AMPv2

Cisco Advanced Malware Protection software is designed to prevent, detect, and help remove threats in an efficient manner from computer systems. Threats can take the form of software viruses and other malware such as ransomware, worms, Trojans, spyware, adware, and fileless malware.

Endpoint · Cisco AMP

Configuration parameters

  • server_url — Server URL (required)
  • credentials — Third Party API Client ID (required)
  • insecure — Trust any certificate (not secure)
  • integrationReliability — Source Reliability (required)
  • proxy — Use system proxy settings
  • max_fetch — Maximum incidents to fetch.
  • include_null_severities — Fetch incidents with severity = null
  • incident_severities — Incident severity to fetch.
  • first_fetch — First fetch time
  • event_types — Event types
  • incidentType — Incident type
  • isFetch — Fetch incidents
  • create_relationships — Create relationships

Commands (31)

  • cisco-amp-app-trajectory-query-list

    Retrieve app_trajectory queries for a given IOS bundle ID.

  • cisco-amp-computer-activity-list

    Fetch a list of computers that have observed files with a given file name. Provides the ability to search all computers across an organization for any events or activities associated with a file or network operation, and returns computers matching those criteria. There is a hard limit of 5000 historical entries searched.

  • cisco-amp-computer-delete

    Deletes a specific computer with given connector_guid.

  • cisco-amp-computer-isolation-create

    Request isolation for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

  • cisco-amp-computer-isolation-delete

    Request isolation stop for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

  • cisco-amp-computer-isolation-feature-availability-get

    Performs a feature availability request on a computer. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

  • cisco-amp-computer-isolation-get

    Returns a fine-grained isolation status for a computer. The available flag is set to true if isolation can be performed on the computer. Status will be set to one of - not_isolated, pending_start, isolated and pending_stop. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

  • cisco-amp-computer-list

    Fetch computers to show information about them. Can be filtered by a variety of criteria.

  • cisco-amp-computer-move

    Moves a computer to a group with the given connector_guid and group_guid.

  • cisco-amp-computer-trajectory-list

    Provides a list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP console.

  • cisco-amp-computer-user-activity-list

    Fetch a list of computers that have observed activity by the given username.

  • cisco-amp-computer-user-trajectory-list

    Fetch a specific computer's trajectory with a given connector GUID and filter for events with user name activity.

  • cisco-amp-computer-vulnerabilities-list

    Provides a list of vulnerabilities observed on a specific computer. The vulnerabilities can be filtered to show only vulnerable applications observed for a specific time range.

  • cisco-amp-event-list

    Fetch a list of events that can be filtered by a variety of criteria. Each criteria type is logically ANDed with the other criteria, and each selection of a criteria is logically ORed. This is analogous to the Events view on the FireAMP Console.

  • cisco-amp-event-type-list

    Fetches a list of event types. Events are identified and filtered by a unique ID.

  • cisco-amp-file-list-item-create

    Creates a file list item with a given SHA-256 for a specific file list with a given file_list_guid.

  • cisco-amp-file-list-item-delete

    Deletes a file list item with a given SHA-256 and associated to a file list with a given file_list_guid.

  • cisco-amp-file-list-item-list

    Returns a list of items for a particular file_list. file_list_guid must be provided to retrieve these items. A particular item can be returned by providing a SHA-256.

  • cisco-amp-file-list-list

    Returns a particular file list for application blocking or simple custom detection. file_list_guid must be provided to retrieve information about a particular file_list. Can fetch an application_blocking or simple_custom_detection file list. Defaults to application_blocking.

  • cisco-amp-group-create

    Creates a new group along with a group name or description.

  • cisco-amp-group-delete

    Destroys a group with a given GUID.

  • cisco-amp-group-list

    Provides information about groups in an organization.

  • cisco-amp-group-parent-update

    Converts an existing group to a child of another group or an existing child group to a root group (that is, one with no parent groups).

  • cisco-amp-group-policy-update

    Updates a group to a given policy and returns all the policies in that group.

  • cisco-amp-indicator-list

    Show information about indicators.

  • cisco-amp-license-get

    Get license information about the tenant such as number of connectors registered, tier level, licensed seats count etc.

  • cisco-amp-policy-list

    Gets information about policies by filtering with a product and name of a specific policy with a policy_guid.

  • cisco-amp-version-get

    Get API version.

  • cisco-amp-vulnerability-list

    Fetch a list of vulnerabilities. This is analogous to the Vulnerable Software view on the AMP for Endpoints Console. The list can be filtered to show only the vulnerable programs detected for a specific time range. Provide a list of computers on which the vulnerability has been observed with given SHA-256. The list item contains a summary of information on the vulnerability, including: application name and version, SHA-256 value for the executable file, connectors on which the vulnerable application was observed and the most recent CVSS score. IMPORTANT: computers key returns information about the last 1000 Connectors on which the vulnerable application was observed.

  • endpoint

    Returns information about an endpoint.

  • file

    Runs reputation on files.