topic Re: File Policy - dynamic analysis daily Limit? in Endpoint Security

File Policy - dynamic analysis daily Limit?

evan.chadwick1 — Sat, 09 Mar 2019 01:48:16 GMT

Hi Folks,

is there a daily limit available to be sent for dynamic analysis? If so where is this referenced? Does FMC flag the daily limit reached?

iF any limits please clarify if they are for both

spero

dynamic

Re: File Policy - dynamic analysis daily Limit?

Jetsy Mathew — Fri, 29 Jun 2018 10:22:49 GMT

Hello evan.chadwick1

Are you trying to submit the files to the TG and if so there will be a daily limit for your account for the file submissions. Please check the TG Account for your daily limit.

Regards

Jetsy

Re: File Policy - dynamic analysis daily Limit?

evan.chadwick1 — Thu, 05 Jul 2018 22:40:37 GMT

Just selecting 'dynamic analysis' in the AMP file policy.

I just can not find a document anywhere that mentions anything about daily limits. Firepower never reports when a daily limit is hit either

Re: File Policy - dynamic analysis daily Limit?

evan.chadwick1 — Thu, 05 Jul 2018 23:11:43 GMT

Found some info, questions in red:

When using the Cisco Threat Grid public cloud for file analysis, the file upload limit is set to 200 - even if you have 30 sites and 60 firepower sensors???

files per day by default at the organization level, irrespective of the devices configured. This limit

is shared across all AMP-enabled devices in the organization. If your organization needs more

sample capacity, contact your Cisco sales representative, and inquire about Threat Grid Sample

Packs.

Note If the load on the File Analysis service exceeds capacity, some files may not be analyzed even

if the file type is selected for analysis and the file would otherwise be eligible for analysis. You

will receive an alert when the service is temporarily unable to process files of a particular type. - how where is this seen?

If a file has recently been uploaded from any source, the file will not be uploaded again.- this is not my experience with two separate client sites, i see repeated same Sha being repeatedly sent (have a tac case open and will update)

For File

Analysis results for this file, search for the SHA-256 from the File Analysis reporting page.

Re: File Policy - dynamic analysis daily Limit?

vaibhav.parlekar1 — Sat, 07 Jul 2018 01:58:51 GMT

Hi Evan,

I had been trying to get this information but I have got mixed responses. some said there is no per day limit for the firepower devices and it's only for the endpoints. I am not sure where did you get the no. of 200 files per day. There is no documentation around it. Would be great if some folks from Cisco publish clear information on the same.

Vaibhav

Re: File Policy - dynamic analysis daily Limit?

Marvin Rhoads — Sat, 07 Jul 2018 06:51:26 GMT

You're right that the numbers are not well-published. I thought I had a presentation that summarized them but can't locate it right now. The citation you found is the best thing I've seen publicly available.

(For later readers, it can be found on page 14 of the following:

https://www.cisco.com/c/dam/en/us/td/docs/security/content_security/content_security_general/Content-security-file-reputation-and-analysis-criteria.pdf )

You can choose to store files locally for later submission in the event that your daily limit is exceeded. That would be via the "Capacity Handling" checkbox in the file policy.

You should see if you have/are exceeding your daily limit under Analysis > Files > Captured Files > File Analysis Status (may need to switch from the default workflow). There is a field "Disposition" there that has a value that can be as follows:

Capacity Handled (Rate Limit) — file stored because it could not be submitted due to the maximum number of submissions reached.

Re: File Policy - dynamic analysis daily Limit?

evan.chadwick1 — Wed, 11 Jul 2018 02:45:44 GMT

Thanks for the tips. I can confirm i don't have one message mentioned above that leads to exhaustion of the limit. But when manually trying to upload a captured file, I get a vague message saying 0 out of 1 files failed to upload. i've tested outbound connections from the FMC and also added the optional 32137 port just incase.

If I follow the instructions above with the disposition field present and filter out the following:

!malware, !clean, !unavailable, !unknown

I get nothing.

Would love some definitions/context for:

1/ unavailable

2/ nothing in the disposition column

For the readers, the 'disposition' field mentioned, is not a field shown by default. One needs to click on a column title and then choose to show disposition at the bottom of the list.

