Cisco administrator for assistance.

The following table describes the parameters that require specific values to collect events from the Cisco AMP for Endpoints API by using the RabbitMQ protocol:

Table 1: RabbitMQ Protocol Log Source Parameters

Parameter and description:

Log Source type
    Cisco AMP

Protocol Configuration
    RabbitMQ

Log Source Identifier
    Type a unique name for the log source.

    The Log Source Identifier can be any valid value and does not need to reference a specific server. It can be the same value as the Log Source Name. If you configure more than one Cisco AMP log source, you might want to identify the first log source as CiscoAMP1, the second as CiscoAMP2, and so on.

Event Format
    You must select Cisco AMP.

IP or Hostname
    The IP address or host name of the Cisco AMP for Endpoints API event stream, taken from the host value in the AMQP credentials.

Port
    The port of the event stream, taken from the port value in the AMQP credentials.

Queue
    The queue name of the event stream, taken from the queue name value in the AMQP credentials.

Username
    The user name for the event stream, taken from the user name value in the AMQP credentials.

Password
    The password for the event stream, taken from the password value in the AMQP credentials. Treat it as a secret: it grants read access to every event the stream carries.

EPS Throttle
    The upper limit for the number of events per second (EPS) that JSA accepts from this log source. The default is 5000.

Automatically Acquire Server Certificate(s)
    Select Yes for JSA to download the server certificate automatically and trust the target server from then on. JSA trusts whichever certificate the server presents when the certificate is acquired, so confirm out of band (for example by comparing the certificate fingerprint with the one the Cisco endpoint presents) that you connected to the genuine endpoint before relying on the stream.

Cisco AMP DSM Specifications

The following table describes the specifications for the Cisco AMP DSM.

Table 2: Cisco AMP DSM Specifications

Event Name
    Threat Detected

Low-level category
    Misc Malware

Sample log message
    {
      "id": 2833634772994537203,
      "timestamp": 1283352936,
      "timestamp_nanoseconds": 193372272,
      "date": "2030-10-29T17:11:20+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "Simple_Custom_Detection",
      "detection_id": "1923173113799513612",
      "connector_guid": "zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZ-zzzz",
      "group_guids": ["(zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZ-zzzz)"],
      "computer": {
        "connector_guid": "(zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZ-zzzz)",
        "hostname": "example",
        "external_ip": "192.0.2.0",
        "user": "pqrsDSP@Cisco-DSC",
        "active": true,
        "network_addresses": [{"ip": "192.0.2.111", "mac": "00-00-5E-00-00-00"}],
        "links": {
          "computer": "https://api.amp.cisco.com/v1/computers/zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZ-zzzz",
          "trajectory": "https://api.amp.cisco.com/v1/computers/30g39a2d-b213-4p89-91z5-32a13x28o1v7/trajectory",
          "group": "https://api.amp.cisco.com/v1/groups/zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZ-zzzz"
        }
      },
      "file": {
        "disposition": "Blacklisted",
        "file_name": "filename.pdf or virus.pdf",
        "file_path": "C:\\",
        "identity": {"sha256": "sha:256", "sha1": "sha:1", "md5": "md5"},
        "parent": {
          "process_id": 9917,
          "disposition": "Clean",
          "file_name": "virus.exe",
          "identity": {"sha256": "sha:256", "sha1": "sha:1", "md5": "md5"}
        }
      }
    }
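The following Python example is added here to show how the Threat Detected event in Table 2 is parsed and flattened into the fields an analyst pivots on, and how the event type is mapped to the low-level category from the table; it is not code from the Juniper page or from Cisco, and the JSA DSM does its own parsing. The event type to category map contains only the one pair the table documents. The embedded event is the page's own sample, reassembled into valid JSON; the GUIDs and hashes are placeholders exactly as the page shows them. The triage heuristic (a malware detection whose parent process is Clean) is this example's own, not a rule the page states.

```python
import json

# Event type to JSA low-level category, from Table 2 above. Anything else maps
# to "Unknown" rather than being silently mis-categorised.
LOW_LEVEL_CATEGORY = {
    "Threat Detected": "Misc Malware",
}

# The page's sample Threat Detected event, reassembled into valid JSON.
SAMPLE_EVENT = r'''
{"id": 2833634772994537203, "timestamp": 1283352936, "timestamp_nanoseconds": 193372272,
 "date": "2030-10-29T17:11:20+00:00", "event_type": "Threat Detected", "event_type_id": 1090519054,
 "detection": "Simple_Custom_Detection", "detection_id": "1923173113799513612",
 "connector_guid": "zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZ-zzzz",
 "group_guids": ["(zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZ-zzzz)"],
 "computer": {"connector_guid": "(zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZ-zzzz)", "hostname": "example",
   "external_ip": "192.0.2.0", "user": "pqrsDSP@Cisco-DSC", "active": true,
   "network_addresses": [{"ip": "192.0.2.111", "mac": "00-00-5E-00-00-00"}],
   "links": {"computer": "https://api.amp.cisco.com/v1/computers/zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZ-zzzz",
     "trajectory": "https://api.amp.cisco.com/v1/computers/30g39a2d-b213-4p89-91z5-32a13x28o1v7/trajectory",
     "group": "https://api.amp.cisco.com/v1/groups/zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZ-zzzz"}},
 "file": {"disposition": "Blacklisted", "file_name": "filename.pdf or virus.pdf", "file_path": "C:\\",
   "identity": {"sha256": "sha:256", "sha1": "sha:1", "md5": "md5"},
   "parent": {"process_id": 9917, "disposition": "Clean", "file_name": "virus.exe",
     "identity": {"sha256": "sha:256", "sha1": "sha:1", "md5": "md5"}}}}
'''


def parse_amp_event(raw):
    """Decode one message from the queue and check the fields the summary
    relies on, so a malformed event fails loudly instead of producing a
    half-empty record."""
    event = json.loads(raw)
    for key in ("event_type", "date", "computer", "file"):
        if key not in event:
            raise ValueError("AMP event is missing required field %r" % key)
    return event


def _bare_guid(guid):
    # The sample wraps some GUIDs in parentheses; strip them so the value
    # compares equal to the connector_guid used elsewhere in the event.
    return guid.strip("()")


def summarize(event):
    """Flatten the nested event into the fields an analyst pivots on."""
    computer = event["computer"]
    file_ = event["file"]
    parent = file_.get("parent") or {}
    return {
        "category": LOW_LEVEL_CATEGORY.get(event["event_type"], "Unknown"),
        "event_type": event["event_type"],
        "time": event["date"],
        "detection": event.get("detection"),
        "connector_guid": _bare_guid(event.get("connector_guid", "")),
        "group_guids": [_bare_guid(g) for g in event.get("group_guids", [])],
        "host": computer.get("hostname"),
        "user": computer.get("user"),
        "external_ip": computer.get("external_ip"),
        "internal_ips": [a["ip"] for a in computer.get("network_addresses", []) if "ip" in a],
        "file_name": file_.get("file_name"),
        "file_path": file_.get("file_path"),
        "sha256": (file_.get("identity") or {}).get("sha256"),
        "disposition": file_.get("disposition"),
        "parent_process": parent.get("file_name"),
        "parent_pid": parent.get("process_id"),
        "parent_disposition": parent.get("disposition"),
    }


def needs_triage(summary):
    """Example heuristic for what to look at first: a malware detection whose
    parent process has a Clean disposition means the process that wrote the
    file was not itself caught, so the dropper deserves a look."""
    return summary["category"] == "Misc Malware" and summary["parent_disposition"] == "Clean"


if __name__ == "__main__":
    record = summarize(parse_amp_event(SAMPLE_EVENT))
    for key, value in record.items():
        print("%-20s %s" % (key, value))
    print("needs triage:", needs_triage(record))
```

Run against the page's sample, the record lands in Misc Malware, carries the host, user, internal and external addresses, the file hash and path, and the parent process virus.exe (PID 9917, disposition Clean), and needs_triage returns True because the dropper was not flagged.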