topic Re: Firepower Dynamic Analysis in Network Security

Firepower Dynamic Analysis

fatalXerror — Fri, 21 Feb 2020 14:35:46 GMT

Hi guys,

I successfully deployed firepower IPS. I'm just wondering what is the use of the button "Associate" in the Dynamic Analysis section?

Thanks

Re: Firepower Dynamic Analysis

Marvin Rhoads — Mon, 30 Oct 2017 12:41:33 GMT

Could you tell us what version you are using and exactly what menu you are looking at?

Re: Firepower Dynamic Analysis

fatalXerror — Sun, 05 Nov 2017 15:18:31 GMT

I am using 6.2.0.2.

Re: Firepower Dynamic Analysis

Marvin Rhoads — Mon, 06 Nov 2017 07:14:04 GMT

...and the menu location you are asking about?

Re: Firepower Dynamic Analysis

fatalXerror — Mon, 06 Nov 2017 16:11:33 GMT

I believed in the AMP section Dynamic Analysis. There you can see connection to Threat Grid and in the right most you can see a chain which is a button name Associate.

I want to know what is the purpose of it?

Re: Firepower Dynamic Analysis

Marvin Rhoads — Tue, 07 Nov 2017 03:33:08 GMT

Ah OK, I understand the question now. That link is for customers who have a Threat Grid subscription as well. It's used to associate your FMC with your Threat Grid account.

Here're the details from the Configuration Guide:

Cisco AMP Threat Grid offers more detailed reporting on analyzed files than is available in the Firepower
Management Center. If your organization has an account in the Cisco AMP Threat Grid public cloud, you
can access the Cisco AMP Threat Grid portal directly to view additional details about files sent for analysis from your managed devices. However, for privacy reasons, file analysis details are available only to the organization that submitted the files. Therefore, before you can view this information, you must associate your Firepower Management Center with the files submitted by its managed devices.

Before You Begin
You must have an account on the Cisco AMP Threat Grid public cloud, and have your account credentials ready.
Procedure
Step 1 Select AMP > Dynamic Analysis Connections.
Step 2 Click in the table row corresponding to the Cisco AMP Threat Grid public cloud.
A Cisco AMP Threat Grid portal window opens.
Step 3 Sign in to the Cisco AMP Threat Grid public cloud.
Step 4 Click Submit Query.
Do not change the default value in the Devices field.
Note
If you have difficulties with this process, contact your Cisco AMP Threat Grid representative at Cisco TAC. It may take up to 24 hours for this change to take effect.
What to Do Next
After the association is activated, see Viewing Dynamic Analysis Results in the Cisco AMP Threat Grid
Public Cloud...

Re: Firepower Dynamic Analysis

fatalXerror — Fri, 10 Nov 2017 11:58:17 GMT

Hi Marvin,

I thought connecting to the AMP cloud doesn't need an account for dynamic analysis of files?

thanks

Re: Firepower Dynamic Analysis

Marvin Rhoads — Fri, 10 Nov 2017 12:00:11 GMT

AMP doesn't. But if you want to make Threat Grid submissions and get the detailed analysis it provides then you do need to associate.

Re: Firepower Dynamic Analysis

fatalXerror — Fri, 10 Nov 2017 12:04:26 GMT

Oh okay so AMP and AMP ThreatGrid are 2 different products?

Re: Firepower Dynamic Analysis

Marvin Rhoads — Fri, 10 Nov 2017 12:08:09 GMT

AMP uses the Threat Grid sandboxing techniques on the back end to provide a file disposition verdict (Malware, Clean, Unknown). That's included with an AMP subscription.

If you want to see details of what a given file does when executed in the sandbox, that's where the Threat Grid subscription comes into play. You can submit files and have them run through a sandbox and get a detailed report of their behavior.

Re: Firepower Dynamic Analysis

vaibhav.parlekar1 — Wed, 15 Nov 2017 03:24:52 GMT

Hi martin,

Thanks for the detailed response on the thread. This is exactly I was looking for. But to clarify once more. If I don't buy the Threat Grid portal license I can still get malware analysis done in threatGrid sandbox with the FireAMP license right?

Post malware analysis I would get a threat score or even to get that I would need the Threat Grid portal license.

The dispositions you talked about are from FireAMP cloud and not from malware analysis as threatgrid only provides threat score and not malware disposition as per documentation.

