Why am I receiving timeout messages when I conduct queries in Cisco Threat Response (CTR)?
I see, "2 of 3 enrichments complete with 1 Alert"
When I open the alert, it says, "There was a timeout in the 'AMP for Endpoints' module. Retrieved 55 computers, processed AMP events from 10 of 55 computers."
This may happen occasionally on large AMP deployments. Here's what's happening: CTR implements a 60-second limit for all enrichments, and will wait for that period of time to retrieve results from any enrichment, including AMP, Umbrella, etc. We are exploring a model for long-running enrichments returning progressive results. CTR will also truncate results to a maximum number of sightings per observable per module. As our integrating products' APIs become more performant and tuned to CTR use cases, we will continue to expand the scope of what CTR is capable of ingesting, aggregating, and displaying to the user.
For exhaustive information during an investigation, go to the original sources. In this case, since you know which observable had the hits and timed out, you can easily pivot on that observable into AMP.