"There was a timeout in the 'AMP for Endpoints' module" in Cisco Threat Response


Question

Why am I receiving timeout messages when I conduct queries in Cisco Threat Response (CTR)?

I see, "2 of 3 enrichments complete with 1 Alert"


When I open the alert, it says, "There was a timeout in the 'AMP for Endpoints' module. Retrieved 55 computers, processed AMP events from 10 of 55 computers."

Answer

This may happen occasionally on large AMP deployments. Here's what's happening: CTR implements a 60-second limit for all enrichments, and will wait for that period of time to retrieve results from any enrichment, including AMP, Umbrella, etc. We are exploring a model for long-running enrichments returning progressive results. CTR will also truncate results to a maximum number of sightings per observable per module. As our integrated products' APIs become more performant and tuned to CTR use cases, we will continue to expand the scope of what CTR is capable of ingesting, aggregating, and displaying to the user.
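
To make the behaviour described in the answer concrete, here is an added simulation (not Cisco code, and not CTR's real API) of how a fixed per-enrichment deadline and a per-module sightings cap produce partial results and the "N of M enrichments complete" banner. The module names other than AMP and Umbrella, the page delays, the sightings cap value and the short demo timeout are all constructed for the example.

```python
import asyncio
from dataclasses import dataclass, field

ENRICHMENT_TIMEOUT_S = 60   # CTR's per-enrichment limit, as stated in the answer
SIGHTINGS_CAP = 100         # placeholder: the page gives no number for this cap

@dataclass
class EnrichmentResult:
    module: str
    sightings: list = field(default_factory=list)
    timed_out: bool = False
    truncated: bool = False

async def _query_module(name, pages, page_delay, sink):
    """Stand-in for a module API (AMP, Umbrella, ...) that pages through results.
    Results are appended as they arrive, so a timeout still leaves partial data."""
    for page in range(pages):
        await asyncio.sleep(page_delay)
        sink.append(f"{name}:sighting-{page}")

async def _enrich(modules, timeout, cap):
    results, tasks = {}, {}
    for name, pages, page_delay in modules:
        results[name] = EnrichmentResult(module=name)
        tasks[name] = asyncio.create_task(
            _query_module(name, pages, page_delay, results[name].sightings))
    # Wait at most `timeout` for every enrichment, as CTR does (60 s in production).
    _done, pending = await asyncio.wait(tasks.values(), timeout=timeout)
    for task in pending:
        task.cancel()
    await asyncio.gather(*pending, return_exceptions=True)
    for name, task in tasks.items():
        r = results[name]
        r.timed_out = task in pending
        if len(r.sightings) > cap:           # per-observable, per-module truncation
            del r.sightings[cap:]
            r.truncated = True
    return results

def investigate(modules, timeout=ENRICHMENT_TIMEOUT_S, cap=SIGHTINGS_CAP):
    """Run all enrichments for one observable; returns {module: EnrichmentResult}."""
    return asyncio.run(_enrich(modules, timeout, cap))

def summarize(results):
    """Build the banner CTR shows, e.g. '2 of 3 enrichments complete with 1 Alert'."""
    alerts = sum(r.timed_out for r in results.values())
    return f"{len(results) - alerts} of {len(results)} enrichments complete with {alerts} Alert"

if __name__ == "__main__":
    # Constructed scenario: AMP pages through 55 computers too slowly for the deadline.
    demo = [("Umbrella", 5, 0.01), ("AMP for Endpoints", 55, 0.05), ("OtherModule", 2, 0.01)]
    res = investigate(demo, timeout=0.5, cap=3)
    print(summarize(res))
    for r in res.values():
        print(r.module, len(r.sightings), "timed_out" if r.timed_out else "", "truncated" if r.truncated else "")
```

The AMP result keeps whatever pages arrived before the deadline, which is why the alert can report events from only 10 of 55 computers.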

Workaround

For exhaustive information during an investigation, go to the original sources. In this case, since you know which observable had the hits and timed out, you can easily pivot on that observable into AMP.