Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1007
Views
0
Helpful
3
Replies

How to query one group in AMP for an IP Address

tom.power1
Level 1
Level 1

‎06-10-2022 10:35 AM

Hi,

In response to a security incident, I would like to query one group of endpoints in AMP (Secure Endpoint) for network connections to a specific IP address.

 

How can I do that in Orbital?


Thanks for your time.

Have a great day.
T

Labels:
0 Helpful
3 Replies 3

nazi.farhadi3171
Level 1
Level 1

‎06-15-2022 10:58 PM - edited ‎06-16-2022 09:39 PM

Thanks for the information, keep sharing this type of info  Marriott Global Source Login

0 Helpful

JennieZhang
Cisco Employee
Cisco Employee

‎07-04-2022 09:18 AM

hello,

as per my understanding, you have an IP address and you want to find out which endpoints has connected to that IP address, is my understanding correct?

have you tried using Threat Response to investigate the IP address?

https://visibility.apjc.amp.cisco.com/

Threat response can investigate on IP addresses, domains, URLs... you can open Threat Response and paste the IP address in the top field and then click 'investigate'.

 

0 Helpful

Troja007
Cisco Employee
Cisco Employee

‎07-07-2022 12:46 AM

Hello @tom.power1 ,
if I understand right, you want to query a group... e.g. like, select a group of endpoints defined in Secure Endpoint, and starting a query for these endpoint only, right?

If I´m not totally wrong, some work is done in this direction. You may ping your Cisco representative for an official statement.

Greetings,
Thorsten

0 Helpful
Customers Also Viewed These Support Documents