
AMP for endpoint and Threat Grid integration for "Automatic Analysis Submissions"

Hi All,

 

We have just procured numerous Cisco security solutions including:

  • Firepower 4110 (Multiple)
  • Cloud Email Security
  • AMP for endpoint
  • Threat Grid
  • ISE

 

Absolutely loving the potential capability this has brought to our organization from a security standpoint, awesome!

 

I have got AMP up and running with a few test machines, all is looking pretty good.

 

What I would like to know is, how do I configure AMP to automatically submit files for analysis in Threat Grid?

I can right click on a file/host in AMP and see Threat Grid as an option; I can also see that nothing has been "automatically" uploaded for analysis:

[Screenshot: 2019-07-18 11_01_17-Start.png]

[Screenshot: 2019-07-18 10_56_57-Settings.png]

Thanks heaps in advance folks!

2 Accepted Solutions


Hi,

 

You don't need to manually configure it; it's enabled by default. Not all the unknown files will be submitted. Only the low prevalence files may be submitted by AMP if it decides to do so.

Troja007
Cisco Employee

Hello @Warren Sullivan - Corp,

Just to be clear: you also have to activate automatic file upload on the AMP for Endpoints console, after you have configured the TG connection.

1) Go to Analysis -> Prevalence.
[Screenshot: Bildschirmfoto 2019-07-19 um 09.02.50.png]

2) Enable the groups for automatic submission.
[Screenshot: Bildschirmfoto 2019-07-19 um 09.05.03.png]

Otherwise, no file from the endpoint will be automatically uploaded for analysis.

Greetings,

Thorsten

7 Replies

Francesco Molino
VIP Alumni
Hi

If you have your Threat Grid access, you should have your API key in your administration user window and you should paste it into AMP on the account/business menu.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

I already have it configured, as you can see below:

[Screenshot: 18-07-2019 3-19-24 PM.jpg]

But what I'm wondering is how do you configure AMP to upload threats for analysis automatically, without user intervention?


So I just got into Secure Endpoint and Secure Malware Analytics, and I noticed the "Default Key" in Endpoints doesn't match the API key in Malware Analytics. So I went ahead and pasted the correct key ... now it says that I cannot submit files for analysis again in over 292277024 years. Our sun might explode by then.


Hi,

This issue in most cases was due to an expired Threat Grid license and was resolved once the license was renewed and a new API was generated.

Also, if this is a new or renewed license, perhaps created today 02/09/2024, I would try to regenerate a new API key tomorrow. Please log in as ORG Admin and regenerate the API and then try to apply it again in the Secure Endpoint portal. If you still run into an issue, please contact the Threat Grid provisioning team to verify your license: Cisco Threat Grid Provisioning <tg-provisioning@cisco.com>

 

Regards,

Roman

 

 

Muhammad already replied. I had an issue with a customer with the API connection, that's why I told you to do so. Now in terms of dynamic analysis, AMP will decide it automatically if the link is done.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
