AMP 4 Endpoint questions

Hello, 


I would like to ask some questions about the operation of AMP


1. When upgrading an agent, the reboot after needs to be done with privileged account?

2. Is there a site that hosts IOC xml files?

3. Is there a way for AMP to automatically upload files to threatgrid?

4. The endpoint isolation could be done automatically?


Regards, 

Konstantinos

3 Replies

1. No, user can reboot... and after 7.x, reboot requirements mostly go away.

2. Talosintelligence.com... thou

3. Yes, under Outbreak Controls/Automated Actions. These also show up as Orchestrations in SecureX/Orchestrations

4. Yes, under Outbreak Controls/Automated Actions. These also show up as Orchestrations in SecureX/Orchestrations


Good morning!!


Thank you for the answers!

1. So if it does not update with a normal user, there is a problem.

2. Where exactly? I cannot find an .xml file for IOCs

3. Great! Found it!

4. Found it! I can see that the only criterion is the severity. Is there a way to choose something else?


Regards, 

Konstantinos

Hello @kostasthedelegate,
some info inline..

Thank you for the answers!

1. So if it does not update with a normal user, there is a problem.
A: The endpoint upgrade is completely independent of the logged-on user... you can also do an upgrade if no user is logged on.

2. Where exactly? I cannot find an .xml file for IOCs
A: Hello, there is no list of .xml files. If there is, e.g., a blog post that includes observables or IOC information, you can use the SecureX browser add-on to add them directly to a casebook and to investigate your environment.
The intelligence in the backend for Cloud IOC generation is constantly updated by Cisco. The IOC information, e.g. on the Talos website, can be used to do additional threat hunting and investigations.

3. Great! Found it!
A: great

4. Found it! I can see that the only criterion is the severity. Is there a way to choose something else?
A: Automated actions inside the Secure Endpoint Console are always triggered by an IOC. In addition, you can use the API to trigger them from external sources. OR, you can build your personal Orchestration Workflows (SecureX) and trigger them. Orchestration Workflows can also be triggered externally.


Greetings,
Thorsten


... did some small updates to remove typos.
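As an added example (not code from this thread or from Cisco), here is how an external script could apply criteria other than severity to Secure Endpoint events and build the isolation API call that the answer above refers to. The event field names, the base URL and the `/v1/computers/{guid}/isolation` path are assumptions taken from the public API documentation, and the script only builds the request instead of sending it.

```python
# Added example: pick isolation candidates with criteria beyond severity,
# then build (dry run, nothing is sent) the Secure Endpoint API request.
# Event fields, base URL and isolation path are ASSUMPTIONS from the public docs.
import json

API_BASE = "https://api.amp.cisco.com/v1"  # assumed regional API base URL

# Constructed sample events in the shape GET /v1/events is assumed to return.
SAMPLE_EVENTS = json.loads("""[
 {"id": 1, "event_type": "Threat Detected", "severity": "Medium",
  "connector_guid": "aaaa-1111", "detection": "W32.Generic", "group_guids": ["servers"]},
 {"id": 2, "event_type": "Threat Detected", "severity": "High",
  "connector_guid": "bbbb-2222", "detection": "Win.Ransomware.Locky", "group_guids": ["laptops"]},
 {"id": 3, "event_type": "Threat Quarantined", "severity": "High",
  "connector_guid": "cccc-3333", "detection": "Win.Ransomware.Locky", "group_guids": ["laptops"]},
 {"id": 4, "event_type": "Threat Detected", "severity": "Low",
  "connector_guid": "dddd-4444", "detection": "PUA.Adware", "group_guids": ["servers"]}
]""")

def isolation_candidates(events, exclude_groups=frozenset(), name_prefixes=("Win.Ransomware",)):
    """Criteria beyond severity: the event must be an un-remediated detection,
    the detection name must match a watched family, and the connector must not
    be in an excluded group (e.g. servers you never auto-isolate).
    Returns a sorted list of unique connector GUIDs."""
    picked = set()
    for ev in events:
        if ev.get("event_type") != "Threat Detected":
            continue  # quarantined or cleaned events need no isolation
        if not str(ev.get("detection", "")).startswith(tuple(name_prefixes)):
            continue
        if set(ev.get("group_guids", [])) & exclude_groups:
            continue
        picked.add(ev["connector_guid"])
    return sorted(picked)

def isolation_request(connector_guid, comment="auto: custom criteria"):
    """Build (not send) the PUT that starts isolation for one connector.
    Path and body are assumed; auth would be HTTP Basic with client_id/api_key."""
    return {
        "method": "PUT",
        "url": f"{API_BASE}/computers/{connector_guid}/isolation",
        "json": {"comment": comment},
    }

def plan(events, **criteria):
    """Full dry-run plan: one isolation request per selected connector."""
    return [isolation_request(g) for g in isolation_candidates(events, **criteria)]

if __name__ == "__main__":
    for req in plan(SAMPLE_EVENTS, exclude_groups=frozenset({"servers"})):
        print(req["method"], req["url"])
```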