topic Re: AMP Identity Persistence in Endpoint Security

AMP Identity Persistence

ITandCoffee — Fri, 21 Feb 2020 05:09:02 GMT

Hi all,

A couple of quick questions regarding identity persistence. When a computer is re-imaged and is not yet joined to our domain, will AMP still identify it using the MAC address and UUID to reinstall the endpoint connector? What about for remote computers that are not on our internal network, but running a VPN? What if their VPN is disabled and they are simply connected to the internet?

Thanks!

Re: AMP Identity Persistence

jesutorr@cisco.com — Thu, 16 May 2019 16:23:46 GMT

Hi,

Thanks for contacting Cisco Community, My name is Uriel Torres from the Advanced Threat Solutions team, You can configure identity persistence as the following.

By policy across policy
By MAC across policy
By policy across business
By MAC across business

I always recommend use:

By policy across the business
By MAC across business

For the first question, if you install AMP in a machine without the domain with the following and this configuration:

Hostname: Machine1

Mac Address: 0e:12:5a:d7:15:11

Identity persistence configuration: Identity persistence by hostname across the business.

Connector UUID: fac4e17e-bf66-4786-94ed-e63ed61033a6

Then if you add the following domain: example.com

You will have the following hostname: Machine1.example.com

Whit this configuration the information will be the following.

Hostname: Machine1.example.com

Mac Address: 0e:12:5a:d7:15:11

Identity persistence configuration: Identity persistence by hostname across business.

Connector UUID: e0857bde-2ce0-4ebd-8eb7-b32b52979c27

As you can see the UUID changes because the hostname has been changed, in this moment you will have 2 different machines registered on the cloud, if we look for a pattern the only concept that is the same is the MAC address, for this situation it will be better have "Identity Persistence By MAC across business"

With the same example of Machine 1 after adding the domain to the hostname even if the UUID changes the computer won't be duplicated because the MAC address will be the same.

**********

About the second inquiry, you can install the AMP connector with a simple internet connection.

Best regards,

Re: AMP Identity Persistence

ITandCoffee — Thu, 16 May 2019 19:18:17 GMT

Thanks for the information Uriel! How does the console find PCs? For example, if a computer is re-imaged and first connects to a network that is not part of our domain, will the console reinstall the endpoint connector? I would imagine not (I would think the machine would need to be connected to our internal network), but I'm just trying to gain a better understanding of how identity persistence works or how/where it scans for PCs.

Thanks again!

Re: AMP Identity Persistence

Troja007 — Mon, 03 Jun 2019 11:43:45 GMT

Hello @ITandCoffee ,

after the feature is enabled in the UI, you can choose how a system is identified again after re-imaging.

Here some more info how the settings are working (copied from the AMP help)

None: Connector logs are not synchronized with new Connector installs under any circumstance.
By MAC Address across Business: New Connectors look for the most recent Connector that has the same MAC address to synchronize with across all policies in the business that have Identity Synchronization set to a value other than None.
By MAC Address across Policy: New Connectors look for the most recent Connector that has the same MAC address to synchronize with within the same policy.
By Host name across Business: New Connectors look for the most recent Connector that has the same host name to synchronize with across all policies in the business that have Identity Synchronization set to a value other than None.
By Host name across Policy: New Connectors look for the most recent Connector that has the same hostname to synchronize with within the same policy.

Hope this gives you some better understanding into the feature.

Cheers,

Thorsten

Re: AMP Identity Persistence

TylerFromPIH — Mon, 03 Feb 2020 20:17:32 GMT

Hello,

To jump on this thread, I am having a similar issue but do not see the "Identity Persistence" option in the policy area, nor do i see an option to enable/disable it. Where can i check to see what identity persistence settings I have, and where can i go to change them?

Re: AMP Identity Persistence

Troja007 — Tue, 04 Feb 2020 16:52:59 GMT

Hello @TylerFromPIH,

this feature is not enabled by default. You have to open a TAC case to enable the feature.

Greetings,

Thorsten