Guide to Responding to CSOC EMail Alerts
From time to time we get email from the campus CSOC notifying us about suspicious activity on an endpoint. Usually, these are sent because the Palo Alto firewall detected suspicious network activity from the endpoint to some resource on the Internet. These messages require an investigation on our part to ensure the endpoint isn't infected with malware and to ensure we don't have a HIPAA, FERPA, or other regulatory violation. This KB is an attempt to guide the reader through the investigation process. Since we can't anticipate every conceivable situation, it will be a general guideline.
Definitions
- Malware is any software running on your computer that has some sort of malicious intent. For example, ransomware, data theft, credential phishing or other activity that you don't want and that may be criminal in nature.
- Endpoint is simply a computing device. It can refer to any networked device that can run the AMP client, but mostly it refers to user workstations (laptop or desktop computers), servers, or instrument computers.
- Spirion is another tool offered by Cybersecurity. It scans endpoints on which it is installed for data patterns in files that could represent restricted information (e.g. social security numbers). It has its own console to which you should also have access if you have cybersecurity duties in your job role.
- BigFix (aka TEM) is our primary endpoint management tool. Endpoints with the BigFix client report to a central console and provide data on networking, installed software, running services, and so on. We can also use it to remotely push updates and other software to endpoints.
- CSOC (CyberSecurity Operations Center) is the group within the Office of Cybersecurity charged with the task of monitoring campus IT infrastructure for malicious activity, investigating events, and other cybersecurity tasks. They have access to all campus endpoints in AMP and will contact designated individuals in a department if they see anything unusual that has not been addressed by the department.
Contacts
- John DeMuth, 608-262-8125 or jmdemuth@wisc.edu
- Chris Spencer, 608-262-9477 or caspencer@wisc.edu
- UW-Madison Office of Cybersecurity, cybersecurity@cio.wisc.edu
The CSOC Email
The message you get will usually follow this example, with changes to specific information. This example was taken from a recent alert.
About the Event:
The Office of Cybersecurity, while reviewing our daily security logs, identified a device on your network that was flagged for malware by Palo Alto.
Device IP: 128.104.113.152
MAC: ac1a3db227d0
Network/Subnet: PHARM-RENNEBOHM-HALL
Actions to take:
Determine if device is compromised - If possible, please run a full AV scan and share the results.
Reply within 1 business day:
Whether device is hosting Restricted or Sensitive data
Remediation plans
Action(s) taken
Event Impact/Details:
Device IP: 128.104.113.152
Alert: PA URL Filtering
Suricata/Palo Alto Category: Malware
Please visit https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC for additional explanation of the URL category
Number of Alerts: 122
Time Stamp: Jul 22, 2025 @ 15:58:35 UTC
URL: mindcloak[.]com/
Was AMP installed on the device: No
AMP Alert Results: N/A
AMP Hostname: N/A
CSV Attached: YES
References / KBs:
https://policy.wisc.edu/library/UW-504
You are receiving this email because you are listed as a MIST Contact or in WiscNIC as a technical contact for the above IP range. If this is incorrect, please let us know.
Identify the Endpoint
You don't usually get the endpoint name from the CSOC, so you will have to use other tools to link the given IP address with an actual endpoint. Here's what usually works.
- Look up the IP address in AANTS
- Use the NetWatch tool to determine which switch port last saw the IP address. Usually the following parameters will give you what you need.
- Days to search: just the number of days to go back when searching. The default '5' will be sufficient in most cases, or just enter something reasonable. In this example, the investigation wasn't able to happen until several days after the email came, so we entered '10' just to make sure we search enough records.
- Devices: since you won't know which switch last saw the IP address, select "All" here.
- You can leave "Buildings" unselected unless you have a good reason not to.
- Enter the IP address in the "IP Address" box and click "Submit"
- If AANTS is able to find anything, it will output something like this.
- The Date/Time may not correlate exactly with the date/time in the alert, but as long as it's within a few days (as is the case here), we can be reasonably sure this is the right switch port. In rare cases you may see more than one switch port reporting the same IP address. This can happen if you select a large number of days to search for, or if the IP lease renewed very recently. Go with the record matching the MAC address in the email.
- The MAC address should correlate to the MAC in the email. In this case, it does. If it does not, you may want to increase or decrease the number of days to search.
- You can see that the IP was most recently seen on switch s-pharm-1303-2-access on port Gi1/0/13. You can click on the port link to get details on the port.
- Port details:
- Verify the switch/port information and the MAC address. Note that in this case the MAC address is not the same as reported in the email or in Netwatch. This is because some offices and labs use VoIP phones, and it's those MAC addresses that usually appear here.
- You can verify the MAC address in the email and in Netwatch by seeing if it's allowed in our MAC filter in IPAM:
If the comment is worded correctly, "pass through" indicates a MAC address for a dock. You will also get the endpoint name, BUT comments in IPAM may not always be updated. You will still want to verify using BigFix as mentioned in step 4.
- You can also try to correlate IP and MAC addresses by checking the lease in IPAM:
- You should have enough information to try to identify the endpoint.
- You can use the room number reported in the Port Details and look it up in our directory. From there you can get the occupant(s), and look up their login name in BigFix to get the endpoint name, or visit the office to get the name from the endpoint itself.
- If the room number points to a lab or other shared space, you can use the IP address and MAC address to identify the correct endpoint. You will have to visit that space and turn on and look at each endpoint until you find the right one. Using the Jack ID can help narrow this down quickly.
- Other comments
- You could try finding the IP in BigFix, but if the endpoint was used on VLAN 327 and then used remotely, BigFix will likely record only the remote IP address (usually 192.168.x.y). You would then not be able to find the IP reported in the email.
- If the IP reported is on the campus wireless network, you most likely won't be able to find it using the method above. Even if you search the MAC address in Netwatch, it probably won't direct you to a specific port that is associated with a particular data jack and room number.
- Likewise, if the email reports a 192.168.x.y address, it might be difficult to track to a specific endpoint.
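As an added example (not part of this KB or of any of the campus tools it names), the following Python reproduces the MAC and date check described above: it pulls the fields out of the alert text, normalizes the MAC notations so the email's bare form compares equal to the colon or dotted forms NetWatch and the port details show, and keeps only records whose last-seen time falls within the search window. The alert fields are the ones from the sample email above; the switch records and the phone MAC are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Fields copied from the sample CSOC email in this KB (constructed sample, not a real attachment).
ALERT_TEXT = """Device IP: 128.104.113.152
MAC: ac1a3db227d0
Network/Subnet: PHARM-RENNEBOHM-HALL
Time Stamp: Jul 22, 2025 @ 15:58:35 UTC
URL: mindcloak[.]com/"""

# Constructed records standing in for NetWatch / port-detail rows. The second row
# imitates a VoIP phone on the same port; its MAC is an IANA documentation placeholder.
UTC = timezone.utc
RECORDS = [
    {"switch": "s-pharm-1303-2-access", "port": "Gi1/0/13", "mac": "ac1a.3db2.27d0",
     "last_seen": datetime(2025, 7, 25, 9, 12, tzinfo=UTC)},
    {"switch": "s-pharm-1303-2-access", "port": "Gi1/0/13", "mac": "00:00:5E:00:53:01",
     "last_seen": datetime(2025, 7, 25, 9, 12, tzinfo=UTC)},
    {"switch": "s-pharm-1303-2-access", "port": "Gi1/0/22", "mac": "ac:1a:3d:b2:27:d0",
     "last_seen": datetime(2025, 6, 30, 8, 0, tzinfo=UTC)},
]

def parse_alert(text):
    """Collect the 'Key: value' lines of the CSOC email body into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def normalize_mac(mac):
    """Reduce ac1a3db227d0, ac:1a:3d:b2:27:d0, AC-1A-3D-B2-27-D0 or ac1a.3db2.27d0
    to the same 12 lowercase hex digits so the different consoles compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_timestamp(value):
    """Parse the alert's 'Jul 22, 2025 @ 15:58:35 UTC' form as an aware datetime."""
    return datetime.strptime(value, "%b %d, %Y @ %H:%M:%S UTC").replace(tzinfo=UTC)

def candidate_ports(alert_text, records, max_days=5):
    """Return (switch, port) pairs whose MAC equals the alert MAC and whose
    last-seen time lies within max_days of the alert time stamp."""
    alert = parse_alert(alert_text)
    want = normalize_mac(alert["MAC"])
    when = parse_timestamp(alert["Time Stamp"])
    window = timedelta(days=max_days)
    return [(r["switch"], r["port"]) for r in records
            if normalize_mac(r["mac"]) == want and abs(r["last_seen"] - when) <= window]
```

With the default 5-day window only the Gi1/0/13 record survives; widening the window (as the KB suggests when the MAC doesn't line up) brings the older Gi1/0/22 sighting back into view, which is exactly the "more than one port" case to watch for.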
Composing the Reply
Once you determine the endpoint name (in this case it was SOP4XL3MS3), you can use that in our various consoles to compose your reply to the email.
- Was the Endpoint Hosting Sensitive/Restricted Data?
You can try to answer this in three ways.
- Use the Spirion (aka "Identity Finder") console to see what it has found. Note that Spirion can record lots of data that it thinks is sensitive or restricted, and mostly it looks for data that appears to be social security or credit card numbers. It can be tedious going through all the data, and some of it will be false positives or inconclusive.
- You can ask the user directly if they work with this kind of data.
- You can also make an educated guess. This method is not recommended, but might work if 1 and 2 seem impractical. An endpoint that is used by a program assistant or lab employee is not likely to host this data, whereas an endpoint used by faculty known to work with human subjects or health data could very well host this data. If you suspect the latter, you will certainly want to follow up using steps 1 and 2.
- Remediation Plans/Actions Taken
These can be hard to separate, but when you have the endpoint name you can take the following steps.
- Go into the AMP/CiscoSE console and initiate a scan on the endpoint (Management -> Computers -> filter on endpoint name).
- You want to run a full file scan. When the scan starts, it should appear in the Events for the endpoint. The scan results will also appear in the Events for the endpoint. Most full file scans complete in an hour or two.
- Note that you could try filtering on Internal or External IP. This might be another good way to identify the endpoint.
- If the AMP scan does find malware, you'll probably need to report what it found and what you were able to do. If AMP was able to quarantine the malware - super! Report that! If it couldn't quarantine and you had to remove it using other methods, you would report that too. Sometimes in the past we've even had to report that we're removing the endpoint from the network and reimaging it.
- Other Things to Consider
- It's OK to make an initial reply saying what you know so far (since they do usually want a response in one business day), and then a follow up when the scan completes.
- Sometimes you may find interesting things if you look at the firewall traffic log for the IP address.
- It can also be interesting and instructive to research the URL given in the email to see what others have found.
- Finally, if you think this is a false positive, don't be afraid to make that comment. Sometimes Palo Alto might not have complete or correct information about things.