
FTD File Policy

fatalXerror
Level 5

Hi Guys,

I believe AMP Cloud and ThreatGrid are two different solutions, but I would like to know if FTD can submit a file for dynamic analysis to both solutions?

Thanks

4 Replies

Marvin Rhoads
Hall of Fame

AMP Cloud uses the ThreatGrid service for disposition of unknown verdict files. If you only have AMP for Networks then you have a limit of 200 files daily and you only get the disposition - not the ability to see all of the behavioral indicators and replay the sandbox sessions.

A full ThreatGrid subscription adds those abilities as well as the full TG dashboard and the ability to analyze files independently of your AMP for Networks (or AMP for Endpoints) etc. subscription entitlement.

Hi @Marvin Rhoads,

I have a "Malware" license, and I read in the documentation that if I have a Malware license it will automatically include the capability for AMP Cloud and ThreatGrid?

Let us say the file does have an "unknown" disposition. How will the FTD behave for that file? Will FTD send it to the AMP Cloud, ThreatGrid, or both?

Thanks

How an unknown disposition file is handled depends on what you have specified in the policy. If you elect to send unknown files to the cloud, they go to the AMP cloud. AMP cloud in turn uses ThreatGrid on the backend to analyze the file's behavior. The disposition is then returned to Firepower from AMP cloud.

Firepower does not interact directly with ThreatGrid. As of 6.4, there is Firepower integration with Cisco Threat Response (CTR). So both Firepower and ThreatGrid (and AMP for Endpoints and Umbrella and ESA etc.) can all be seen from within the CTR investigations console. 

Hi @Marvin Rhoads, thank you for this clarification.

Technically, if I choose Dynamic Analysis as the action for an unknown disposition, FTD will still send it to the AMP cloud and not to ThreatGrid? But why is there a direct integration between FTD and ThreatGrid under the Dynamic Analysis section in the FMC? What is the use of that?

Thanks
