topic Re: Cisco AMP Custom Reports in Endpoint Security

Cisco AMP Custom Reports

zaheer.jahangir1 — Sat, 09 Mar 2019 01:44:33 GMT

Hi,

Well I am looking for AMP custom reports, basic thing that I am looking for is a list/count of endpoints including servers which were infected also even if they were quarantined later but I need the list of infected sytems, I am not able to get such a monthly report, can AMP generate such report or not.
Please let me know

Re: Cisco AMP Custom Reports

Shiprock523 — Tue, 28 Nov 2017 17:06:32 GMT

Also, how can I get a list of the current exclusions exported from my existing policy so that I can make sure that I have everything. Also, is there any way to back up the policy in case I want to revert?

Thanks,

Re: Cisco AMP Custom Reports

IvanCdC — Wed, 29 Nov 2017 10:28:28 GMT

Hello Zaheer,

Reports feature it's a weekly report from most notorious actions "as-is", meaning there is no possibility to customize what can be sent in them.

If you would wish to have granular information about it I would sugget you to use the Events filtering, you can find this in:

Analysis -> Events

There you will have the possibility to configure exactly what events you want to see, with the time visibility included, then you can subscribe to these events immediately (digest), one e-mail per event, hourly, daily, weekly and monthly.

I believe for your purposes now you would want to use monthly reports.

You have also the ability to export these reports to csv should the case come.

If this wouldn't be enough, I would suggest you to use the API, you can find further reference information here: https://api-docs.amp.cisco.com/

Let us know if you would need further assistance.

Regards!

Re: Cisco AMP Custom Reports

IvanCdC — Wed, 29 Nov 2017 11:01:08 GMT

Hello Shiprock,

To your first question, if you would like to see what were the changes / updates done to your exclusions you can go to:

Management -> Exclusions -> View Changes (on each exclusion)

That will show you all info related to that specific exclusion list including modifications done on it.

To see the list of items in the exclusion just click on EDIT and you will see all values there, however if what you would like to see is that exclusion is properly implemented to the policy then you can go to:

Management -> Policies -> Download XML from the selected policy.

Once you get the .xml file you can check for <exclusions> tag, you will find there all paths defined in your exclusion attached to that policy.

As for the second question, there is possibility to duplicate the policy from the menu:

Management -> Policies -> Duplicate from the selected policy.

It is not a backup feature strictly but may help you to debug / test.

You can also click on View Changes, you will be displayed with all recent changes affecting that policy so you will know exactly what was the last thing modified.

Let us know if you would need further assistance.

Regards!

Re: Cisco AMP Custom Reports

MaSeelig — Wed, 24 Jan 2018 09:11:49 GMT

Hi, helpful answer, thx!

New Question 😉 Can I create a new exclusion list by copy or "upload" a complete list or have I to create every single exclusion new?

Re: Cisco AMP Custom Reports

goranunified — Thu, 17 Oct 2019 19:32:32 GMT

Is there are 3rd party reporting tool via API which we can use to provide a combined report for AMP and Umbrella for the customer. Like an executive summary report?

Re: Cisco AMP Custom Reports

Troja007 — Sun, 20 Oct 2019 09:43:52 GMT

Hello @goranunified,

Cisco provides several splunk apps for long term monitoring. You can take a look here: https://www.cisco.com/c/dam/m/en_us/products/security/technical-alliance-partners/core/assets/splunk-overview.pdf

You can add Umbrella and AMP Data to splunk and generate the combined Reports you need.

Hope this helps,

Greetings,

Thorsten

Re: Cisco AMP Custom Reports

goranunified — Mon, 21 Oct 2019 00:54:54 GMT

Thank you @Troja007 much appreciated.