https://community.cisco.com/t5/network-security/amp-alert-cutoff/m-p/3085602#M1014928 <P>We receive AMP alerts frequently for malware attached to e-mail. &nbsp;We aren't concerned so much about that malware because our filter is excellent at dropping those messages. &nbsp;However, the alerts don't tell us enough information because they're cut off. &nbsp;This is what we get:</P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">&lt;*- Network Based Retrospective at Tue Aug&nbsp; 1 16:13:57 2017 UTC -*&gt;&nbsp;</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">Sha256: f0d4ec15201ff5115cefeb3f29d523506fdd641807c0660689a9259f11bdc347</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">Disposition: Malware</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">Threat name: N/A</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">&nbsp;</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">&lt;*- Network Based Retrospective</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">From "&lt;hostname&gt;" at Tue</SPAN></P> <P></P> <P>It cuts off after the day of the week. &nbsp;It'd be nice if we could get the rest of the information in the e-mail so we can quickly determine if we should be concerned or not.</P> <P>Is this a known issue? &nbsp;Any suggestions on fixing it? &nbsp;We're on FMC 6.0.1.3, build 1054.</P> <P>Thanks!</P> <P></P> <P></P> Tue, 12 Mar 2019 13:28:42 GMT Trevor Walraven 2019-03-12T13:28:42Z https://community.cisco.com/t5/network-security/amp-alert-cutoff/m-p/3085602#M1014928 <P>We receive AMP alerts frequently for malware attached to e-mail. &nbsp;We aren't concerned so much about that malware because our filter is excellent at dropping those messages. &nbsp;However, the alerts don't tell us enough information because they're cut off. &nbsp;This is what we get:</P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">&lt;*- Network Based Retrospective at Tue Aug&nbsp; 1 16:13:57 2017 UTC -*&gt;&nbsp;</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">Sha256: f0d4ec15201ff5115cefeb3f29d523506fdd641807c0660689a9259f11bdc347</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">Disposition: Malware</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">Threat name: N/A</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">&nbsp;</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">&lt;*- Network Based Retrospective</SPAN></P> <P style="padding-left: 30px;"><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">From "&lt;hostname&gt;" at Tue</SPAN></P> <P></P> <P>It cuts off after the day of the week. &nbsp;It'd be nice if we could get the rest of the information in the e-mail so we can quickly determine if we should be concerned or not.</P> <P>Is this a known issue? &nbsp;Any suggestions on fixing it? &nbsp;We're on FMC 6.0.1.3, build 1054.</P> <P>Thanks!</P> <P></P> <P></P> Tue, 12 Mar 2019 13:28:42 GMT https://community.cisco.com/t5/network-security/amp-alert-cutoff/m-p/3085602#M1014928 Trevor Walraven 2019-03-12T13:28:42Z https://community.cisco.com/t5/network-security/amp-alert-cutoff/m-p/3085603#M1014951 <P>Hi Trevor,</P> <P></P> <P>This new retrospective malware event represents a disposition change for all files detected in the last week that have the same SHA-256 hash value. For that reason, these events contain limited information: the date and time the Firepower Management Center was notified of the disposition change, the new disposition, the SHA-256 hash value of the file, and the threat name. They do not contain IP addresses or other contextual information.</P> <P></P> <P>That's something known. Let us know for any query.</P> <P>Regards,</P> <P>Dv</P> Thu, 03 Aug 2017 14:43:18 GMT https://community.cisco.com/t5/network-security/amp-alert-cutoff/m-p/3085603#M1014951 Dinesh Verma 2017-08-03T14:43:18Z