CiscoAMP Deprecated

Deprecated. Use Cisco AMP v2 instead.

Endpoint · Cisco AMP (Deprecated)

Configuration parameters

  • server_url — Server URL (required)
  • credentials — Third Party API Client ID (required)
  • insecure — Trust any certificate (not secure)
  • integrationReliability — Source Reliability (required)
  • proxy — Use system proxy settings
  • max_fetch — Maximum incidents to fetch.
  • incident_severities — Incident severity to fetch.
  • first_fetch — First fetch time
  • event_types — Event types
  • incidentType — Incident type
  • isFetch — Fetch incidents

Commands (30)

  • cisco-amp-app-trajectory-query-list

    Retrieve app_trajectory queries for a given IOS bundle ID.

  • cisco-amp-computer-activity-list

    Fetch a list of computers that have observed files with a given file name. Provides the ability to search all computers across an organization for any events or activities associated with a file or network operation, and returns computers matching those criteria. There is a hard limit of 5000 historical entries searched.

  • cisco-amp-computer-delete

    Deletes a specific computer with given connector_guid.

  • cisco-amp-computer-isolation-create

    Request isolation for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

  • cisco-amp-computer-isolation-delete

    Request isolation stop for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

  • cisco-amp-computer-isolation-feature-availability-get

    Performs a feature availability request on a computer. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

  • cisco-amp-computer-isolation-get

    Returns a fine-grained isolation status for a computer. The available flag is set to true if isolation can be performed on the computer. Status will be set to one of - not_isolated, pending_start, isolated and pending_stop. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

  • cisco-amp-computer-list

    Fetch computers to show information about them. Can be filtered by a variety of criteria.

  • cisco-amp-computer-move

    Moves a computer to a group with the given connector_guid and group_guid.

  • cisco-amp-computer-trajectory-list

    Provides a list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP console.

  • cisco-amp-computer-user-activity-list

    Fetch a list of computers that have observed activity by the given username.

  • cisco-amp-computer-user-trajectory-list

    Fetch a specific computer's trajectory with a given connector GUID and filter for events with user name activity.

  • cisco-amp-computer-vulnerabilities-list

    Provides a list of vulnerabilities observed on a specific computer. The vulnerabilities can be filtered to show only vulnerable applications observed for a specific time range.

  • cisco-amp-event-list

    Fetch a list of events that can be filtered by a variety of criteria. Each criteria type is logically ANDed with the other criteria, and each selection of a criteria is logically ORed. This is analogous to the Events view on the FireAMP Console.

  • cisco-amp-event-type-list

    Fetches a list of event types. Events are identified and filtered by a unique ID.

  • cisco-amp-file-list-item-create

    Creates a file list item with a given SHA-256 for a specific file list with a given file_list_guid.

  • cisco-amp-file-list-item-delete

    Deletes a file list item with a given SHA-256 and associated to a file list with a given file_list_guid.

  • cisco-amp-file-list-item-list

    Returns a list of items for a particular file_list. file_list_guid must be provided to retrieve these items. A particular item can be returned by providing a SHA-256.

  • cisco-amp-file-list-list

    Returns a particular file list for application blocking or simple custom detection. file_list_guid must be provided to retrieve information about a particular file_list. Can fetch an application_blocking or simple_custom_detection file list. Defaults to application_blocking.

  • cisco-amp-group-create

    Creates a new group along with a group name or description.

  • cisco-amp-group-delete

    Destroys a group with a given GUID.

  • cisco-amp-group-list

    Provides information about groups in an organization.

  • cisco-amp-group-parent-update

    Converts an existing group to a child of another group or an existing child group to a root group (that is, one with no parent groups).

  • cisco-amp-group-policy-update

    Updates a group to a given policy and returns all the policies in that group.

  • cisco-amp-indicator-list

    Show information about indicators.

  • cisco-amp-policy-list

    Gets information about policies by filtering with a product and name of a specific policy with a policy_guid.

  • cisco-amp-version-get

    Get API version.

  • cisco-amp-vulnerability-list

    Fetch a list of vulnerabilities. This is analogous to the Vulnerable Software view on the AMP for Endpoints Console. The list can be filtered to show only the vulnerable programs detected for a specific time range. Provide a list of computers on which the vulnerability has been observed with given SHA-256. The list item contains a summary of information on the vulnerability, including: application name and version, SHA-256 value for the executable file, connectors on which the vulnerable application was observed and the most recent CVSS score. IMPORTANT: computers key returns information about the last 1000 Connectors on which the vulnerable application was observed.

  • endpoint

    Returns information about an endpoint.

  • file

    Runs reputation on files.