Why am I receiving timeout messages when I conduct queries in Cisco Threat Response (CTR)?
I see, "2 of 3 enrichments complete with 1 Alert"
When I open the alert, it says, "There was a timeout in the 'AMP for Endpoints' module. Retrieved 55 computers, processed AMP events from 10 of 55 computers."
This may happen occasionally on large AMP deployments. Here's what's happening: CTR implements a 60-second limit for all enrichments, and will wait for that period of time to retrieve results from any enrichment, including AMP, Umbrella, etc. What the error message above communicates is that one or more of the investigated observables were seen on 55 computers, but AMP only returned details for 10 of them before the window expired.
We are exploring a model for long-running enrichments returning progressive results. CTR will also truncate results to a maximum number of sightings per observable per module. As our integrating products' APIs become more performant and tuned to CTR use cases, we will continue to expand the scope of what CTR is capable of ingesting, aggregating, and displaying to the user.
For exhaustive information during an investigation, go to the original sources. In this case, since you know which observable had the hits and timed out, you can easily pivot on that observable into AMP.
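The timeout-and-partial-results behaviour the answer describes, as an added Python example that is not CTR's or Cisco's code: it fans out hypothetical enrichment modules, stops waiting once a deadline passes, keeps whatever each module managed to process, caps the sightings kept per module, and produces a headline and alert text in the style of the message quoted in the question. The module names, host counts, per-host delays and the sighting cap are constructed assumptions; the only value taken from the answer is the 60-second limit.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor, wait
from dataclasses import dataclass, field

# Per-enrichment wall-clock limit stated in the answer above.
ENRICHMENT_TIMEOUT_SECONDS = 60
# The answer says results are capped per observable per module but gives no number;
# 100 is an assumed placeholder for this example.
MAX_SIGHTINGS_PER_MODULE = 100


@dataclass
class Progress:
    """Counters a module updates as it runs, so partial work survives a timeout."""
    total: int = 0
    processed: int = 0
    sightings: list = field(default_factory=list)


@dataclass
class EnrichmentResult:
    module: str
    complete: bool
    total: int
    processed: int
    sightings: list


def simulated_module(progress, stop, hosts, seconds_per_host):
    """Hypothetical enrichment module: walks a constructed list of hosts, one per seconds_per_host."""
    progress.total = hosts
    for host_index in range(hosts):
        if stop.is_set():          # the coordinator stopped waiting; leave the counters as they are
            return
        time.sleep(seconds_per_host)
        progress.sightings.append({"host": f"host-{host_index}", "observable": "example-observable"})
        progress.processed += 1


def run_enrichments(modules, timeout_seconds=ENRICHMENT_TIMEOUT_SECONDS,
                    max_sightings=MAX_SIGHTINGS_PER_MODULE):
    """Run every module concurrently, wait at most timeout_seconds, report partial results for stragglers."""
    stop = threading.Event()
    progress = {name: Progress() for name in modules}
    executor = ThreadPoolExecutor(max_workers=len(modules))
    futures = {name: executor.submit(fn, progress[name], stop) for name, fn in modules.items()}
    # Only futures finished inside the window count as complete, even if they return later.
    done, _ = wait(futures.values(), timeout=timeout_seconds)
    stop.set()                      # ask unfinished modules to stop at their next check
    executor.shutdown(wait=True)    # join the threads so the counters read below are stable
    results = []
    for name, fut in futures.items():
        complete = fut in done and fut.exception() is None
        p = progress[name]
        results.append(EnrichmentResult(name, complete, p.total, p.processed, p.sightings[:max_sightings]))
    return results


def summarize(results):
    """Headline counts plus one alert per module that did not finish in time."""
    alerts = [
        f"There was a timeout in the '{r.module}' module. Retrieved {r.total} computers, "
        f"processed events from {r.processed} of {r.total} computers."
        for r in results if not r.complete
    ]
    n_complete = sum(1 for r in results if r.complete)
    return n_complete, len(results), alerts


def demo(timeout_seconds=0.3):
    """Constructed scenario: a fast module and a slow one that cannot finish inside the window."""
    modules = {
        "Umbrella": lambda p, stop: simulated_module(p, stop, hosts=3, seconds_per_host=0.01),
        "AMP for Endpoints": lambda p, stop: simulated_module(p, stop, hosts=55, seconds_per_host=0.02),
    }
    return run_enrichments(modules, timeout_seconds)


if __name__ == "__main__":
    results = demo()
    n_complete, n_total, alerts = summarize(results)
    print(f"{n_complete} of {n_total} enrichments complete with {len(alerts)} Alert(s)")
    for alert in alerts:
        print(alert)
```

The point for anyone building their own enrichment layer is in `run_enrichments`: completeness is judged by the set returned from `wait`, not by `fut.done()` afterwards, because a module that honours the stop signal returns shortly after the deadline and would otherwise look complete with only partial data.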