When I run a search in the AMP4E console, I get results showing that a file was encountered recently by a number of hosts in my environment. When I do the same search in Cisco Threat Response (CTR), no targets are returned, and I get the error message:
"There was a client error in the AMP module: API client does not have write access"
Why is this and how can I fix it?
This condition is likely due to the combination of an AMP API key that is set as read-only and an AMP module in CTR that is set to "Act in the Name of the Active User". When CTR calls AMP for results, a dynamic API key is created using your native credentials, and that key lacks the privileges to find hosts in the AMP environment.
You can either:
1. Disable the setting "Act in the Name of the Active User", and you should see all the hosts you're expecting in your query, or
If you are just starting with Threat Response for the first time, use our quick start guides for Umbrella, Email Security, or Firepower. You can also check out our module configuration videos on YouTube and the in-product configuration details.
If you own AMP for Endpoints, you can manage users within the AMP dashboard. If you have other Cisco products, you can manage users at https://castle.amp.cisco.com/my/users.