topic Re: AMP 4 Endpoint questions in Endpoint Security

AMP 4 Endpoint questions

kostasthedelegate — Fri, 05 Mar 2021 12:52:50 GMT

Hello,

I would like to ask some questions about the operation of AMP

1. When upgrading an agent, the reboot after needs to be done with privileged account?

2. Is there a site that hosts IOC xml files?

3. Is there a way for AMP to automatically upload files to threatgrid?

4. The endpoint isolation could be done automatically?

Regards,

Konstantinos

Re: AMP 4 Endpoint questions

Ken Stieers — Fri, 05 Mar 2021 15:45:03 GMT

1. No, user can reboot... and after 7.x, reboot requirements mostly go away.

2. Talosintelligence.com... thou

3. Yes, under Outbreak Controls/Automated Actions. These also show up as Orchestrations in SecureX/Orchestrations

4. Yes, under Outbreak Controls/Automated Actions. These also show up as Orchestrations in SecureX/Orchestrations

Re: AMP 4 Endpoint questions

kostasthedelegate — Mon, 08 Mar 2021 06:26:43 GMT

Good morning!!

Thank you for the answers!

1. So if it does not update with normal user there is a problem.

2. Where exactly? I cannot find an .xml file for IOCs

3. Great! Found it!

4. Found it! I can see that the criteria is only the severity. Is there a way to choose sth else?

Regards,

Konstantinos

Re: AMP 4 Endpoint questions

Troja007 — Thu, 11 Mar 2021 06:30:28 GMT

Hello @kostasthedelegate,
some infos inoline..

Thank you for the answers!

1. So if it does not update with normal user there is a problem.
A: The endpoint upgrade is completely independent from the logged on user... you can also do an upgrade if no user is logged on.

2. Where exactly? I cannot find an .xml file for IOCs
A: Hello, there is not a List of .xml files. If there is a e.g. blog post (example), it includes observavles or IOC information, you can use the SecureX Browser add-on to directly add them to a casebook and to investigate your environment.
The intelligence in the Backend for Cloud IOC generation is constantly updated by Cisco. The IOC information, e.g. on Talos Website, can be used to do additional Threat Hunt and investigations.

3. Great! Found it!
A: great

4. Found it! I can see that the criteria is only the severity. Is there a way to choose sth else?
A: automated actions inside Secure Endpoint Console are always triggered by an IOC. In addition, you can use the API to trigger them from external sources. OR, you can build your personal Orchestration Workflows (SecureX) and trigger them. Orchestration Workflows can also be triggered from external.

Greetins,
Thorsten

.. did some smaller updates to remove typos.