Re: File Policy - dynamic analysis daily Limit?

evan.chadwick1 — Thu, 12 Jul 2018 01:15:20 GMT

In regards to hitting visibility of hitting daily limits. I can not seem to find anything with reporting. I'm having some success with adding Widgets.

Using a custom widget I can get clarity on what files i'm storing and the count of them. And also on File Actions, ie Malware Cloud Lookup and the count, cloud time out and the count. But still not quite on the dynamic.

Anyone?

Re: File Policy - dynamic analysis daily Limit?

evan.chadwick1 — Thu, 26 Jul 2018 22:00:53 GMT

My Conclusion is :

If you are not a paying customer for Threat Grid, the 200 files per day is just a best effort and the Firepower system out of the box is not really designed to display the counters for the 200 files per 24 hours.

If you don't pay for a threat grid allowance, one is best to only select 'local file analysis' in the file policy and just manually upload files for dynamic analysis.

Interested in others thoughts

Re: File Policy - dynamic analysis daily Limit?

emirolyu — Fri, 27 Jul 2018 07:32:55 GMT

Hello Evan,

By default, all AMP-enabled devices (including Firepower) in an organization share a limit of 200 samples per 24 hour period. To increase the limit, there's an additional license to purchase, called Advanced File Analysis packs (formerly Sample Packs). Please refer to Threat Grid Ordering Guide:

https://www.cisco.com/c/en/us/products/collateral/security/amp-threat-grid-cloud/guide-c07-733608.html

The number of "packs" actually needed for a customer is best determined through a PoV or by actively using the solution.

To see the counters of files submitted, Threat Grid has created a slimmed down version of the Cloud Portal (i.e., Entitlements Portal), that displays information surrounding the submissions of each individual AMP-enabled device in an organization. That helps determine if the customer is exceeding the limit of sample submissions allocated to an organization. To request Entitlements Portal access, please connect with your Cisco representative.

Firepower's 'local file analysis' is essentially a static file analysis method on the box itself. It scans files for threats using high-fidelity signature set. This capability also allows Firepower to pre-classify files and determine if submitting them to Threat Grid makes sense (based on the presence of active content, file type, etc). Threat Grid (dynamic analysis in Firepower) is a huge added value to the Firepower customer, therefore I would recommend to leverage it as much as possible.

Re: File Policy - dynamic analysis daily Limit?

Marvin Rhoads — Fri, 27 Jul 2018 08:48:19 GMT

@emirolyu,

That's great to hear about the Entitlements portal. Is this documented in any public- or partner-facing collateral?

Re: File Policy - dynamic analysis daily Limit?

emirolyu — Fri, 27 Jul 2018 13:25:43 GMT

Hello Marvin,

It was mentioned during the Partner VT in May, please refer to the slide 34:

https://salesconnect.cisco.com/open.html?c=366a0ea0-b1fb-4638-b928-cd6126f46b1d

As a gentle reminder, entitlements can also be seen and managed through the full Threat Grid Cloud portal (Administration > View Entitlements; access to this portal requires an additional license, unlike access to the Entitlements only UI). Documentation is available right in the portal as well. Partners can request a trial of the full Threat Grid Cloud portal via Partner Help.

I hope that helps.

Re: File Policy - dynamic analysis daily Limit?

Marvin Rhoads — Fri, 27 Jul 2018 13:54:29 GMT

Perfect - thanks!

I missed the delivery of that presentation since I was joining remotely from 15 time zones away. 🙂

Re: File Policy - dynamic analysis daily Limit?

CiscoBrownBelt — Fri, 30 Jun 2023 16:23:36 GMT

@Marvin Rhoads @demir I know old post but have question sort of on subject: Status for dynamic analysis on some of my events is "Device Not Activated". What device is it referring to and how to I get it activated?

Re: File Policy - dynamic analysis daily Limit?

Marvin Rhoads — Fri, 30 Jun 2023 16:30:12 GMT

@CiscoBrownBelt are you integrating events from FMC into your Secure Endpoint / AMP console?

Re: File Policy - dynamic analysis daily Limit?

CiscoBrownBelt — Wed, 05 Jul 2023 18:23:57 GMT

Yes that is correct I am trying to.