Cisco AMP
The JSA Cisco AMP content extension adds new custom event properties for Cisco AMP.
The Parent Filename custom property was renamed to Parent Process Name in V1.0.1. If you have V1.0.0 of this extension installed, delete the Parent Filename property before you upgrade to the latest version.
JSA Cisco AMP Content Extensions
JSA Cisco AMP Content Extension V1.0.1 Entire Pack
The following table shows all of the content that is included in JSA Cisco AMP Content Extension V1.0.1.
Table 1: Overview Of JSA Cisco AMP Content Extension V1.0.1
Name | Addition or modification notes |
---|---|
Archived File Disposition | Introduced in V1.0.0. |
Archived File SHA256 Hash | Introduced in V1.0.0. |
Computer Name | Introduced in V1.0.0. |
Disposition | Introduced in V1.0.0. |
EventID | Introduced in V1.0.0. |
File Directory | Introduced in V1.0.0. |
File Extension | Introduced in V1.0.0. |
File Hash | Introduced in V1.0.0. |
File Path | Introduced in V1.0.0. |
Filename | Introduced in V1.0.0. |
MD5 Hash | Introduced in V1.0.0. |
Parent Disposition | Introduced in V1.0.0. |
Parent Process Name | Introduced in V1.0.0 as Parent Filename. Renamed to Parent Process Name in V1.0.1. |
Parent Hash | Introduced in V1.0.0. |
Parent MD5 | Introduced in V1.0.0. |
Parent Process ID | Introduced in V1.0.0. |
Parent SHA1 Hash | Introduced in V1.0.0. |
Parent SHA256 Hash | Introduced in V1.0.0. |
Reference Link | Introduced in V1.0.0. |
SHA1 Hash | Introduced in V1.0.0. |
SHA256 Hash | Introduced in V1.0.0. Updated in V1.0.1. |
Threat name | Introduced in V1.0.0. |
JSA Cisco AMP Content Extension V1.0.1
The following table shows the custom properties that are new or updated in JSA Cisco AMP Content Extension V1.0.1.
Table 2: Custom Properties in JSA Cisco AMP Content Extension V1.0.1
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Parent Process Name | Yes | 1 | "parent":.*?"file_name":\s*\"([^\"]*)" |
SHA256 Hash | Yes | 1 | "file":.*?"sha256":\s*\"([^\"]*)" |
JSA Cisco AMP Content Extension V1.0.0
The following table shows the custom properties in the JSA Cisco AMP V1.0.0 content extension.
Table 3: Custom Properties in Cisco AMP V1.0.0 Content Extension
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Archived File Disposition | No | 1 | "archived_file":.*?"disposition":\s*\"([^\"]*)" |
Archived File SHA256 Hash | No | 1 | "archived_file":.*?"sha256":\s*\"([^\"]*)" |
Computer Name | No | 1 | "hostname":\s*"([^\"]*) |
Disposition | No | 1 | "file":.*?"disposition":\s*\"([^\"]*)" |
EventID | No | 1 | "event_type_id":\s*(\d*) |
File Directory | Yes | 1 | "file":.*?"file_path":\s*\"([^\"]*)(?:\\|\/)[^\\\/]*" |
File Directory | Yes | 1 | "description":"([^\"]*)(?:\\|\/)[^\\\/]*" |
File Extension | Yes | 1 | "file":.*?"file_name":\s*\"[^\"\.]*\.([^\"]*)" |
File Hash | Yes | 1 | "file":.*?"(?:sha256|sha1|md5)":\s*\"([^\"]*)" |
File Path | No | 1 | "description":"(.*?)" |
File Path | No | 1 | "file":.*?"file_path":\s*\"([^\"]*)" |
Filename | Yes | 1 | "file":.*?"file_name":\s*\"([^\"]*)" |
Filename | Yes | 1 | "description":"(?:.*|\\)\\(.*?)" |
MD5 Hash | No | 1 | "file":.*?"md5":\s*\"([^\"]*)" |
Parent Disposition | No | 1 | "parent":.*?"disposition":\s*\"([^\"]*)" |
Parent Filename | No | 1 | "parent":.*?"file_name":\s*\"([^\"]*)" |
Parent Hash | No | 1 | "parent":.*?"(?:sha256|sha1|md5)":\s*\"([^\"]*)" |
Parent MD5 | No | 1 | "parent":.*?"md5":\s*\"([^\"]*)" |
Parent Process ID | No | 1 | "parent":.*?"process_id":\s*(\d*) |
Parent SHA1 Hash | No | 1 | "parent":.*?"sha1":\s*\"([^\"]*)" |
Parent SHA256 Hash | No | 1 | "parent":.*?"sha256":\s*\"([^\"]*)" |
Reference Link | No | 1 | "trajectory":"([^\"]*)\", |
SHA1 Hash | No | 1 | "file":.*?"sha1":\s*\"([^\"]*)" |
SHA256 Hash | No | 1 | "file":.*?"sha256":\s*\"([^\"]*)" |
Threat name | Yes | 1 | "detection":\s*"([^\"]*) |
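As an added example (not part of the extension or of the Juniper documentation), the following Python script applies a subset of the regexes from the tables above to a constructed, single-line Cisco AMP-style event, the way JSA applies a custom event property to a raw payload. The event's field layout (a `file` object holding `identity` and `parent` sub-objects) and every sample value are assumptions made for this example. It also shows why patterns of the form `"file":.*?"sha256"` are order-sensitive: the non-greedy `.*?` stops at the first `sha256` key that follows `"file":`, so if a parent object is serialized before the file's own identity block, the parent hash is captured as the file hash.

```python
import json
import re
from typing import Optional

# Regexes copied from the content-extension tables above (capture group 1 in each case).
PROPERTY_REGEXES = {
    "Computer Name": r'"hostname":\s*"([^\"]*)',
    "EventID": r'"event_type_id":\s*(\d*)',
    "Threat name": r'"detection":\s*"([^\"]*)',
    "Disposition": r'"file":.*?"disposition":\s*\"([^\"]*)"',
    "File Directory": r'"file":.*?"file_path":\s*\"([^\"]*)(?:\\|\/)[^\\\/]*"',
    "File Extension": r'"file":.*?"file_name":\s*\"[^\"\.]*\.([^\"]*)"',
    "File Hash": r'"file":.*?"(?:sha256|sha1|md5)":\s*\"([^\"]*)"',
    "SHA256 Hash": r'"file":.*?"sha256":\s*\"([^\"]*)"',
    "Parent Process Name": r'"parent":.*?"file_name":\s*\"([^\"]*)"',
    "Parent Process ID": r'"parent":.*?"process_id":\s*(\d*)',
    "Parent SHA256 Hash": r'"parent":.*?"sha256":\s*\"([^\"]*)"',
}


def make_event(parent_first: bool = False) -> str:
    """Build a constructed, single-line Cisco AMP-style event (not a real capture).

    The nesting (file -> identity / parent) and all values are assumptions made
    for this example. With parent_first=True the parent object is serialized
    before the file's own identity block, which changes what non-greedy
    "file":.*? patterns capture.
    """
    file_obj = {
        "disposition": "Malicious",
        "file_name": "dropper.app.zip",
        "file_path": "/Users/alice/Downloads/dropper.app.zip",
    }
    identity = {"sha256": "a" * 64, "sha1": "b" * 40, "md5": "c" * 32}
    parent = {
        "process_id": 4242,
        "disposition": "Clean",
        "file_name": "launchd",
        "identity": {"sha256": "d" * 64},
    }
    if parent_first:
        file_obj["parent"] = parent
        file_obj["identity"] = identity
    else:
        file_obj["identity"] = identity
        file_obj["parent"] = parent
    event = {
        "event_type_id": 1090519054,
        "detection": "OSX.Example.Dropper",
        "hostname": "mac-alice-01",
        "file": file_obj,
    }
    # Compact separators mimic a single-line payload as it would arrive over syslog.
    return json.dumps(event, separators=(",", ":"))


def extract(event: str, name: str) -> Optional[str]:
    """Apply one custom-property regex to a raw event and return capture group 1."""
    match = re.search(PROPERTY_REGEXES[name], event)
    return match.group(1) if match else None


def extract_all(event: str) -> dict:
    """Evaluate every property in PROPERTY_REGEXES against a raw event."""
    return {name: extract(event, name) for name in PROPERTY_REGEXES}


def order_sensitive_properties() -> list:
    """Names of properties whose value changes when the parent object precedes
    the file identity block; these are the ones to verify against real events."""
    normal = extract_all(make_event(parent_first=False))
    swapped = extract_all(make_event(parent_first=True))
    return sorted(name for name in normal if normal[name] != swapped[name])


if __name__ == "__main__":
    for name, value in extract_all(make_event()).items():
        print(f"{name:22} -> {value}")
    print("order-sensitive:", order_sensitive_properties())
```

When validating a custom property in JSA, test it against payloads captured from the actual log source rather than a hand-written sample: for these patterns, key order inside the event decides which object's value the non-greedy match returns, and a `File Hash` property that silently reports the parent's hash would mislead any rule or reference-set lookup built on it.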