diddly
Cisco Employee

Question

When I run a search in the AMP4E console, I get results showing that a file was encountered recently by a number of hosts in my environment. When I do the same search in Cisco Threat Response (CTR), no targets are returned, and I get the error message:

 

"There was a client error in the AMP module: API client does not have write access [403]"

Why is this and how can I fix it?

Answer

This condition is likely caused by an AMP API key that is set as read-only, combined with the AMP module in CTR being set to "Act in the Name of the Active User". When CTR calls AMP for results, a dynamic API key is created using your native credentials, and that key lacks the privileges to find hosts in the AMP environment.

Workaround

You can either:

1. Disable the setting "Act in the Name of the Active User", and you should see all the hosts you're expecting in your query, or

2. Change your AMP API key to read/write.
