04-06-2017 12:24 AM
Hi,
Is it possible to get the attached file signature within Ironport logs? Just like within Sourcefire logs, which present file hashes.
I am just wondering if there is any correlation possibility between those two log sources.
04-06-2017 08:22 AM
Hello,
Are you referring to the SHA information? The easiest way to review this would be within the AMP logs or Message Tracking.
For example, you could run something like this from the CLI:
grep -it "sha256" amp
Thanks!
-Dennis M.
04-06-2017 10:22 PM
Hi,
thanks for the reply.
My question refers to SIEM monitoring correlation possibilities: is it possible to configure the Ironport logging system in such a way that it puts the file signature into its log automatically, so I can use that information to build SIEM monitoring correlation rules?
I think it isn't possible, but I want to make sure with someone who has more experience with Ironport.
regards
Adam
04-07-2017 05:39 AM
If you are running the latest GD release (10.0.1-087) (or even 10.0.0-203), you can syslog off your AMP logs now, allowing you to pipe them directly to SIEM.
Also, if you purchased the premium cloud subscription for Threat Grid, you have the ability to access feeds, API...
-Robert