topic Test the functionality of AMP for endpoints in Endpoint Security

Test the functionality of AMP for endpoints

Mordred36 — Thu, 22 Oct 2020 16:14:30 GMT

I would like to test/verify that my Cisco AMP for Endpoints is working correctly .

It is integrated with Umbrella but when I pull reports, only activity related to other security events is shown (URLs, IPs, e.t.c).

If I filter for AMP events - it shows no activity ever - as far back as I can go. Which means no event has ever happened or it is not working !!

Any help is appreciated.

Thanks

Re: Test the functionality of AMP for endpoints

Troja007 — Fri, 23 Oct 2020 06:07:01 GMT

Hello @Mordred36,

AMP for Endpoints console does not show Umbrella Events. Umbrella itself does not generate an "Event". A DNS request does not include detailed endpoint information. How Umbrella is integrated.

SecureX: Umbrella should be configured as a Module. At any time you add an URL to the SecureX Ribbon search, to a casebook and so in, it included the disposition provided by Umbrella.
Context Menu: Umbrella is shown up in the context menu. So at any time working in the Device Trajectory or other parts of the UI, you can directly pivot to Umbrella.
You can directly block domains from the context menu (if the right API is configured and licensed).
Threat Response gives you all information from Umbrella.

Optional: the Endpoint License includes Cognitivie analytics, where the whole Web Traffic Log is processed. This would generate Events in AMP. The difference here is, Cognitive includes the whole URL. This can be interesting during and investigation.

Example:

Domain www.xyz.com --> Reputation is good, maybe suspicious
URL www.xyz.com/URL_patch/file --> The URL is marked as malicious

Greetings,
Thorsten

Re: Test the functionality of AMP for endpoints

Mordred36 — Fri, 23 Oct 2020 13:42:03 GMT

Hello @Troja007,

Thanks for the quick response.

I guess what I am really interested in is Cisco AMPs behavior as an Endpoint AV solution.

I am an MSP with several clients who I am monitoring with Cisco Umbrella and AMP. One of them comes and tell me that they had a virus or malware on their computer and asks me to show him that their AMP component is working correctly.

How do I do that? As an example - like how you can pull Symantec AV event logs and alert logs.

Thanks,

Re: Test the functionality of AMP for endpoints

Troja007 — Thu, 29 Oct 2020 18:58:41 GMT

Hello @Mordred36,

first of all, AMP is an EDR/XDR solution including traditional protection engines.

Enclosed two summary pages for the whole protection and EDR/XDR stack.

How to check if an endpoit is working correctly. There are several ways to do this.

using the local ConnectivityTool.exe
generating a eicar.com test file to see if an event is uploaded to the cloud.
Typing a command line to check if this is reported to cloud.
Example: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -encoded cABpAG4AZwAgAGcAbwBvAGcAbABlAC4AYwBvAG0A
This is an ecoded powershell command to ping google.com
Checking configured exclusions.
Using Orbital Endpoint search to query components of the connector.
Checking in UI if all is up-to-date
Generating a diagnostic package and analyze the logs using the AMP connector tuning tool: https://github.com/CiscoSecurity/amp-05-windows-tune
If you have access to the endpoint, you can use the AMP healthchecker: https://github.com/CiscoSecurity/amp-05-health-checker-windows

If there is a threat not detected, we have to take a deeper look. Such a question can only be answered when having log files, knowing the hash of the file and so on. If you expect something is wrong, the best way in such a case, is to open a TAC Case.

Greetings,
Thorsten