Finding The Most Recent User In AMP (Secure Endpoint)

CJ1470 — Mon, 27 Dec 2021 20:36:11 GMT

I've noticed that you can search by username in AMP and get the devices that the user has logged into (or possibly generated events on). This is also possible in the API. I am wondering if there is any way to do the reverse. Is there any way to find the most recent user of a machine by hostname (preferably from the API) ?

I know in some cases, you can check the "current user" field in recent events, but I have found a machine where all of the events list "current user" as "none". Even though all events say none, if you search by the username associated with that machine, AMP is still able to find that machine. AMP has to be storing this information somewhere, but I can't find any mention of how to access this data.

Any help would be greatly appreciated.

Re: Finding The Most Recent User In AMP (Secure Endpoint)

Troja007 — Wed, 05 Jan 2022 18:01:30 GMT

Hello @CJ1470,

just some thoughts about the user information included in an endpoint event.

You may review the Device Trajectory to see more information
Much activity on the endpoint is not done in the user context
The easiest way is to start an Orbital query using the catalog query: Last Logged on User Monitoring
Orbital provides an API as well, where you can generate a job querying all your endpoints.

Greetings,
Thorsten

topic Re: Finding The Most Recent User In AMP (Secure Endpoint) in Endpoint Security

Finding The Most Recent User In AMP (Secure Endpoint)

Re: Finding The Most Recent User In AMP (Secure Endpoint)