cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1559
Views
0
Helpful
6
Replies

Cisco Threat Grid sample issue

a ali
Level 1
Level 1

Hello,

I have a threat Grid appliance on my network, and we have an issue as there is no sample appearing on Dashboard from the integrated devise, just I need to know how I can check this issue and troubleshooting steps to solve this issue 

6 Replies 6

ben.greenbaum
Cisco Employee
Cisco Employee

Do you have confirmation from the device that it has sent (or attempted to send) samples to the appliance?

how I can confirm this point on Cisco ESA,

we made the integration between ESA and TG but still did not see any sample on TG and after checking the ESA service user on TG I found it active,

>From the ESA gui, make sure your AMP engine logs are enabled and that they're set to Information or higher. Go to System Administration/Log subscriptions, to check that.
Then login to the ESA cli, and grep or tail the AMP log for "File uploaded"

ok thanks for your support but tail AMP will allow me to see if files needs more analysis or is not needed , 

is there any debug to check the connection or integration between ESA end threat Grid 

It will also tell.you if it uploaded it or attempted to. You can get more detail if you put it in debug mode. I suspect you may have to get TAC involved.

hello Ken,

after checking the logs from ESA, I see these messages

Tue Jun 13 10:08:27 2023 Info: Response received for file reputation query from Cloud. File Name = 'CodeRejectedIcon.png', MID = 263840, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = 3bf72ab3f82f14680bb1c246b69a57c4faa99e04b6b01c02fb3e99d7b97622fd, upload_action = Recommended to send the file for analysis, verdict_source = None
Tue Jun 13 10:08:27 2023 Info: Response received for file reputation query from Cloud. File Name = 'CancelledIcon.png', MID = 263840, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = e1740d73848bca2be202ed7885ec1eb42d95404d0ad34b36cb160189ca504508, upload_action = Recommended to send the file for analysis, verdict_source = None
Tue Jun 13 10:09:50 2023 Warning: The File Analysis server is not reachable.
Tue Jun 13 10:11:20 2023 Warning: The File Analysis server is not reachable. The AMP File Analysis server CA certificate has expired or is invalid.
Tue Jun 13 10:12:50 2023 Warning: The File Analysis server is not reachable.

I checked on the certificate between Threat Grid and Cisco ESA and it not expire,