AMP disposition

SOLVED
MFisher
Here to help

AMP disposition

We have an MX68 in production and recently started receiving syslog messages with event ype "security_filtering_file_scanned" stating that a file download was blocked.  The associated domains AND file hashes are not listed malicious from other online sources.  Below is one of the parsed logs.

 

"dst_ip": "XXXXXXXX",
"@version": "1",
"@timestamp": "2020-05-20T09:51:26.319Z",
"client_mac": "XXXXXXXXXX",
"log_type": "security_event",
"url": "http://officecdn.microsoft.com.edgesuite.net/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/Office/Data/v32...",
"src_ip": "XXXXXXXX",
"host": "XXXXXXXX",
"epoch": "1589968286.289412569",
"dst_port": "80",
"src_port": "50830",
"sec_type": "security_filtering_file_scanned",
"hostname": "XXXXXXXXX",
"enc": "sha256",
"disposition": "malicious",
"hash": "a14c085acbc26c3c9dce99c8955c95c3d0db2fd5ecc4741b4735b6c50d55cdb7",
"action": "block"

 

 

 

How does AMP cloud determine the download is malicious?  Is it the URL or the file hash?

 

Side note, we don't see any record of these security events in "Security & SD-WAN > Security Center" or "Network Wide > Event Log".  We only get the syslog messages saying these file downloads were blocked.

1 ACCEPTED SOLUTION
CptnCrnch
Kind of a big deal
Kind of a big deal

It is in fact the hash that‘s considered malicious because of its „features“ when being fed into Threat Grid

View solution in original post

2 REPLIES 2
CptnCrnch
Kind of a big deal
Kind of a big deal

It is in fact the hash that‘s considered malicious because of its „features“ when being fed into Threat Grid

I finally received a similar response from Meraki support.  Thanks for the quick reply!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels