Cisco Threat Grid sample issue

a ali
Level 1

Hello,

I have a Threat Grid appliance on my network, and we have an issue: no samples are appearing on the Dashboard from the integrated device. I need to know how I can check this issue and the troubleshooting steps to solve it.

6 Replies

ben.greenbaum
Cisco Employee

Do you have confirmation from the device that it has sent (or attempted to send) samples to the appliance?

How can I confirm this point on Cisco ESA?

We made the integration between ESA and TG but still did not see any sample on TG, and after checking the ESA service user on TG I found it active.

From the ESA GUI, make sure your AMP engine logs are enabled and that they're set to Information or higher. Go to System Administration/Log Subscriptions to check that.
Then log in to the ESA CLI, and grep or tail the AMP log for "File uploaded".

OK, thanks for your support, but tailing the AMP log will allow me to see whether files need more analysis or not.

Is there any debug to check the connection or integration between ESA and Threat Grid?

It will also tell you if it uploaded it or attempted to. You can get more detail if you put it in debug mode. I suspect you may have to get TAC involved.

Hello Ken,

After checking the logs from ESA, I see these messages:

Tue Jun 13 10:08:27 2023 Info: Response received for file reputation query from Cloud. File Name = 'CodeRejectedIcon.png', MID = 263840, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = 3bf72ab3f82f14680bb1c246b69a57c4faa99e04b6b01c02fb3e99d7b97622fd, upload_action = Recommended to send the file for analysis, verdict_source = None
Tue Jun 13 10:08:27 2023 Info: Response received for file reputation query from Cloud. File Name = 'CancelledIcon.png', MID = 263840, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = e1740d73848bca2be202ed7885ec1eb42d95404d0ad34b36cb160189ca504508, upload_action = Recommended to send the file for analysis, verdict_source = None
Tue Jun 13 10:09:50 2023 Warning: The File Analysis server is not reachable.
Tue Jun 13 10:11:20 2023 Warning: The File Analysis server is not reachable. The AMP File Analysis server CA certificate has expired or is invalid.
Tue Jun 13 10:12:50 2023 Warning: The File Analysis server is not reachable.

I checked the certificate between Threat Grid and Cisco ESA and it has not expired.
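The replies above describe the check by hand: tail the AMP log, look for "File uploaded", and read the warnings. The script below is an added example (not from the thread, and not a Cisco tool) that automates that triage over a captured AMP log: it collects the SHA-256s ESA was told to send for analysis, the ones it reports as uploaded, and the File Analysis warnings, then names the most specific failure seen. The parsing is an assumption built from the lines quoted in the post; the "File uploaded for analysis" line in the second sample is a constructed line in an assumed format, used only to show the success path, and the verdict labels are this example's own.

```python
"""Triage Cisco ESA AMP log lines for File Analysis (Threat Grid) upload problems.

Added example, not part of the forum thread or of any Cisco tool. The line
layout is inferred from the log lines quoted in the thread; field names and
the verdict labels are this example's assumptions.
"""
import re
from dataclasses import dataclass, field

# "Tue Jun 13 10:08:27 2023 Info: <message>"  (assumed from the quoted lines)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): (?P<msg>.*)$"
)
# Accepts "sha256 = <hex>" (quoted lines) and "SHA256: <hex>" (assumed upload line)
SHA_RE = re.compile(r"sha256[ :=]+(?P<sha>[0-9a-fA-F]{64})", re.IGNORECASE)
ACTION_RE = re.compile(r"upload_action = (?P<action>[^,]+)")

UNREACHABLE = "File Analysis server is not reachable"
CERT_INVALID = "CA certificate has expired or is invalid"
UPLOADED = "File uploaded"  # the string the thread suggests grepping for


@dataclass
class Triage:
    recommended: set = field(default_factory=set)  # sha256s ESA wanted to send
    uploaded: set = field(default_factory=set)     # sha256s ESA reports as sent
    unreachable: int = 0                           # "not reachable" warnings
    cert_errors: int = 0                           # ... with the CA cert reason
    unparsed: int = 0                              # non-empty lines we could not read

    @property
    def pending(self) -> set:
        """Files recommended for analysis that never produced an upload line."""
        return self.recommended - self.uploaded


def triage(log_text: str) -> Triage:
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            t.unparsed += 1
            continue
        msg = m["msg"]
        if UNREACHABLE in msg:
            t.unreachable += 1
            if CERT_INVALID in msg:
                t.cert_errors += 1
            continue
        sha = SHA_RE.search(msg)
        if UPLOADED in msg:
            if sha:
                t.uploaded.add(sha["sha"].lower())
            continue
        action = ACTION_RE.search(msg)
        if sha and action and action["action"].startswith("Recommended to send"):
            t.recommended.add(sha["sha"].lower())
    return t


def diagnose(t: Triage) -> str:
    """Most specific failure first; labels are this example's own."""
    if t.cert_errors:
        return "certificate"     # ESA rejected the File Analysis server's CA chain
    if t.unreachable:
        return "connectivity"    # no cert complaint, but the server was not reached
    if t.pending:
        return "not-uploaded"    # candidates but no upload lines: enable debug / check limits
    if t.recommended:
        return "ok"              # every recommended file has a matching upload line
    return "no-candidates"       # nothing was eligible for analysis in this window


# Sample 1: the lines quoted in the post above (verbatim).
SAMPLE_FAILURE = """\
Tue Jun 13 10:08:27 2023 Info: Response received for file reputation query from Cloud. File Name = 'CodeRejectedIcon.png', MID = 263840, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = 3bf72ab3f82f14680bb1c246b69a57c4faa99e04b6b01c02fb3e99d7b97622fd, upload_action = Recommended to send the file for analysis, verdict_source = None
Tue Jun 13 10:08:27 2023 Info: Response received for file reputation query from Cloud. File Name = 'CancelledIcon.png', MID = 263840, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = e1740d73848bca2be202ed7885ec1eb42d95404d0ad34b36cb160189ca504508, upload_action = Recommended to send the file for analysis, verdict_source = None
Tue Jun 13 10:09:50 2023 Warning: The File Analysis server is not reachable.
Tue Jun 13 10:11:20 2023 Warning: The File Analysis server is not reachable. The AMP File Analysis server CA certificate has expired or is invalid.
Tue Jun 13 10:12:50 2023 Warning: The File Analysis server is not reachable.
"""

# Sample 2: constructed. The "File uploaded" line is an ASSUMED format, not a
# verified ESA log message; it exists only to exercise the success path.
SAMPLE_OK = """\
Tue Jun 13 11:00:00 2023 Info: Response received for file reputation query from Cloud. File Name = 'invoice.pdf', MID = 263900, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = 3bf72ab3f82f14680bb1c246b69a57c4faa99e04b6b01c02fb3e99d7b97622fd, upload_action = Recommended to send the file for analysis, verdict_source = None
Tue Jun 13 11:00:01 2023 Info: File uploaded for analysis. SHA256: 3bf72ab3f82f14680bb1c246b69a57c4faa99e04b6b01c02fb3e99d7b97622fd
"""

if __name__ == "__main__":
    for name, text in (("quoted", SAMPLE_FAILURE), ("constructed", SAMPLE_OK)):
        t = triage(text)
        print(f"{name}: verdict={diagnose(t)} recommended={len(t.recommended)} "
              f"uploaded={len(t.uploaded)} unreachable={t.unreachable} "
              f"cert_errors={t.cert_errors}")
```

On a real appliance the input would be the output of the CLI tail/grep the reply above describes, pasted into a file. For the lines quoted in the post the verdict is "certificate": the warning text says the CA certificate is "expired or invalid", so an unexpired certificate on the appliance still leaves the second half of that message, whether the ESA trusts the chain that certificate is signed with, as the thing to check.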