topic Re: Mail from AMP in Endpoint Security https://community.cisco.com/t5/endpoint-security/mail-from-amp/m-p/4439811#M6267 <P>If the IP is&nbsp;205[.]185[.]216[.]42, it is a false positive.</P><P>&nbsp;</P><P>If it were real, I'd dig into which app/process did the communication using the Trajectory.&nbsp; &nbsp;Figure out what app it is, if it's not something that you know is good, convict it so that AMP shuts it down.&nbsp; For example if its a file your user downloaded, or a fileless process started from Word or Excel... you'd kill that process and track down how it got in.&nbsp;</P><P>&nbsp;</P> Tue, 27 Jul 2021 18:41:12 GMT Ken Stieers 2021-07-27T18:41:12Z Mail from AMP https://community.cisco.com/t5/endpoint-security/mail-from-amp/m-p/4439804#M6266 <P>Hello</P><P>&nbsp;</P><P>I received this mail</P><P>&nbsp;</P><P>Secure Endpoint observed the following compromise matching your subscription named <STRONG>Real Time Incidents.</STRONG></P><TABLE><TBODY><TR><TD><P>Compromise State</P></TD><TD><P>Requires Attention</P></TD></TR><TR><TD><P>Hostname</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>Group</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>Operating System</P></TD><TD><P>Windows 10 Enterprise</P></TD></TR><TR><TD><P>Policy</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>Connector Version</P></TD><TD><P>7.3.15.20174</P></TD></TR><TR><TD><P>Internal IP</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>Install Date</P></TD><TD><P>2018-03-26 15:00:25 UTC</P></TD></TR><TR><TD><P>External IP</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>Connector GUID</P></TD><TD>&nbsp;</TD></TR></TBODY></TABLE><H2>Related Events (3 compromise events (spanning 2 minutes))</H2><TABLE><TBODY><TR><TD><TABLE><TBODY><TR><TD><P>Type</P></TD><TD><P>DFC Threat Detected</P></TD></TR><TR><TD><P>IP</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>Date</P></TD><TD><P>2021-07-27 16:27:28 UTC</P></TD></TR></TBODY></TABLE></TD></TR><TR><TD><TABLE><TBODY><TR><TD><P>Type</P></TD><TD><P>DFC Threat Detected</P></TD></TR><TR><TD><P>IP</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>Date</P></TD><TD><P>2021-07-27 16:28:43 UTC</P></TD></TR></TBODY></TABLE></TD></TR><TR><TD><TABLE><TBODY><TR><TD><P>Type</P></TD><TD><P>DFC Threat Detected</P></TD></TR><TR><TD><P>IP</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>Date</P></TD><TD><P>2021-07-27 16:29:25 UTC</P></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P><P>What could I do?</P><P>&nbsp;</P><P>Thanks and regards,&nbsp;</P><P>Konstantinos</P> Tue, 27 Jul 2021 18:33:30 GMT https://community.cisco.com/t5/endpoint-security/mail-from-amp/m-p/4439804#M6266 kostasthedelegate 2021-07-27T18:33:30Z Re: Mail from AMP https://community.cisco.com/t5/endpoint-security/mail-from-amp/m-p/4439811#M6267 <P>If the IP is&nbsp;205[.]185[.]216[.]42, it is a false positive.</P><P>&nbsp;</P><P>If it were real, I'd dig into which app/process did the communication using the Trajectory.&nbsp; &nbsp;Figure out what app it is, if it's not something that you know is good, convict it so that AMP shuts it down.&nbsp; For example if its a file your user downloaded, or a fileless process started from Word or Excel... you'd kill that process and track down how it got in.&nbsp;</P><P>&nbsp;</P> Tue, 27 Jul 2021 18:41:12 GMT https://community.cisco.com/t5/endpoint-security/mail-from-amp/m-p/4439811#M6267 Ken Stieers 2021-07-27T18:41:12Z