AMPv2
Cisco Advanced Malware Protection software is designed to prevent, detect, and help remove threats in an efficient manner from computer systems. Threats can take the form of software viruses and other malware such as ransomware, worms, Trojans, spyware, adware, and fileless malware.
Endpoint · Cisco AMP
Configuration parameters
server_url— Server URL (required)credentials— Third Party API Client ID (required)insecure— Trust any certificate (not secure)integrationReliability— Source Reliability (required)proxy— Use system proxy settingsmax_fetch— Maximum incidents to fetch.include_null_severities— Fetch incidents with severity = nullincident_severities— Incident severity to fetch.first_fetch— First fetch timeevent_types— Event typesincidentType— Incident typeisFetch— Fetch incidentscreate_relationships— Create relationships
Commands (31)
-
cisco-amp-app-trajectory-query-listRetrieve app_trajectory queries for a given IOS bundle ID.
-
cisco-amp-computer-activity-listFetch a list of computers that have observed files with a given file name. Provides the ability to search all computers across an organization for any events or activities associated with a file or network operation, and returns computers matching those criteria. There is a hard limit of 5000 historical entries searched.
-
cisco-amp-computer-deleteDeletes a specific computer with given connector_guid.
-
cisco-amp-computer-isolation-createRequest isolation for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.
-
cisco-amp-computer-isolation-deleteRequest isolation stop for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.
-
cisco-amp-computer-isolation-feature-availability-getPerforms a feature availability request on a computer. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.
-
cisco-amp-computer-isolation-getReturns a fine-grained isolation status for a computer. The available flag is set to true if isolation can be performed on the computer. Status will be set to one of - not_isolated, pending_start, isolated and pending_stop. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.
-
cisco-amp-computer-listFetch computers to show information about them. Can be filtered by a variety of criteria.
-
cisco-amp-computer-moveMoves a computer to a group with the given connector_guid and group_guid.
-
cisco-amp-computer-trajectory-listProvides a list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP console.
-
cisco-amp-computer-user-activity-listFetch a list of computers that have observed activity by the given username.
-
cisco-amp-computer-user-trajectory-listFetch a specific computer's trajectory with a given connector GUID and filter for events with user name activity.
-
cisco-amp-computer-vulnerabilities-listProvides a list of vulnerabilities observed on a specific computer. The vulnerabilities can be filtered to show only vulnerable applications observed for a specific time range.
-
cisco-amp-event-listFetch a list of events that can be filtered by a variety of criteria. Each criteria type is logically ANDed with the other criteria, and each selection of a criteria is logically ORed. This is analogous to the Events view on the FireAMP Console.
-
cisco-amp-event-type-listFetches a list of event types. Events are identified and filtered by a unique ID.
-
cisco-amp-file-list-item-createCreates a file list item with a given SHA-256 for a specific file list with a given file_list_guid.
-
cisco-amp-file-list-item-deleteDeletes a file list item with a given SHA-256 and associated to a file list with a given file_list_guid.
-
cisco-amp-file-list-item-listReturns a list of items for a particular file_list. file_list_guid must be provided to retrieve these items. A particular item can be returned by providing a SHA-256.
-
cisco-amp-file-list-listReturns a particular file list for application blocking or simple custom detection. file_list_guid must be provided to retrieve information about a particular file_list. Can fetch an application_blocking or simple_custom_detection file list. Defaults to application_blocking.
-
cisco-amp-group-createCreates a new group along with a group name or description.
-
cisco-amp-group-deleteDestroys a group with a given GUID.
-
cisco-amp-group-listProvides information about groups in an organization.
-
cisco-amp-group-parent-updateConverts an existing group to a child of another group or an existing child group to a root group (that is, one with no parent groups).
-
cisco-amp-group-policy-updateUpdates a group to a given policy and returns all the policies in that group.
-
cisco-amp-indicator-listShow information about indicators.
-
cisco-amp-license-getGet license information about the tenant such as number of connectors registered, tier level, licensed seats count etc.
-
cisco-amp-policy-listGets information about policies by filtering with a product and name of a specific policy with a policy_guid.
-
cisco-amp-version-getGet API version.
-
cisco-amp-vulnerability-listFetch a list of vulnerabilities. This is analogous to the Vulnerable Software view on the AMP for Endpoints Console. The list can be filtered to show only the vulnerable programs detected for a specific time range. Provide a list of computers on which the vulnerability has been observed with given SHA-256. The list item contains a summary of information on the vulnerability, including: application name and version, SHA-256 value for the executable file, connectors on which the vulnerable application was observed and the most recent CVSS score. IMPORTANT: computers key returns information about the last 1000 Connectors on which the vulnerable application was observed.
-
endpointReturns information about an endpoint.
-
fileRuns reputation on files.