05-19-2022 02:31 AM
hi there,
I've enrolled some computers in AMP and now want to "link" computers to users. I've checked the documentation and I haven't found any possible solution.
When I go into Insights in SecureX and look at the device, I see a field "Associated user" which is empty. So it seems there must be a way to "associate" the computer with a user.
thanks in advance
rgds
Giovanni
05-19-2022 03:05 AM - edited 05-19-2022 10:14 PM
Endpoint security is the practice of securing endpoints or entry points of end-user devices such as desktops, laptops, and mobile devices from being exploited by malicious actors and campaigns. Endpoint security systems protect these endpoints on a network or in the cloud from cybersecurity threats.
05-19-2022 04:44 AM
05-19-2022 05:30 AM
I do have Secure Endpoint Advantage.
Would you please give some more hints on how to get this info from Orbital?
txs
ciao
Giovanni
05-19-2022 06:09 AM
05-20-2022 07:50 AM
Hello @ggadaleta
I do have Device Insights enabled with the sources from Cisco Secure Endpoint and Cisco Orbital enabled.
What I am seeing is that the Associated User field is populated from the deduplicated results of the following two Orbital queries:
SELECT username as localUsername FROM users where type == "local";
SELECT user as loggedInUser FROM logged_in_users where user != "";
The Associated User field is not carried over into the Cisco Secure Endpoint console, and there is no quick link between the Device Trajectory page and the Device Insights page. There is neither a pivot menu option nor a Ribbon option to move to the Device Insights information for that hostname or IP address.
Assuming that the host is online, it would be easier to just hit the "Orbital Query" button from the Device Trajectory page and enter a query for gathering user information, or to use Orbital in the Ribbon (clicking "Get Endpoints" and selecting a query for user information), than to jump out to SecureX, select "Insights" and then search for the hostname.
Hopefully a future release of the Cisco Secure Endpoint console will include some better options for utilizing the Device Insights information.
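The population rule described above, as an added example that is not from the thread or from Cisco: the two Orbital queries are run against constructed sample tables in SQLite (the dialect osquery and Orbital speak), and the results are merged and deduplicated into the Associated User list. The table rows, helper names, and the single-quoted literal form are assumptions; the thread's double-quoted literals are accepted by osquery but are less portable.

```python
import sqlite3

# The two Device Insights queries from the thread, with single-quoted literals
# (osquery accepts the thread's double-quoted form; this form is portable).
LOCAL_USERS_QUERY = "SELECT username AS localUsername FROM users WHERE type == 'local';"
LOGGED_IN_QUERY = "SELECT user AS loggedInUser FROM logged_in_users WHERE user != '';"

# Constructed sample rows standing in for the osquery 'users' and
# 'logged_in_users' tables on a Windows host (not data from a real endpoint).
SAMPLE_USERS = [
    ("Administrator", "local"),
    ("svc_backup", "local"),
    ("CORP\\jdoe", "roaming"),      # domain account: not 'local', so query 1 skips it
]
SAMPLE_LOGGED_IN = [
    ("CORP\\jdoe", "active"),       # domain user with a session: picked up by query 2
    ("svc_backup", "disconnected"), # already a local user: must not be listed twice
    ("", "listen"),                 # session row with no user: filtered by the query
]


def build_host_snapshot():
    """In-memory SQLite DB mimicking the two osquery tables the queries read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, type TEXT)")
    conn.execute("CREATE TABLE logged_in_users (user TEXT, type TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO logged_in_users VALUES (?, ?)", SAMPLE_LOGGED_IN)
    return conn


def associated_users(conn):
    """Run both queries and merge them as the thread describes: the union of
    local accounts and logged-in users, deduplicated, first-seen order kept."""
    seen = []
    for query in (LOCAL_USERS_QUERY, LOGGED_IN_QUERY):
        for (name,) in conn.execute(query):
            if name not in seen:
                seen.append(name)
    return seen


if __name__ == "__main__":
    print(associated_users(build_host_snapshot()))
```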
05-20-2022 08:07 AM
Here is the current list of Orbital queries that Device Insights uses for reference.
-- users
SELECT username AS localUsername FROM users WHERE type == "local";
-- logged_in_users
SELECT user AS loggedInUser FROM logged_in_users WHERE user != "";
-- time
SELECT timezone, local_timezone FROM time;
-- certificates
SELECT common_name, subject, issuer, ca FROM certificates;
-- registry
SELECT firewall AS "firewall", autoupdate AS "autoupdate", antivirus AS "antivirus", antispyware AS "antispyware", internet_settings AS "internet_settings", windows_security_center_service AS "windows_security_center_service", (SELECT CASE WHEN DATA = 1 THEN "Good" ELSE "Poor" END AS user_account_control FROM registry WHERE PATH = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA") AS "user_account_control" FROM windows_security_center;
-- windows_security_products
SELECT * FROM windows_security_products;
-- bitlocker_info
SELECT * FROM bitlocker_info;
-- Win32_DeviceGuard
SELECT AvailableSecurityProperties, CodeIntegrityPolicyEnforcementStatus, RequiredSecurityProperties, SecurityServicesConfigured, SecurityServicesRunning, UsermodeCodeIntegrityPolicyEnforcementStatus, VirtualizationBasedSecurityStatus FROM Win32_DeviceGuard;
-- drivers
SELECT device_id, device_name, description, provider, signed FROM drivers;
-- registry
SELECT key AS reg_key, path, name, data, DATETIME(mtime, "unixepoch", "UTC") FROM registry WHERE (key LIKE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sharedaccess\parameters\firewallpolicy\%profile" OR key LIKE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sharedaccess\parameters\firewallpolicy\%profile" OR key LIKE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\%profile" OR key LIKE "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\%profile") AND name LIKE "EnableFirewall";
-- system_info
SELECT uuid, hostname, hardware_vendor, hardware_model, hardware_version, hardware_serial, computer_name, local_hostname FROM system_info;
-- registry
SELECT name, key, data FROM registry WHERE key LIKE "HKEY_CLASSES_ROOT\Installer\Products\%%" AND (data LIKE "%%DUO%%" OR data LIKE "%%AMP%%" OR data LIKE "%%AnyConnect%%");
-- registry
SELECT SUBSTR(data, -24, 24) AS sid FROM registry WHERE key = "HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account" AND name == "V";
05-20-2022 08:46 AM