AMP disposition

SOLVED
Here to help

We have an MX68 in production and recently started receiving syslog messages with event type "security_filtering_file_scanned" stating that a file download was blocked. The associated domains AND file hashes are not listed as malicious by other online sources. Below is one of the parsed logs.

"dst_ip": "XXXXXXXX",
"@version": "1",
"@timestamp": "2020-05-20T09:51:26.319Z",
"client_mac": "XXXXXXXXXX",
"log_type": "security_event",
"url": "http://officecdn.microsoft.com.edgesuite.net/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/Office/Data/v32...",
"src_ip": "XXXXXXXX",
"host": "XXXXXXXX",
"epoch": "1589968286.289412569",
"dst_port": "80",
"src_port": "50830",
"sec_type": "security_filtering_file_scanned",
"hostname": "XXXXXXXXX",
"enc": "sha256",
"disposition": "malicious",
"hash": "a14c085acbc26c3c9dce99c8955c95c3d0db2fd5ecc4741b4735b6c50d55cdb7",
"action": "block"

How does AMP cloud determine the download is malicious?  Is it the URL or the file hash?

Side note, we don't see any record of these security events in "Security & SD-WAN > Security Center" or "Network Wide > Event Log".  We only get the syslog messages saying these file downloads were blocked.

Head in the Cloud

Re: AMP disposition

It is in fact the hash that's considered malicious because of its "features" when being fed into Threat Grid.

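The security_event record quoted in the question, combined with the answer's point that the verdict attaches to the file hash rather than the URL, as an added example (not code from the thread or from Meraki): a small Python parser over constructed syslog lines that keeps only blocked file scans and groups them by hash, which is the unit AMP actually judged, so the same file fetched from several URLs or clients shows up as one item to investigate. The sample hashes, addresses and URLs are placeholders, and the assumption that "enc" names a standard digest (sha256/sha1/md5) is mine, used only to sanity-check the hash field.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines shaped like the Meraki "security_event" syslog JSON
# in the thread; hashes, addresses and URLs are placeholders, not real IoCs.
SAMPLE_LOGS = [
    '{"log_type":"security_event","sec_type":"security_filtering_file_scanned",'
    '"disposition":"malicious","action":"block","enc":"sha256","src_ip":"10.0.0.5",'
    '"hash":"' + "ab" * 32 + '","url":"http://cdn.example.test/Office/Data/a.cab"}',
    # same hash, different client and URL: AMP's verdict is per file, so same item
    '{"log_type":"security_event","sec_type":"security_filtering_file_scanned",'
    '"disposition":"malicious","action":"block","enc":"sha256","src_ip":"10.0.0.9",'
    '"hash":"' + "ab" * 32 + '","url":"http://mirror.example.test/a.cab"}',
    # scanned and allowed: must not be reported
    '{"log_type":"security_event","sec_type":"security_filtering_file_scanned",'
    '"disposition":"clean","action":"allow","enc":"sha256","src_ip":"10.0.0.5",'
    '"hash":"' + "cd" * 32 + '","url":"http://cdn.example.test/b.cab"}',
    '{"log_type":"security_event","sec_type":"security_filtering_fi',  # truncated
]

HASH_LEN = {"sha256": 64, "sha1": 40, "md5": 32}  # hex digits expected per "enc" (assumed)

def parse_security_events(lines):
    """Decode JSON syslog payloads, skipping malformed lines and other log types."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if rec.get("log_type") == "security_event":
            events.append(rec)
    return events

def blocked_downloads_by_hash(events):
    """Group blocked file-scan events by file hash; malformed hashes go under "invalid"."""
    summary = defaultdict(lambda: {"count": 0, "urls": set(), "src_ips": set()})
    for ev in events:
        if ev.get("sec_type") != "security_filtering_file_scanned":
            continue
        if ev.get("action") != "block" or ev.get("disposition") != "malicious":
            continue
        digest = ev.get("hash", "").lower()
        want = HASH_LEN.get(ev.get("enc", ""), 0)
        key = digest if want and re.fullmatch(r"[0-9a-f]{%d}" % want, digest) else "invalid"
        summary[key]["count"] += 1
        summary[key]["urls"].add(ev.get("url", ""))
        summary[key]["src_ips"].add(ev.get("src_ip", ""))
    return dict(summary)
```

Feeding the MX's real syslog stream through this gives one row per blocked hash with every URL and client that hit it, which is the list to check against the Security Center and against external hash lookups.
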
Here to help

Re: AMP disposition

I finally received a similar response from Meraki support.  Thanks for the quick reply!
