Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2880
Views
5
Helpful
1
Replies

Finding The Most Recent User In AMP (Secure Endpoint)

CJ1470
Level 1
Level 1

‎12-27-2021 12:36 PM

I've noticed that you can search by username in AMP and get the devices that the user has logged into (or possibly generated events on). This is also possible in the API. I am wondering if there is any way to do the reverse. Is there any way to find the most recent user of a machine by hostname (preferably from the API) ?

 

I know in some cases, you can check the "current user" field in recent events, but I have found a machine where all of the events list "current user" as "none". Even though all events say none, if you search by the username associated with that machine, AMP is still able to find that machine. AMP has to be storing this information somewhere, but I can't find any mention of how to access this data.

 

Any help would be greatly appreciated.

1 Reply 1

Troja007
Cisco Employee
Cisco Employee

‎01-05-2022 09:58 AM - edited ‎01-05-2022 10:01 AM

Hello @CJ1470,

just some thoughts about the user information included in an endpoint event.

  • You may review the Device Trajectory to see more information
  • Much activity on the endpoint is not done in the user context
  • The easiest way is to start an Orbital query using the catalog query: Last Logged on User Monitoring
    Orbital provides an API as well, where you can generate a job querying all your endpoints.

Greetings,
Thorsten

Preview file
159 KB
0 Helpful
Customers Also Viewed These Support Documents