Cisco AMP

The JSA DSM for Cisco Advanced Malware Protection (Cisco AMP) collects event logs from your Cisco AMP for Endpoints platform. The DSM for Cisco AMP uses the RabbitMQ protocol.

To integrate AMP with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA Console:

    Note:

    You need JSA 2014.8 Patch 9 (2014.8.20170726184122) or later to install the RabbitMQ Protocol.

    • Protocol Common RPM

    • DSMCommon RPM

    • Centrify Identity Platform DSM RPM

    • RabbitMQ Protocol RPM

    • Cisco AMP DSM RPM

  2. Create a Cisco AMP Client ID and API key. Alternatively, you can request access to an already created event stream from your administrator.

  3. Create a Cisco AMP event stream.

  4. Add a Cisco AMP log source on the JSA Console for a user to manage the Cisco AMP event stream.

Cisco AMP DSM Specifications

The following table describes the specifications for the Cisco AMP DSM.

Table 1: Cisco AMP DSM Specifications

Manufacturer: Cisco
DSM: Cisco AMP
RPM name: DSM-CiscoAMP-JSA_version-build_number.noarch.rpm
Supported versions: N/A
Protocol: RabbitMQ
Event format: Cisco AMP
Recorded event types: All security events
    Note: Network traffic is supported only for Data Flow Control (DCF) events.
Automatically discovered?: No
Includes identity?: No
Includes custom properties?: No
More information: https://api-docs.amp.cisco.com/

Creating a Cisco AMP Client ID and API Key for Event Queues

A Cisco AMP administrator must create a Client ID and an API key in the Cisco AMP for Endpoints portal. These keys are used to manage queues.

If you do not have administrator privileges, request the Client ID and API key values from your administrator. If you want JSA to automatically manage the event stream, you need these values when you configure a log source in JSA.

  1. Log in to the Cisco AMP for Endpoints portal as an administrator.

  2. Click Accounts > API Credentials.

  3. In the API Credentials pane, click New API Credential.

  4. In the Application name field, type a name, and then select Read & Write.

    You must have read & write access to manage event streams on your Cisco AMP for Endpoints platform.

  5. Click Create.

  6. From the API Key Details section, copy the values for the 3rd Party API Client ID and the API Key. You need these values to manage queues.

Creating a Cisco AMP Event Stream

The Cisco AMP for Endpoints API returns the Advanced Message Queuing Protocol (AMQP) credentials in several Cisco AMP for Endpoints API query responses.

  1. Download the curl command-line tool from the curl download website.

    You can run the curl command on your Cisco server or JSA Console.

  2. To create a Cisco AMP event stream, type one of the following commands. You need the parameter values when you configure a log source in JSA.

    This command can run on any device. It does not need to run on the Event Collector.

    Note:

    Due to formatting issues, paste the queries into a text editor and then remove any carriage return or line feed characters.

    Example 1: Default API call to get all Event IDs and all Group GUIDs in a single event stream.

    Example 2: API call with multiple defined Event IDs and Group GUIDs

    Example 3: API call with a single defined Event ID and Group GUID.

    When you input the query, the following values must be configured:

    • <STREAMNAME> is a name of your choosing for the event stream.

    • <group_guid> is the group GUID that you want to use to link to the <0a00a0aa-0000-000a000aa000-0a0aa0a0aaa0> event stream. You can consult your Cisco AMP API to find a group GUID value, or you can leave this value blank.

    • <CLIENTID:APIKEY> is the Client ID and the API key that you created.

    If you are in the Asia Pacific Japan and China (APJC) region, change 'https://api.amp.cisco.com/v1/event_streams' to 'https://api.apjc.amp.cisco.com/v1/event_streams'.

    If you are in the European region, change 'https://api.amp.cisco.com/v1/event_streams' to 'https://api.eu.amp.cisco.com/v1/event_streams'.

    Sample Query Response:

    Each log source can accept a single stream, regardless of the number of event types or group_guids requested in the stream. If the Cisco AMP API accepts the request and returns the stream connection information, you can use that connection information to connect to the stream.

    For more information, see Cisco documentation.

Configure a log source in JSA for a user to manage the Cisco AMP event stream.

Cisco AMP Event Stream Configuration

Configure a log source in JSA to manage a specific event stream that you want JSA to collect events from.

To connect to a specific Cisco AMP event stream, you also need to have access to the Advanced Message Queuing Protocol (AMQP) credentials that are provided by the Cisco AMP for Endpoints API.

The Cisco AMP for Endpoints API is used to manage event streams. For more information about the supported queries, see the Cisco AMP for Endpoints API documentation.

Note:

If an issue occurs while you use the Cisco AMP for Endpoints API, contact your Cisco administrator for assistance.

The following table describes the parameters that require specific values to collect events from the Cisco AMP for Endpoints API by using the RabbitMQ protocol:

Table 2: RabbitMQ Protocol Log Source Parameters

Log Source type: Cisco AMP

Protocol Configuration: RabbitMQ

Log Source Identifier: Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you have more than one Cisco AMP log source configured, you might want to identify the first log source as CiscoAMP1, the second log source as CiscoAMP2, and so on.

Event Format: You must select Cisco AMP.

IP or Hostname: The IP address or host name that is used for the Cisco AMP for Endpoints API event stream. You can find the IP or host name in the AMQP credentials field.

Port: The port that is used for the Cisco AMP for Endpoints API event stream. You can find the port number in the AMQP credentials field.

Queue: The queue name that is used for the Cisco AMP for Endpoints API event stream. You can find the queue name value in the AMQP credentials field.

Username: The user name that is used for the Cisco AMP for Endpoints API event stream. You can find the user name value in the AMQP credentials field.

Password: The password that is used for the Cisco AMP for Endpoints API event stream. You can find the password value in the AMQP credentials field.

EPS Throttle: The upper limit for the maximum number of events per second (EPS). The default is 5000.

Automatically Acquire Server Certificate(s): Select Yes for JSA to automatically download the server certificate and begin trusting the target server.
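The stream-creation call described in the previous section and the Table 2 parameter mapping, as an added Python example that is not part of this page and is not Juniper's or Cisco's code: it builds the authenticated POST to /v1/event_streams for the chosen region and maps a constructed response onto the RabbitMQ log source fields. The request body keys (name, event_type, group_guid) and the response layout (data.amqp_credentials) are assumptions to verify against the Cisco API documentation.

```python
import base64
import json
import urllib.request

# Regional endpoints named on this page (US default, EU, APJC).
EVENT_STREAM_URLS = {
    "us": "https://api.amp.cisco.com/v1/event_streams",
    "eu": "https://api.eu.amp.cisco.com/v1/event_streams",
    "apjc": "https://api.apjc.amp.cisco.com/v1/event_streams",
}


def build_event_stream_request(client_id, api_key, stream_name,
                               event_ids=(), group_guids=(), region="us"):
    """Build, without sending, the POST that creates an event stream.
    Body keys 'name', 'event_type', 'group_guid' are assumed names (check
    api-docs.amp.cisco.com); empty event_ids/group_guids means all."""
    body = {"name": stream_name}
    if event_ids:
        body["event_type"] = [int(e) for e in event_ids]
    if group_guids:
        body["group_guid"] = list(group_guids)
    # Pasted credentials often carry stray CR/LF characters (see the note
    # in the stream-creation steps); strip them before Basic-auth encoding.
    pair = f"{client_id}:{api_key}".replace("\r", "").replace("\n", "")
    token = base64.b64encode(pair.encode()).decode()
    return urllib.request.Request(
        EVENT_STREAM_URLS[region],
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "application/json"},
    )


def amqp_to_log_source(response):
    """Map the AMQP credentials in the create-stream response onto the
    Table 2 log source parameters. The layout data.amqp_credentials with
    host/port/queue_name/user_name/password is assumed, not taken from
    the page; compare it with a real response first."""
    amqp = response["data"]["amqp_credentials"]
    return {"IP or Hostname": amqp["host"], "Port": int(amqp["port"]),
            "Queue": amqp["queue_name"], "Username": amqp["user_name"],
            "Password": amqp["password"]}


# Constructed sample response; not real output from the Cisco AMP API.
SAMPLE_RESPONSE = {"data": {"id": 1, "name": "jsa-stream", "amqp_credentials": {
    "host": "export-streaming.example.test", "port": "443",
    "queue_name": "event_stream_1", "user_name": "stream-user",
    "password": "REDACTED", "proto": "https"}}}
```

Send the returned Request with urllib.request.urlopen only after the field names have been confirmed; the credentials in the response are secrets and belong in the JSA log source, not in a shell history.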

Cisco AMP Sample event message

The following table shows a sample event message for the Cisco AMP DSM.

Table 3: Cisco AMP Sample Event Message

Event Name: Threat Detected

Low-level category: Misc Malware

Sample log message:

    {
      "id": 2833634772994537203,
      "timestamp": 1283352936,
      "timestamp_nanoseconds": 193372272,
      "date": "2030-10-29T17:11:20+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "Simple_Custom_Detection",
      "detection_id": "1923173113799513612",
      "connector_guid": "zzzzZZZZ-zzzz-ZZZZ-ZZZZzzzzZZZZ-zzzz",
      "group_guids": ["(zzzzZZZZ-zzzz-ZZZZZZZZ-zzzzZZZZ-zzzz)"],
      "computer": {
        "connector_guid": "(zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz)",
        "hostname": "example",
        "external_ip": "192.0.2.0",
        "user": "pqrsDSP@Cisco-DSC",
        "active": true,
        "network_addresses": [{"ip": "192.0.2.111", "mac": "00-00-5E-00-00-00"}],
        "links": {
          "computer": "https://api.amp.cisco.com/v1/computers/zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz",
          "trajectory": "https://api.amp.cisco.com/v1/computers/30g39a2d-b213-4p89-91z5-32a13x28o1v7/trajectory",
          "group": "https://api.amp.cisco.com/v1/groups/zzzzZZZZ-zzzz-ZZZZ-ZZZZ-zzzzZZZZzzzz"
        }
      },
      "file": {
        "disposition": "Blacklisted",
        "file_name": "filename.pdf or virus.pdf",
        "file_path": "C:\\",
        "identity": {"sha256": "sha:256", "sha1": "sha:1", "md5": "md5"},
        "parent": {
          "process_id": 9917,
          "disposition": "Clean",
          "file_name": "virus.exe",
          "identity": {"sha256": "sha:256", "sha1": "sha:1", "md5": "md5"}
        }
      }
    }
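An added Python example, not from the original page, that parses the Table 3 sample event into the fields an analyst pivots on and flags the pattern the sample shows (a Clean-rated parent process dropping a Blacklisted file). normalize_amp_event and needs_followup are hypothetical helper names, and the embedded event is a trimmed copy of the page's sample with its placeholder hashes.

```python
from datetime import datetime, timezone

# Trimmed copy of the Table 3 "Threat Detected" sample event on this page;
# the hash values are the page's placeholders, not real digests.
SAMPLE_EVENT = {
    "id": 2833634772994537203, "timestamp": 1283352936,
    "timestamp_nanoseconds": 193372272, "event_type": "Threat Detected",
    "event_type_id": 1090519054, "detection": "Simple_Custom_Detection",
    "computer": {
        "hostname": "example", "external_ip": "192.0.2.0",
        "user": "pqrsDSP@Cisco-DSC", "active": True,
        "network_addresses": [{"ip": "192.0.2.111", "mac": "00-00-5E-00-00-00"}],
    },
    "file": {
        "disposition": "Blacklisted", "file_name": "filename.pdf or virus.pdf",
        "file_path": "C:\\", "identity": {"sha256": "sha:256"},
        "parent": {"process_id": 9917, "disposition": "Clean",
                   "file_name": "virus.exe", "identity": {"sha256": "sha:256"}},
    },
}

def normalize_amp_event(event):
    """Flatten one Cisco AMP event into the fields an analyst triages on.
    Nested blocks the event lacks (e.g. no 'file') yield None, not KeyError."""
    computer = event.get("computer") or {}
    file_info = event.get("file") or {}
    parent = file_info.get("parent") or {}
    # Seconds and nanoseconds arrive as separate fields; fold them into one
    # UTC timestamp (datetime keeps microseconds, so nanoseconds are truncated).
    when = datetime.fromtimestamp(event["timestamp"], tz=timezone.utc)
    when = when.replace(microsecond=event.get("timestamp_nanoseconds", 0) // 1000)
    return {
        "event_id": event["id"],
        "event_type": event.get("event_type"),
        "event_type_id": event.get("event_type_id"),
        "detected_at": when.isoformat(),
        "hostname": computer.get("hostname"),
        "user": computer.get("user"),
        "internal_ips": [a.get("ip") for a in computer.get("network_addresses", [])],
        "file_name": file_info.get("file_name"),
        "file_disposition": file_info.get("disposition"),
        "file_sha256": (file_info.get("identity") or {}).get("sha256"),
        "parent_name": parent.get("file_name"),
        "parent_disposition": parent.get("disposition"),
    }

def needs_followup(record):
    """The sample shows a Clean-rated parent (virus.exe) dropping a blacklisted
    file: the file was blocked, but the parent was not, so flag the host."""
    return (record["file_disposition"] == "Blacklisted"
            and record["parent_disposition"] == "Clean")
```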