Trevor Walraven
Beginner

AMP Alert Cutoff

We receive AMP alerts frequently for malware attached to e-mail.  We aren't concerned so much about that malware because our filter is excellent at dropping those messages.  However, the alerts don't tell us enough information because they're cut off.  This is what we get:

<*- Network Based Retrospective at Tue Aug  1 16:13:57 2017 UTC -*> 

Sha256: f0d4ec15201ff5115cefeb3f29d523506fdd641807c0660689a9259f11bdc347

Disposition: Malware

Threat name: N/A

 

<*- Network Based Retrospective

From "<hostname>" at Tue

It cuts off after the day of the week.  It'd be nice if we could get the rest of the information in the e-mail so we can quickly determine if we should be concerned or not.

Is this a known issue?  Any suggestions on fixing it?  We're on FMC 6.0.1.3, build 1054.

Thanks!

1 REPLY 1
Dinesh Verma
Cisco Employee

Hi Trevor,

This new retrospective malware event represents a disposition change for all files detected in the last week that have the same SHA-256 hash value. For that reason, these events contain limited information: the date and time the Firepower Management Center was notified of the disposition change, the new disposition, the SHA-256 hash value of the file, and the threat name. They do not contain IP addresses or other contextual information.

That's something known. Let us know if you have any queries.

Regards,

Dv
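
An added example, not part of the original thread and not Cisco code: a parser for the alert body quoted in the question. It extracts the four fields the reply lists and flags records that were cut off before they were complete. The field layout is assumed from the single sample in the post, and `parse_alert` and `hashes_to_review` are hypothetical names.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the alert text quoted in the post above, including the
# post's own "<hostname>" placeholder and the record that stops after "Tue".
SAMPLE = """<*- Network Based Retrospective at Tue Aug  1 16:13:57 2017 UTC -*>

Sha256: f0d4ec15201ff5115cefeb3f29d523506fdd641807c0660689a9259f11bdc347

Disposition: Malware

Threat name: N/A

<*- Network Based Retrospective

From "<hostname>" at Tue
"""

# Assumption: one "Name: value" pair per line, as in the sample.
FIELD = re.compile(r"^(Sha256|Disposition|Threat name):[ \t]*(.*)$", re.M)
STAMP = re.compile(r"\bat (\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) UTC")
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

def parse_alert(body):
    """Split an alert e-mail body into records, one per '<*-' header."""
    records = []
    for chunk in body.split("<*-")[1:]:
        fields = {name: value.strip() for name, value in FIELD.findall(chunk)}
        stamp = STAMP.search(chunk)
        when = None
        if stamp:
            when = datetime.strptime(stamp.group(1), "%a %b %d %H:%M:%S %Y")
            when = when.replace(tzinfo=timezone.utc)
        sha = fields.get("Sha256", "")
        valid_sha = SHA256_RE.fullmatch(sha) is not None
        records.append({
            "time": when,
            "sha256": sha.lower() if valid_sha else None,
            "disposition": fields.get("Disposition"),
            "threat_name": fields.get("Threat name"),
            # A record missing its timestamp, hash or disposition was cut off.
            "truncated": not (when and valid_sha and "Disposition" in fields),
        })
    return records

def hashes_to_review(records):
    """Hashes of complete Malware records, for lookup by SHA-256 elsewhere."""
    return [r["sha256"] for r in records
            if not r["truncated"] and r["disposition"] == "Malware"]
```

Because these events carry no IP addresses or host context, the hash list is the only pivot the e-mail offers; truncated records should be counted and reported rather than silently dropped.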
