10-18-2019 02:47 PM - edited 02-20-2020 09:11 PM
Today I had 6 endpoints within 3 hours all quarantine the following file: 8d4fdcb52b32afbcef4450ca88668def9b245a6f7ab2aa26ec3a4324a0b1f461
When I look what was happening with each endpoint in AMP's Device Trajectory I see this:
The event only indicates that the file was "created by chrome.exe". Why doesn't it indicate the IP address that is the source of the malicious file so we can understand how we are being targeted by malware? That would be valuable.
Even when we open a Threat Response investigation enriched with all of Cisco's threat intelligence data and our Sourcefire and Umbrella environment data we get no additional insight as to the origin of the threat other than which 6 endpoints quarantined the file.
How are we supposed to find out the source of exposure to the malicious file if the only information provided is Chrome? That's basically saying "something on the Internet".
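One place the missing origin can often be recovered on the endpoint itself is Chrome's own download history, which records the URL chain and the referring page for every download. The script below is an added example, not code from this thread or from Cisco; it builds an in-memory SQLite database shaped like a subset of Chrome's `History` file (the table and column names `downloads.target_path`, `start_time`, `referrer`, `tab_url` and `downloads_url_chains.url` are Chrome's real ones, the rows are constructed sample data), then looks up which URL delivered a file of the quarantined name within a time window around the AMP event. The file name, URLs and timestamps are all constructed for the example.

```python
"""Correlate a quarantined file with Chrome's download history.

Added example: constructs an in-memory SQLite database with a subset of
Chrome's History schema, then answers "which URL delivered this file, and
from which page, around the time the endpoint reported the event?".
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC (WebKit time).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_webkit(dt):
    """datetime (tz-aware) -> WebKit microsecond timestamp."""
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def from_webkit(ts):
    """WebKit microsecond timestamp -> tz-aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def build_sample_history():
    """Constructed stand-in for a copy of Chrome's History database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
            end_time INTEGER, referrer TEXT, tab_url TEXT, mime_type TEXT);
        CREATE TABLE downloads_url_chains (
            id INTEGER, chain_index INTEGER, url TEXT,
            PRIMARY KEY (id, chain_index));
    """)
    t0 = datetime(2019, 10, 18, 9, 12, tzinfo=timezone.utc)   # benign, earlier
    t1 = datetime(2019, 10, 18, 13, 58, tzinfo=timezone.utc)  # suspect download
    conn.executemany(
        "INSERT INTO downloads VALUES (?,?,?,?,?,?,?)",
        [(3, r"C:\Users\alice\Downloads\report.pdf", to_webkit(t0),
          to_webkit(t0 + timedelta(seconds=4)),
          "https://intranet.example.invalid/", "https://intranet.example.invalid/",
          "application/pdf"),
         (7, r"C:\Users\alice\Downloads\invoice_4411.exe", to_webkit(t1),
          to_webkit(t1 + timedelta(seconds=9)),
          "https://mail.example.invalid/inbox", "https://mail.example.invalid/inbox",
          "application/octet-stream")])
    # A redirect chain: the link clicked (index 0) and the final host (index 1).
    conn.executemany(
        "INSERT INTO downloads_url_chains VALUES (?,?,?)",
        [(3, 0, "https://intranet.example.invalid/report.pdf"),
         (7, 0, "https://cdn.example.invalid/dl?x=1"),
         (7, 1, "http://files.example.invalid/invoice_4411.exe")])
    conn.commit()
    return conn


def find_download_source(conn, file_name, event_time, window=timedelta(minutes=30)):
    """Return the download record (with full URL chain) for `file_name`
    started within `window` of `event_time`, or None if there is no match."""
    lo, hi = to_webkit(event_time - window), to_webkit(event_time + window)
    row = conn.execute(
        "SELECT id, target_path, start_time, referrer, tab_url, mime_type "
        "FROM downloads WHERE target_path LIKE '%' || ? "
        "AND start_time BETWEEN ? AND ? ORDER BY start_time DESC LIMIT 1",
        (file_name, lo, hi)).fetchone()
    if row is None:
        return None
    dl_id, path, start, referrer, tab_url, mime = row
    chain = [u for (u,) in conn.execute(
        "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index",
        (dl_id,))]
    return {
        "target_path": path,
        "started": from_webkit(start).isoformat(),
        "referrer": referrer,
        "tab_url": tab_url,
        "mime_type": mime,
        "url_chain": chain,
        "final_url": chain[-1] if chain else None,
    }


if __name__ == "__main__":
    db = build_sample_history()
    # Constructed AMP event time: the quarantine a few minutes after download.
    event = datetime(2019, 10, 18, 14, 5, tzinfo=timezone.utc)
    hit = find_download_source(db, "invoice_4411.exe", event)
    for k, v in (hit or {}).items():
        print(f"{k:12} {v}")
```

Against a real endpoint you would replace `build_sample_history()` with `sqlite3.connect()` on a copy of `%LOCALAPPDATA%\Google\Chrome\User Data\Default\History` (Chrome holds a lock on the live file, so copy it first). The `final_url` host and the `referrer` page are exactly the pivot points you can then take into Umbrella or Sourcefire logs to see which other endpoints reached the same source.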
10-18-2019 02:56 PM
10-20-2019 02:39 AM
Hello @A.N.Jensen,
The one and only answer for you is not really possible.
As you see, there are many aspects we cannot directly figure out from a single screenshot. So it makes sense to open a TAC case to go through the event and monitoring data in your environment.
Greetings,
Thorsten
11-12-2019 12:47 PM
This is the type of data I can see in a demo of Microsoft ATP; this is what I would like to see in AMP events or Device Trajectory.