A security analyst discovers that an endpoint was infected by a file that initially received a 'clean' disposition from Cisco AMP. The analyst needs to identify all other endpoints that executed the same file and examine their trajectory. Which approach should be used to find these endpoints in the AMP console?
Searching by SHA-256 provides a list of all endpoints that have encountered the file, enabling trajectory analysis.
Why this answer
Option A is correct because Cisco AMP maintains a global file disposition database that maps SHA-256 hashes to all endpoints that have ever executed or stored that file. By searching for the file's SHA-256 hash in the AMP console, the analyst can instantly retrieve a list of all endpoints with that file, including those that received a 'clean' disposition before the file was later classified as malicious. This leverages AMP's cloud-based telemetry and file reputation system, enabling rapid identification of all affected systems without requiring additional scans or manual correlation.
Exam trap
Cisco often tests the distinction between searching for a file's SHA-256 hash (which directly lists all endpoints with that file) and using retrospective scans or IOC scanning, which serve different purposes and do not provide a simple list of affected endpoints.
How to eliminate wrong answers
Option B is wrong because manually checking the Device Trajectory of the infected endpoint and correlating with other endpoints is inefficient and error-prone; Device Trajectory shows events for a single endpoint, not a cross-endpoint view, and the analyst would need to manually check each endpoint's trajectory, which is impractical in a large environment.

Option C is wrong because the IOC scanning feature scans for indicators of compromise (e.g., IP addresses, domains, registry keys) based on predefined rules, not for a specific file's SHA-256 hash; it is designed for threat hunting using IOCs, not for locating all endpoints that executed a particular file.

Option D is wrong because retrospective security scans in AMP are used to re-evaluate files that were previously seen and may have changed disposition, but they do not directly list all endpoints that executed the file; instead, they apply updated analysis to files already in the AMP cloud, and the results are typically viewed via the file's analysis page, not by scanning all endpoints with the hash.