Initialize the Cisco AMP Beat

Prerequisites

• The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.

• You have the required keys: Cisco Client ID and API Key.

• The following port is open:

  Direction	Port	Protocol	Source
  Outbound	443	HTTPS	ciscoampbeat

  
  

Initialize the Beat

1. Confirm the Open Collector is running:

   ./lrctl status
   

   You should see the open_collector and metrics as shown in the following graphic:
   

   If the Open Collector is not running correctly, see the

   Troubleshoot the Open Collector

   topic in the Open Collector Installation and User Guide.

   
   

2. Start the beat:

   ./lrctl ciscoampbeat start
   

   
   

3. Enter the following details:

   The Cisco AMP Client ID and API key are saved in encrypted format.

   1. Cisco AMP Client ID:
      

   2. Cisco AMP API Key:
      

   3. URL Address for preferred region: 
      

      It’s important to note that the API is location-based and varies depending on where your AMP instance resides.

      Currently, three regions exist:

      • U.S.: api.amp.cisco.com

      • Asia, Pacific, Japan & China: api.apjc.amp.cisco.com

      • Europe: api.eu.amp.cisco.com

   4. Event types:
      

      The default value of Event Types is ALL.

       User can provide multiple Event Type IDs with comma:
      
      For more information on specific Event type IDs, see https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv0%2Fevent_types&api_host=api.amp.cisco.com&api_resource=Event+Type&api_version=v0.

   The configuration has been saved and the service has been started successfully.

4. Check the status of the service:

   ./lrctl ciscoampbeat status
   

   

Default Config Values for CiscoAMPBeat: