File Policy - dynamic analysis daily Limit?

evan.chadwick1
Level 1

Hi Folks,

Is there a daily limit on files that can be sent for dynamic analysis? If so, where is this referenced? Does FMC flag when the daily limit is reached?

If any limits apply, please clarify if they are for both:

Spero

dynamic


Jetsy Mathew
Cisco Employee

Hello evan.chadwick1

 

Are you trying to submit the files to the TG? If so, there will be a daily limit for your account for file submissions. Please check the TG account for your daily limit.

 

Regards

Jetsy 

 

Just selecting 'dynamic analysis' in the AMP file policy.

I just cannot find a document anywhere that mentions anything about daily limits. Firepower never reports when a daily limit is hit either.

Found some info, questions in red (shown here in square brackets):

When using the Cisco Threat Grid public cloud for file analysis, the file upload limit is set to 200 [even if you have 30 sites and 60 Firepower sensors???] files per day by default at the organization level, irrespective of the devices configured. This limit is shared across all AMP-enabled devices in the organization. If your organization needs more sample capacity, contact your Cisco sales representative, and inquire about Threat Grid Sample Packs.

Note: If the load on the File Analysis service exceeds capacity, some files may not be analyzed even if the file type is selected for analysis and the file would otherwise be eligible for analysis. You will receive an alert when the service is temporarily unable to process files of a particular type. [How/where is this seen?]

If a file has recently been uploaded from any source, the file will not be uploaded again. [This is not my experience with two separate client sites; I see the same SHA being repeatedly sent (have a TAC case open and will update).] For File Analysis results for this file, search for the SHA-256 from the File Analysis reporting page.

Hi Evan,

 

I have been trying to get this information but have got mixed responses. Some said there is no per-day limit for the Firepower devices and it's only for the endpoints. I am not sure where you got the number of 200 files per day. There is no documentation around it. It would be great if some folks from Cisco published clear information on this.

 

Vaibhav

You're right that the numbers are not well-published. I thought I had a presentation that summarized them but can't locate it right now. The citation you found is the best thing I've seen publicly available.

 

(For later readers, it can be found on page 14 of the following: https://www.cisco.com/c/dam/en/us/td/docs/security/content_security/content_security_general/Content-security-file-reputation-and-analysis-criteria.pdf )

 

You can choose to store files locally for later submission in the event that your daily limit is exceeded. That would be via the "Capacity Handling" checkbox in the file policy.

 

You should see if you have/are exceeding your daily limit under Analysis > Files > Captured Files > File Analysis Status (may need to switch from the default workflow). There is a field "Disposition" there that has a value that can be as follows:

 

Capacity Handled (Rate Limit) — file stored because it could not be submitted due to the maximum number of submissions reached.
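The counters discussed above (submissions against the shared 200-per-24h allowance, the "Capacity Handled (Rate Limit)" disposition, and the repeated-SHA submissions Evan reports seeing) can be derived from an export of the captured-files view. This is an added example, not code from the thread or from Cisco; the CSV columns are an assumption for the example, not FMC's real export schema, and the rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Default organization-wide Threat Grid allowance quoted in the thread (shared by all AMP-enabled devices).
DAILY_LIMIT = 200
RATE_LIMIT_DISPOSITION = "Capacity Handled (Rate Limit)"

# Constructed sample export; the column names are an assumption for this example, not FMC's real schema.
SAMPLE_CSV = """\
time,device,sha256,disposition
2020-05-01 08:00:00,ftd-site1,sha256-A,Clean
2020-05-01 09:30:00,ftd-site2,sha256-B,Malware
2020-05-01 10:00:00,ftd-site1,sha256-A,Clean
2020-05-01 23:00:00,ftd-site2,sha256-C,Capacity Handled (Rate Limit)
2020-05-02 07:59:00,ftd-site1,sha256-D,Unavailable
2020-05-02 09:00:00,ftd-site2,sha256-A,Clean
"""

def parse_rows(text):
    """Parse the export into dicts, converting 'time' to a datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    return rows

def peak_submissions_24h(rows):
    """Largest number of submissions inside any rolling 24-hour window."""
    times = sorted(row["time"] for row in rows)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= timedelta(hours=24):
            start += 1  # drop submissions 24h or more older than this one
        peak = max(peak, end - start + 1)
    return peak

def repeated_sha_submissions(rows):
    """SHA-256 values sent more than once; the doc says a recently uploaded file should not be re-uploaded."""
    counts = Counter(row["sha256"] for row in rows)
    return {sha: n for sha, n in counts.items() if n > 1}

def summarize(text):
    """Counters the thread says FMC does not surface out of the box."""
    rows = parse_rows(text)
    peak = peak_submissions_24h(rows)
    return {"peak_24h": peak, "over_limit": peak > DAILY_LIMIT,
            "rate_limited": sum(r["disposition"] == RATE_LIMIT_DISPOSITION for r in rows),
            "per_device": dict(Counter(r["device"] for r in rows)),
            "repeated_sha": repeated_sha_submissions(rows)}
```

A non-zero `rate_limited` count or a `peak_24h` near the limit is the signal the thread says the default dashboards do not give you; a populated `repeated_sha` map is the de-duplication anomaly Evan raised with TAC.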

 

 

 

Thanks for the tips. I can confirm I don't have the one message mentioned above that indicates exhaustion of the limit. But when manually trying to upload a captured file, I get a vague message saying 0 out of 1 files failed to upload. I've tested outbound connections from the FMC and also added the optional port 32137 just in case.

 

If I follow the instructions above with the disposition field present and filter out the following:

!malware, !clean, !unavailable, !unknown

I get nothing.

 

Would love some definitions/context for:

1/ unavailable

2/ nothing in the disposition column

 

For the readers, the 'disposition' field mentioned, is not a field shown by default. One needs to click on a column title and then choose to show disposition at the bottom of the list.

 

In regards to visibility of hitting daily limits, I cannot seem to find anything in reporting. I'm having some success with adding widgets.

Using a custom widget I can get clarity on what files I'm storing and the count of them, and also on File Actions, i.e. Malware Cloud Lookup and the count, cloud time out and the count. But still not quite on the dynamic analysis.

Anyone?

My conclusion is:

If you are not a paying customer for Threat Grid, the 200 files per day is just a best effort and the Firepower system out of the box is not really designed to display the counters for the 200 files per 24 hours.

If you don't pay for a Threat Grid allowance, it is best to only select 'local file analysis' in the file policy and just manually upload files for dynamic analysis.

 

Interested in others thoughts

Hello Evan,

 

By default, all AMP-enabled devices (including Firepower) in an organization share a limit of 200 samples per 24 hour period. To increase the limit, there's an additional license to purchase, called Advanced File Analysis packs (formerly Sample Packs). Please refer to Threat Grid Ordering Guide:

https://www.cisco.com/c/en/us/products/collateral/security/amp-threat-grid-cloud/guide-c07-733608.html 

 

The number of "packs" actually needed for a customer is best determined through a PoV or by actively using the solution.

 

To see the counters of files submitted, Threat Grid has created a slimmed down version of the Cloud Portal (i.e., Entitlements Portal), that displays information surrounding the submissions of each individual AMP-enabled device in an organization. That helps determine if the customer is exceeding the limit of sample submissions allocated to an organization. To request Entitlements Portal access, please connect with your Cisco representative. 

 

Firepower's 'local file analysis' is essentially a static file analysis method on the box itself. It scans files for threats using a high-fidelity signature set. This capability also allows Firepower to pre-classify files and determine if submitting them to Threat Grid makes sense (based on the presence of active content, file type, etc.). Threat Grid (dynamic analysis in Firepower) is a huge added value to the Firepower customer, therefore I would recommend leveraging it as much as possible.

 

 

@emirolyu,

 

That's great to hear about the Entitlements portal. Is this documented in any public- or partner-facing collateral?

Hello Marvin, 

 

It was mentioned during the Partner VT in May, please refer to the slide 34:

https://salesconnect.cisco.com/open.html?c=366a0ea0-b1fb-4638-b928-cd6126f46b1d 

 

As a gentle reminder, entitlements can also be seen and managed through the full Threat Grid Cloud portal (Administration > View Entitlements; access to this portal requires an additional license, unlike access to the Entitlements only UI). Documentation is available right in the portal as well. Partners can request a trial of the full Threat Grid Cloud portal via Partner Help.

 

I hope that helps.

 

Perfect - thanks!

 

I missed the delivery of that presentation since I was joining remotely from 15 time zones away. :)

 

 

CiscoPurpleBelt
Level 6

@Marvin Rhoads @demir I know this is an old post but I have a question sort of on subject: the status for dynamic analysis on some of my events is "Device Not Activated". What device is it referring to and how do I get it activated?

@CiscoPurpleBelt are you integrating events from FMC into your Secure Endpoint / AMP console?
