Cisco AMP improvement?

evan_nichols · September 12, 2020, 12:35am

Are there any plans to give the Cisco AMP event source a little more love with regards to the events that it is capable of detecting?

It’d be really nice if this event source (especially it’s Cloud IoC, potential ransomware, and exploit detection events) could be used in conjunction with the Attacker Behavior Analytics alerts, or perhaps have its own alerts, similar to Varonis.

Currently, in order to search events beyond a simple Threat Detected event (which is the least interesting event AMP can trigger on), they must be ingested as unfiltered logs. In order for me to detect/respond to these events I need to leverage the plugin on the InsightConnect side of things to poll for these events, which is somewhat untenable as it currently does not support RegEx matching on the event type. A workflow instance for every event I want to track results in insanely decreased performance on the orchestrator.

felipe_legorreta · September 16, 2020, 2:40pm

Hey Evan,
Thank you very much for this feedback!
We have already passed this info to our event sources team, but would you be able to provide perhaps some examples?

Thanks!

evan_nichols · September 29, 2020, 1:40pm

Hey Felipe,

Certainly! The Cisco AMP event sources I’d most be interested in the event source polling for are the Cloud IoC, Exploit Prevented, Potential Ransomware and Possible Webshell events, but there are a lot more that would be incredibly useful. The full list of events are here.

How often does this event source poll the API for events? It looks like it’s hourly, but I could be wrong.