Are there any plans to give the Cisco AMP event source a little more love with regards to the events that it is capable of detecting?
It’d be really nice if this event source (especially its Cloud IoC, potential ransomware, and exploit detection events) could be used in conjunction with the Attacker Behavior Analytics alerts, or perhaps have its own alerts, similar to Varonis.
Currently, in order to search events beyond a simple Threat Detected event (which is the least interesting event AMP can trigger on), they must be ingested as unfiltered logs. In order for me to detect/respond to these events I need to leverage the plugin on the InsightConnect side of things to poll for these events, which is somewhat untenable as it currently does not support RegEx matching on the event type. A workflow instance for every event I want to track results in insanely decreased performance on the orchestrator.
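As an added illustration of the regex-based event-type matching the post asks for (example code written here, not code from Rapid7, Cisco, or the InsightConnect plugin): a single routing pass classifies polled AMP-style events into alert categories with one compiled pattern per category, so one workflow can cover Cloud IoC, ransomware and exploit events instead of one workflow per event name. The event records and their field names (`event_type`, `computer`, `detection`) are constructed for this example and are not the product's documented schema.

```python
import re
from typing import Dict, List, Optional, Pattern

# Constructed sample events shaped loosely like AMP event records.
# Field names and event_type strings are assumptions for illustration only.
SAMPLE_EVENTS: List[dict] = [
    {"id": 1, "event_type": "Threat Detected", "computer": "ws-01",
     "detection": "W32.Eicar"},
    {"id": 2, "event_type": "Cloud IOC", "computer": "ws-02",
     "detection": "Suspicious PowerShell download cradle"},
    {"id": 3, "event_type": "Potential Ransomware", "computer": "ws-03",
     "detection": "Mass file rename"},
    {"id": 4, "event_type": "Exploit Prevention", "computer": "ws-04",
     "detection": "Heap spray blocked"},
    {"id": 5, "event_type": "Cloud IOC: Generic", "computer": "ws-05",
     "detection": "Living-off-the-land binary"},
]

# One compiled pattern per alert category. The order matters: the first
# category whose pattern matches wins, so put the most specific first.
CATEGORY_PATTERNS: Dict[str, Pattern[str]] = {
    "cloud_ioc": re.compile(r"^Cloud IOC", re.IGNORECASE),
    "ransomware": re.compile(r"ransomware", re.IGNORECASE),
    "exploit": re.compile(r"^Exploit Prevention", re.IGNORECASE),
}


def match_category(event_type: str,
                   patterns: Dict[str, Pattern[str]] = CATEGORY_PATTERNS
                   ) -> Optional[str]:
    """Return the first category whose regex matches the event type, else None.

    A plain 'Threat Detected' event matches nothing and is left for the
    default (unfiltered log) path; the higher-value detections are routed.
    """
    for category, pattern in patterns.items():
        if pattern.search(event_type):
            return category
    return None


def route_events(events: List[dict],
                 patterns: Dict[str, Pattern[str]] = CATEGORY_PATTERNS
                 ) -> Dict[str, List[int]]:
    """Group event ids by category in one pass over a polled batch.

    Events that match no pattern are dropped from the result, which is the
    behaviour a single polling workflow would want: emit only the events
    worth an alert, keyed by the category that should handle them.
    """
    routed: Dict[str, List[int]] = {name: [] for name in patterns}
    for event in events:
        category = match_category(event.get("event_type", ""), patterns)
        if category is not None:
            routed[category].append(event["id"])
    return routed


def summarize(routed: Dict[str, List[int]]) -> List[str]:
    """Render one line per category for a quick operator readout."""
    return [f"{name}: {len(ids)} event(s) {ids}" for name, ids in routed.items()]


if __name__ == "__main__":
    for line in summarize(route_events(SAMPLE_EVENTS)):
        print(line)
```

The pattern table is the only thing an operator edits when a new AMP event type becomes interesting; the polling and routing logic stays the same, which is the point of asking for regex matching on the plugin side rather than a workflow instance per event name.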