AMP disposition

Solved
MFisher
Here to help

AMP disposition

We have an MX68 in production and recently started receiving syslog messages with event ype "security_filtering_file_scanned" stating that a file download was blocked.  The associated domains AND file hashes are not listed malicious from other online sources.  Below is one of the parsed logs.

 

"dst_ip": "XXXXXXXX",
"@version": "1",
"@timestamp": "2020-05-20T09:51:26.319Z",
"client_mac": "XXXXXXXXXX",
"log_type": "security_event",
"url": "http://officecdn.microsoft.com.edgesuite.net/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/Office/Data/v32...",
"src_ip": "XXXXXXXX",
"host": "XXXXXXXX",
"epoch": "1589968286.289412569",
"dst_port": "80",
"src_port": "50830",
"sec_type": "security_filtering_file_scanned",
"hostname": "XXXXXXXXX",
"enc": "sha256",
"disposition": "malicious",
"hash": "a14c085acbc26c3c9dce99c8955c95c3d0db2fd5ecc4741b4735b6c50d55cdb7",
"action": "block"

 

 

 

How does AMP cloud determine the download is malicious?  Is it the URL or the file hash?

 

Side note, we don't see any record of these security events in "Security & SD-WAN > Security Center" or "Network Wide > Event Log".  We only get the syslog messages saying these file downloads were blocked.

1 Accepted Solution
CptnCrnch
Kind of a big deal
Kind of a big deal

It is in fact the hash that‘s considered malicious because of its „features“ when being fed into Threat Grid

View solution in original post

2 Replies 2
CptnCrnch
Kind of a big deal
Kind of a big deal

It is in fact the hash that‘s considered malicious because of its „features“ when being fed into Threat Grid

I finally received a similar response from Meraki support.  Thanks for the quick reply!

Get notified when there are additional replies to this discussion.