Cisco AMP - Performing Event & Prevalence Analysis Through the Secure Endpoint (AMP) Console

This article documents various methods and processes for performing analysis on events and files in the Secure Endpoint (AMP) console. This document is meant to serve as a guide to campus IT administrators utilizing Secure Endpoint (AMP).

Note: Access to the Secure Endpoint (AMP) console is required to perform the analysis steps delineated in this article. Secure Endpoint (AMP) console access is reserved for campus information technology administrators and not campus end users. If you are interested in deploying Secure Endpoint (AMP) and are not an IT administrator, contact cybersecurity@cio.wisc.edu to learn about your options.

  • Analyzing Event Notifications:

      If you receive a notification for an event and you wish to perform analysis on the event:

    1. Log in to the Secure Endpoint (AMP) Console, select the Analysis dropdown, and click Events.
       (Screenshot: Analysis.png)

      Note: There is more than one way to view events occurring on your managed Endpoints. One such way is to use the Events Tab, which allows you to see a quick, tactical breakdown of suspicious events that have occurred recently. Another option is to use the Inbox Tab, which allows for a more structured workflow for addressing events. This article focuses on the Inbox Tab due to the more structured nature of the event analysis workflow through this tab.

    2. Select the Inbox Tab.
       (Screenshot: Addtl1.png)

      Note that there are three subtabs (Requires Attention, In Progress, Resolved). Events that require your attention will first be displayed in the Requires Attention column. Events are grouped by machine. Select one of the machines to expand it and view the corresponding event information.
       (Screenshot: Analysis1.png)

    3. To note that you've begun investigation for a machine, select the Begin Work button.
       (Screenshot: Analysis3.png)

      This will move the machine to the In Progress subtab. Click on the machine to expand the information view again, and begin the analysis steps.

      See below for examples of ways to perform analysis and information gathering:


    • Event Analysis:

      1. Log in to the Secure Endpoint (AMP) Console, select the Analysis dropdown, and click Events.
         (Screenshot: Analysis.png)

      2. Select the Inbox Tab.
         (Screenshot: Addtl1.png)

      3. Select the In Progress Subtab.
         (Screenshot: Addtl2.png)

      4. With the machine information expanded in the In Progress tab, click on the blue Events icon in the bottom right corner.
         (Screenshot: Analysis4.png)

      5. The Events tab will open, filtered to show only events from the machine you're investigating. Here you can see events that have occurred on the machine recently. Potentially malicious or suspicious events are denoted by colored tags indicating Secure Endpoint (AMP)'s severity classification of the event.
         (Screenshot: Analysis5.png)

      6. Click on an event to expand the information dropdown and begin your analysis. The following items may be useful for determining whether the threat is legitimate:
        1. The File Name will be in bold at the top of the information dropdown. This can often give some insight into what the file claims to be (chrome.exe is often flagged, but it's typically the legitimate Chrome installer). A familiar name alone is not proof of legitimacy, since malware commonly reuses the names of well-known programs; confirm with the path and the hash.

        2. The File Path will be in the information table, and this can lend further insight into what the file is and where it's supposed to live.

        3. The SHA-256 Hash can be quite useful when checked against sites like VirusTotal. If you right-click the SHA-256 value, the VirusTotal score for the file should appear (unless the file has not yet been uploaded to VirusTotal).

        4. The Current User information is displayed on the Connector Info subtab, which can help you determine which user was logged into the computer at the time of the event.

        5. You can also use the Events page to open the File Trajectory page, which is discussed in further detail below.

        6. For more details on how to perform Event analysis, see the Cisco AMP User Guide.


    • Device Trajectory:

        The Device Trajectory page can be quite useful because it displays the processes that generate events (and their child processes), which can allow you to identify the root cause of an infection.

      1. Log in to the Secure Endpoint (AMP) Console, select the Analysis dropdown, and click Events.
         (Screenshot: Analysis.png)

      2. Select the Inbox Tab.
         (Screenshot: Addtl1.png)

      3. Select the In Progress Subtab.
         (Screenshot: Addtl2.png)

      4. With the machine information expanded in the In Progress tab, click on the blue Device Trajectory icon in the bottom right.
         (Screenshot: Analysis6.png)

      5. The Device Trajectory page will appear. It tracks file, network, and connector events, giving you visibility into the events that occurred leading up to and following a compromise.

        The vertical axis of the Device Trajectory page shows a list of files and processes, and the horizontal axis represents time. Child processes and files stem from the parent process and are listed on the right-hand side of the graph. Finally, if you click on the event icons in the detailed processes graph, the right side of the page will display Event Details.
         (Screenshot: Analysis7.png)

      6. Use the sliding date and time bars in the upper timeline window to navigate to the event (evidenced by one or more red dots). You can click on the red dot, and then click on the blue Compromise Events option that appears to view the event in the Process Detail Graph.
         (Screenshot: Analysis9.png)

      7. Navigate through the event timeline by scrolling side to side on the Process Detail Graph (the bottom window on the page). You may have to scroll forwards or back in time to see the entire event play out, as clicking on the Compromise Events option often takes you to just one event in the chain.
         (Screenshot: Analysis10.png)

      8. You can use the Process Detail Graph to analyze the processes and events that led up to the suspicious event. For example, in the screenshot below, we can see that the autodeployer.exe process begins running, Secure Endpoint (AMP) flags it, stops the process, and quarantines it.

        We can read more about the event in the Event Details pane on the right-hand side of the graph (this pane appears in the screenshot because the red event icon shaped like a play button is currently selected on the process graph).
         (Screenshot: Analysis8.png)

      9. If the Process Detail Graph is a little too noisy, or you'd just like to reduce the events displayed, you can use the Filters button to filter out the processes shown. Simply de-select the items you don't wish to see and select the blue Apply Filters button.

        For example, you may want to cut out all the processes that are known to be benign. See the screenshot below for an example of that configuration.
         (Screenshot: Analysis11.png)

        Process Detail Graph with benign processes filtered out:
         (Screenshot: Analysis12.png)

      10. For more details on using the Device Trajectory page, see the Cisco AMP User Guide.

    • File Trajectory:

        The File Trajectory shows the life cycle of a file in your environment from the first time it was seen to the last, as well as all computers in the network that have it. Where applicable, the parent that brought the threat into the network is displayed, including any files created or executed by the threat. File trajectory analysis can be a very strong analytical tool.

      1. Log in to the Secure Endpoint (AMP) Console, select the Analysis dropdown, and click Events.
         (Screenshot: Analysis.png)

      2. Select the Inbox Tab.
         (Screenshot: Addtl1.png)

      3. Select the In Progress Subtab.
         (Screenshot: Addtl2.png)

      4. With the machine information expanded in the In Progress tab, click on the blue Events icon.
         (Screenshot: Analysis4.png)

      5. The Events tab will open, filtered to show only events from the machine you're investigating. Here you can see events that have occurred on the machine recently. Potentially malicious or suspicious events are denoted by colored tags indicating Secure Endpoint (AMP)'s severity classification of the issue.
         (Screenshot: Analysis5.png)

      6. Click on an event to expand the information dropdown and begin your analysis.

      7. Right-click the Fingerprint (SHA-256) for the suspicious file and select the File Trajectory option to open the File Trajectory page.
         (Screenshot: Analysis13.png)

      8. On the File Trajectory page you can view the following:

        1. Visibility tells you the first and last time the file was seen on your network.
        2. Entry Point can tell you the machine that the file was first found on.
        3. Expand the File Details to learn more about the file attributes, known names of the file, and how the file was detected.
           (Screenshot: Analysis14.png)
        4. The Trajectory graphic shows how the file interacted with the host machine(s) it was found on.
        5. Event History can tell you when suspicious events occurred and what machines they occurred on.

  • Once you've completed your analysis of the file, it is important to mark the issue as resolved. If you're not there already, return to the Analysis -> Inbox -> In Progress table and select the machine name of the investigated machine to expand the information dropdown.
     (Screenshot: Analysis17.png)

  • Click the Mark Resolved button on the bottom right of the information dropdown.

  • Prevalence Analysis:

      Prevalence displays files that have been executed across your organization in relation to global executions of those files. This can help you surface previously undetected threats that were only seen by a small number of users. Generally, files executed by a large number of users tend to be legitimate applications, while those executed by only one or two users may be malicious, such as a targeted advanced persistent threat.

    1. Log in to the Secure Endpoint (AMP) Console, select the Analysis dropdown, and click the Prevalence option.
       (Screenshot: PR1.png)

    2. Scroll through the line items until you find one of interest. Click on a line item to expand information about the file.
       (Screenshot: PR5.png)

    3. If you find a suspicious item, you can use the Event Analysis, Device Trajectory, and File Trajectory sections of this article to assist you in investigating the file.

    4. Typically, files that have already been analyzed by Secure Endpoint (AMP) will be scored on a scale out of 100. This rating will appear alongside the file name and computer name in the summary bar for the file. Some files, however, won't have been analyzed by Secure Endpoint (AMP) before. If that is the case, you can click the Analyze button on a file to upload the file to Secure Endpoint (AMP).
       (Screenshot: PR2.png)

    5. You can then choose the computer to download the file from and the OS of the VM to be used for analysis. Click the blue Fetch and Send for Analysis button.
       (Screenshot: PR3.png)

    6. The file will be uploaded and sent to the Secure Endpoint (AMP) File Repository. To access the repository, select the Analysis dropdown and click the File Repository option.
       (Screenshot: PR4.png)

    7. Here you can see the analysis status (Available, Requested, Failed) of a file. Click a file to expand more information about the file.

    8. If you would like to do further testing of your own, you can click the Download button to download the file onto your machine. It is suggested to do this on a VM rather than your primary PC.
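The prevalence heuristic described above (few local executions, few global executions, and no threat score yet assigned) written out as a small Python triage routine. This is an added example, not Cisco code or a console export; every record, hostname, global count and score below is constructed, and the function names are our own.

```python
from collections import defaultdict

# Constructed sample records: one entry per execution of a file on a managed
# endpoint, keyed by SHA-256 fingerprint (the values are placeholders).
EXECUTIONS = [
    {"sha256": "11" * 32, "file": "chrome.exe",       "computer": "lab-01", "user": "amy"},
    {"sha256": "11" * 32, "file": "chrome.exe",       "computer": "lab-02", "user": "bo"},
    {"sha256": "11" * 32, "file": "chrome.exe",       "computer": "lab-03", "user": "cy"},
    {"sha256": "22" * 32, "file": "autodeployer.exe", "computer": "lab-07", "user": "dee"},
    {"sha256": "22" * 32, "file": "autodeployer.exe", "computer": "lab-07", "user": "dee"},
    {"sha256": "33" * 32, "file": "svchost.exe",      "computer": "lab-04", "user": "eli"},
]

# Constructed global view: how many organizations worldwide executed the file,
# and the threat score out of 100 (None means the file has not been analyzed).
GLOBAL = {
    "11" * 32: {"orgs": 120000, "score": 5},
    "22" * 32: {"orgs": 2,      "score": None},
    "33" * 32: {"orgs": 95000,  "score": 10},
}


def local_prevalence(executions):
    """Map each SHA-256 to the set of distinct local computers that executed it."""
    seen = defaultdict(set)
    for ev in executions:
        seen[ev["sha256"]].add(ev["computer"])
    return seen


def triage(executions, global_info, local_max=2, global_max=10):
    """Return files executed on at most local_max computers here that are also
    rare globally (at most global_max organizations), rarest first. A file with
    no global entry is treated as never seen elsewhere, i.e. the rarest case."""
    names = {ev["sha256"]: ev["file"] for ev in executions}
    hits = []
    for sha, hosts in local_prevalence(executions).items():
        info = global_info.get(sha, {"orgs": 0, "score": None})
        if len(hosts) <= local_max and info["orgs"] <= global_max:
            hits.append({
                "sha256": sha,
                "file": names[sha],
                "local_hosts": sorted(hosts),
                "global_orgs": info["orgs"],
                # No score yet: candidate for the Analyze button in the console.
                "needs_analysis": info["score"] is None,
            })
    return sorted(hits, key=lambda h: (len(h["local_hosts"]), h["global_orgs"]))
```

With the constructed data, only autodeployer.exe (one local host, two organizations globally, unanalyzed) survives the default thresholds; loosening both thresholds brings the widely used files back in at the bottom of the list.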