Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
    Daniel Pauler
    @Skypex_AT_twitter
    However, it seems there are no messages published to the queue not matter what filters I use
    If I dont specify groups and event_types, everything should be published to this event stream, right?
    I also noticed that it is not possible to delete event_streams, no matter if you use the amp-04-delete-event-stream or the CURL from the API doc
    Matthew Franks
    @mafranks
    I tested deleting the event streams. There was a 10-15 minute delay, but the stream was deleted.
    For the streaming events, were you generating events after creating the stream?
    maugertg
    @maugertg
    @Skypex_AT_twitter correct if you don't specify groups or event types it should be all events for all groups. Do you have events in the console that are not demo data events?
    the demo data events do not make it into any event stream. There is also a good example consumer in Python made by one of the AMP for Endpoint engineers here https://github.com/samsonnguyen/pika_bootstrap
    As Matt noted, there can be quite a delay in deleting event streams. They go into a que and depending on system load there can be a delay. I've seen it up to two hours but this is extremely rare. I'd wager ~80% of the time it is processed within 30 seconds or less.
    Daniel Pauler
    @Skypex_AT_twitter
    Alright, thanks @mafranks , maybe I was just not patient enough... But my streams are still there, even now - anyway I will try again tomorrow.
    Yes, I was downloading EICAR files to trigger events, they are in the console but not in the queue
    maugertg
    @maugertg
    those should definatly show up. pro-tip another easy way to generate "Threat Detected" events is to put a PDF on a Simple Custom Detection list and then extract the PDF from a password protected zip you can also use https://mysite.science.uottawa.ca/rsmith43/Zombies.pdf in place of eicar
    Daniel Pauler
    @Skypex_AT_twitter
    @maugertg thank you for input, I will check this out, but I think I did already - I was looking into the code of the Splunk app and the class there looks familiar :D
    maugertg
    @maugertg
    hahaha yeah that Pika Bootstrap is the base for the consumer in the Splunk app
    Daniel Pauler
    @Skypex_AT_twitter
    Oh, cool I will try the PDF trick as well!
    Many thanks!
    Matthew Franks
    @mafranks
    If you don't see any events on it tomorrow, shoot me a message and I can look at the stream.
    maugertg
    @maugertg
    if you want to generate LOTS of events this PDF is extremely useful https://www.cafe-encounter.net/p521/a-very-small-editable-pdf-for-testing
    you can modify it programatically to generate hundres of unique PDFs all less than 1KB
    just put the SHA256s on an SCD list and you're off to the races
    Daniel Pauler
    @Skypex_AT_twitter
    So, I have cloned and adapted the sample code that @maugertg recommended. Thats great, because there is a lot of logging :)
    However, I am listening to a queue with no filters and it cannot see anything
    Could it be some sort of licence issue? We have only an AMP for Endpoints Essentials licence
    Matthew Franks
    @mafranks
    No, the API doesn't require Advantage. Can you PM me the stream ID?
    Adam Johnson
    @johnosn

    Does Anyone happen to have a "Key" for what the fields for exclusions in the policy xml means?
    For instance here is what I think I can figure out from making Windows process exclusions:

    PROCESS EXCLUSIONS
    File Scan Exclusion(2,3)|Has Hash(0,1)|Hash Value|Path|Exclusion Type(0,1,4,12,16,48)

    File Scan Exclusion
    2 = True
    3 = FALSE

    Has Hash
    0 = False
    1 = True

    Exclusion Type
    0 = File scan w/o Child Processes
    1 = File scan w/ Child Processes
    4 = System Process w/o Child Processes
    12 = System Process w/ Child Processes
    16 = Malicous Activity w/o Child Processes
    48 = Malicous Activity w/ Child Processes

    WINDOWS Process Exclusions
    01 File scan - hash only - no child process <item>2|1|0000000000000000000000000000000000000000000000000000000000000001||0|</item>
    02 File scan - hash only - with child process <item>2|1|0000000000000000000000000000000000000000000000000000000000000002||1|</item>
    03 File scan - hash & path - no child process <item>2|1|0000000000000000000000000000000000000000000000000000000000000003|c:\Path\03|0|</item>
    04 File scan - hash & path - with child process <item>2|1|0000000000000000000000000000000000000000000000000000000000000004|c:\Path\04|1|</item>
    05 File scan - path only - no child process <item>2|0||c:\Path\05|0|</item>
    06 File scan - path only - with child process <item>2|0||c:\Path\06|1|</item>

    11 Malicous Activity - hash only - no child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000011||16|</item>
    12 Malicous Activity - hash only - with child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000012||48|</item>
    13 Malicous Activity - hash & path - no child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000013|c:\Path\13|16|</item>
    14 Malicous Activity - hash & path - with child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000014|c:\Path\14|48|</item>
    15 Malicous Activity - path only - no child process <item>3|0||c:\Path\15|16|</item>
    16 Malicous Activity - path only - with child process <item>3|0||c:\Path\16|48|</item>

