AMP - How to produce a list of vulnerable software against a list of known affected endpoints?

matty-boy
Level 1

Hi all,

 

Using AMP, I need to produce a report that lists all endpoints against the known software vulnerabilities on those endpoints so they can be upgraded/patched. I need to include the group that the endpoint belongs to (there are many endpoints grouped by country, endpoint type, etc, each group being managed by different IT teams).

 

Analysis > Vulnerable Software displays a list of all the vulnerable software. Clicking on one of these lists all the CVEs, "observed in groups", and the last observed individual endpoint. What it doesn't let me see is each and every endpoint affected by that vuln (unless I'm being blind). Same deal if I Export to CSV: it only shows that last observed endpoint for each vuln, not all affected endpoints.

 

"Dashboard > Events > Event Type = Vulnerable Application Detected" does a better job, especially when exported to CSV but it doesn't include the group that the endpoint is a member of. This is a must for me.

 

Anybody know the best way to achieve this?

 

Many thanks in advance,

Matt.

6 Replies

AlexPi
Level 1

Hello there,

 

As far as I know the best way to get the result you want is through Dashboard>Events and then lookup for the Event Type you want. As for the Group you should be able to select All Groups or a specific Group from the drop down menu on the right hand side of the Event Type selector.

 

As far as I know, if a Group is not listed here it does not exist.


Hi Alex,

Thank you for your reply. I agree that Dashboard>Events is the better way and yes, it is possible to filter by group in the GUI.

What I wanted to do was export ALL vulns for all endpoints in all groups in one go and then have the ability to filter the Excel sheet by group afterwards. Alas, the group field does not appear to be exported so this is not possible.

Our customer has thousands of endpoints/connectors and over 100 groups so exporting each group manually isn't really an option.

Cheers,

Matt.

Hey Matt,

 

I asked around in the office as well as our other engineer, and we both conclude that this cannot be done for the Vulnerability Events. We also experimented with different menus, but the desired outcome is not what you are looking for.

 

I have been using AMP for 3 years. I am not an expert, but I do not think this can be done through the GUI.

 

The only other thing that I can think of is exporting all these events to a Syslog server and then pulling those entries from there, which, considering the size of the logs you are looking at, might also be the better way of doing so and will offer more detail and flexibility.

 

Alex P.


Hi Alex,

Thanks very much for looking into this, it's very much appreciated!

Cheers,

Matt.

Hello Matt.
I am wondering if you were able to produce a report of vulnerable software for each individual endpoint?

thomas.methlie
Level 1

Have you looked into the Vulnerability API?

Seems like you might be able to do something there, though you might have to do some work to process the data you get back

 

https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fvulnerabilities&api_host=api.amp.cisco.com&api_resource=Vulnerabilities&api_version=v1

 

Regards,

Thomas
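As an added illustration of the API route Thomas suggests (this is example code written for this thread, not Cisco's own sample or a script from any poster), the sketch below pulls the vulnerability list, the computers affected by each vulnerable file, the connector list and the group list, then joins them into one row per endpoint and vulnerable application with the group name attached, which is the flat, filterable export Matt was after. The JSON field names (`file.identity.sha256`, `cves[].id`, `connector_guid`, `group_guid`, `metadata.links.next`) and the API host are assumptions based on the published AMP API docs and should be checked against the live responses; the sample payloads at the bottom are constructed, not real data.

```python
import base64
import json
import urllib.request

API_HOST = "https://api.amp.cisco.com"  # assumed; use the host for your region

def fetch_all(path, client_id, api_key):
    """GET an AMP API collection, following metadata.links.next pagination (assumed shape)."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    url, items = API_HOST + path, []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("data", []))
        url = page.get("metadata", {}).get("links", {}).get("next")
    return items

def build_report(vulns, computers_by_sha, connectors, groups):
    """Flatten to one row per (endpoint, vulnerable file), resolving the endpoint's group name."""
    group_name = {g["guid"]: g["name"] for g in groups}
    connector = {c["connector_guid"]: c for c in connectors}
    rows = []
    for v in vulns:
        sha = v["file"]["identity"]["sha256"]
        cves = ";".join(cve["id"] for cve in v.get("cves", []))
        for comp in computers_by_sha.get(sha, []):  # from GET /v1/vulnerabilities/{sha}/computers (assumed)
            c = connector.get(comp["connector_guid"], {})
            rows.append({
                "group": group_name.get(c.get("group_guid"), "UNKNOWN"),
                "hostname": c.get("hostname", comp["connector_guid"]),
                "application": v["application"],
                "version": v["version"],
                "sha256": sha,
                "cves": cves,
            })
    # Sorted by group first so the sheet can be split per IT team without further filtering.
    return sorted(rows, key=lambda r: (r["group"], r["hostname"], r["application"]))

# Constructed sample payloads in the shape the functions above assume; not real AMP output.
GROUPS = [{"guid": "g-uk", "name": "UK Workstations"}, {"guid": "g-de", "name": "DE Servers"}]
CONNECTORS = [
    {"connector_guid": "c1", "hostname": "LON-PC-01", "group_guid": "g-uk"},
    {"connector_guid": "c2", "hostname": "BER-SRV-07", "group_guid": "g-de"},
]
VULNS = [{"application": "Example Reader", "version": "1.2.3",
          "file": {"identity": {"sha256": "a" * 64}}, "cves": [{"id": "CVE-PLACEHOLDER-1"}]}]
COMPUTERS_BY_SHA = {"a" * 64: [{"connector_guid": "c1"}, {"connector_guid": "c2"}]}
```

In live use, `vulns = fetch_all("/v1/vulnerabilities", ...)`, `computers_by_sha[sha] = fetch_all(f"/v1/vulnerabilities/{sha}/computers", ...)` for each listed file, and `connectors`/`groups` from `/v1/computers` and `/v1/groups`; write the rows out with `csv.DictWriter` to get the group column the GUI export lacks.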