topic Re: End point detection in Endpoint Security

End point detection

neroblaze — Wed, 17 Apr 2024 14:54:41 GMT

I am new to cisco endpoint and will need some help in creating rolling 3 months analysis for end point positive detections

and also analysis for false positive detection.Any help and directions will be deeply appriciated.

Thanks

Re: End point detection

Roman Valenta — Wed, 17 Apr 2024 15:59:06 GMT

I'm not sure what you mean by creating <rolling 3 months analysis> but there is retention policy in place for AMP where we only keep data available to you for 30 days. Anything older than 30 days is automatically purged. If you are looking for some type of reports you can setup custom or browse through built in weekly / monthly reports in your console under Analysis tab

Re: End point detection

Pulkit Mittal — Thu, 18 Apr 2024 02:47:20 GMT

Since you are new to Cisco secure endpoint, I suggest looking at the best practices guides as well.

Secure Endpoint Best Practices Guide - Cisco

Configure and Identify Secure Endpoint Exclusions - Cisco

If you find this useful, please mark it helpful.

Re: End point detection

neroblaze — Tue, 23 Apr 2024 14:42:02 GMT

Hi Roman, thanks for your response. By creating 3 months I mean getting data from the previous 2 months and comparing them to the recent month. Is there a way I can generate a report for detected threat events from February and March ,and then compare them to a report in April? Or the retention policy does not make that possible? Thanks for all the help.

Re: End point detection

neroblaze — Tue, 23 Apr 2024 14:43:59 GMT

Thanks alot for the information

Re: End point detection

Roman Valenta — Tue, 23 Apr 2024 16:16:42 GMT

OK so let me be more specific. You can only browse events under Event tab that will give you all the details such as event names, Device Trajectory, File trajectory, Detection, etc.. for 30 days how ever you can get summarized reports by default Weekly / Monthly under Analysis tab Reports.

Those are available to you and go back for very long time. In my org for example since it was created in 2020 but those reports are very high overview and basic so not sure if that's enough for you. It will contain this info in words and graphical preview.

Example:

Table of Contents
---------------

Connector Status: 444K Files Scanned, 30.7K IPs Scanned
Compromises: 3 New Compromises, 0 Resolved
File Detections: 98 Detections, 47 Quarantines
Network Detections: 0 DFC Detections, 0 Computers Affected, 0 Agentless Global Threat Alerts Events
Threat Root Cause
Low Prevalence Executables: 12 Low Prevalence Executables Analyzed
Vulnerabilities: 2 Vulnerabilities Observed

Re: End point detection

neroblaze — Tue, 23 Apr 2024 16:39:34 GMT

I have seen the summarized reports that can be generated under the analysis tab Reports. They are not really helpful as i am looking for reports for endpoint detections which will allow me to also filter out false positives. I need to get this reports for positive detections and also false positive detections for management. Any ideas are welcome and thanks again.