Suspicious smss.exe Parent Process

We are getting hundreds of these threat detections this morning in our environment. These are all considered "low" and the smss.exe file is clean (SHA-256: 56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3)

Seems to be triggered at logon. Anyone else seeing these? Suspect a false positive. All scans have come back clean

22 Replies

GJ.NoscoICT
Beginner

Same here. Triaged the workstations and didn't find anything suspicious.

Roman Valenta
Cisco Employee

We are currently looking into this issue internally and investigating the event, as it seems to be an FP event triggered by Behavioral Protection.


Would I need to continuously check on this post in order to look for a solution? Also getting dozens of these alerts as of this morning.


Roman Valenta
Cisco Employee

Can you guys please confirm the connector version on which you are receiving this alert?


8.2.1.21612 is the version for all those connectors. We have about 60 alerts for this incident.

Hey Roman,
Seeing it on 8.2.1.21612,
SMSS and wininit.exe are both throwing it.

Ken


For my organization, this began once I approved Endpoint Security Client ver 8.2.1.21612 2 days ago. 

RHauke
Beginner

Started seeing this shortly after upgrading to 8.2.1.21612.


Roman Valenta
Cisco Employee

Thanks, that's what I thought; I just wanted to be sure. Based on the response in our internal ticket, at this time we believe this is only affecting AMP Version: 8.2.1.21612. The likely reason appears to be a BP build issue, which we are working to resolve as soon as possible. I will keep you guys updated once anything new comes up.


Thank you, Roman. Would it be okay to resolve the alerts, or should we keep them open until your team says we are good? I appreciate it.

We are currently on version 8.1.7.21585 and we are also getting some of these.

Hi Roman,
Do you have an update on the progress?

Br

Thomas

Roman Valenta
Cisco Employee

I looked up the escalation ticket, and as of this morning the team that is working on this reported that they are still working on the back end to sort out this issue. As of right now this would most likely be mitigated with a new BP signature update.

As more cases arrived, we got some data to provide them, including some artifacts as well, so hopefully the resolution will come soon. I will let you guys know once I know a little bit more than this.

As for 8.1.7.21585, we did get a couple of cases regarding this release as well, and since this is related to the newer BP signature update, it's expected.

Thank you guys for your patience; we are staying on top of this and trying to resolve this matter as soon as we can.


Roman Valenta
Cisco Employee

Hey guys, I just checked my home PC with 8.2.x installed and I noticed my last event was on 9/12; since then there have been 3 BP signature updates and no more events. The latest one has serial # 11044. If anyone is still receiving these alerts, can you please check the BP definition on the machine that still reports this issue?

You can do that via the command line: just navigate to the AMP directory and run: ampcli posture


C:\WINDOWS\system32>cd C:\Program Files\Cisco\AMP\8.2.1.21612

C:\Program Files\Cisco\AMP\8.2.1.21612>ampcli posture
{"agent_uuid":"cxxxxxe-4294-8xx5-f306xxxxxxea9","connected":true,"connector_version":"8.2.1","engines":[{"definitions":[{"last_successful_update":1694717388,"name":"Tetra","timestamp":1694698347,"version":91242}],"enabled":true,"name":"Tetra"},{"enabled":true,"name":"Spero"},{"enabled":true,"name":"Ethos"},{"definitions":[{"name":"BP","timestamp":1694717956,"version":11044}],"enabled":true,"name":"BP"},{"definitions":[{"name":"SCS","timestamp":1694717910,"version":11044}],"enabled":true,"name":"SCS"}],"last_scan":1694703038,"last_scan_status":true,"protect_file_mode":true,"protect_process_mode":true,"running":true}
C:\Program Files\Cisco\AMP\8.2.1.21612>


Then look for the line:

"name":"BP","timestamp":1694717956,"version":11044 << ------------------

Nobody has yet responded to our escalation ticket, but I guess it's due to the different time zone that these guys work in, based on the time they usually respond back.
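The check described in the post above, turned into a script for use across a fleet rather than reading the JSON by eye. This is an added example and is not part of the thread or a Cisco tool: it parses the `ampcli posture` output, pulls the BP definition version and timestamp, and compares the version against 11044, the first serial the post reports as no longer raising the alert. The install path, the threshold and the sample JSON (copied from the post, with the UUID masked as it was posted) are assumptions and constructed input, not values the script obtains on its own.

```python
"""Check whether a Secure Endpoint (AMP) connector's BP definition is at or
above a given version, using the JSON printed by `ampcli posture`.

Added example; not code from the thread or from Cisco."""
import json
import subprocess
from datetime import datetime, timezone

# Assumption: first BP definition serial reported in the thread as no longer
# producing the smss.exe / wininit.exe alert.
BP_FIXED_VERSION = 11044

# Assumption: install path for connector 8.2.1.21612 as shown in the post.
AMPCLI = r"C:\Program Files\Cisco\AMP\8.2.1.21612\ampcli.exe"

# Constructed sample: the posture output pasted in the post, UUID masked as posted.
SAMPLE_POSTURE = (
    '{"agent_uuid":"cxxxxxe-4294-8xx5-f306xxxxxxea9","connected":true,'
    '"connector_version":"8.2.1","engines":[{"definitions":[{"last_successful_update":'
    '1694717388,"name":"Tetra","timestamp":1694698347,"version":91242}],"enabled":true,'
    '"name":"Tetra"},{"enabled":true,"name":"Spero"},{"enabled":true,"name":"Ethos"},'
    '{"definitions":[{"name":"BP","timestamp":1694717956,"version":11044}],"enabled":true,'
    '"name":"BP"},{"definitions":[{"name":"SCS","timestamp":1694717910,"version":11044}],'
    '"enabled":true,"name":"SCS"}],"last_scan":1694703038,"last_scan_status":true,'
    '"protect_file_mode":true,"protect_process_mode":true,"running":true}'
)


def definition_versions(posture_json):
    """Map each definition name (Tetra, BP, SCS, ...) to its version and timestamp."""
    data = json.loads(posture_json)
    versions = {}
    for engine in data.get("engines", []):
        for definition in engine.get("definitions", []):
            versions[definition["name"]] = {
                "version": definition.get("version"),
                "timestamp": definition.get("timestamp"),
                "engine_enabled": engine.get("enabled", False),
            }
    return versions


def bp_is_current(posture_json, minimum=BP_FIXED_VERSION):
    """Return (ok, message). ok is True when a BP definition >= minimum is present."""
    bp = definition_versions(posture_json).get("BP")
    if bp is None or bp["version"] is None:
        return False, "no BP definition reported; engine missing or never updated"
    if bp["timestamp"]:
        updated = datetime.fromtimestamp(bp["timestamp"], tz=timezone.utc).isoformat()
    else:
        updated = "unknown time"
    ok = bp["version"] >= minimum
    enabled = "enabled" if bp["engine_enabled"] else "DISABLED"
    return ok, (f"BP definition {bp['version']} ({enabled}, updated {updated}) "
                f"{'>=' if ok else '<'} {minimum}")


def run_ampcli_posture(ampcli=AMPCLI):
    """Run `ampcli posture` on this host and return its stdout (the JSON document)."""
    result = subprocess.run([ampcli, "posture"], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    try:
        posture = run_ampcli_posture()
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Not on a host with the connector installed: fall back to the constructed sample.
        posture = SAMPLE_POSTURE
    ok, message = bp_is_current(posture)
    print(("OK   " if ok else "STALE") + " " + message)
```

Run it on each affected workstation (or feed it posture output collected some other way); a STALE result means the host has not yet received the definition the post refers to, and the alerts on it should not be treated as resolved on that basis.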
