Cisco AMP
The JSA DSM for Cisco Advanced Malware Protection (Cisco AMP) collects event logs from your Cisco AMP for Endpoints platform. The DSM for Cisco AMP uses the RabbitMQ protocol.
To integrate AMP with JSA, complete the following steps:
If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA Console:
- Protocol Common RPM
- DSMCommon RPM
- RabbitMQ Protocol RPM
- Cisco AMP DSM RPM
Note: You need JSA 2014.8 Patch 9 (2014.8.20170726184122) or later to install the RabbitMQ Protocol RPM.
- Create a Cisco AMP Client ID and API key. Alternatively, request access to an event stream that your administrator has already created.
- Create a Cisco AMP event stream.
- Add a Cisco AMP log source on the JSA Console to manage the Cisco AMP event stream.
Cisco AMP DSM Specifications
The following table describes the specifications for the Cisco AMP DSM.
Specification | Value
---|---
Manufacturer | Cisco
DSM | Cisco AMP
RPM name | DSM-CiscoAMP-JSA_version-build_number.noarch.rpm
Supported versions | N/A
Protocol | RabbitMQ
Event format | Cisco AMP
Recorded event types | All security events. Note: Network traffic is supported only for Device Flow Correlation (DFC) events.
Automatically discovered? | No
Includes identity? | No
Includes custom properties? | No
More information | Cisco documentation
Creating a Cisco AMP Client ID and API Key for Event Queues
A Cisco AMP administrator must create a Client ID and an API key in the Cisco AMP for Endpoints portal. These keys are used to manage queues.
If you do not have administrator privileges, request the Client ID and API key values from your administrator. If you want JSA to automatically manage the event stream, you need these values when you configure a log source in JSA.
- Log in to the Cisco AMP for Endpoints portal as an administrator.
- Click Accounts > API Credentials.
- In the API Credentials pane, click New API Credential.
- In the Application name field, type a name, and then select Read & Write. You must have read & write access to manage event streams on your Cisco AMP for Endpoints platform.
- Click Create.
- From the API Key Details section, copy the values for the 3rd Party API Client ID and the API Key. You need these values to manage queues. Treat them as credentials: together they grant read and write access to your AMP account, so store them in a secrets manager rather than in shell history or plain-text notes.
Creating a Cisco AMP Event Stream
The Cisco AMP for Endpoints API returns the Advanced Message Queuing Protocol (AMQP) credentials in several Cisco AMP for Endpoints API query responses.
- Download the curl command line tool from the curl download website. You can run the curl command on your Cisco server or on the JSA Console.
- To create a Cisco AMP event stream, run one of the following commands. You need the values from the response when you configure a log source in JSA. The command can run on any device; it does not need to run on the Event Collector.
Note: If you copy a command from this page, paste it into a text editor first and check that no stray line breaks were introduced inside the quoted JSON body. The shell does not treat a backslash as a line continuation inside single quotes, so a broken body is sent to the API verbatim and rejected.
Example 1: Default API call to get all Event IDs and all Group GUIDs in a single event stream.
curl -X POST \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -u '<CLIENTID:APIKEY>' \
  -d '{"name":"<STREAMNAME>"}' \
  'https://api.amp.cisco.com/v1/event_streams'
Example 2: API call with multiple defined Event IDs and Group GUIDs.
curl -X POST \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -u '<CLIENTID:APIKEY>' \
  -d '{"name":"<STREAMNAME>","event_type":[1090519105,1090519102,553648199,1090519112],"group_guid":["0a00a0aa-0000-000a-a000-0a0aa0a0aaa0","aa00a0aa-0000-000a-a000-0a0aa0a0aaa0"]}' \
  'https://api.amp.cisco.com/v1/event_streams'
Example 3: API call with a single defined Event ID and Group GUID.
curl -X POST \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -u '<CLIENTID:APIKEY>' \
  -d '{"name":"<STREAMNAME>","event_type":[1090519112],"group_guid":["aa00a0aa-0000-000a-a000-0a0aa0a0aaa0"]}' \
  'https://api.amp.cisco.com/v1/event_streams'
When you run the command, set the following values:
- <STREAMNAME> is a name of your choosing for the event stream.
- event_type is an optional list of numeric Cisco AMP event type IDs to include in the stream. Omit it to receive all event types.
- group_guid is an optional list of group GUIDs whose events you want in the stream. You can query the Cisco AMP API to find group GUID values, or omit it to receive events from all groups.
- <CLIENTID:APIKEY> is the Client ID and the API key that you created, separated by a colon; curl sends them as HTTP basic authentication.
If you are in the Asia Pacific, Japan and China (APJC) region, change 'https://api.amp.cisco.com/v1/event_streams' to 'https://api.apjc.amp.cisco.com/v1/event_streams'. If you are in the European region, change 'https://api.amp.cisco.com/v1/event_streams' to 'https://api.eu.amp.cisco.com/v1/event_streams'.
Sample query response:
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/event_streams"
    }
  },
  "data": {
    "id": 2216,
    "name": "STREAMNAME",
    "group_guids": ["0a00a8aa-0000-000a-a000-0a0aa0a0aaa0"],
    "event_types": [553648130, 554696714],
    "amqp_credentials": {
      "user_name": "1116-aa00a0000000000000a0",
      "queue_name": "event_stream_1116",
      "password": "0a0aa00a0a0aa000000a0000aa0000aa0a00000a",
      "host": "export-streaming.amp.cisco.com",
      "port": "443",
      "proto": "https"
    }
  }
}
Each log source accepts a single stream, regardless of the number of event types or group GUIDs requested for that stream. If the Cisco AMP API accepts the request and returns the amqp_credentials block, use those values to configure the JSA log source. Treat the returned password as a credential: it grants read access to every event that the stream carries.
For more information, see Cisco documentation.
- Configure a log source in JSA to manage the Cisco AMP event stream.
Cisco AMP Event Stream Configuration
Configure a log source in JSA to manage a specific event stream that you want JSA to collect events from.
To connect to a specific Cisco AMP event stream, you also need the Advanced Message Queuing Protocol (AMQP) credentials that the Cisco AMP for Endpoints API returns when the stream is created.
The Cisco AMP for Endpoints API is used to manage event streams. For more information about the queries that it supports for managing event streams, see the Cisco AMP for Endpoints API documentation.
If an issue occurs while you use the Cisco AMP for Endpoints API, contact your Cisco administrator for assistance.
The following table describes the parameters that require specific values to collect events from the Cisco AMP for Endpoints API by using the RabbitMQ protocol:
Parameter | Description
---|---
Log Source type | Cisco AMP
Protocol Configuration | RabbitMQ
Log Source Identifier | Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can be the same value as the Log Source Name. If you configure more than one Cisco AMP log source, you might identify the first as CiscoAMP1, the second as CiscoAMP2, and so on.
Event Format | You must select Cisco AMP.
IP or Hostname | The host name or IP address of the Cisco AMP for Endpoints event stream. Use the host value from the amqp_credentials section of the API response.
Port | The port of the Cisco AMP for Endpoints event stream. Use the port value from the amqp_credentials section of the API response.
Queue | The queue name of the Cisco AMP for Endpoints event stream. Use the queue_name value from the amqp_credentials section of the API response.
Username | The user name for the Cisco AMP for Endpoints event stream. Use the user_name value from the amqp_credentials section of the API response.
Password | The password for the Cisco AMP for Endpoints event stream. Use the password value from the amqp_credentials section of the API response.
EPS Throttle | The upper limit for the number of events per second (EPS) that JSA accepts from this log source. The default is 5000.
Automatically Acquire Server Certificate(s) | Select Yes for JSA to automatically download the server certificate and begin trusting the target server. This is a trust-on-first-use download: confirm that the certificate JSA retrieved is the one issued for the Cisco export-streaming host before you rely on it.
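The following Python script is added here as a worked example; it is not Juniper or Cisco code. It does what the curl commands and the log source table above describe by hand: it builds the POST /v1/event_streams request for the chosen region, validates group GUIDs before they are sent (a mistyped GUID would otherwise create a stream bound to nothing), serializes the body with json.dumps so no shell line-continuation characters can leak into it, and maps the amqp_credentials in the response onto the JSA log source fields. The region table, the function names and the is_valid_guid rule are this example's own assumptions; SAMPLE_RESPONSE is constructed from the page's sample response, placeholder values included.

```python
"""Provision a Cisco AMP for Endpoints event stream and derive the JSA
RabbitMQ log source parameters from the API response.

Added example for this page, not Juniper or Cisco code. The endpoint path,
the request fields (name, event_type, group_guid) and the amqp_credentials
response shape are taken from the page; everything else is an assumption.
"""
import base64
import json
import re
import urllib.request

# Regional API hosts named on the page (assumption: "us" is the default region).
REGION_BASE_URLS = {
    "us": "https://api.amp.cisco.com",
    "eu": "https://api.eu.amp.cisco.com",
    "apjc": "https://api.apjc.amp.cisco.com",
}

# Assumption: group GUIDs are standard 8-4-4-4-12 hex UUIDs.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def is_valid_guid(guid):
    """True when guid has the 8-4-4-4-12 hex shape; catches the garbled copies."""
    return bool(GUID_RE.match(guid.lower()))


def build_event_stream_request(name, region="us", event_types=(), group_guids=()):
    """Return {"url", "body", "headers"} for POST /v1/event_streams.

    event_types and group_guids are optional, matching the page's Example 1
    (omit both to receive every event type from every group).
    """
    if region not in REGION_BASE_URLS:
        raise ValueError("unknown region %r" % region)
    body = {"name": name}
    if event_types:
        body["event_type"] = [int(e) for e in event_types]
    if group_guids:
        bad = [g for g in group_guids if not is_valid_guid(g)]
        if bad:
            raise ValueError("malformed group GUID(s): %s" % ", ".join(bad))
        body["group_guid"] = list(group_guids)
    return {
        "url": REGION_BASE_URLS[region] + "/v1/event_streams",
        "body": body,
        "headers": {"Accept": "application/json", "Content-Type": "application/json"},
    }


def create_event_stream(client_id, api_key, name, region="us", event_types=(), group_guids=()):
    """Send the request with HTTP basic auth (Client ID : API key), as curl -u does.

    This is the only network call in the file; it is not exercised offline.
    """
    req = build_event_stream_request(name, region, event_types, group_guids)
    token = base64.b64encode(("%s:%s" % (client_id, api_key)).encode()).decode()
    headers = dict(req["headers"], Authorization="Basic " + token)
    data = json.dumps(req["body"]).encode()  # never hand-typed JSON with continuations
    http_req = urllib.request.Request(req["url"], data=data, headers=headers, method="POST")
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return json.load(resp)


# Constructed: mirrors the page's sample response, placeholder values included.
SAMPLE_RESPONSE = {
    "version": "v1.2.0",
    "metadata": {"links": {"self": "https://api.amp.cisco.com/v1/event_streams"}},
    "data": {
        "id": 2216,
        "name": "STREAMNAME",
        "group_guids": ["0a00a8aa-0000-000a-a000-0a0aa0a0aaa0"],
        "event_types": [553648130, 554696714],
        "amqp_credentials": {
            "user_name": "1116-aa00a0000000000000a0",
            "queue_name": "event_stream_1116",
            "password": "0a0aa00a0a0aa000000a0000aa0000aa0a00000a",
            "host": "export-streaming.amp.cisco.com",
            "port": "443",
            "proto": "https",
        },
    },
}


def jsa_log_source_params(response):
    """Map amqp_credentials onto the JSA log source fields from the table above.

    Raises ValueError if the API did not return the credentials block, which is
    what a rejected or partially applied request looks like.
    """
    data = response.get("data") or {}
    creds = data.get("amqp_credentials")
    if not creds:
        raise ValueError("response carries no amqp_credentials; stream was not created")
    return {
        "Log Source Identifier": "CiscoAMP-%s" % data.get("id", data.get("name")),
        "IP or Hostname": creds["host"],
        "Port": int(creds["port"]),
        "Queue": creds["queue_name"],
        "Username": creds["user_name"],
        "Password": creds["password"],
    }
```

Usage: call create_event_stream(client_id, api_key, "jsa-stream", region="eu", event_types=[1090519112], group_guids=[...]) once with the credentials from the API Credentials page, then feed the returned dict to jsa_log_source_params and type the values into the log source form. The Password value is printed only if you print it; keep it out of logs.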
Cisco AMP Sample event message
The following table shows a sample Cisco AMP event message and how the DSM categorizes it.
Event Name | Low-level category
---|---
Threat Detected | Misc Malware
Sample log message:
{
  "id": 2833634772994537203,
  "timestamp": 1283352936,
  "timestamp_nanoseconds": 193372272,
  "date": "2030-10-29T17:11:20+00:00",
  "event_type": "Threat Detected",
  "event_type_id": 1090519054,
  "detection": "Simple_Custom_Detection",
  "detection_id": "1923173113799513612",
  "connector_guid": "zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz",
  "group_guids": ["zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz"],
  "computer": {
    "connector_guid": "zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz",
    "hostname": "example",
    "external_ip": "192.0.2.0",
    "user": "pqrsDSP@Cisco-DSC",
    "active": true,
    "network_addresses": [{"ip": "192.0.2.111", "mac": "00-00-5E-00-00-00"}],
    "links": {
      "computer": "https://api.amp.cisco.com/v1/computers/zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz",
      "trajectory": "https://api.amp.cisco.com/v1/computers/30g39a2d-b213-4p89-91z5-32a13x28o1v7/trajectory",
      "group": "https://api.amp.cisco.com/v1/groups/zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz"
    }
  },
  "file": {
    "disposition": "Blacklisted",
    "file_name": "filename.pdf or virus.pdf",
    "file_path": "C:\\",
    "identity": {"sha256": "sha:256", "sha1": "sha:1", "md5": "md5"},
    "parent": {
      "process_id": 9917,
      "disposition": "Clean",
      "file_name": "virus.exe",
      "identity": {"sha256": "sha:256", "sha1": "sha:1", "md5": "md5"}
    }
  }
}
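To show what an analyst can get out of a Threat Detected event of the shape above, the following Python script, added here as an example and not part of the DSM, flattens the nested computer/file/parent structure into one record and derives simple triage flags from it. The flag rules (act on Malicious or Blacklisted dispositions, review a parent that AMP rated Clean but that produced a blocked file, mark custom-list hits) are this example's own assumptions, and SAMPLE_EVENT is constructed from the page's sample, placeholder hashes and GUIDs included.

```python
"""Flatten a Cisco AMP 'Threat Detected' event and derive triage flags.

Added example for this page, not DSM code. The field names come from the
sample event on the page; the triage rules are this example's assumptions.
"""
import json

# Constructed: the page's sample Threat Detected event with its placeholder values.
SAMPLE_EVENT = r'''{"id":2833634772994537203,"timestamp":1283352936,
"timestamp_nanoseconds":193372272,"date":"2030-10-29T17:11:20+00:00",
"event_type":"Threat Detected","event_type_id":1090519054,
"detection":"Simple_Custom_Detection","detection_id":"1923173113799513612",
"connector_guid":"zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz",
"group_guids":["zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz"],
"computer":{"connector_guid":"zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz",
"hostname":"example","external_ip":"192.0.2.0","user":"pqrsDSP@Cisco-DSC",
"active":true,"network_addresses":[{"ip":"192.0.2.111","mac":"00-00-5E-00-00-00"}],
"links":{"computer":"https://api.amp.cisco.com/v1/computers/zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz",
"trajectory":"https://api.amp.cisco.com/v1/computers/30g39a2d-b213-4p89-91z5-32a13x28o1v7/trajectory",
"group":"https://api.amp.cisco.com/v1/groups/zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz"}},
"file":{"disposition":"Blacklisted","file_name":"filename.pdf or virus.pdf",
"file_path":"C:\\","identity":{"sha256":"sha:256","sha1":"sha:1","md5":"md5"},
"parent":{"process_id":9917,"disposition":"Clean","file_name":"virus.exe",
"identity":{"sha256":"sha:256","sha1":"sha:1","md5":"md5"}}}}'''

# Assumption: dispositions that warrant blocking the hash elsewhere.
ACTIONABLE_DISPOSITIONS = {"Malicious", "Blacklisted"}


def parse_threat_event(raw):
    """Return a flat record; missing sub-objects become None rather than KeyError."""
    ev = json.loads(raw)
    comp = ev.get("computer") or {}
    f = ev.get("file") or {}
    parent = f.get("parent") or {}
    return {
        "event_type": ev.get("event_type"),
        "event_type_id": ev.get("event_type_id"),
        "date": ev.get("date"),
        "detection": ev.get("detection"),
        "connector_guid": ev.get("connector_guid"),
        "hostname": comp.get("hostname"),
        "user": comp.get("user"),
        "external_ip": comp.get("external_ip"),
        "internal_ips": [a.get("ip") for a in comp.get("network_addresses") or []],
        "file_name": f.get("file_name"),
        "file_path": f.get("file_path"),
        "file_sha256": (f.get("identity") or {}).get("sha256"),
        "disposition": f.get("disposition"),
        "parent_name": parent.get("file_name"),
        "parent_pid": parent.get("process_id"),
        "parent_sha256": (parent.get("identity") or {}).get("sha256"),
        "parent_disposition": parent.get("disposition"),
    }


def triage_flags(rec):
    """Derive follow-up actions from a parsed record (rules are assumptions)."""
    flags = []
    if rec["event_type"] != "Threat Detected":
        return flags
    if rec["disposition"] in ACTIONABLE_DISPOSITIONS and rec["file_sha256"]:
        flags.append("block-hash:%s" % rec["file_sha256"])
    # A parent AMP rated Clean that produced a blocked file may be a dropper.
    if rec["parent_name"] and rec["parent_disposition"] == "Clean":
        flags.append("review-parent:%s" % rec["parent_name"])
    if (rec["detection"] or "").startswith("Simple_Custom_Detection"):
        flags.append("custom-detection")
    return flags
```

The parser uses .get throughout because AMP events for other event_type_id values carry only a subset of these objects; a record with None fields is still usable for correlation on hostname or connector_guid.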