AMP Event details

abirajkwilson
Level 1

Hi All,

 

There are many event types available in the filter tab. Do we have any short definition of the event types, for example Cloud IOC, etc.?

3 Replies

Troja007
Cisco Employee

Hello @abirajkwilson,

Not 100% sure what you need in detail.

 

Cloud IOC: this is not a "static event". The endpoint monitors disk, process and network activity. This activity is processed in the AMP backend and generates the IOC events. They are different from normal Threat Events. An IOC event indicates a problem with an endpoint that you should investigate.

 

Please come back to me if you have more questions.

 

Greetings,

Thorsten
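As an added example (not part of this thread, and not Cisco's own tooling), the script below shows the distinction the reply makes in practice: it takes an events list in the shape of an AMP for Endpoints API events response, splits each host's events into backend-generated IOC events and ordinary threat events, and lists the hosts with IOC events as the ones to investigate. The sample records are constructed, and the field names `event_type`, `computer.hostname` and `date` are assumptions about the API's response format; the IOC event-type names are the ones listed later in this thread.

```python
"""Triage AMP for Endpoints events into IOC events vs. threat events.

Added example for this thread; it is not Cisco code and not the poster's code.
The sample records below are constructed to resemble entries from the AMP for
Endpoints API's events response (field names 'event_type', 'computer' and
'date' are assumptions about that format, not taken from the thread).
"""
import json
from collections import defaultdict

# Event types the thread lists under the "IOC" group. Assumption: the API reports
# them with exactly these names; adjust to the names your console shows.
IOC_EVENT_TYPES = frozenset({
    "Cloud IOC",
    "Multiple Infected Files",
    "Potential Dropper Infection",
})

# Constructed sample input (not real telemetry).
SAMPLE_EVENTS_JSON = """
{"data": [
  {"date": "2020-03-02T09:58:11+00:00", "event_type": "Threat Detected",
   "computer": {"hostname": "ws-01"}, "detection": "W32.Example.Constructed"},
  {"date": "2020-03-02T10:02:40+00:00", "event_type": "Cloud IOC",
   "computer": {"hostname": "ws-02"},
   "description": "constructed: process and network activity correlated by the backend"},
  {"date": "2020-03-02T10:05:03+00:00", "event_type": "Potential Dropper Infection",
   "computer": {"hostname": "ws-01"}},
  {"date": "2020-03-02T10:07:19+00:00", "event_type": "Exploit Prevention",
   "computer": {"hostname": "ws-03"}},
  {"date": "2020-03-02T10:09:55+00:00", "event_type": "Threat Quarantined",
   "computer": {"hostname": "ws-02"}}
]}
"""


def load_events(raw_json: str) -> list[dict]:
    """Parse an events response body and return its 'data' list."""
    return json.loads(raw_json)["data"]


def is_ioc_event(event_type: str) -> bool:
    """True for backend-generated IOC events, False for endpoint threat events."""
    return event_type in IOC_EVENT_TYPES


def triage(events: list[dict]) -> dict[str, dict[str, list[str]]]:
    """Group event types per host, separated into 'ioc' and 'threat' buckets."""
    per_host: dict[str, dict[str, list[str]]] = defaultdict(
        lambda: {"ioc": [], "threat": []}
    )
    for ev in events:
        host = ev.get("computer", {}).get("hostname", "<unknown>")
        bucket = "ioc" if is_ioc_event(ev["event_type"]) else "threat"
        per_host[host][bucket].append(ev["event_type"])
    return dict(per_host)


def hosts_to_investigate(events: list[dict]) -> list[str]:
    """Hosts with at least one IOC event: the ones the reply says to investigate."""
    return sorted(host for host, buckets in triage(events).items() if buckets["ioc"])


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS_JSON)
    for host, buckets in sorted(triage(evs).items()):
        print(f"{host}: ioc={buckets['ioc']} threat={buckets['threat']}")
    print("investigate:", hosts_to_investigate(evs))
```

To run this against a real deployment, replace `SAMPLE_EVENTS_JSON` with the body returned by the console's events API for your organisation (authentication and the exact query parameters are outside this example) and check the IOC names in `IOC_EVENT_TYPES` against the event types your console actually shows; a host that only has threat events (like `ws-03` above) is not flagged, because a detection that was blocked is a different follow-up from an IOC the backend correlated from ongoing activity.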

Hi @Troja007,

The reply you provided was good for Cloud IOC events. Are there definitions/information (Cisco KB link) available, like what you provided for Cloud IOC, for the other types of events and subdivisions of events? Detected threats >> Malicious Activity Detection, Exploit Prevention, etc.; IOC >> Cloud, Multiple Infected Files, Potential Dropper Infection, etc.

Hello @abirajkwilson,

for Threat Events and the naming, you can take a look here: https://www.talosintelligence.com/amp-naming

Regarding other events like Exploit Prevention: what information do you need? Or, what information do you need to understand the event?

 

Just to be sure, you want to have a longer description of every threat type? Which information in detail are you looking for? Maybe information on how you should handle the information?

Just trying to understand your needs.

 

Greetings,

Thorsten
