Cisco AMP Custom Reports

Hi,

Well, I am looking for AMP custom reports. The basic thing that I am looking for is a list/count of endpoints, including servers, which were infected, even if they were quarantined later; I need the list of infected systems. I am not able to get such a monthly report. Can AMP generate such a report or not?
Please let me know.

7 Replies

Shiprock523
Level 1

Also, how can I get a list of the current exclusions exported from my existing policy so that I can make sure that I have everything? Also, is there any way to back up the policy in case I want to revert?

Thanks,

Hello Shiprock,

To your first question, if you would like to see what changes / updates were made to your exclusions, you can go to:

Management -> Exclusions -> View Changes (on each exclusion)

That will show you all info related to that specific exclusion list, including modifications made to it.

To see the list of items in the exclusion, just click on EDIT and you will see all values there. However, if what you would like to see is whether that exclusion is properly implemented in the policy, then you can go to:

Management -> Policies -> Download XML from the selected policy.

Once you get the .xml file you can check for the <exclusions> tag; you will find there all paths defined in the exclusion attached to that policy.

As for the second question, it is possible to duplicate the policy from the menu:

Management -> Policies -> Duplicate from the selected policy.

It is not strictly a backup feature, but it may help you to debug / test.

You can also click on View Changes; you will be shown all recent changes affecting that policy, so you will know exactly what was the last thing modified.

Let us know if you need further assistance.

Regards!
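
Added example, not part of the original replies and not Cisco code: one way to use the downloaded policy XML as a point-in-time record is to keep an earlier export and diff its `<exclusions>` entries against the current one. The sample documents, the `<item>` children, the namespace and the function names are constructed assumptions; only the `<exclusions>` tag name comes from the answer above.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports. The layout inside <exclusions> is an assumption
# for illustration; only the <exclusions> tag name comes from the thread.
BACKUP_XML = """<policy xmlns="urn:example:policy">
  <exclusions>
    <item>C:\\Program Files\\Backup\\</item>
    <item>C:\\pagefile.sys</item>
  </exclusions>
</policy>"""

CURRENT_XML = """<policy xmlns="urn:example:policy">
  <exclusions>
    <item>C:\\Program Files\\Backup\\</item>
    <item>C:\\Temp\\</item>
    <item>*.log</item>
  </exclusions>
</policy>"""


def local_name(tag):
    """Strip an XML namespace prefix such as '{urn:...}exclusions'."""
    return tag.rsplit("}", 1)[-1]


def extract_exclusions(xml_text):
    """Return the set of non-empty leaf values under every <exclusions> element."""
    root = ET.fromstring(xml_text)
    found = set()
    for elem in root.iter():
        if local_name(elem.tag) != "exclusions":
            continue
        for node in elem.iter():
            text = (node.text or "").strip()
            if len(node) == 0 and text:  # leaf element carrying a value
                found.add(text)
    return found


def diff_exclusions(old_xml, new_xml):
    """Compare two exports; return (added, removed) as sorted lists."""
    old, new = extract_exclusions(old_xml), extract_exclusions(new_xml)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    added, removed = diff_exclusions(BACKUP_XML, CURRENT_XML)
    print("added:", added, "removed:", removed)
```

Entries that appear as added deserve a review against the View Changes history, since a broad path or wildcard exclusion reduces what the connector scans.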

Hi, helpful answer, thx!

New question ;-) Can I create a new exclusion list by copying or "uploading" a complete list, or do I have to create every single exclusion anew?

IvanCdC
Cisco Employee

Hello Zaheer,

The Reports feature is a weekly report of the most notorious actions "as-is", meaning there is no possibility to customize what is sent in them.

If you wish to have granular information about it, I would suggest you use the Events filtering, which you can find in:

Analysis -> Events

There you will have the possibility to configure exactly which events you want to see, with the time visibility included; then you can subscribe to these events immediately (digest), one e-mail per event, hourly, daily, weekly and monthly.

I believe for your purposes now you would want to use monthly reports.

You also have the ability to export these reports to CSV should the need arise.

If this isn't enough, I would suggest you use the API; you can find further reference information here: https://api-docs.amp.cisco.com/

Let us know if you need further assistance.

Regards!

Is there a 3rd party reporting tool via API which we can use to provide a combined report for AMP and Umbrella for the customer, like an executive summary report?

Hello @goranunified,

Cisco provides several Splunk apps for long-term monitoring. You can take a look here: https://www.cisco.com/c/dam/m/en_us/products/security/technical-alliance-partners/core/assets/splunk-overview.pdf

You can add Umbrella and AMP data to Splunk and generate the combined reports you need.

Hope this helps,

Greetings,

Thorsten

Thank you @Troja007 much appreciated. 