    21 System Process - hash only - no child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000021||4|</item>
    22 System Process - hash only - with child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000022||12|</item>
    23 System Process - hash & path - no child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000023|c:\Path\23|4|</item>
    24 System Process - hash & path - with child process <item>3|1|0000000000000000000000000000000000000000000000000000000000000024|c:\Path\24|12|</item>
    25 System Process - path only - no child process <item>3|0||c:\Path\25|4|</item>
    26 System Process - path only - with child process <item>3|0||c:\Path\26|12|</item>

    Matthew Franks
    @mafranks
    @johnosn there is no published key for these values but your values do appear to be accurate according to the same tests I've conducted previously.
    Adam Johnson
    @johnosn
    AMP_Process_Exclusions.zip
    Here is a mostly complete version of the python code I was working on. I still need to create a requirements.txt and readme.md file yet. But it will output a couple of csv files with statistics on file and process exclusions along with a copy of the policy.xml file. It also prints a the csv data to the screen along with a caution for policies with 90-100 process exclusions and a warning for policies with over 100 process exclusions.
    If anyone has the ability to test it out, let me know if it works on more than just my environment.
    Dennis Perto
    @PertoDK_twitter
    Skærmbillede 2020-05-20 kl. 12.50.58.png
    While using the event stream I sometimes get vulnerable applications. Please include the name and version on all CVEs assigned to the vulnerability, and not just the first one. Or else name and version should be in a parent object covering all of them.
    Adam Johnson
    @johnosn
    AMP_Policy_Exclusions.zip

    Here is the more final version of my AMP Exclusion Stats code. DocStrings have been updated, requirements.in and requirements.txt files have been added, README.md has been added, and the main portion of the code has been optimized to use 10 work threads to speed up the scripts execution (hurray for multi-threaded Python scripts).

    Having done that I am thinking about writing a script that could parse through multiple sfc.exe.log from several computers with the same policy and provide a count for the number of times each exclusion listed in the policy.xml file has been used.

    Adam Johnson
    @johnosn
    Posted here https://github.com/johnosn/amp-05-policy-exclusion-stats
    Dennis Perto
    @PertoDK_twitter
    Skærmbillede_2020-05-29_kl__09_29_36.png
    Is it possible to fetch the “File Details” from the AMP/TR/TG API?
    maugertg
    @maugertg
    Sadly, it is not. There is a feature request for it though
    Dennis Perto
    @PertoDK_twitter
    Alright. Thanks :)
    Matthew Franks
    @mafranks
    image.png
    Seems to be working just fine @johnosn
    Although, I did get an error when installing the requirements.
    ERROR: astroid 2.3.1 has requirement six==1.12, but you'll have six 1.14.0 which is incompatible.
    Couldn't seem to resolve it but everything still worked.
    image.png
    Dennis Perto
    @PertoDK_twitter
    Is there any information on the roadmap about AMP for Endpoints getting both a block- and an alert list for SHA256 and IP addresses? Of cause supported by API. Today we only have the block SHA256 functionality over the API.
    maugertg
    @maugertg
    I'm certain it's an existing FR I know i've been asking for it for a long time. Do not believe it has made it to the roadmap yet though
    Adam Johnson
    @johnosn
    Has anyone else experienced the Cisco Orbital Query API taking several minutes to accept a query when the query is looking to gather data when the 'os' is specified as windows?
    I am trying to automate submitting Cisco Orbital queries based on data from the Cisco Talos osquery_queries repository. If I specify a single host, the query submission takes only a couple seconds. However, if I let the query use the os specified in the Cisco Talos query data it takes several minutes to submit the query.
    Submit Talos Queries To Orbital Code
    Next question, does anyone know how to specify the Remote Data Store (RDS) when submitting a query to Orbital? I would like the results of the queries above to automatically move to my SIEM for easier analysis.
    malnguyen
    @malnguyen
    is this room still active anyone?
    Dennis Perto
    @PertoDK_twitter
    Not since Michael Auger left.
    Alison King
    @A.King_gitlab

    Hi, Since the AMP connector update to 7.5.1.20833 the Diag_Analyzer_v1_03.exe has stopped creating the Summary file.
    I logged a ticket with Cisco TAC support but they tell me that it is outside of TAC scope of support.
    I was using Diag_Analyzer_v1_03.exe to identify exclusions that I needed to create during our AMP rollout to servers.
    Now I am stuck because the tool doesn't work and Cisco say they don't support it.

    What does everyone else do when rolling out AMP for the first time to servers.

    I have an Audit policy applied to the servers currently, but it seems like I am stuck at this point because I can't move them to a protect policy as we have had several incidents where lack of exclusions has caused processes to hang.

    Does anyone have any advise?

    Matthew Franks
    @mafranks
    Hey Alison, I worked on that tool with another guy as a side project a while ago. I dont have time this week but if you file an issue on the repo with details about the problem i can take a look when i have some time and try to fix it.
    3 replies
    Alison King
    @A.King_gitlab
    Hi @mafranks Thank you for fixing this , I am now able to get the summary file from my 7.5.5 connector clients.