We all know that at times Meraki AMP will block items and not log it in the Security Center; this is well known. However, this time we had a customer push us to find out why this happened, and Meraki support told us that the Security Center will log IDS, but not the advanced malware protection (AMP).
Just figured I would share and see if anyone else came to this conclusion, and if you did, why wouldn't they want to log AMP blocks? It would be nice for reporting, to show the customers more of the things we are preventing, plus troubleshooting.
I'd ask them to clarify with the product team. In the Network Wide > Alerts page, there is an alert checkbox for when malware is blocked, and another checkbox for when malware was actually downloaded; you get that alert in retrospect, because it wasn't known at the time, but it's known now that a downloaded file is malware. AMP events don't show up as a filter option in the Network Wide > Event log, while IDS/IPS events do, so perhaps that's what they are referring to. But I'd expect Security Center to (perhaps internally) log AMP events for up to a month for use within Security Center itself. Perhaps, with the massive amount of malware activity, it would generate too much noise and wash out other events in the actual event log? But in that case I'd still argue it should be there in the event log; it would be simple enough to use an event type ignore filter.
That seems to conflict completely with the information presented below, which shows that malware or AMP is reported on in the Security Center:
Sorry, the ')" in the previous post was cut off. I don't believe it's posted to the user event logs; it's all in the Security Center.