Question
Why am I receiving timeout messages when I conduct queries in Cisco Threat Response (CTR)?
I see, "2 of 3 enrichments complete with 1 Alert"
When I open the alert, it says, "There was a timeout in the 'AMP for Endpoints' module. Retrieved 55 computers, processed AMP events from 10 of 55 computers."
![]()
Answer
This may happen occasionally on large AMP deployments. Here's what's happening: CTR implements a 60 second limit for all enrichments, and will wait for that period of time to retrieve results from any enrichment, including AMP, Umbrella, etc.
What the error message above communicates is that one or more of the investigated observables were seen on 55 computers, but AMP only returned details for 10 of them before the window expired.
We are exploring a model for long-running enrichments returning progressive results. CTR will also truncate results to a maximum number of sightings per observable per module. As our integrating products APIs become more performant and tuned to CTR use cases, we will continue to expand the scope of what CTR is capable of ingesting, aggregating, and displaying to the user.
Workaround
For exhaustive information during an investigation, go to the original sources. In this case, since you know which observable had the hits, and timed out, you can easily pivot on that observable into AMP.
