Cisco AMP


The JSA Cisco AMP content extension adds new custom event properties for Cisco AMP.

Note

The Parent Filename custom property was renamed to Parent Process Name in V1.0.1. If you have V1.0.0 of this extension installed, delete Parent Filename before you upgrade to the latest version.

JSA Cisco AMP Content Extensions

JSA Cisco AMP Content Extension V1.0.1 Entire Pack

The following table shows all of the content that is included in JSA Cisco AMP Content Extension V1.0.1.

Table 1: Overview Of JSA Cisco AMP Content Extension V1.0.1

Name: Addition or modification notes

Archived File Disposition: Introduced in V1.0.0.
Archived File SHA256 Hash: Introduced in V1.0.0.
Computer Name: Introduced in V1.0.0.
Disposition: Introduced in V1.0.0.
EventID: Introduced in V1.0.0.
File Directory: Introduced in V1.0.0.
File Extension: Introduced in V1.0.0.
File Hash: Introduced in V1.0.0.
File Path: Introduced in V1.0.0.
Filename: Introduced in V1.0.0.
MD5 Hash: Introduced in V1.0.0.
Parent Disposition: Introduced in V1.0.0.
Parent Process Name: Introduced in V1.0.0 as Parent Filename. Renamed to Parent Process Name in V1.0.1.
Parent Hash: Introduced in V1.0.0.
Parent MD5: Introduced in V1.0.0.
Parent Process ID: Introduced in V1.0.0.
Parent SHA1 Hash: Introduced in V1.0.0.
Parent SHA256 Hash: Introduced in V1.0.0.
Reference Link: Introduced in V1.0.0.
SHA1 Hash: Introduced in V1.0.0.
SHA256 Hash: Introduced in V1.0.0. Updated in V1.0.1.
Threat name: Introduced in V1.0.0.


JSA Cisco AMP Content Extension V1.0.1

The following table shows the custom properties that are new or updated in JSA Cisco AMP Content Extension V1.0.1.

Table 2: Custom Properties in JSA Cisco AMP Content Extension V1.0.1

Parent Process Name
  Optimized: Yes
  Capture Group: 1
  Regex: "parent":.*?"file_name":\s*\"([^\"]*)"

SHA256 Hash
  Optimized: Yes
  Capture Group: 1
  Regex: "file":.*?"sha256":\s*\"([^\"]*)"


JSA Cisco AMP Content Extension V1.0.0

The following table shows the custom properties in the JSA Cisco AMP V1.0.0 content extension.

Table 3: Custom Properties in Cisco AMP V1.0.0 Content Extension

Archived File Disposition
  Optimized: No
  Capture Group: 1
  Regex: "archived_file":.*?"disposition":\s*\"([^\"]*)"

Archived File SHA256 Hash
  Optimized: No
  Capture Group: 1
  Regex: "archived_file":.*?"sha256":\s*\"([^\"]*)"

Computer Name
  Optimized: No
  Capture Group: 1
  Regex: "hostname":\s*"([^\"]*)

Disposition
  Optimized: No
  Capture Group: 1
  Regex: "file":.*?"disposition":\s*\"([^\"]*)"

EventID
  Optimized: No
  Capture Group: 1
  Regex: "event_type_id":\s*(\d*)

File Directory (two regexes)
  Optimized: Yes
  Capture Group: 1
  Regex: "file":.*?"file_path":\s*\"([^\"]*)(?:\\|\/)[^\\\/]*"
  Optimized: Yes
  Capture Group: 1
  Regex: "description":"([^\"]*)(?:\\|\/)[^\\\/]*"

File Extension
  Optimized: Yes
  Capture Group: 1
  Regex: "file":.*?"file_name":\s*\"[^\"\.]*\.([^\"]*)"

File Hash
  Optimized: Yes
  Capture Group: 1
  Regex: "file":.*?"(?:sha256|sha1|md5)":\s*\"([^\"]*)"

File Path (two regexes)
  Optimized: No
  Capture Group: 1
  Regex: "description":"(.*?)"
  Optimized: No
  Capture Group: 1
  Regex: "file":.*?"file_path":\s*\"([^\"]*)"

Filename (two regexes)
  Optimized: Yes
  Capture Group: 1
  Regex: "file":.*?"file_name":\s*\"([^\"]*)"
  Optimized: Yes
  Capture Group: 1
  Regex: "description":"(?:.*|\\)\\(.*?)"

MD5 Hash
  Optimized: No
  Capture Group: 1
  Regex: "file":.*?"md5":\s*\"([^\"]*)"

Parent Disposition
  Optimized: No
  Capture Group: 1
  Regex: "parent":.*?"disposition":\s*\"([^\"]*)"

Parent Filename
  Optimized: No
  Capture Group: 1
  Regex: "parent":.*?"file_name":\s*\"([^\"]*)"

Parent Hash
  Optimized: No
  Capture Group: 1
  Regex: "parent":.*?"(?:sha256|sha1|md5)":\s*\"([^\"]*)"

Parent MD5
  Optimized: No
  Capture Group: 1
  Regex: "parent":.*?"md5":\s*\"([^\"]*)"

Parent Process ID
  Optimized: No
  Capture Group: 1
  Regex: "parent":.*?"process_id":\s*(\d*)

Parent SHA1 Hash
  Optimized: No
  Capture Group: 1
  Regex: "parent":.*?"sha1":\s*\"([^\"]*)"

Parent SHA256 Hash
  Optimized: No
  Capture Group: 1
  Regex: "parent":.*?"sha256":\s*\"([^\"]*)"

Reference Link
  Optimized: No
  Capture Group: 1
  Regex: "trajectory":"([^\"]*)\",

SHA1 Hash
  Optimized: No
  Capture Group: 1
  Regex: "file":.*?"sha1":\s*\"([^\"]*)"

SHA256 Hash
  Optimized: No
  Capture Group: 1
  Regex: "file":.*?"sha256":\s*\"([^\"]*)"

Threat name
  Optimized: Yes
  Capture Group: 1
  Regex: "detection":\s*"([^\"]*)
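The regexes in the tables above run against the raw event text, and capture group 1 becomes the property value. As an added example (not part of the JSA documentation or of the extension itself), the following Python applies a subset of the Table 3 regexes to a constructed Cisco AMP-style event; the event layout, hostname, hashes and path are assumptions made for this example.

```python
import json
import re

# Capture-group-1 regexes copied verbatim from Table 3 (V1.0.0 definitions).
PROPERTY_REGEXES = {
    "Computer Name":       r'"hostname":\s*"([^\"]*)',
    "Disposition":         r'"file":.*?"disposition":\s*\"([^\"]*)"',
    "EventID":             r'"event_type_id":\s*(\d*)',
    "File Directory":      r'"file":.*?"file_path":\s*\"([^\"]*)(?:\\|\/)[^\\\/]*"',
    "File Extension":      r'"file":.*?"file_name":\s*\"[^\"\.]*\.([^\"]*)"',
    "Filename":            r'"file":.*?"file_name":\s*\"([^\"]*)"',
    "SHA256 Hash":         r'"file":.*?"sha256":\s*\"([^\"]*)"',
    "Parent Process Name": r'"parent":.*?"file_name":\s*\"([^\"]*)"',
    "Parent Process ID":   r'"parent":.*?"process_id":\s*(\d*)',
    "Parent SHA256 Hash":  r'"parent":.*?"sha256":\s*\"([^\"]*)"',
    "Threat name":         r'"detection":\s*"([^\"]*)',
}

def build_event(file_sha256=None):
    """Constructed Cisco AMP-style event as raw JSON text (sample data written
    for this example, not a real capture).  With file_sha256=None the file-level
    hash is omitted and only the nested parent object carries a sha256."""
    file_obj = {
        "disposition": "Malicious",
        "file_name": "payload.exe",
        "file_path": "C:\\Users\\alice\\Downloads\\payload.exe",
        "parent": {"disposition": "Clean", "file_name": "explorer.exe",
                   "process_id": 4242, "sha256": "c" * 64},
    }
    if file_sha256 is not None:
        file_obj = {"sha256": file_sha256, **file_obj}
    return json.dumps({
        "event_type_id": 1090519054,
        "detection": "W32.Constructed.Sample",
        "computer": {"hostname": "WS-EXAMPLE-01"},
        "file": file_obj,
    })

def extract_properties(event_text):
    """Apply each regex to the raw event text, as a JSA custom property does,
    and return {property name: capture group 1, or None when unmatched}.
    Note that the regexes see JSON escapes undecoded (e.g. doubled backslashes),
    and a pattern like "file":.*?"sha256": takes the first sha256 key after
    "file":, which is the parent's when the file object has none."""
    result = {}
    for name, regex in PROPERTY_REGEXES.items():
        match = re.search(regex, event_text)
        result[name] = match.group(1) if match else None
    return result
```

Comparing the output for an event with and without a file-level sha256 shows why a missing field in the source object can silently populate a property from the nested parent object, which matters when the SHA256 Hash property feeds a reference set or rule.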
