cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
348
Views
5
Helpful
3
Replies
Highlighted
Beginner

Test the functionality of AMP for endpoints

I would like to test/verify that my Cisco AMP for Endpoints is working correctly .

 

It is integrated with Umbrella but when I pull reports, only activity related to other security events is shown (URLs, IPs, e.t.c).

 

If I filter for AMP events - it shows no activity ever - as far back as I can go.  Which means no event has ever happened or it is not working !!

 

Any help is appreciated.

 

Thanks

 

3 REPLIES 3
Highlighted
Cisco Employee

Hello @Mordred36,

AMP for Endpoints console does not show Umbrella Events. Umbrella itself does not generate an "Event". A DNS request does not include detailed endpoint information. How Umbrella is integrated.

  • SecureX: Umbrella should be configured as  a Module. At any time you add an URL to the SecureX Ribbon search, to a casebook and so in, it included the disposition provided by Umbrella.
  • Context Menu: Umbrella is shown up in the context menu. So at any time working in the Device Trajectory or other parts of the UI, you can directly pivot to Umbrella.
  • You can directly block domains from the context menu (if the right API is configured and licensed). 
  • Threat Response gives you all information from Umbrella.

Optional: the Endpoint License includes Cognitivie analytics, where the whole Web Traffic Log is processed. This would generate Events in AMP. The difference here is, Cognitive includes the whole URL. This can be interesting during and investigation.

Example:

Greetings,
Thorsten

 

Highlighted

Hello @Troja007,

Thanks for the quick response.

 

I guess what I am really interested in is Cisco AMPs behavior as an Endpoint AV solution.

 

I am an MSP with several clients who I am monitoring with Cisco Umbrella and AMP. One of them comes and tell me that they had a virus or malware on their computer and asks me to show him that their AMP component is working correctly.

 

How do I do that? As an example - like how you can pull Symantec AV event logs and alert logs.

 

Thanks,

 

 

 

 

Highlighted

Hello @Mordred36

first of all, AMP is an EDR/XDR solution including traditional protection engines.

Enclosed two summary pages for the whole protection and EDR/XDR stack.

AMP_EDR_XDR_1.png AMP_EDR_XDR_2.png


How to check if an endpoit is working correctly. There are several ways to do this.

  • using the local ConnectivityTool.exe 
  • generating a eicar.com test file to see if an event is uploaded to the cloud.
  • Typing a command line to check if this is reported to cloud.
    Example: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -encoded cABpAG4AZwAgAGcAbwBvAGcAbABlAC4AYwBvAG0A
    This is an ecoded powershell command to ping google.com
  •  Checking configured exclusions.
  • Using Orbital Endpoint search to query components of the connector.
  • Checking in UI if all is up-to-date
  • Generating a diagnostic package and analyze the logs using the AMP connector tuning tool: https://github.com/CiscoSecurity/amp-05-windows-tune
  • If you have access to the endpoint, you can use the AMP healthchecker: https://github.com/CiscoSecurity/amp-05-health-checker-windows

If there is a threat not detected, we have to take a deeper look. Such a question can only be answered when having log files, knowing the hash of the file and so on. If you expect something is wrong, the best way in such a case, is to open a TAC Case.

Greetings,
Thorsten

 

This widget could not be displayed.