Meraki support told us security center doesn't log AMP (but will log IDS)

LV_MW_MSP
Getting noticed

Meraki support told us security center doesn't log AMP (but will log IDS)

We all know at times Meraki AMP will block items and not log it on the security center, this is well known. However this time we had a customer push us to get why this happened, and Meraki support told us that the security center will log IDS, but not the advanced malware protection (AMP).

 

Just figured I would share and see if anyone else came to this conclusion, and if you did, why wouldn't they want to log AMP blocks? Would be nice for reporting to show the customers more things we are preventing + troubleshooting.

 

 

6 REPLIES 6
MerakiDave
Meraki Employee
Meraki Employee

I'd ask them to clarify with the product team.  In the Network Wide > Alerts page, there is an alert checkbox for when malware is blocked, and another checkbox for when malware was actually downloaded, you get the alert in retrospect that it wasn't known at the time, but it's known now that a downloaded file is malware.  AMP events don't show up as a filter option in the Network Wide > Event log, while IDS/IPS events do, perhaps that's what they are referring to.  But I'd expect Security Center to (perhaps internally) log AMP events for up to a month for use within Security Center itself.  Perhaps with the massive amount of malware activity, it would generate too much noise and wash out other events in the actual event log?  But in that case I'd agree it should still be there in the event log, it would be simple enough to use an event type ignore filter.  

ChrisKemsley
Meraki Alumni (Retired)
Meraki Alumni (Retired)

That seems to conflict completely with the information presented below which shows that malware or AMP is reported on in the security center;

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Advanced_Malware_Protect...)

 

 

Cmiller
Building a reputation

Try the link again.. showing dead for me


I have never seen AMP logs in the user event log. I have had a Meraki support agent view an AMP log before but I don't think we as users have access to that. Sure would be a great feature for CMNA or Meraki masters to have 😉
ChrisKemsley
Meraki Alumni (Retired)
Meraki Alumni (Retired)

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Advanced_Malware_Protect...)

 

Sorry the ')" in the previous post was cut off. I don't believe it's posted to the user event logs - its all in the security center.

ChrisKemsley
Meraki Alumni (Retired)
Meraki Alumni (Retired)

And it's still not putting that in at the end - open the link and add a ')' at the end. Not sure why that didn't paste...
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels