AMP disposition

We have an MX68 in production and recently started receiving syslog messages with event type "security_filtering_file_scanned" stating that a file download was blocked.  The associated domains AND file hashes are not listed as malicious by other online sources.  Below is one of the parsed logs.

    {
        "dst_ip": "XXXXXXXX",
        "@version": "1",
        "@timestamp": "2020-05-20T09:51:26.319Z",
        "client_mac": "XXXXXXXXXX",
        "log_type": "security_event",
        "url": "http://officecdn.microsoft.com.edgesuite.net/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/Office/Data/v32...",
        "src_ip": "XXXXXXXX",
        "host": "XXXXXXXX",
        "epoch": "1589968286.289412569",
        "dst_port": "80",
        "src_port": "50830",
        "sec_type": "security_filtering_file_scanned",
        "hostname": "XXXXXXXXX",
        "enc": "sha256",
        "disposition": "malicious",
        "hash": "a14c085acbc26c3c9dce99c8955c95c3d0db2fd5ecc4741b4735b6c50d55cdb7",
        "action": "block"
    }

How does AMP cloud determine the download is malicious?  Is it the URL or the file hash?

Side note, we don't see any record of these security events in "Security & SD-WAN > Security Center" or "Network Wide > Event Log".  We only get the syslog messages saying these file downloads were blocked.

2 REPLIES (the first is the accepted solution)
Head in the Cloud

Re: AMP disposition

It is in fact the hash that's considered malicious because of its "features" when being fed into Threat Grid.

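Since the disposition is keyed on the file hash rather than the URL, the first triage step is to confirm that the artifact you hold (a retained copy of the download) actually has the SHA-256 the MX logged before checking it against other sources. The following is an added example, not code from the thread or from Meraki; it assumes the syslog record arrives as the JSON the poster's parser produced, with the field names shown above, and the sample record is constructed from those fields.

```python
import hashlib
import json
import re

# Constructed sample record: the fields and hash are the ones quoted in the
# post above; addresses and MACs were already masked in the original.
SAMPLE_EVENT = json.dumps({
    "log_type": "security_event",
    "sec_type": "security_filtering_file_scanned",
    "@timestamp": "2020-05-20T09:51:26.319Z",
    "url": "http://officecdn.microsoft.com.edgesuite.net/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/Office/Data/v32...",
    "enc": "sha256",
    "disposition": "malicious",
    "hash": "a14c085acbc26c3c9dce99c8955c95c3d0db2fd5ecc4741b4735b6c50d55cdb7",
    "action": "block",
})

SHA256_HEX = re.compile(r"[0-9a-f]{64}")

def parse_amp_event(raw):
    """Return the triage-relevant fields of an AMP file-scan event, or None
    when the record is some other security_event or the hash is malformed."""
    ev = json.loads(raw)
    if ev.get("log_type") != "security_event":
        return None
    if ev.get("sec_type") != "security_filtering_file_scanned":
        return None
    digest = str(ev.get("hash", "")).lower()
    # The record declares enc=sha256; any other encoding is not comparable.
    if ev.get("enc") != "sha256" or not SHA256_HEX.fullmatch(digest):
        return None
    return {
        "timestamp": ev.get("@timestamp"),
        "hash": digest,
        "disposition": ev.get("disposition"),
        "action": ev.get("action"),
        "url": ev.get("url"),
    }

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, the form used in the syslog record."""
    return hashlib.sha256(data).hexdigest()

def matches_logged_hash(event, data: bytes) -> bool:
    """True when the retained copy of the download is the file AMP scored."""
    return event is not None and sha256_hex(data) == event["hash"]

if __name__ == "__main__":
    ev = parse_amp_event(SAMPLE_EVENT)
    print(ev["disposition"], ev["hash"], matches_logged_hash(ev, b"placeholder"))
```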


Re: AMP disposition

I finally received a similar response from Meraki support.  Thanks for the quick reply!
