2587 Views · 5 Helpful · 3 Replies

AMP EndPoint Security - App Allowing and Exclusions

Amped
Level 1

We are rolling out AMP and have various processes and files flagged as malicious by the tool that are approved for use, and we are OK with these items running on our endpoints. We have added the SHA values to Allowed Applications, but noticed the dashboard inbox still sends alerts about these items. As a result we decided to build exclusions based on Process, Threat, Path, or a combination, to prevent AMP from continuing to scan and flag these. In the end, none of these methods have worked to prevent these items from continuing to be flagged in the dashboard inbox as requiring attention. We understand there is the ability to mute artifacts on the dashboard, but that does not mute these items from being displayed on the endpoint itself.

Generally we are looking for a way that we can tell AMP that we are OK with a particular process, file, or action and not have it continue to alert about things we have allowed and approved. Otherwise the inbox and alerts are mostly noise and would result in analysts resolving approved apps instead of investigating real threats.

We assume we are missing something here, and any help would be appreciated.

3 Replies

Matthew Franks
Cisco Employee

Please take a look at the Best Practices for AMP for Endpoints Exclusions document. I believe that covers everything you're asking about.

Thanks,

Matt

Appreciate the follow-up info. We have read this document many times and created various exclusions based on this info, but the alerts for these processes, threats, and files continue to come into the main Dashboard event inbox regardless.

Is there a long delay in applying the exclusions to endpoints? All seems to be set up correctly, and we have done this on both Mac and Windows systems, and we are really not seeing the expected result of the events no longer being flagged. Essentially we are trying to tell AMP for Endpoints that these hash values, paths, or threats are acceptable and therefore we do not want to see them in the inbox. The idea is that the inbox only shows threats that we have not allowed and need to further investigate and be aware of. Right now the inbox is mostly things we already allowed, and analysts are wasting a lot of time just marking all those resolved every day.

The exclusions should be updated on the next heartbeat from the connector after you update the policy in the console. If the exclusions are set up properly, they should not be sent to the dashboard, as AMP would either ignore them or consider them Clean. I would suggest opening a TAC case so someone can review the exclusions with you. Or, if you prefer, there are some tools available to help you review on your own:

https://github.com/CiscoSecurity/amp-05-windows-tune

https://github.com/CiscoSecurity/amp-05-health-checker-windows

Thanks,
Matt
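The reply above says a correctly written exclusion should make the event disappear from the inbox, and the original poster says the path, process, threat, and hash rules they wrote did not. A quick way to narrow that down before opening a TAC case is to replay the events you are still seeing against the rules you think cover them and list the ones nothing matches. The script below is an added example written for this thread, not Cisco's code and not the logic the AMP connector actually uses: the four rule kinds (path or wildcard path, process with optional SHA-256, threat name, and an Allowed Applications style hash list) are modelled with simplified matching assumptions (case-insensitive on Windows, `*` crossing directory separators, directory rules matching everything beneath them), and every path, hash, and threat name in it is constructed.

```python
"""Replay flagged events against an exclusion set and list what would still surface.

Added example, not Cisco's code. The matching rules are a simplified model of the
exclusion categories discussed in the thread, not the connector's real engine.
"""
import ntpath
import posixpath
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Event:
    os: str        # "windows" or "mac"
    path: str      # file the connector flagged
    sha256: str    # SHA-256 of that file
    process: str   # process that touched the file
    threat: str    # threat name shown in the console


@dataclass
class Exclusions:
    paths: list = field(default_factory=list)         # directories, files, or wildcard patterns
    processes: dict = field(default_factory=dict)     # process path -> required sha256, or None
    threats: set = field(default_factory=set)         # threat names, compared case-insensitively
    allowed_hashes: set = field(default_factory=set)  # Allowed Applications style SHA-256 list


def norm(path: str, os_name: str) -> str:
    """Normalise separators and case so a rule and an event compare the same way (assumption)."""
    if os_name == "windows":
        return ntpath.normpath(path).lower()
    return posixpath.normpath(path)


def path_covered(ev: Event, rule: str) -> bool:
    p, r = norm(ev.path, ev.os), norm(rule, ev.os)
    sep = "\\" if ev.os == "windows" else "/"
    if any(c in r for c in "*?"):
        return fnmatchcase(p, r)                     # wildcard rule; '*' crosses separators here
    return p == r or p.startswith(r.rstrip("\\/") + sep)  # exact file, or anything under a directory


def classify(ev: Event, ex: Exclusions) -> str:
    """Return which rule kind would suppress the event, or VISIBLE if none does."""
    if ev.sha256.lower() in {h.lower() for h in ex.allowed_hashes}:
        return "hash-allowed"
    if any(path_covered(ev, r) for r in ex.paths):
        return "path-excluded"
    for proc, sha in ex.processes.items():
        if norm(proc, ev.os) == norm(ev.process, ev.os) and (sha is None or sha.lower() == ev.sha256.lower()):
            return "process-excluded"
    if ev.threat.lower() in {t.lower() for t in ex.threats}:
        return "threat-excluded"
    return "VISIBLE"


def nearest_rule(ev: Event, ex: Exclusions) -> Optional[str]:
    """For a Windows event nothing covers, find a path rule that would match on another drive."""
    if ev.os != "windows":
        return None
    _, ptail = ntpath.splitdrive(norm(ev.path, "windows"))
    for r in ex.paths:
        _, rtail = ntpath.splitdrive(norm(r, "windows"))
        if rtail and (ptail == rtail or ptail.startswith(rtail.rstrip("\\") + "\\")):
            return r
    return None


def report(events, ex):
    """One (path, status, hint) row per event; the VISIBLE rows are the ones to fix."""
    rows = []
    for ev in events:
        status, hint = classify(ev, ex), ""
        if status == "VISIBLE":
            near = nearest_rule(ev, ex)
            hint = f"rule {near!r} matches only on its own drive letter" if near else "no rule covers this event"
        rows.append((ev.path, status, hint))
    return rows


# Constructed sample data (hypothetical paths, hashes and threat names).
EXCLUSIONS = Exclusions(
    paths=[r"C:\Tools\Build", r"C:\Users\*\AppData\Local\Temp\portscan.exe", "/opt/redteam/"],
    processes={r"C:\Program Files\Scanner\scanner.exe": "b" * 64},
    threats={"OSX.Example.D"},
    allowed_hashes={"a" * 64},
)
EVENTS = [
    Event("windows", r"C:\Tools\Build\nmap.exe", "c" * 64, r"C:\Tools\Build\nmap.exe", "W32.Example.A"),
    Event("windows", r"D:\Tools\Build\nmap.exe", "c" * 64, r"D:\Tools\Build\nmap.exe", "W32.Example.A"),
    Event("windows", r"C:\Users\jdoe\AppData\Local\Temp\portscan.exe", "d" * 64, "explorer.exe", "W32.Example.B"),
    Event("windows", r"C:\Program Files\Scanner\scanner.exe", "b" * 64, r"C:\Program Files\Scanner\scanner.exe", "W32.Example.C"),
    Event("windows", r"C:\Program Files\Scanner\scanner.exe", "e" * 64, r"C:\Program Files\Scanner\scanner.exe", "W32.Example.C"),
    Event("mac", "/Applications/Wireshark.app/Contents/MacOS/Wireshark", "f" * 64, "/usr/bin/open", "OSX.Example.D"),
    Event("mac", "/opt/redteam/bin/tool", "a" * 64, "/bin/zsh", "OSX.Example.E"),
]

if __name__ == "__main__":
    for path, status, hint in report(EVENTS, EXCLUSIONS):
        print(f"{status:17} {path}  {hint}")
```

Two of the constructed events stay VISIBLE on purpose: the copy of the tool installed on `D:` is outside a rule written for `C:\Tools\Build`, and the scanner whose hash changed after an update no longer matches a process rule pinned to the old SHA-256. Those are the two questions worth asking of any real event that is still reaching the inbox after the connector's next heartbeat: is the rule scoped to the exact location the file runs from on every endpoint, and is a pinned hash still current.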