Firepower Dynamic Analysis

fatalXerror
Level 5

Hi guys,

I successfully deployed Firepower IPS. I'm just wondering what the use of the "Associate" button in the Dynamic Analysis section is?

Thanks

21 Replies

Marvin Rhoads
Hall of Fame

Could you tell us what version you are using and exactly what menu you are looking at?

I am using 6.2.0.2.

...and the menu location you are asking about?

I believe it is in the AMP section, Dynamic Analysis. There you can see the connection to Threat Grid, and at the right-most side you can see a chain icon, which is a button named Associate.

I want to know what its purpose is.

Ah OK, I understand the question now. That link is for customers who have a Threat Grid subscription as well. It's used to associate your FMC with your Threat Grid account.

Here are the details from the Configuration Guide:

Cisco AMP Threat Grid offers more detailed reporting on analyzed files than is available in the Firepower Management Center. If your organization has an account in the Cisco AMP Threat Grid public cloud, you can access the Cisco AMP Threat Grid portal directly to view additional details about files sent for analysis from your managed devices. However, for privacy reasons, file analysis details are available only to the organization that submitted the files. Therefore, before you can view this information, you must associate your Firepower Management Center with the files submitted by its managed devices.

Before You Begin
You must have an account on the Cisco AMP Threat Grid public cloud, and have your account credentials ready.

Procedure
Step 1: Select AMP > Dynamic Analysis Connections.
Step 2: Click in the table row corresponding to the Cisco AMP Threat Grid public cloud. A Cisco AMP Threat Grid portal window opens.
Step 3: Sign in to the Cisco AMP Threat Grid public cloud.
Step 4: Click Submit Query. Do not change the default value in the Devices field.

Note: If you have difficulties with this process, contact your Cisco AMP Threat Grid representative at Cisco TAC. It may take up to 24 hours for this change to take effect.

What to Do Next
After the association is activated, see Viewing Dynamic Analysis Results in the Cisco AMP Threat Grid Public Cloud...

Hi Marvin,

I thought connecting to the AMP cloud doesn't need an account for dynamic analysis of files?

Thanks

AMP doesn't. But if you want to make Threat Grid submissions and get the detailed analysis it provides then you do need to associate.

Oh okay, so AMP and AMP Threat Grid are 2 different products?

AMP uses the Threat Grid sandboxing techniques on the back end to provide a file disposition verdict (Malware, Clean, Unknown). That's included with an AMP subscription.

If you want to see details of what a given file does when executed in the sandbox, that's where the Threat Grid subscription comes into play. You can submit files and have them run through a sandbox and get a detailed report of their behavior.

Hi Marvin,

Thanks for the detailed response on the thread. This is exactly what I was looking for. But to clarify once more: if I don't buy the Threat Grid portal license, I can still get malware analysis done in the ThreatGrid sandbox with the FireAMP license, right?

Post malware analysis, would I get a threat score, or would I need the Threat Grid portal license even to get that?

The dispositions you talked about are from the FireAMP cloud and not from malware analysis, as ThreatGrid only provides a threat score and not a malware disposition as per the documentation.

Would be great if you can elaborate and clarify my doubts.

Thanks in advance.

Vaibhav

Perhaps the following presentation may be useful to you:

https://www.cisco.com/c/dam/en/us/products/collateral/security/amp-threat-grid-appliances/integration-premium.pdf

It explains how Threat Grid submissions done as an integral part of AMP differ from those with the Threat Grid Premium Subscription.

The full Cisco Threat Grid service provides customers with a full complement of capabilities, above and beyond basic static and dynamic analysis capabilities that are available through Cisco AMP solutions (such as Cisco AMP for Endpoints, AMP for Networks, and AMP for Content). Enhanced capabilities include deep analytics and results such as process mapping and registry analysis, network connections, videos of malware execution in the environment, the ability to interact with the running sample, and API access if applicable. Batch feeds of analyzed intelligence data are also available along with the ability to create custom feeds from the broader set of Threat Grid data.

Thanks a lot Marvin for sharing the link.

However, this document has raised a few questions in my head.

There is a license called sample pack as well in the document. I understand that this is to increase the limit of files that can be submitted to the ThreatGrid cloud for analysis. So without this, what is the limit on the number of files that can be sent with the FireAMP license on our FTD appliances? Is the limit based on the model of the firewall, and is it documented anywhere? I could not find any information stating that there is a limit to the files that can be sent via the AMP license on the firewall. I have seen the reports on the firewall with the AMP license, and it shows the analysis report as well without this license.

My 2nd question: it mentions premium threat intelligence feeds. How is that different from the Talos threat intelligence feeds we are getting under Security Intelligence by default?

Do you have any info on the same? Would be great to know if there is any significant advantage to having this license over the AMP license that we already have.

Vaibhav

Hi All,

Any take on this one?

Vaibhav

If you have AMP for Endpoints, the daily file submission limit (per 24-hour sliding window) is 200 files.

If you need more details about how the functionality differs for a full Threat Grid subscription, I suggest you contact a Cisco partner in your region with Master Security specialization. They can arrange a detailed briefing and possibly a Proof of Value demonstration tailored to your specific environment.

(edit 11-21-2018: corrected to 200 files per day)
