Cisco AMP retroactive convictions from LOWRISK to MALICIOUS

talbarado
Level 1

Receiving Cisco AMP retroactive convictions from LOWRISK to MALICIOUS, but the files are not available in AMP/ThreatGrid as a reviewable scanned file, such that the behaviors can be extracted and mitigation be implemented based on that data.


Current Workflow:

  1. File passes through Ironport / AMP
  2. Email with file is delivered
  3. AMP retroactively convicts the file
  4. Notification is sent to the team via alert from Ironport
  5. Hash is available in the alert
  6. Team searches for the hash in AMP/Threatgrid – not found
  7. Team retrieves file from endpoint and runs it through Threat Grid Sandbox manually. In both cases nothing malicious was found


Anyone have any experience with this? 

2 Replies

What was the threat name?

Look it up here: https://talosintelligence.com/amp-naming

Some threats aren't necessarily malicious (*in05 for example)

Thanks for the insight. Unfortunately this page does not have my particular event listed. It also does not list any IOCs, which we ultimately need in order to find out whether there was any nefarious activity during the time of the rating change.