Would be great if you can elaborate and clarify my doubts.

thanks in advance.

Vaibhav

Re: Firepower Dynamic Analysis

Marvin Rhoads — Wed, 15 Nov 2017 11:34:35 GMT

Perhaps the following presentation may be useful to you:

https://www.cisco.com/c/dam/en/us/products/collateral/security/amp-threat-grid-appliances/integration-premium.pdf

It explains how Threat Grid submissions done as an integral part of AMP differ from those with the Threat Grid Premium Subscription.

The full Cisco Threat Grid service provides customers with a full complement of capabilities, above and beyond basic static and dynamic analysis capabilities that are available through Cisco AMP solutions (such as Cisco AMP for Endpoints, AMP for Networks, and AMP for Content). Enhanced capabilities include deep analytics and results such as process mapping and registry analysis, network connections, videos of malware execution in the environment, the ability to interact with the running sample, and API access if applicable. Batch feeds of analyzed intelligence data are also available along with the ability to create custom feeds from the broader set of Threat Grid data.

Re: Firepower Dynamic Analysis

vaibhav.parlekar1 — Wed, 15 Nov 2017 23:50:04 GMT

Thanks a lot martin for sharing the link.

However this document has raised few questions in my head.

There is a license called as sample pack as well in the document. I understand that this is to increase the limit of files that can be submitted to threatgrid cloud for analysis. So without this what is the limit of no. of files that can be sent with fireamp license on our FTD appliances. Is the limit based on the model of the firewall and is documented anywhere. I could not find any information stating that there is a limit to the files that can sent via amp license on the firewall. I have seen the reports on the firewall with amp license and it shows analysis report as well without this license.

my 2nd question is it mentions about premium threat intelligence feeds. how is that different from the Talos threat intelligence feeds we are getting under security intelligence by default.

Do you have any info on the same. Would be great to know if there any significant advantage on having this license over amp license that we already have.

vaibhav

Re: Firepower Dynamic Analysis

vaibhav.parlekar1 — Fri, 17 Nov 2017 19:59:56 GMT

Hi All,

Any take on this one.

Vaibhav

Re: Firepower Dynamic Analysis

Marvin Rhoads — Wed, 21 Nov 2018 03:14:40 GMT

If you have AMP for Endpoints the daily file submissions limit (per 24 hour sliding window) is 200 files.

If you need more details about how the functionality differs for a full threat Grid subscription I suggest you contact a Cisco partner in your region with Master security specialization. They can arrange a detailed briefing and possibly a Proof of Value demonstration tailored to your specific environment.

(edit 11-21-2018: corrected to 200 files per day)

Re: Firepower Dynamic Analysis

vaibhav.parlekar1 — Tue, 21 Nov 2017 23:29:08 GMT

thanks marvin,

By the way i was referring to AMP on the FTD firewalls and not AMP for endpoints.

Vaibhav

Re: Firepower Dynamic Analysis

staffaccount — Sun, 01 Jul 2018 21:47:43 GMT

where does Cisco Mention the 100 Files, and is this per license, for eg if you have an Active pair of Firewalls runnings Firepower, do you 100 x 2 per 24 hours.

How does Firepower indicate when the 100 file limit is exceeded? Is it via the word of 'unknown' as a classification type?

Re: Firepower Dynamic Analysis

Ed Padilla Jr — Wed, 21 Nov 2018 00:31:54 GMT

Is this information for FireAMP for Networks, file submission to the threatgrid? We already have a threatgrid. But we are not getting the expected results.

Re: Firepower Dynamic Analysis

Marvin Rhoads — Wed, 21 Nov 2018 03:17:46 GMT

Sorry the correct number is currently 200. See the link I posted on 11/152017. It is 200 for your organization. You need to purchase ThreatGrid Analysis packs to exceed that number.

When you exceed it you will get a warning message in your FMC. If you're not a current ThreatGrid customer, you can also request access to a mini-ThreatGrid portal if you want to see exactly how many files are being submitted.

Re: Firepower Dynamic Analysis

Ed Padilla Jr — Wed, 21 Nov 2018 03:28:04 GMT

Even if I am using FireAMP for Networks? With previous conversations with Cisco support it only works the sandboxing with FireAMP for endpoints . We have access to the ThreatGrid but we submit files manually.

Ed