AMP blocking Microsoft Security Updates

rhamersley
Getting noticed

Have any changes been made to Meraki AMP to block some of the Microsoft security updates for this month? This is the first time I've encountered Microsoft security updates being blocked by AMP.

AMP block events exported from the Security Center (21 rows). In every row the following columns have the same value: action = block, dest_ip = (blank), dest_port = 80, disposition = malicious, eventcount = 1, mac = (blank), src_ip = Removed. The two sha256 values that appear are abbreviated in the table:

Hash A = ebf3e7290b8fd1e5509caa69335251f22b61baf3f9ff87b4e8544f3c1fea279d
Hash B = 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

| # | Timeslice | name | sha256 | src_port | url |
|---|---|---|---|---|---|
| 1 | 07/14/2023 09:31:28 AM EDT | EP_FW01 | Hash A | 53601 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?e3af382994298... |
| 2 | 07/14/2023 09:31:23 AM EDT | EP_FW01 | Hash A | 57537 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?3c00f3ac30e0c... |
| 3 | 07/14/2023 09:31:12 AM EDT | EP_FW01 | Hash A | 57508 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?b1333292a8f47... |
| 4 | 07/14/2023 09:29:37 AM EDT | GA_FW01 | Hash A | 49986 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?f58235544e96a... |
| 5 | 07/14/2023 09:29:23 AM EDT | EP_FW01 | Hash A | 53531 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?93973fae5b121... |
| 6 | 07/14/2023 09:29:23 AM EDT | EP_FW01 | Hash A | 53532 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?0dcc104a67523... |
| 7 | 07/14/2023 09:29:19 AM EDT | EP_FW01 | Hash A | 58044 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?f19273b530388... |
| 8 | 07/14/2023 09:29:18 AM EDT | EP_FW01 | Hash A | 58042 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?f0309c6b70dec... |
| 9 | 07/14/2023 09:28:51 AM EDT | EP_FW01 | Hash B | 53389 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0a309cb7-a9a1-4f87-9ac4-... |
| 10 | 07/14/2023 09:28:51 AM EDT | EP_FW01 | Hash B | 53388 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0a309cb7-a9a1-4f87-9ac4-... |
| 11 | 07/14/2023 09:28:48 AM EDT | EP_FW01 | Hash A | 53375 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?de31690b9ad2a... |
| 12 | 07/14/2023 09:28:48 AM EDT | EP_FW01 | Hash A | 53380 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?aa7691569af69... |
| 13 | 07/14/2023 09:28:47 AM EDT | EP_FW01 | Hash A | 53373 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?d0c65cf44df00... |
| 14 | 07/14/2023 09:28:46 AM EDT | EP_FW01 | Hash B | 53372 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0a309cb7-a9a1-4f87-9ac4-... |
| 15 | 07/14/2023 09:28:02 AM EDT | EP_FW01 | Hash A | 61485 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?48a97999ec95b... |
| 16 | 07/14/2023 09:28:02 AM EDT | EP_FW01 | Hash A | 61472 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?412ea57d31e4b... |
| 17 | 07/14/2023 09:28:01 AM EDT | EP_FW01 | Hash A | 61471 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?e98a5752b2b0f... |
| 18 | 07/14/2023 09:26:55 AM EDT | EP_FW01 | Hash A | 53468 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?868996573b5fa... |
| 19 | 07/14/2023 09:26:29 AM EDT | EP_FW01 | Hash A | 51605 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?bb0d0bc092c66... |
| 20 | 07/14/2023 09:26:22 AM EDT | EP_FW01 | Hash A | 51560 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?d8d8185aeb647... |
| 21 | 07/14/2023 09:26:21 AM EDT | EP_FW01 | Hash A | 51554 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?3d6c8b90751c8... |

5 Replies
0AK13Y
Here to help

Go ahead and create an allow rule in Security & SD-WAN > Threat Protection for Cisco AMP. I'd also validate that this isn't a proxy and that the traffic comes from a trusted source (MIM). This is not expected for Cisco AMP; I've never seen it happen with the over 250 sites we manage.

[Attachment: 0AK13Y_1-1689598668757.png]

Agilico
Comes here often

Hi rhamersley

This might be a silly question, but how do you find the report you posted? We are having programs blocked and I can't find how to view this.

Cheers

0AK13Y
Here to help

@Agilico The security report can be found in the portal Organizations > Security Center. Make sure to refine your search based on the MX that is blocking the traffic. You can Download an export to a CSV file as well.

Content filtering blocks are a bit more difficult to track down; I normally use a syslog server or packet capture for more granular details when troubleshooting these events.
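The two replies above describe the workflow: export the AMP events from Organization > Security Center as CSV, confirm the blocked objects really are vendor update traffic rather than something a proxy or man-in-the-middle has rewritten, and only then create the allow rule. The script below is an added example (not from the thread, Meraki, or Cisco) that automates the triage step on such an export. It groups block events by sha256, records which MX appliances reported each hash and which hosts served it, and separates hashes whose every URL sits under a known Microsoft update domain from hashes that need investigation. It also computes the sha256 of a file fetched independently from a trusted vantage point, so the admin can confirm the object AMP hashed is the same one Microsoft serves before an allow rule is written for it. The host allow-list and the sample CSV rows are constructed for the example (the rows mirror the thread's table, with URL tails shortened); adjust both to your own environment.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# ASSUMPTION (constructed for this example): domains that serve Windows Update,
# certificate trust list (CTL) and Edge delivery content. Extend this from your
# own observed update traffic rather than treating it as authoritative.
KNOWN_UPDATE_HOST_SUFFIXES = (
    "windowsupdate.com",
    "delivery.mp.microsoft.com",
)

# Constructed sample of a Security Center CSV export with the same column set as
# the report in the thread. dest_ip and mac were blank and src_ip redacted there;
# row 22 is an invented non-Microsoft block added to show the other branch.
SAMPLE_CSV = """\
#,Timeslice,action,dest_ip,dest_port,disposition,eventcount,mac,name,sha256,src_ip,src_port,url
1,07/14/2023 09:31:28 AM EDT,block,,80,malicious,1,,EP_FW01,ebf3e7290b8fd1e5509caa69335251f22b61baf3f9ff87b4e8544f3c1fea279d,Removed,53601,http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?e3af382994298
4,07/14/2023 09:29:37 AM EDT,block,,80,malicious,1,,GA_FW01,ebf3e7290b8fd1e5509caa69335251f22b61baf3f9ff87b4e8544f3c1fea279d,Removed,49986,http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?f58235544e96a
9,07/14/2023 09:28:51 AM EDT,block,,80,malicious,1,,EP_FW01,9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d,Removed,53389,http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0a309cb7-a9a1-4f87-9ac4-
22,07/14/2023 09:20:00 AM EDT,block,,80,malicious,1,,EP_FW01,0000000000000000000000000000000000000000000000000000000000000000,Removed,50000,http://cdn.example.invalid/setup.exe
"""


def host_of(url: str) -> str:
    """Hostname part of the URL column, lower-cased; empty string if unparsable."""
    return (urlparse(url).hostname or "").lower()


def is_known_update_host(host: str) -> bool:
    """True when host equals, or is a subdomain of, an entry in the allow-list."""
    return any(host == s or host.endswith("." + s) for s in KNOWN_UPDATE_HOST_SUFFIXES)


def summarize_blocks(csv_text: str) -> dict:
    """Group AMP block events by sha256.

    For each hash: total events, the MX names that reported it, the serving
    hosts, and whether every serving host is on the known update-host list.
    """
    groups = defaultdict(lambda: {"events": 0, "names": set(), "hosts": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"] != "block":
            continue
        g = groups[row["sha256"]]
        g["events"] += int(row["eventcount"] or 0)
        g["names"].add(row["name"])
        g["hosts"].add(host_of(row["url"]))
    return {
        sha: {
            "events": g["events"],
            "names": sorted(g["names"]),
            "hosts": sorted(g["hosts"]),
            "vendor_update_traffic": bool(g["hosts"])
            and all(is_known_update_host(h) for h in g["hosts"]),
        }
        for sha, g in groups.items()
    }


def triage(summary: dict) -> tuple[list, list]:
    """Split hashes into allow-rule candidates and hashes needing investigation.

    A hash is only a candidate when every URL that served it is under a known
    update domain; anything else stays blocked until a human looks at it.
    """
    candidates = sorted(s for s, v in summary.items() if v["vendor_update_traffic"])
    investigate = sorted(s for s, v in summary.items() if not v["vendor_update_traffic"])
    return candidates, investigate


def sha256_of_bytes(data: bytes) -> str:
    """Hex sha256, the same digest form AMP reports in the sha256 column."""
    return hashlib.sha256(data).hexdigest()


def file_matches_event(path: str, reported_sha256: str) -> bool:
    """Compare a file fetched from a trusted vantage point with the AMP hash.

    A mismatch means the bytes AMP saw differ from what the origin serves now,
    which is what the 'is there a proxy or MITM in the path' check is looking for.
    """
    with open(path, "rb") as fh:
        return sha256_of_bytes(fh.read()) == reported_sha256.lower()


if __name__ == "__main__":
    summary = summarize_blocks(SAMPLE_CSV)
    candidates, investigate = triage(summary)
    for sha in candidates:
        v = summary[sha]
        print(f"CANDIDATE {sha[:12]}… events={v['events']} mx={v['names']} hosts={v['hosts']}")
    for sha in investigate:
        v = summary[sha]
        print(f"INVESTIGATE {sha[:12]}… events={v['events']} hosts={v['hosts']}")
```

Run it against the real export by replacing SAMPLE_CSV with the file contents; a hash that is reported by more than one MX (as Hash A is by EP_FW01 and GA_FW01 in the thread) and is served only from update domains is the typical false-positive pattern, while a hash that also appears from an unrelated host should not be allow-listed on the strength of the update-domain hits alone.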

Agilico
Comes here often

@0AK13Y Thanks for this.  I have had a look at that report but it only shows snort rule blocks, not URLs like above.  I have also tried to download packet captures in Wireshark format for a particular server but it shows no data?!  Very confused!

0AK13Y
Here to help

You’re likely selecting the incorrect interface to run a packet capture on. Give support a call, they will be eager to help you out.
