Understand Update Events in Secure Endpoint for Group Deletions

Available Languages

Download Options

  • PDF     (149.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (241.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (116.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 24, 2024
Document ID:222489

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how Secure Endpoint audit logs recorded both update and delete events when empty groups were deleted.

    Problem

    The update events in this image display a new group ID for machines or workstations, even though these workstations are not visible on the AMP console computer page. These update events are associated with the user email of the person who logged in to perform the deletion, which could lead to client confusion about what occurred. In some cases, 30-40 update events can be generated after deleting an empty group.

    Update and Delete Events Generated on Audit Log

    Solution

    This is an expected behavior. The machine or computer hostnames seen in the audit log update events during the deletion of empty groups belong to devices that were once part of those groups but are now inactive. These machines were automatically removed from the console after 90 days of inactivity, but they remained part of the group in the backend.

    When the group is deleted, these inactive machines are moved to the default group, which triggers the update events. Unfortunately, since these computers are inactive, they do not appear in the console, which is why they cannot be found when searching under computers.

    To obtain a complete list of inactive machines that are still assigned to a group, you need to reach out to the TAC, as this information cannot be retrieved via the Secure Endpoint portal.

    Revision History

    Revision Publish Date Comments
    1.0
    24-Oct-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Ajay Raj
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products