Cisco AMP for Endpoints API

POST /v1/event_streams

Description

Creates a new AMQP messaging resource for events information

When successfully requested, will create a streaming resource accessible using the Advanced Messaging Queue Protocol (AMQP)

The credentials that can be used to connect to this queue are returned in the API response, which includes amqp_credentials hash with keys user_name, password, queue_name, host, port, and proto. You can use these to connect to queue with any client adhering to the AMQP protocol

Other important notes:

  • The passive and durable bits should be set on the queue
  • The protocol is over SSL/TLS. Therefore you should either prefix the uri with amqps:// or explicitly enable TLS on your client
  • This is the only time you will see the password

Example implementation in Ruby:

Client implementation with the bunny gem: 

require 'bunny'

connection_url = "#{amqp_credentials[:proto]}://#{amqp_credentials[:user_name]}:#{amqp_credentials[:password]}@#{amqp_credentials[:host]}:#{amqp_credentials[:port]}"

conn = Bunny.new(connection_url)
conn.start

ch = conn.create_channel
q  = ch.queue(amqp_credentials[:queue_name], :passive => true, :durable => true)
x  = ch.default_exchange

q.subscribe(:block => true) do |delivery_info, metadata, payload|
  puts "Received #{payload}"
end

Please note that you can obtain the information about event stream not only from API response immediately after create action, but via the endpoint GET '/v1/event_streams/' without showing the password.

API Limitations

  • Events have a time-to-live (TTL) of 10 days within each streaming resource
  • limit of 5 active resources across each organization

Show Response Fields

Name Type Description
version String
metadata.links.self String
data.id Integer
data.name String
data.amqp_credentials.user_name String
data.amqp_credentials.password String
data.amqp_credentials.queue_name String
data.amqp_credentials.host String
data.amqp_credentials.port String
data.amqp_credentials.proto String
Write
Preview
Auto Generate

Examples

Creates a new event stream
Creates a new event stream without event types

Creates a new event stream

Request

Requires Authorization 
POST /v1/event_streams
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
content-length: 99

cURL Edit, then copy and paste on your terminal

curl -X POST \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
-H 'content-length: 99' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-d '{"name":"dBoEkqNI","event_type":[1090519054],"group_guid":["a4a983ef-91df-428f-9b08-1e88ec5357df"]}' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/event_streams'
Body
{"name":"dBoEkqNI","event_type":[1090519054],"group_guid":["a4a983ef-91df-428f-9b08-1e88ec5357df"]}

Response

Shortened for readability 

content-type: application/json
transfer-encoding: chunked
status: 201 Created
x-ratelimit-limit: 3000
x-ratelimit-reset: 892
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2837
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"7611189ed9f4aafe47eb90a08c436d76"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/event_streams"
    }
  },
  "data": {
    "id": 30098,
    "name": "dBoEkqNI",
    "group_guids": [
      "a4a983ef-91df-428f-9b08-1e88ec5357df"
    ],
    "event_types": [
      1090519054
    ],
    "amqp_credentials": {
      "user_name": "30098-16db5cf986eec6f44422",
      "queue_name": "event_stream_30098",
      "password": "54cb0c57297836e594de1b9810a998ea1844bfb0",
      "host": "export-streaming-lb-int.qa1.immunet.com",
      "port": "443",
      "proto": "amqps"
    }
  }
}

Creates a new event stream without event types

Request

Requires Authorization 
POST /v1/event_streams
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
content-length: 73

cURL Edit, then copy and paste on your terminal

curl -X POST \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
-H 'content-length: 73' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-d '{"name":"rxIJLtls","group_guid":["a4a983ef-91df-428f-9b08-1e88ec5357df"]}' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/event_streams'
Body
{"name":"rxIJLtls","group_guid":["a4a983ef-91df-428f-9b08-1e88ec5357df"]}

Response

Shortened for readability 

content-type: application/json
transfer-encoding: chunked
status: 201 Created
x-ratelimit-limit: 3000
x-ratelimit-reset: 891
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2836
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"53ee78be16280bf44e9c87b2c4201dab"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/event_streams"
    }
  },
  "data": {
    "id": 30099,
    "name": "rxIJLtls",
    "group_guids": [
      "a4a983ef-91df-428f-9b08-1e88ec5357df"
    ],
    "amqp_credentials": {
      "user_name": "30099-16db5cf986eec6f44422",
      "queue_name": "event_stream_30099",
      "password": "af67047801b04a5b9763e6a92f2543df9235087a",
      "host": "export-streaming-lb-int.qa1.immunet.com",
      "port": "443",
      "proto": "amqps"
    }
  }
}