I would like to test/verify that my Cisco AMP for Endpoints is working correctly.
It is integrated with Umbrella, but when I pull reports, only activity related to other security events is shown (URLs, IPs, etc.).
If I filter for AMP events, it shows no activity ever, as far back as I can go. Which means no event has ever happened or it is not working!
Any help is appreciated.
AMP for Endpoints console does not show Umbrella Events. Umbrella itself does not generate an "Event". A DNS request does not include detailed endpoint information. How Umbrella is integrated.
Optional: the Endpoint License includes Cognitive analytics, where the whole Web Traffic Log is processed. This would generate Events in AMP. The difference here is, Cognitive includes the whole URL. This can be interesting during an investigation.
Thanks for the quick response.
I guess what I am really interested in is Cisco AMPs behavior as an Endpoint AV solution.
I am an MSP with several clients who I am monitoring with Cisco Umbrella and AMP. One of them comes and tells me that they had a virus or malware on their computer and asks me to show him that their AMP component is working correctly.
How do I do that? As an example, like how you can pull Symantec AV event logs and alert logs.
First of all, AMP is an EDR/XDR solution including traditional protection engines.
Enclosed two summary pages for the whole protection and EDR/XDR stack.
How to check if an endpoint is working correctly. There are several ways to do this.
If there is a threat not detected, we have to take a deeper look. Such a question can only be answered when having log files, knowing the hash of the file and so on. If you expect something is wrong, the best way in such a case, is to open a TAC Case.
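One way to answer the "show me the AMP event log" question outside the console is to pull events from the AMP for Endpoints cloud API and summarize them per host. The script below is an added example, not code from this thread or from Cisco; it assumes the API shape (GET /v1/events with HTTP Basic auth using the API client ID and key) and parses a constructed sample response, so it runs offline.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed API host for a North America tenant (EU/APJC tenants use a different host).
AMP_API_HOST = "api.amp.cisco.com"


def build_events_request(client_id, api_key, start_date, event_type_ids=()):
    """Return (url, headers) for an events query; nothing is sent on the wire."""
    params = [("start_date", start_date)]
    params += [("event_type[]", str(t)) for t in event_type_ids]
    url = f"https://{AMP_API_HOST}/v1/events?{urlencode(params)}"
    # Basic auth: client ID as user, API key as password (assumed scheme).
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return url, {"Authorization": f"Basic {token}", "Accept": "application/json"}


def summarize_events(body):
    """Count events per hostname and event type from an events API JSON body."""
    summary = {}
    for ev in json.loads(body).get("data", []):
        host = ev.get("computer", {}).get("hostname", "<unknown>")
        kind = ev.get("event_type", "<unknown>")
        summary.setdefault(host, {})
        summary[host][kind] = summary[host].get(kind, 0) + 1
    return summary


# Constructed sample response shaped like the events API; not real data.
SAMPLE_BODY = json.dumps({
    "version": "v1.2.0",
    "metadata": {"results": {"total": 3}},
    "data": [
        {"event_type": "Threat Detected", "computer": {"hostname": "client-pc-01"},
         "file": {"identity": {"sha256": "<placeholder-sha256>"}}},
        {"event_type": "Threat Quarantined", "computer": {"hostname": "client-pc-01"}},
        {"event_type": "Scan Completed, No Detections",
         "computer": {"hostname": "client-pc-02"}},
    ],
})

if __name__ == "__main__":
    url, headers = build_events_request("<client-id>", "<api-key>", "2024-01-01T00:00:00Z")
    print(url)
    for host, kinds in summarize_events(SAMPLE_BODY).items():
        print(host, kinds)
```

A host with scan or detection events in the summary proves the connector is reporting; an empty summary for a host that should be protected is the cue to check the connector itself.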