# Cisco AMP v2

This integration is part of the Cisco AMP Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.
Cisco Advanced Malware Protection software is designed to prevent, detect, and help remove threats in an efficient manner from computer systems. Threats can take the form of software viruses and other malware such as ransomware, worms, Trojans, spyware, adware, and fileless malware. This integration was integrated and tested with version 1 of CiscoAMP.

## Configure Cisco AMP Secure Endpoint on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Cisco AMP Secure Endpoint.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
Server URL | | True |
3rd Party API Client ID | | True |
API Key | | True |
Trust any certificate (unsecure) | | False |
Use system proxy | | False |
Maximum incidents to fetch. | Maximum number of incidents per fetch. The maximum is 200. | False |
Incident severity to fetch. | | False |
First fetch time | First alert created date to fetch. e.g., "1 min ago", "2 weeks ago", "3 months ago" | False |
Event types | Comma-separated list of Event Type IDs. | False |
Create relationships | Create relationships between indicators as part of Enrichment. | False |

4. Click Test to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### cisco-amp-computer-list

Fetch computers and show information about them. Can be filtered by a variety of criteria.

#### Base Command

`cisco-amp-computer-list`

#### Input

Argument Name | Description | Required |
---|---|---|
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
connector_guid | The connector GUID for a specific computer. | Optional |
hostname | Comma-separated list of host names to filter by (has auto complete capabilities). | Optional |
internal_ip | Internal IP to filter by. | Optional |
external_ip | External IP to filter by. | Optional |
group_guid | Comma-separated list of group GUIDs to filter by. | Optional |
last_seen_within | Time range to filter by. | Optional |
last_seen_over | Time range to filter over by. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CiscoAMP.Computer.connector_guid | String | GUID of the connector. |
CiscoAMP.Computer.hostname | String | Host's name. |
CiscoAMP.Computer.windows_processor_id | String | Windows processor ID. |
CiscoAMP.Computer.active | Boolean | Whether the computer is active. |
CiscoAMP.Computer.connector_version | String | Version of the connector. |
CiscoAMP.Computer.operating_system | String | Operating system of the computer. |
CiscoAMP.Computer.os_version | String | Operating system version. |
CiscoAMP.Computer.internal_ips | String | List of internal IPs. |
CiscoAMP.Computer.external_ip | String | External IP. |
CiscoAMP.Computer.group_guid | String | GUID of the group. |
CiscoAMP.Computer.install_date | Date | Installation date. |
CiscoAMP.Computer.is_compromised | Boolean | Whether the computer is compromised. |
CiscoAMP.Computer.demo | Boolean | Whether the computer is a demo. |
CiscoAMP.Computer.network_addresses.mac | String | List of MAC addresses. |
CiscoAMP.Computer.network_addresses.ip | String | List of IP addresses. |
CiscoAMP.Computer.policy.guid | String | GUID of the policy. |
CiscoAMP.Computer.policy.name | String | Name of the policy. |
CiscoAMP.Computer.groups.guid | String | GUID of the group. |
CiscoAMP.Computer.groups.name | String | Name of the group. |
CiscoAMP.Computer.last_seen | Date | Last date seen. |
CiscoAMP.Computer.faults | String | Faults. |
CiscoAMP.Computer.isolation.available | Boolean | Whether the isolation is available. |
CiscoAMP.Computer.isolation.status | String | Status of the isolation. |
CiscoAMP.Computer.orbital.status | String | Status of the orbital. |
Endpoint.Hostname | String | The hostname of the endpoint. |
Endpoint.ID | String | The endpoint's identifier. |
Endpoint.IPAddress | String | The endpoint's IP address. |
Endpoint.OS | String | The endpoint's operating system. |
Endpoint.OSVersion | String | The endpoint's operating system's version. |
Endpoint.Status | String | The status of the endpoint (online/offline). |
Endpoint.MACAddress | String | The endpoint's MAC address. |
Endpoint.Vendor | String | The integration name of the endpoint vendor. |

#### Command example

`!cisco-amp-computer-list limit=5`

#### Human Readable Output

Results

Current Item Count | Index | Items Per Page | Total |
---|---|---|---|
5 | 0 | 5 | 32 |

Computer Information

Host Name | Connector GUID | Operating System | External IP | Group GUID | Policy GUID |
---|---|---|---|---|---|
Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | Windows 10 (Build 10.0.19044.1466) | IP | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | 91c7894d-dd69-4a21-8cf6-5ebfc57ef4df |
Demo_AMP_Exploit_Prevention | 113c1a8e-8e66-409e-92a8-41b7d586be5d | Windows 10 (Build 10.0.19044.1466) | IP | 6ed80412-0739-42c1-8f6d-32fb51b3f894 | 1a352c59-793b-44f3-b8f9-0ddd354057bc |
Demo_AMP_Exploit_Prevention_Audit | 93f395a2-e31f-4022-b1dd-afb16e093b8d | Windows 10 (Build 10.0.19044.1466) | IP | 5b1857e3-ba49-46cf-9bf1-0cad6b5ecd18 | a599bf5b-2cb7-4a5b-90bd-d0199e2ccd67 |
Demo_AMP_Intel | d6f49c17-9721-4c5b-a04f-32ba30be36a0 | Windows 10 (Build 10.0.19043.1202) | IP | fedd82f8-c74f-49f4-a463-e576d3beee92 | be84e169-0830-4b95-915b-1e203a82ed58 |
Demo_AMP_MAP_FriedEx | 9a2abee8-b988-473b-9e99-a7abe6d068a5 | Windows 10 (Build 10.0.19044.1466) | IP | 6ed80412-0739-42c1-8f6d-32fb51b3f894 | 1a352c59-793b-44f3-b8f9-0ddd354057bc |

### cisco-amp-computer-trajectory-list

Provides a list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP console.

#### Base Command

`cisco-amp-computer-trajectory-list`

#### Input

Argument Name | Description | Required |
---|---|---|
connector_guid | The connector GUID for a specific computer. | Required |
query_string | Freeform query string which currently accepts an: IP address, SHA-256, or URL. | Optional |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 5000. | Optional |
limit | Number of total results to return. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CiscoAMP.ComputerTrajectory.connector_guid | String | GUID of the connector. |
CiscoAMP.ComputerTrajectory.id | String | Event's ID. |
CiscoAMP.ComputerTrajectory.timestamp | Number | Event's timestamp. |
CiscoAMP.ComputerTrajectory.timestamp_nanoseconds | Number | Event's timestamp in nanoseconds. |
CiscoAMP.ComputerTrajectory.date | Date | Event's date. |
CiscoAMP.ComputerTrajectory.event_type | String | Event's type. |
CiscoAMP.ComputerTrajectory.event_type_id | Number | Event's type ID. |
CiscoAMP.ComputerTrajectory.group_guids | String | Group GUID. |
CiscoAMP.ComputerTrajectory.severity | String | Event's severity. |
CiscoAMP.ComputerTrajectory.detection | String | Event's detection. |
CiscoAMP.ComputerTrajectory.detection_id | String | Event's detection ID. |
CiscoAMP.ComputerTrajectory.file.disposition | String | Disposition of the file. |
CiscoAMP.ComputerTrajectory.file.file_name | String | Name of the file. |
CiscoAMP.ComputerTrajectory.file.file_path | String | Path to the file. |
CiscoAMP.ComputerTrajectory.file.file_type | String | Type of the file. |
CiscoAMP.ComputerTrajectory.file.identity.sha256 | String | File's SHA-256. |
CiscoAMP.ComputerTrajectory.file.identity.sha1 | String | File's SHA-1. |
CiscoAMP.ComputerTrajectory.file.identity.md5 | String | File's MD5. |
CiscoAMP.ComputerTrajectory.file.parent.disposition | String | Disposition of parent. |
CiscoAMP.ComputerTrajectory.file.parent.identity.sha256 | String | SHA-256 of parent. |
CiscoAMP.ComputerTrajectory.scan.description | String | Description of the scan. |
CiscoAMP.ComputerTrajectory.scan.clean | Boolean | Whether the scan is clean. |
CiscoAMP.ComputerTrajectory.scan.scanned_files | Number | Number of scanned files. |
CiscoAMP.ComputerTrajectory.scan.scanned_processes | Number | Number of scanned processes. |
CiscoAMP.ComputerTrajectory.scan.scanned_paths | Number | Number of scanned paths. |
CiscoAMP.ComputerTrajectory.scan.malicious_detections | Number | Number of malicious detections. |

#### Command example

`!cisco-amp-computer-trajectory-list connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 limit=5`

#### Human Readable Output

Computer Information

Host Name | Connector GUID | Operating System | External IP | Group GUID | Policy GUID |
---|---|---|---|---|---|
Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | Windows 10 (Build 10.0.19044.1466) | IP | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | 91c7894d-dd69-4a21-8cf6-5ebfc57ef4df |

Event Information

ID | Date | Event Type | Group GUIDs |
---|---|---|---|
1667217305855411965 | 2022-10-31T11:55:05+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
1667217298837175263 | 2022-10-31T11:54:58+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
1667216545769121964 | 2022-10-31T11:42:25+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
1667216538974189121 | 2022-10-31T11:42:18+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
1667214907330813011 | 2022-10-31T11:15:07+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |

### cisco-amp-computer-user-activity-list

Fetch a list of computers that have observed activity by a given username.

#### Base Command

`cisco-amp-computer-user-activity-list`

#### Input

Argument Name | Description | Required |
---|---|---|
username | Username to filter by. | Required |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CiscoAMP.ComputerUserActivity.connector_guid | String | GUID of the connector. |
CiscoAMP.ComputerUserActivity.hostname | String | Host's name. |
CiscoAMP.ComputerUserActivity.active | Boolean | Whether the computer is active. |

#### Command example

`!cisco-amp-computer-user-activity-list username=johndoe`

#### Human Readable Output

Results

Current Item Count | Index | Items Per Page | Total |
---|---|---|---|
8 | 0 | 100 | 8 |

Activity Information

Connector GUID | Host Name | Active |
---|---|---|
113c1a8e-8e66-409e-92a8-41b7d586be5d | Demo_AMP_Exploit_Prevention | true |
307ada77-5776-4de6-ab3b-9c42fe723c9c | Demo_WannaCry_Ransomware | true |
32ac3d60-4038-4cac-8df8-7588cd959926 | Demo_AMP_Threat_Audit | true |
7704bf95-5343-4825-8d68-2ecea81feda4 | Demo_Qakbot_3 | true |
790e9bd4-99b5-433c-b027-9a9a5b9d426f | Demo_Qakbot_2 | true |
cd9ae0b3-b566-47f4-811b-980dcb7988d6 | Demo_Qakbot_1 | true |
d42cab73-c142-4c25-85d3-4bdefacb6b5b | Demo_AMP_Threat_Quarantined | true |
d6f49c17-9721-4c5b-a04f-32ba30be36a0 | Demo_AMP_Intel | true |

### cisco-amp-computer-user-trajectory-list

Fetch a specific computer's trajectory with a given connector_guid and filter for events with username activity.

#### Base Command

`cisco-amp-computer-user-trajectory-list`

#### Input

Argument Name | Description | Required |
---|---|---|
connector_guid | The connector GUID for a specific computer. | Required |
username | Username to filter by. | Optional |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 5000. | Optional |
limit | Number of total results to return. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CiscoAMP.ComputerUserTrajectory.connector_guid | String | GUID of the connector. |
CiscoAMP.ComputerUserTrajectory.id | String | Event's ID. |
CiscoAMP.ComputerUserTrajectory.timestamp | Number | Event's timestamp. |
CiscoAMP.ComputerUserTrajectory.timestamp_nanoseconds | Number | Event's timestamp in nanoseconds. |
CiscoAMP.ComputerUserTrajectory.date | Date | Event's date. |
CiscoAMP.ComputerUserTrajectory.event_type | String | Event's type. |
CiscoAMP.ComputerUserTrajectory.event_type_id | Number | Event's type ID. |
CiscoAMP.ComputerUserTrajectory.group_guids | String | Group GUID. |
CiscoAMP.ComputerUserTrajectory.severity | String | Event's severity. |
CiscoAMP.ComputerUserTrajectory.detection | String | Event's detection. |
CiscoAMP.ComputerUserTrajectory.detection_id | String | Event's detection ID. |
CiscoAMP.ComputerUserTrajectory.file.disposition | String | Disposition of the file. |
CiscoAMP.ComputerUserTrajectory.file.file_name | String | Name of the file. |
CiscoAMP.ComputerUserTrajectory.file.file_path | String | Path to the file. |
CiscoAMP.ComputerUserTrajectory.file.file_type | String | Type of the file. |
CiscoAMP.ComputerUserTrajectory.file.identity.sha256 | String | File's SHA-256. |
CiscoAMP.ComputerUserTrajectory.file.identity.sha1 | String | File's SHA-1. |
CiscoAMP.ComputerUserTrajectory.file.identity.md5 | String | File's MD5. |
CiscoAMP.ComputerUserTrajectory.file.parent.disposition | String | Disposition of parent. |
CiscoAMP.ComputerUserTrajectory.file.parent.identity.sha256 | String | SHA-256 of parent. |
CiscoAMP.ComputerUserTrajectory.scan.description | String | Description of the scan. |
CiscoAMP.ComputerUserTrajectory.scan.clean | Boolean | Whether the scan is clean. |
CiscoAMP.ComputerUserTrajectory.scan.scanned_files | Number | Number of scanned files. |
CiscoAMP.ComputerUserTrajectory.scan.scanned_processes | Number | Number of scanned processes. |
CiscoAMP.ComputerUserTrajectory.scan.scanned_paths | Number | Number of scanned paths. |
CiscoAMP.ComputerUserTrajectory.scan.malicious_detections | Number | Number of malicious detections. |

#### Command example

`!cisco-amp-computer-user-trajectory-list connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 limit=5`

#### Human Readable Output

Computer Information

Host Name | Connector GUID | Operating System |
---|---|---|
Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | None (Build None) |

Event Information

ID | Date | Event Type | Group GUIDs |
---|---|---|---|
1667217305855411965 | 2022-10-31T11:55:05+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
1667217298837175263 | 2022-10-31T11:54:58+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
1667216545769121964 | 2022-10-31T11:42:25+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
1667216538974189121 | 2022-10-31T11:42:18+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
1667214907330813011 | 2022-10-31T11:15:07+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |

### cisco-amp-computer-vulnerabilities-list

Provides a list of vulnerabilities observed on a specific computer. The vulnerabilities can be filtered to show only vulnerable applications observed for a specific time range.

#### Base Command

`cisco-amp-computer-vulnerabilities-list`

#### Input

Argument Name | Description | Required |
---|---|---|
connector_guid | The connector GUID for a specific computer. | Required |
start_time | The start date and time expressed according to ISO 8601. The retrieved list will include vulnerable programs detected at start_time. | Optional |
end_time | The end date and/or time expressed according to ISO 8601. Exclusive: if end_time is a time, the list will only include vulnerable programs detected before end_time. Inclusive: if end_time is a date, the list will include vulnerable programs detected on that date. | Optional |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
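
The start_time/end_time semantics above have an edge case worth pinning down before a playbook relies on them: a bare-date end_time covers the whole day, while an end_time that carries a time component is an exclusive upper bound. The following added example (not the integration's own code) applies those rules client-side to constructed sample records shaped like CiscoAMP.ComputerVulnerability entries, so the window you compute locally agrees with what the argument table describes. The record contents, the `time_bounds` and `filter_vulnerabilities` names, and the half-open window are this example's assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Matches a bare ISO 8601 calendar date such as "2022-10-24" (no time part).
DATE_ONLY = re.compile(r"\d{4}-\d{2}-\d{2}")

# Constructed sample records shaped like CiscoAMP.ComputerVulnerability entries;
# the applications, versions and dates are made up for this example.
SAMPLE_VULNERABILITIES = [
    {"application": "Microsoft Office", "version": "2013", "latest_date": "2022-10-23T12:37:33+00:00"},
    {"application": "Adobe Reader", "version": "11.0", "latest_date": "2022-10-24T00:00:00+00:00"},
    {"application": "Java", "version": "8u202", "latest_date": "2022-10-24T09:15:00+00:00"},
    {"application": "7-Zip", "version": "9.20", "latest_date": "2022-10-25T00:00:00+00:00"},
]


def parse_iso(value: str) -> datetime:
    """Parse an ISO 8601 date or datetime; naive values are taken as UTC."""
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def time_bounds(start_time: Optional[str], end_time: Optional[str]) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Translate start_time/end_time into a half-open [lower, upper) window.

    start_time is inclusive. A bare-date end_time is inclusive of the whole
    day, so its upper bound is the following midnight; an end_time with a time
    component is exclusive, so it is the upper bound as given.
    """
    lower = parse_iso(start_time) if start_time else None
    if not end_time:
        upper = None
    elif DATE_ONLY.fullmatch(end_time):
        upper = parse_iso(end_time) + timedelta(days=1)
    else:
        upper = parse_iso(end_time)
    if lower is not None and upper is not None and upper <= lower:
        raise ValueError("end_time must be later than start_time")
    return lower, upper


def filter_vulnerabilities(records: List[dict], start_time: Optional[str] = None,
                           end_time: Optional[str] = None) -> List[dict]:
    """Keep the records whose latest_date falls inside the requested window."""
    lower, upper = time_bounds(start_time, end_time)
    kept = []
    for record in records:
        seen = parse_iso(record["latest_date"])
        if lower is not None and seen < lower:
            continue
        if upper is not None and seen >= upper:
            continue
        kept.append(record)
    return kept


if __name__ == "__main__":
    # A bare-date end_time keeps everything detected on 2022-10-24 itself.
    for record in filter_vulnerabilities(SAMPLE_VULNERABILITIES, end_time="2022-10-24"):
        print(record["application"], record["latest_date"])
```

The difference between `end_time="2022-10-24"` (three records kept, including the two detected during that day) and `end_time="2022-10-24T00:00:00+00:00"` (only the record from the day before) is exactly the inclusive/exclusive distinction the argument table describes.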

#### Context Output

Path | Type | Description |
---|---|---|
CiscoAMP.ComputerVulnerability.connector_guid | String | GUID of the connector. |
CiscoAMP.ComputerVulnerability.application | String | Name of the application. |
CiscoAMP.ComputerVulnerability.version | String | Version of the application. |
CiscoAMP.ComputerVulnerability.file.filename | String | Name of the file. |
CiscoAMP.ComputerVulnerability.file.identity.sha256 | String | File's SHA-256. |
CiscoAMP.ComputerVulnerability.file.identity.sha1 | String | File's SHA-1. |
CiscoAMP.ComputerVulnerability.file.identity.md5 | String | File's MD5. |
CiscoAMP.ComputerVulnerability.cves.id | String | CVE (Common Vulnerabilities and Exposures) ID. |
CiscoAMP.ComputerVulnerability.cves.link | String | Link to the CVE entry. |
CiscoAMP.ComputerVulnerability.cves.cvss | Number | CVSS (Common Vulnerability Scoring System) score. |
CiscoAMP.ComputerVulnerability.latest_timestamp | Number | Vulnerability latest timestamp. |
CiscoAMP.ComputerVulnerability.latest_date | Date | Vulnerability latest date. |

#### Command example

`!cisco-amp-computer-vulnerabilities-list connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0`

#### Human Readable Output

Results

Current Item Count | Index | Items Per Page | Total |
---|---|---|---|
1 | 0 | 100 | 1 |

Computer Information

Host Name | Connector GUID | Operating System | Group GUID |
---|---|---|---|
Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | None (Build None) | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |

Vulnerabilities Information

Application | Version | Latest Date | File Name | SHA-256 |
---|---|---|---|---|
Microsoft Office | 2013 | 2022-10-23T12:37:33+00:00 | WINWORD.EXE | 3D46E95284F93BBB76B3B7E1BF0E1B2D51E8A9411C2B6E649112F22F92DE63C2 |

### cisco-amp-computer-move

Moves a computer to a group with a given connector_guid and group_guid.

#### Base Command

`cisco-amp-computer-move`

#### Input

Argument Name | Description | Required |
---|---|---|
connector_guid | The connector GUID for a specific computer. | Required |
group_guid | Group GUID to move the computer to. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
CiscoAMP.Computer.connector_guid | String | GUID of the connector. |
CiscoAMP.Computer.hostname | String | Host's name. |
CiscoAMP.Computer.windows_processor_id | String | Windows processor ID. |
CiscoAMP.Computer.active | Boolean | Whether the computer is active. |
CiscoAMP.Computer.connector_version | String | Version of the connector. |
CiscoAMP.Computer.operating_system | String | Operating system of the computer. |
CiscoAMP.Computer.os_version | String | Operating system version. |
CiscoAMP.Computer.internal_ips | String | List of internal IPs. |
CiscoAMP.Computer.external_ip | String | External IP. |
CiscoAMP.Computer.group_guid | String | GUID of the group. |
CiscoAMP.Computer.install_date | Date | Installation date. |
CiscoAMP.Computer.is_compromised | Boolean | Whether the computer is compromised. |
CiscoAMP.Computer.demo | Boolean | Whether the computer is a demo. |
CiscoAMP.Computer.network_addresses.mac | String | List of MAC addresses. |
CiscoAMP.Computer.network_addresses.ip | String | List of IP addresses. |
CiscoAMP.Computer.policy.guid | String | GUID of the policy. |
CiscoAMP.Computer.policy.name | String | Name of the policy. |
CiscoAMP.Computer.groups.guid | String | GUID of the group. |
CiscoAMP.Computer.groups.name | String | Name of the group. |
CiscoAMP.Computer.last_seen | Date | Last date seen. |
CiscoAMP.Computer.faults | String | Faults. |
CiscoAMP.Computer.isolation.available | Boolean | Whether the isolation is available. |
CiscoAMP.Computer.isolation.status | String | Status of the isolation. |
CiscoAMP.Computer.orbital.status | String | Status of the orbital. |

#### Command example

`!cisco-amp-computer-move connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 group_guid=bb5a9f90-d6fa-4fe7-99c8-e91060b49a98`

#### Human Readable Output

Computer Information

Host Name | Connector GUID | Operating System | External IP | Group GUID | Policy GUID |
---|---|---|---|---|---|
Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | Windows 10 (Build 10.0.19044.1466) | IP | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | 91c7894d-dd69-4a21-8cf6-5ebfc57ef4df |

### cisco-amp-computer-delete

Deletes a specific computer with a given connector GUID.

#### Base Command

`cisco-amp-computer-delete`

#### Input

Argument Name | Description | Required |
---|---|---|
connector_guid | The connector GUID for a specific computer. | Required |

#### Context Output

There is no context output for this command.

#### Command example

`!cisco-amp-computer-delete connector_guid=dddd4ceb-4ce1-4f81-a7a7-04d13cc1df43`

#### Human Readable Output

Connector GUID: "dddd4ceb-4ce1-4f81-a7a7-04d13cc1df43" Successfully deleted.

### cisco-amp-computer-activity-list

Fetch a list of computers that have observed files with a given file name. Provides the ability to search all computers across an organization for any events or activities associated with a file or network operation, and returns computers matching those criteria. There is a hard limit of 5000 historical entries searched.

#### Base Command

`cisco-amp-computer-activity-list`

#### Input

Argument Name | Description | Required |
---|---|---|
query_string | Freeform query string which currently accepts: IPv4 address (CIDR not supported), SHA-256, file name, and a URL Fragment. | Required |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
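
Because query_string is free-form, a playbook that passes an unsupported value (a CIDR range, an IPv6 address, an empty string) gets an empty or failed search rather than an error it can act on. The added example below (not the integration's own code) checks the argument against the input kinds the table lists before the command is run, and reports which kind the value was recognised as. The `classify_query_string` name, the returned kind labels and the sample inputs are this example's assumptions; the accepted kinds come from the argument table.

```python
import ipaddress
import re
from typing import Tuple

# A SHA-256 digest is 64 hexadecimal characters.
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def classify_query_string(query_string: str) -> Tuple[str, str]:
    """Validate query_string and return (kind, normalized_value).

    kind is one of "ipv4", "sha256", "url_fragment" or "file_name", matching
    the inputs the argument table says the endpoint accepts. Values the
    endpoint does not accept (empty strings, CIDR ranges, IPv6 addresses)
    raise ValueError so the playbook fails at the argument instead of silently
    getting no matches back.
    """
    query = query_string.strip()
    if not query:
        raise ValueError("query_string must not be empty")

    # "10.0.0.0/8"-style input: the endpoint takes single IPv4 addresses only.
    if "/" in query:
        head = query.split("/", 1)[0]
        try:
            ipaddress.IPv4Address(head)
        except ValueError:
            pass  # not an address with a prefix; fall through to the URL check
        else:
            raise ValueError("CIDR notation is not supported; pass a single IPv4 address")

    try:
        address = ipaddress.ip_address(query)
    except ValueError:
        address = None
    if address is not None:
        if address.version != 4:
            raise ValueError("only IPv4 addresses are accepted")
        return "ipv4", str(address)

    # Normalize hash case so the same file produces one value for later matching.
    if SHA256_RE.fullmatch(query.lower()):
        return "sha256", query.lower()

    # Anything with a scheme or path separator is treated as a URL fragment.
    if "://" in query or "/" in query:
        return "url_fragment", query

    return "file_name", query


if __name__ == "__main__":
    for sample in ("8.8.8.8", "WINWORD.EXE", "example.test/login", "ABCD" * 16):
        print(sample, "->", classify_query_string(sample))
```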

#### Context Output

Path | Type | Description |
---|---|---|
CiscoAMP.ComputerActivity.connector_guid | String | GUID of the connector. |
CiscoAMP.ComputerActivity.hostname | String | Host's name. |
CiscoAMP.ComputerActivity.windows_processor_id | String | Windows processor ID. |
CiscoAMP.ComputerActivity.active | Boolean | Whether the computer is active. |

#### Command example

`!cisco-amp-computer-activity-list query_string=8.8.8.8`

#### Human Readable Output

Results

Current Item Count | Index | Items Per Page | Total |
---|---|---|---|
5 | 0 | 100 | 5 |

Activity Information

Connector GUID | Host Name | Windows Processor ID | Active |
---|---|---|---|
1e104704-0b8f-4703-a49f-ec3d13e1e079 | Demo_Dyre | 346b8f2ad9e5107 | true |
22b1d33c-b875-445f-8a98-d7fd05616ff0 | Demo_Upatre | b2a9e0f43861d75 | true |
33c101dd-4f50-4fd3-bce5-d3bd9d94e1a2 | Demo_ZAccess | b047d5268e9a13f | true |
4d91c4ea-4f4d-4b87-b5d7-d34cc2c678a5 | Demo_Global_Threat_Alerts | 9af0463d1852be7 | true |
ab22d66b-3443-4653-99ec-1fdeb680f30b | Demo_TDSS | 0ad79f21856e34b | true |

### cisco-amp-computer-isolation-feature-availability-get

Performs a feature availability request on a computer. Isolation must be enabled within the computer's policy. This can be done in the Cisco AMP console: log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

#### Base Command

`cisco-amp-computer-isolation-feature-availability-get`

#### Input

Argument Name | Description | Required |
---|---|---|
connector_guid | The connector GUID for a specific computer. | Required |

#### Context Output

There is no context output for this command.

#### Command example

`!cisco-amp-computer-isolation-feature-availability-get connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0`

#### Human Readable Output

Can get information about an isolation with computer-isolation-get

Can request to create a new isolation with computer-isolation-create

### cisco-amp-computer-isolation-get

Returns a fine-grained isolation status for a computer. The available flag is set to true if isolation can be performed on the computer. Status will be set to one of: not_isolated, pending_start, isolated, pending_stop. Isolation must be enabled within the computer's policy. This can be done in the Cisco AMP console: log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

#### Base Command

`cisco-amp-computer-isolation-get`

#### Input

Argument Name | Description | Required |
---|---|---|
connector_guid | The connector GUID for a specific computer. | Required |

#### Context Output

Path | Type | Description |
---|---|---|
CiscoAMP.ComputerIsolation.connector_guid | String | ID of the connector. |
CiscoAMP.ComputerIsolation.available | Boolean | Set to true if isolation can be performed on the computer. |
CiscoAMP.ComputerIsolation.status | String | Will be set to one of: not_isolated, pending_start, isolated and pending_stop. |
CiscoAMP.ComputerIsolation.unlock_code | String | Isolation unlock code. |
CiscoAMP.ComputerIsolation.comment | String | Isolation comment. |
CiscoAMP.ComputerIsolation.ccms_message_guid | String | Cisco Cluster Management Suite message GUID. |
CiscoAMP.ComputerIsolation.ccms_job_guid | String | Cisco Cluster Management Suite job GUID. |

#### Command example

`!cisco-amp-computer-isolation-get connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0`

#### Human Readable Output

Isolation Information

Available | Status | Unlock Code | Comment |
---|---|---|---|
true | not_isolated | unlockme | End readme test |

### cisco-amp-computer-isolation-create

Request isolation for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done in the Cisco AMP console: log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

#### Base Command

`cisco-amp-computer-isolation-create`

#### Input

Argument Name | Description | Required |
---|---|---|
interval_in_seconds | The interval in seconds between each poll. Default is 30. | Optional |
timeout_in_seconds | The timeout in seconds until polling ends. Default is 600. | Optional |
connector_guid | The connector GUID for a specific computer. | Required |
comment | Comment for isolation. | Required |
unlock_code | Isolation unlock code. | Required |
status | Status of the current run. | Optional |
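
Isolation requests are asynchronous: the status moves through pending_start (or pending_stop for a stop request) before settling, which is why the command polls with interval_in_seconds and timeout_in_seconds. The added example below (not the integration's own polling code) shows the shape of such a loop for both the create and the delete case, against a simulated status source, and makes the failure mode explicit: when the timeout expires the last observed status is reported rather than treated as success, so an endpoint stuck in pending_start is not mistaken for an isolated one. The `SimulatedIsolationClient`, `VirtualClock` and `poll_isolation` names and the status sequences are this example's assumptions; the status values are the ones listed in the context output.

```python
import itertools
import time
from typing import Callable, Iterable, Tuple


class SimulatedIsolationClient:
    """Stand-in for the isolation status call (constructed for this example).

    Each status() call yields the next entry of the given sequence; the last
    entry then repeats, mimicking a request that settles, or never does.
    """

    def __init__(self, statuses: Iterable[str]):
        statuses = list(statuses)
        self._statuses = itertools.chain(statuses, itertools.repeat(statuses[-1]))
        self.calls = 0

    def status(self, connector_guid: str) -> str:
        self.calls += 1
        return next(self._statuses)


class VirtualClock:
    """Virtual time so the example runs instantly; real use passes time.sleep/time.monotonic."""

    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds

    def monotonic(self) -> float:
        return self.now


def poll_isolation(client, connector_guid: str, expected: str,
                   interval_in_seconds: int = 30, timeout_in_seconds: int = 600,
                   sleep: Callable[[float], None] = time.sleep,
                   clock: Callable[[], float] = time.monotonic) -> Tuple[str, int]:
    """Poll until the status equals `expected` and return (status, polls).

    expected is "isolated" after an isolation request and "not_isolated" after
    a stop request. Raises TimeoutError carrying the last observed status once
    timeout_in_seconds has elapsed, so a pending_start/pending_stop that never
    settled is surfaced to the analyst instead of being reported as success.
    """
    if interval_in_seconds <= 0 or timeout_in_seconds <= 0:
        raise ValueError("interval_in_seconds and timeout_in_seconds must be positive")
    deadline = clock() + timeout_in_seconds
    polls = 0
    while True:
        status = client.status(connector_guid)
        polls += 1
        if status == expected:
            return status, polls
        if clock() >= deadline:
            raise TimeoutError(
                f"isolation status still '{status}' after {timeout_in_seconds}s ({polls} polls)")
        sleep(interval_in_seconds)


if __name__ == "__main__":
    clock = VirtualClock()
    client = SimulatedIsolationClient(["pending_start", "pending_start", "isolated"])
    # connector GUID is a placeholder; the simulated client ignores it
    print(poll_isolation(client, "CONNECTOR-GUID-PLACEHOLDER", "isolated",
                         interval_in_seconds=5, timeout_in_seconds=20,
                         sleep=clock.sleep, clock=clock.monotonic))
```

With the page's own example values (interval 5, timeout 20) a request that settles on the third poll returns after 10 virtual seconds, while one that never leaves pending_start raises after the fifth poll at the 20-second deadline.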

#### Context Output

Path | Type | Description |
---|---|---|
CiscoAMP.ComputerIsolation.connector_guid | String | ID of the connector. |
CiscoAMP.ComputerIsolation.available | Boolean | Set to true if isolation can be performed on the computer. |
CiscoAMP.ComputerIsolation.status | String | Will be set to one of: not_isolated, pending_start, isolated and pending_stop. |
CiscoAMP.ComputerIsolation.unlock_code | String | Isolation unlock code. |
CiscoAMP.ComputerIsolation.comment | String | Isolation comment. |
CiscoAMP.ComputerIsolation.isolated_by | String | Isolation initiator. |

#### Command example

`!cisco-amp-computer-isolation-create connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 comment="readme generate test" unlock_code=unlockme interval_in_seconds=5 timeout_in_seconds=20`

#### Human Readable Output

Isolation Information

Available | Status | Unlock Code | Comment | Isolated By |
---|---|---|---|---|
true | isolated | unlockme | readme generate test | Lior Sabri |

### cisco-amp-computer-isolation-delete

Request isolation stop for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done in the Cisco AMP console: log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

#### Base Command

`cisco-amp-computer-isolation-delete`

#### Input

Argument Name | Description | Required |
---|---|---|
interval_in_seconds | The interval in seconds between each poll. Default is 30. | Optional |
timeout_in_seconds | The timeout in seconds until polling ends. Default is 600. | Optional |
connector_guid | The connector GUID for a specific computer. | Required |
comment | Comment for isolation deletion. | Optional |
status | Status of the current run. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
CiscoAMP.ComputerIsolation.available | Boolean | Set to true if isolation can be performed on the computer. |
CiscoAMP.ComputerIsolation.status | String | Will be set to one of: not_isolated, pending_start, isolated and pending_stop. |
CiscoAMP.ComputerIsolation.unlock_code | String | Isolation unlock code. |
CiscoAMP.ComputerIsolation.comment | String | Isolation comment. |
CiscoAMP.ComputerIsolation.isolated_by | String | Isolation initiator. |

#### Command example

`!cisco-amp-computer-isolation-delete connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 comment="End readme test" interval_in_seconds=5 timeout_in_seconds=20`

#### Human Readable Output

Fetching Results:

### cisco-amp-event-list

Fetch a list of events that can be filtered by a variety of criteria. Each criterion type is logically ANDed with the other criterion types; the selections within one criterion type are logically ORed. This is analogous to the Events view on the FireAMP Console.

#### Base Command

`cisco-amp-event-list`

#### Input

Argument Name | Description | Required |
---|---|---|
detection_sha256 | Detection SHA-256 to filter by. | Optional |
application_sha256 | Application SHA-256 to filter by. | Optional |
connector_guid | Comma-separated list for connector GUIDs to filter by. | Optional |
group_guid | Comma-separated list for group GUIDs to filter by. | Optional |
start_date | Fetch events that are newer than the given time. | Optional |
event_type | Comma-separated list for event types to filter by. | Optional |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
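
The AND-across-types, OR-within-a-type rule determines what a combined filter actually returns, and it is easy to get backwards when building arguments in a playbook. The added example below (not the integration's own code) implements that rule over constructed sample events shaped like CiscoAMP.Event so the semantics can be checked locally: each comma-separated argument becomes one criterion whose values are ORed, every supplied criterion must match (AND), and start_date keeps only events strictly newer than the given time. The event contents and GUIDs are made up; the event_type_id values are the ones listed by cisco-amp-event-type-list on this page; `split_csv` and `filter_events` are this example's names.

```python
from datetime import datetime, timezone
from typing import Callable, Iterable, List, Optional, Set, Tuple, Union

# Constructed sample events shaped like CiscoAMP.Event (GUIDs and hashes are made up;
# the event_type_id values are taken from the event-type table on this page).
SAMPLE_EVENTS = [
    {"id": 1, "date": "2022-10-31T12:15:13+00:00", "event_type_id": 554696714,
     "connector_guid": "c-1", "group_guids": ["g-1"],
     "detection_sha256": "11" * 32, "application_sha256": "aa" * 32},
    {"id": 2, "date": "2022-10-31T11:55:05+00:00", "event_type_id": 1091567628,
     "connector_guid": "c-2", "group_guids": ["g-1", "g-2"],
     "detection_sha256": "22" * 32, "application_sha256": "bb" * 32},
    {"id": 3, "date": "2022-10-30T09:00:00+00:00", "event_type_id": 1091567628,
     "connector_guid": "c-3", "group_guids": ["g-3"],
     "detection_sha256": "22" * 32, "application_sha256": "cc" * 32},
    {"id": 4, "date": "2022-10-31T08:30:00+00:00", "event_type_id": 553648130,
     "connector_guid": "c-1", "group_guids": ["g-2"],
     "detection_sha256": None, "application_sha256": None},
]

CsvArg = Union[str, Iterable[str], None]


def split_csv(value: CsvArg) -> Set[str]:
    """Turn a comma-separated argument (or an already-split list) into a set of trimmed values."""
    if value is None:
        return set()
    parts = value.split(",") if isinstance(value, str) else value
    return {str(part).strip() for part in parts if str(part).strip()}


def parse_iso(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; naive values are taken as UTC."""
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def filter_events(events: List[dict], detection_sha256: Optional[str] = None,
                  application_sha256: Optional[str] = None, connector_guid: CsvArg = None,
                  group_guid: CsvArg = None, start_date: Optional[str] = None,
                  event_type: CsvArg = None) -> List[dict]:
    """Apply the event-list filter semantics: OR within a criterion, AND across criteria."""
    # Each criterion: (extractor of the event's values, accepted values).
    criteria: List[Tuple[Callable[[dict], Set[str]], Set[str]]] = []
    if connector_guid:
        criteria.append((lambda e: {e["connector_guid"]}, split_csv(connector_guid)))
    if group_guid:
        criteria.append((lambda e: set(e["group_guids"]), split_csv(group_guid)))
    if event_type:
        criteria.append((lambda e: {str(e["event_type_id"])}, split_csv(event_type)))
    if detection_sha256:
        criteria.append((lambda e: {(e.get("detection_sha256") or "").lower()},
                         {detection_sha256.lower()}))
    if application_sha256:
        criteria.append((lambda e: {(e.get("application_sha256") or "").lower()},
                         {application_sha256.lower()}))
    newer_than = parse_iso(start_date) if start_date else None

    matched = []
    for event in events:
        if newer_than is not None and parse_iso(event["date"]) <= newer_than:
            continue  # start_date means strictly newer than the given time
        # all(): AND across criterion types; set intersection: OR within one type.
        if all(extract(event) & accepted for extract, accepted in criteria):
            matched.append(event)
    return matched


if __name__ == "__main__":
    # Two connectors ORed, then ANDed with one event type.
    for event in filter_events(SAMPLE_EVENTS, connector_guid="c-1, c-2", event_type="1091567628"):
        print(event["id"], event["date"], event["connector_guid"])
```

Passing `connector_guid="c-1, c-2"` alone matches every event from either connector, while adding `event_type="1091567628"` narrows that to the one scan-with-detections event on those connectors, which is the AND/OR behaviour the description states.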

#### Context Output

Path | Type | Description |
---|---|---|
CiscoAMP.Event.id | Number | Event's ID. |
CiscoAMP.Event.timestamp | Number | Event's timestamp. |
CiscoAMP.Event.timestamp_nanoseconds | Number | Event's timestamp in nanoseconds. |
CiscoAMP.Event.date | Date | Event's date. |
CiscoAMP.Event.event_type | String | Event's type. |
CiscoAMP.Event.event_type_id | Number | Event's type ID. |
CiscoAMP.Event.detection | String | Event's detection. |
CiscoAMP.Event.detection_id | String | Event's detection ID. |
CiscoAMP.Event.connector_guid | String | GUID of the connector. |
CiscoAMP.Event.group_guids | String | Event's group GUID. |
CiscoAMP.Event.severity | String | Event's severity. |
CiscoAMP.Event.computer.connector_guid | String | GUID of the connector. |
CiscoAMP.Event.computer.hostname | String | Host's name. |
CiscoAMP.Event.computer.external_ip | String | External IP. |
CiscoAMP.Event.computer.active | Boolean | Whether the computer is active. |
CiscoAMP.Event.computer.user | String | Computer user. |
CiscoAMP.Event.computer.network_addresses.ip | String | List of IP addresses. |
CiscoAMP.Event.computer.network_addresses.mac | String | List of MAC addresses. |
CiscoAMP.Event.file.disposition | String | Disposition of the file. |
CiscoAMP.Event.file.file_name | String | Name of the file. |
CiscoAMP.Event.file.file_path | String | Path to the file. |
CiscoAMP.Event.file.identity.sha256 | String | File's SHA-256. |
CiscoAMP.Event.file.identity.sha1 | String | File's SHA-1. |
CiscoAMP.Event.file.identity.md5 | String | File's MD5. |
CiscoAMP.Event.file.parent.process_id | Number | Parent's process ID. |
CiscoAMP.Event.file.parent.file_name | String | Parent's file name. |
CiscoAMP.Event.file.parent.disposition | String | Parent's disposition. |
CiscoAMP.Event.file.parent.identity.sha256 | String | Parent's SHA-256. |
CiscoAMP.Event.file.parent.identity.sha1 | String | Parent's SHA-1. |
CiscoAMP.Event.file.parent.identity.md5 | String | Parent's MD5. |
CiscoAMP.Event.scan.description | String | Description of the scan. |
CiscoAMP.Event.scan.clean | Boolean | Whether the scan is clean. |
CiscoAMP.Event.scan.scanned_files | Number | Number of scanned files. |
CiscoAMP.Event.scan.scanned_processes | Number | Number of scanned processes. |
CiscoAMP.Event.scan.scanned_paths | Number | Number of scanned paths. |
CiscoAMP.Event.scan.malicious_detections | Number | Number of malicious detections. |
File.MD5 | String | The MD5 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.Name | String | The full file name (including file extension). |
File.Path | String | The path where the file is located. |
File.Hostname | String | The name of the host where the file was found. |
File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
File.Malicious.Description | String | A description of why the file was determined to be malicious. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
DBotScore.Score | Number | The actual score. |
#
Command example!cisco-amp-event-list limit=5
#
Context Example#
Human Readable Output#
Results
Current Item Count | Index | Items Per Page | Total |
---|---|---|---|
5 | 0 | 5 | 1228 |
#
Event Information
ID | Date | Event Type | Connector GUID |
---|---|---|---|
1667218513509436397 | 2022-10-31T12:15:13+00:00 | Endpoint Isolation Stop Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 |
1667218506680244597 | 2022-10-31T12:15:06+00:00 | Endpoint Isolation Start Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 |
1667217305855411965 | 2022-10-31T11:55:05+00:00 | Endpoint Isolation Stop Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 |
1667217298837175263 | 2022-10-31T11:54:58+00:00 | Endpoint Isolation Start Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 |
1667216545769121964 | 2022-10-31T11:42:25+00:00 | Endpoint Isolation Stop Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 |
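Every list command on this page takes the same page, page_size (maximum 500) and limit arguments, and prints a Results header (Current Item Count, Index, Items Per Page, Total) describing the page it returned. The following helper is an added example, not code from the Cisco AMP pack: it walks such a paginated listing until limit is reached or the metadata shows the collection is exhausted. The fetch_page callable and the 1-based page numbering are assumptions standing in for whatever runs the actual command; the event collection is constructed sample data.

```python
from typing import Callable, Dict, List, Tuple

MAX_PAGE_SIZE = 500  # documented maximum for page_size

# (items, Results metadata) returned by one page request; the metadata keys
# mirror the Results header the list commands print.
Page = Tuple[List[dict], Dict[str, int]]


def collect_all(fetch_page: Callable[[int, int], Page], limit: int,
                page_size: int = 100) -> Tuple[List[dict], int]:
    """Return (items, pages_requested) for at most `limit` items.

    page_size is clamped to the documented maximum and to `limit`, and the
    loop stops as soon as the metadata shows the collection is exhausted,
    so asking for 5 items out of 1228 costs exactly one request.
    """
    if limit <= 0:
        return [], 0
    page_size = min(page_size, MAX_PAGE_SIZE, limit)
    collected: List[dict] = []
    page = 1  # assumption: the page argument is 1-based
    requests = 0
    while len(collected) < limit:
        items, meta = fetch_page(page, page_size)
        requests += 1
        collected.extend(items)
        exhausted = meta["index"] + meta["current_item_count"] >= meta["total"]
        if not items or exhausted:
            break
        page += 1
    return collected[:limit], requests


# Constructed sample collection (not real API data): 12 alternating
# isolation stop/start events.
SAMPLE_EVENTS = [
    {"id": 1667216545769121964 + i,
     "event_type": "Endpoint Isolation Start Success" if i % 2 else "Endpoint Isolation Stop Success"}
    for i in range(12)
]


def fake_fetch_page(page: int, page_size: int) -> Page:
    """Stand-in for running !cisco-amp-event-list page=N page_size=M."""
    start = (page - 1) * page_size
    chunk = SAMPLE_EVENTS[start:start + page_size]
    meta = {"current_item_count": len(chunk), "index": start,
            "items_per_page": page_size, "total": len(SAMPLE_EVENTS)}
    return chunk, meta


if __name__ == "__main__":
    events, calls = collect_all(fake_fetch_page, limit=7, page_size=5)
    print(f"{len(events)} events in {calls} requests")
```

The early exit on `index + current_item_count >= total` matters in playbooks: without it a loop keyed only on `limit` keeps requesting empty pages when the organization has fewer events than the limit asked for.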
#
cisco-amp-event-type-list
Fetches a list of event types. Each event type has a unique ID; events are identified and filtered by these IDs (for example, in the Event types integration parameter).
#
Base Commandcisco-amp-event-type-list
#
InputArgument Name | Description | Required |
---|---|---|
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.EventType.id | Number | Event type ID. |
CiscoAMP.EventType.name | String | Event type name. |
CiscoAMP.EventType.description | String | Event type description. |
#
Command example!cisco-amp-event-type-list limit=5
#
Context Example#
Human Readable Output#
Results
Total |
---|
106 |
#
Event Type Information
ID | Name | Description |
---|---|---|
50331649 | Initial Agent Registration | A new agent has registered with the system. |
553648130 | Policy Update | An agent has been told to fetch policy. |
554696714 | Scan Started | An agent has started scanning. |
554696715 | Scan Completed, No Detections | A scan has completed without detecting anything malicious. |
1091567628 | Scan Completed With Detections | A scan has completed and detected malicious items. |
#
cisco-amp-file-list-list
Returns file lists of the application blocking or simple custom detection type. Provide file_list_guid to retrieve a particular file list; otherwise all file lists of the selected file_list_type are returned. Defaults to application_blocking.
#
Base Commandcisco-amp-file-list-list
#
InputArgument Name | Description | Required |
---|---|---|
file_list_type | Type of file list to return. Possible values are: Application Blocking, Simple Custom Detection. Default is Application Blocking. | Optional |
name | Comma-separated list of names to filter by (has auto complete capabilities). | Optional |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
file_list_guid | GUID of a specific file list to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.FileList.name | String | File list name. |
CiscoAMP.FileList.guid | String | File list GUID. |
CiscoAMP.FileList.type | String | File list type (application_blocking or simple_custom_detection). |
#
Command example!cisco-amp-file-list-list
#
Context Example#
Human Readable Output#
Results
Current Item Count | Index | Items Per Page | Total |
---|---|---|---|
1 | 0 | 100 | 1 |
#
File List Information
GUID | Name | Type |
---|---|---|
1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12 | Blocked Application List | application_blocking |
#
cisco-amp-file-list-item-list
Returns the items of a particular file list. file_list_guid must be provided. A single item can be returned by providing its SHA-256.
#
Base Commandcisco-amp-file-list-item-list
#
InputArgument Name | Description | Required |
---|---|---|
file_list_guid | GUID of the file list whose items to return. | Required |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
sha256 | File list item SHA-256 to search. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.FileListItem.name | String | Name of file list. |
CiscoAMP.FileListItem.guid | String | File list GUID. |
CiscoAMP.FileListItem.policies.name | String | Name of the policy. |
CiscoAMP.FileListItem.policies.guid | String | Policy GUID. |
CiscoAMP.FileListItem.items.sha256 | String | Item SHA-256. |
CiscoAMP.FileListItem.items.source | String | Item source. |
#
Command example!cisco-amp-file-list-item-list file_list_guid=1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12
#
Context Example#
Human Readable Output#
Results
Current Item Count | Index | Items Per Page | Total |
---|---|---|---|
0 | 0 | 100 | 0 |
#
File List Item Information
No entries.
#
Related Policy Information
Name | GUID |
---|---|
Audit | be84e169-0830-4b95-915b-1e203a82ed58 |
Protect | a599bf5b-2cb7-4a5b-90bd-d0199e2ccd67 |
Triage | 1a352c59-793b-44f3-b8f9-0ddd354057bc |
Server | dd1da971-926c-42ab-9e5a-154f2695d995 |
Domain Controller | fa0c377e-8f0a-40ab-885a-afc8c08d3732 |
Audit | 9f2fa537-df5d-4c6c-abf3-edc25a893a7a |
Protect | 30fba653-eb4e-4c3d-b1bb-1cef9f0e31e4 |
Triage | cfcf4841-bf00-4030-8ac3-4a607ecf245e |
Audit | b4e266c8-ebd1-4e94-80b6-b04a966cb0d5 |
Protect | 653508ed-28d4-465a-80c4-7ed9c0232b55 |
#
cisco-amp-file-list-item-create
Adds an item with the given SHA-256 to the file list with the given file_list_guid.
#
Base Commandcisco-amp-file-list-item-create
#
InputArgument Name | Description | Required |
---|---|---|
file_list_guid | GUID of the file list to add the item to. | Required |
sha256 | File list item's SHA-256 to add. | Required |
description | Description for the created item. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.FileListItem.sha256 | String | Item SHA-256. |
CiscoAMP.FileListItem.description | String | File's description. |
CiscoAMP.FileListItem.source | String | Item source. |
#
Command example!cisco-amp-file-list-item-create file_list_guid=1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12 sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
#
Context Example#
Human Readable Output#
File List Item Information
SHA-256 | Source |
---|---|
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad | Created by entering SHA-256 via Public api. |
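A file list only accepts SHA-256 values, and a playbook that feeds alert hashes into cisco-amp-file-list-item-create typically receives a mix of MD5, SHA-1 and SHA-256 strings in mixed case. The helper below is an added example, not the pack's code: it validates and normalizes candidate hashes, skips those already present in the list (in the CiscoAMP.FileListItem.items shape shown above), and produces the argument set for each item that should be created. The existing-item and candidate values are constructed sample data; the file list GUID is the one from the command example.

```python
import re
from typing import Dict, Iterable, List

SHA256_RE = re.compile(r"[0-9a-f]{64}")

FILE_LIST_GUID = "1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12"

# Constructed sample of existing list items, in the shape of
# CiscoAMP.FileListItem.items. The hash is the one from the command examples
# above, deliberately upper-cased to exercise normalization.
EXISTING_ITEMS = [
    {"sha256": "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD",
     "source": "Created by entering SHA-256 via Public api."},
]

# Constructed candidates: already listed, an MD5, a new SHA-256, the same
# new SHA-256 in upper case, and garbage.
CANDIDATES = [
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "d41d8cd98f00b204e9800998ecf8427e",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "not-a-hash",
]


def plan_file_list_additions(file_list_guid: str, existing_items: Iterable[dict],
                             candidates: Iterable[str], description: str = "") -> Dict[str, object]:
    """Return {"create": [argument dicts], "skipped": {candidate: reason}}.

    Only well-formed SHA-256 values that are not already on the list are
    scheduled; MD5/SHA-1 strings, malformed input and duplicates are
    reported rather than submitted.
    """
    present = {item["sha256"].strip().lower() for item in existing_items}
    create: List[Dict[str, str]] = []
    skipped: Dict[str, str] = {}
    scheduled = set()
    for raw in candidates:
        value = raw.strip().lower()
        if not SHA256_RE.fullmatch(value):
            skipped[raw] = f"not a SHA-256 (got {len(value)} characters)"
        elif value in present:
            skipped[raw] = "already in file list"
        elif value in scheduled:
            skipped[raw] = "duplicate candidate"
        else:
            scheduled.add(value)
            args = {"file_list_guid": file_list_guid, "sha256": value}
            if description:
                args["description"] = description
            create.append(args)
    return {"create": create, "skipped": skipped}


def to_command_line(args: Dict[str, str]) -> str:
    """Render one planned addition as the command typed in the War Room."""
    parts = [f'{k}="{v}"' if " " in v else f"{k}={v}" for k, v in args.items()]
    return "!cisco-amp-file-list-item-create " + " ".join(parts)


if __name__ == "__main__":
    plan = plan_file_list_additions(FILE_LIST_GUID, EXISTING_ITEMS, CANDIDATES, "blocked by playbook")
    for args in plan["create"]:
        print(to_command_line(args))
    for candidate, reason in plan["skipped"].items():
        print(f"skipped {candidate}: {reason}")
```

Run cisco-amp-file-list-item-list with the same file_list_guid first to obtain the existing items; the plan then avoids re-creating entries and surfaces every hash that could not be used as-is.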
#
cisco-amp-file-list-item-delete
Deletes the item with the given SHA-256 from the file list with the given file_list_guid.
#
Base Commandcisco-amp-file-list-item-delete
#
InputArgument Name | Description | Required |
---|---|---|
file_list_guid | GUID of the file list to delete the item from. | Required |
sha256 | File list item SHA-256 to delete. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!cisco-amp-file-list-item-delete file_list_guid=1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12 sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
#
Human Readable OutputSHA-256: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" Successfully deleted from File List GUID: "1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12".
#
cisco-amp-group-list
Provides information about the groups in an organization.
#
Base Commandcisco-amp-group-list
#
InputArgument Name | Description | Required |
---|---|---|
name | Name to filter by (has auto complete capabilities). | Optional |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
group_guid | GUID of a specific group to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.Group.name | String | Name of the group. |
CiscoAMP.Group.description | String | Group's description. |
CiscoAMP.Group.guid | String | Group GUID. |
CiscoAMP.Group.source | String | Creation source. |
CiscoAMP.Group.creator | String | Creator of the group. |
CiscoAMP.Group.created_at | Date | Date of creation. |
CiscoAMP.Group.computers_count | Number | Number of computers in the group. |
CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. |
CiscoAMP.Group.ancestry.name | String | Parent group name. |
CiscoAMP.Group.ancestry.guid | String | Parent group GUID. |
CiscoAMP.Group.child_groups.name | String | Child group name. |
CiscoAMP.Group.child_groups.guid | String | Child group GUID. |
CiscoAMP.Group.policies.name | String | Policy name. |
CiscoAMP.Group.policies.description | String | Policy description. |
CiscoAMP.Group.policies.guid | String | Policy GUID. |
CiscoAMP.Group.policies.product | String | Policy operating system product. |
CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. |
CiscoAMP.Group.policies.serial_number | Number | Policy serial number. |
CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. |
CiscoAMP.Group.policies.file_lists.name | String | File list name. |
CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. |
CiscoAMP.Group.policies.file_lists.type | String | File list type. |
CiscoAMP.Group.policies.ip_lists.name | String | IP list name. |
CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. |
CiscoAMP.Group.policies.ip_lists.type | String | IP list type. |
CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. |
CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. |
CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group it is used in. |
CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group it is used in. |
CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group it is used in. |
CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group it is used in. |
#
Command example!cisco-amp-group-list
#
Context Example#
Human Readable Output#
Results
Current Item Count | Index | Items Per Page | Total |
---|---|---|---|
9 | 0 | 100 | 9 |
#
Group Information
Name | Description | GUID | Source |
---|---|---|---|
Audit | Audit Group for QMASTERS SECURITY SERVICES LTD | fedd82f8-c74f-49f4-a463-e576d3beee92 | |
Domain Controller | Domain Controller Group for QMASTERS SECURITY SERVICES LTD | 92615a6b-631f-4436-b2da-47e94b349737 | |
group todelete | playbook delete | e66a0f8a-47f6-4da5-bf95-2834f668d71b | Created via API |
Lior-Group | Test group | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | |
Lior-Group-child | Test child group | 8b5245b5-993b-4ba9-9fe0-fb0454e815e5 | |
Protect | Protect Group for QMASTERS SECURITY SERVICES LTD | 5b1857e3-ba49-46cf-9bf1-0cad6b5ecd18 | |
readme group to delete | readme test group to be deleted | d088adeb-7cb4-48e4-807b-edcb828f4d29 | Created via API |
Server | Server Group for QMASTERS SECURITY SERVICES LTD | 9b54e512-b5ac-4865-ba1f-8cf2fbfbe052 | |
Triage | Triage Group for QMASTERS SECURITY SERVICES LTD | 6ed80412-0739-42c1-8f6d-32fb51b3f894 | |
#
cisco-amp-group-policy-update
Assigns policies to a group, one per operating system, and returns the group together with all of its policies.
#
Base Commandcisco-amp-group-policy-update
#
InputArgument Name | Description | Required |
---|---|---|
group_guid | Group's GUID. | Required |
windows_policy_guid | Policy GUID for Windows. | Optional |
mac_policy_guid | Policy GUID for macOS. | Optional |
android_policy_guid | Policy GUID for Android. | Optional |
linux_policy_guid | Policy GUID for Linux. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.Group.name | String | Name of the group. |
CiscoAMP.Group.description | String | Group's description. |
CiscoAMP.Group.guid | String | Group GUID. |
CiscoAMP.Group.source | String | Creation source. |
CiscoAMP.Group.creator | String | Creator of the group. |
CiscoAMP.Group.created_at | Date | Date of creation. |
CiscoAMP.Group.computers_count | Number | Number of computers in the group. |
CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. |
CiscoAMP.Group.ancestry.name | String | Parent group name. |
CiscoAMP.Group.ancestry.guid | String | Parent group GUID. |
CiscoAMP.Group.child_groups.name | String | Child group name. |
CiscoAMP.Group.child_groups.guid | String | Child group GUID. |
CiscoAMP.Group.policies.name | String | Policy name. |
CiscoAMP.Group.policies.description | String | Policy description. |
CiscoAMP.Group.policies.guid | String | Policy GUID. |
CiscoAMP.Group.policies.product | String | Policy operating system product. |
CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. |
CiscoAMP.Group.policies.serial_number | Number | Policy serial number. |
CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. |
CiscoAMP.Group.policies.file_lists.name | String | File list name. |
CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. |
CiscoAMP.Group.policies.file_lists.type | String | File list type. |
CiscoAMP.Group.policies.ip_lists.name | String | IP list name. |
CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. |
CiscoAMP.Group.policies.ip_lists.type | String | IP list type. |
CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. |
CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. |
CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group the policy is used in. |
CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group the policy is used in. |
CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group the policy is used in. |
CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group the policy is used in. |
#
Command example!cisco-amp-group-policy-update group_guid=bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 windows_policy_guid=91c7894d-dd69-4a21-8cf6-5ebfc57ef4df
#
Context Example#
Human Readable Output#
Group Information
Name | Description | Creator | Created At | Computers Count | Descendant Computers Count |
---|---|---|---|---|---|
Lior-Group | Test group | | 2022-10-25 13:42:36 | 1 | 0 |
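Each policy in cisco-amp-policy-list carries a product (windows, mac, linux, android, ios), and cisco-amp-group-policy-update takes one GUID argument per product. Passing a GUID under the wrong argument is an easy mistake in a playbook, so the following added example (not code from the pack) resolves each GUID against the policy list and places it under the argument its product requires, refusing unknown GUIDs, ios policies (which this command has no argument for) and two policies for one product. The policy subset is constructed from the cisco-amp-policy-list output shown on this page.

```python
from typing import Dict, Iterable, List

# Argument name on cisco-amp-group-policy-update for each policy product.
ARG_BY_PRODUCT = {
    "windows": "windows_policy_guid",
    "mac": "mac_policy_guid",
    "android": "android_policy_guid",
    "linux": "linux_policy_guid",
}

# Constructed subset of the cisco-amp-policy-list output shown on this page
# (guid, name and product only).
POLICIES: List[dict] = [
    {"guid": "91c7894d-dd69-4a21-8cf6-5ebfc57ef4df", "name": "Lior-test", "product": "windows"},
    {"guid": "a599bf5b-2cb7-4a5b-90bd-d0199e2ccd67", "name": "Protect", "product": "windows"},
    {"guid": "30fba653-eb4e-4c3d-b1bb-1cef9f0e31e4", "name": "Protect", "product": "mac"},
    {"guid": "653508ed-28d4-465a-80c4-7ed9c0232b55", "name": "Protect", "product": "linux"},
    {"guid": "082bc9a3-b73a-4f42-8cc5-de1cd3748700", "name": "Protect", "product": "android"},
    {"guid": "c90936b3-2ad7-458c-90a3-a806d50ed16e", "name": "Protect", "product": "ios"},
]


def build_policy_update_args(group_guid: str, policy_guids: Iterable[str],
                             policies: List[dict] = POLICIES) -> Dict[str, str]:
    """Map each policy GUID onto the per-OS argument its product requires.

    Raises ValueError for a GUID not in the policy list, for a product the
    command cannot set (ios), and for two policies of the same product.
    """
    by_guid = {p["guid"]: p for p in policies}
    args = {"group_guid": group_guid}
    for guid in policy_guids:
        policy = by_guid.get(guid)
        if policy is None:
            raise ValueError(f"unknown policy GUID {guid}; refresh with cisco-amp-policy-list")
        arg = ARG_BY_PRODUCT.get(policy["product"])
        if arg is None:
            raise ValueError(f"policy {guid} is for {policy['product']}, which this command cannot set")
        if arg in args:
            raise ValueError(f"two {policy['product']} policies given: {args[arg]} and {guid}")
        args[arg] = guid
    return args


def to_command_line(args: Dict[str, str]) -> str:
    """Render the arguments as the command typed in the War Room."""
    return "!cisco-amp-group-policy-update " + " ".join(f"{k}={v}" for k, v in args.items())


if __name__ == "__main__":
    args = build_policy_update_args(
        "bb5a9f90-d6fa-4fe7-99c8-e91060b49a98",
        ["91c7894d-dd69-4a21-8cf6-5ebfc57ef4df", "30fba653-eb4e-4c3d-b1bb-1cef9f0e31e4"],
    )
    print(to_command_line(args))
```

Fetch the policy list with cisco-amp-policy-list immediately before building the arguments; GUIDs of deleted policies would otherwise pass the lookup.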
#
cisco-amp-group-parent-update
Converts an existing group to a child of another group, or an existing child group to a root group (that is, one with no parent groups).
#
Base Commandcisco-amp-group-parent-update
#
InputArgument Name | Description | Required |
---|---|---|
child_guid | GUID of the group to move. | Required |
parent_group_guid | GUID of the group to set as the parent. Omit it to make the group a root group. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.Group.name | String | Name of the group. |
CiscoAMP.Group.description | String | Group's description. |
CiscoAMP.Group.guid | String | Group GUID. |
CiscoAMP.Group.source | String | Creation source. |
CiscoAMP.Group.creator | String | Creator of the group. |
CiscoAMP.Group.created_at | Date | Date of creation. |
CiscoAMP.Group.computers_count | Number | Number of computers in the group. |
CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. |
CiscoAMP.Group.ancestry.name | String | Parent group name. |
CiscoAMP.Group.ancestry.guid | String | Parent group GUID. |
CiscoAMP.Group.child_groups.name | String | Child group name. |
CiscoAMP.Group.child_groups.guid | String | Child group GUID. |
CiscoAMP.Group.policies.name | String | Policy name. |
CiscoAMP.Group.policies.description | String | Policy description. |
CiscoAMP.Group.policies.guid | String | Policy GUID. |
CiscoAMP.Group.policies.product | String | Policy operating system product. |
CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. |
CiscoAMP.Group.policies.serial_number | Number | Policy serial number. |
CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. |
CiscoAMP.Group.policies.file_lists.name | String | File list name. |
CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. |
CiscoAMP.Group.policies.file_lists.type | String | File list type. |
CiscoAMP.Group.policies.ip_lists.name | String | IP list name. |
CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. |
CiscoAMP.Group.policies.ip_lists.type | String | IP list type. |
CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. |
CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. |
CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group it is used in. |
CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group it is used in. |
CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group it is used in. |
CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group it is used in. |
#
Command example!cisco-amp-group-parent-update child_guid=bb5a9f90-d6fa-4fe7-99c8-e91060b49a98
#
Context Example#
Human Readable Output#
Group Information
Name | Description | Creator | Created At | Computers Count | Descendant Computers Count |
---|---|---|---|---|---|
Lior-Group | Test group | | 2022-10-25 13:42:36 | 1 | 0 |
#
cisco-amp-group-create
Creates a new group with the given name and description.
#
Base Commandcisco-amp-group-create
#
InputArgument Name | Description | Required |
---|---|---|
name | Group name. | Required |
description | Group description. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.Group.name | String | Name of the group. |
CiscoAMP.Group.description | String | Group's description. |
CiscoAMP.Group.guid | String | Group GUID. |
CiscoAMP.Group.source | String | Creation source. |
CiscoAMP.Group.creator | String | Creator of the group. |
CiscoAMP.Group.created_at | Date | Date of creation. |
CiscoAMP.Group.computers_count | Number | Number of computers in the group. |
CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. |
CiscoAMP.Group.policies.name | String | Policy name. |
CiscoAMP.Group.policies.description | String | Policy description. |
CiscoAMP.Group.policies.guid | String | Policy GUID. |
CiscoAMP.Group.policies.product | String | Policy operating system product. |
CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. |
CiscoAMP.Group.policies.serial_number | Number | Policy serial number. |
CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. |
CiscoAMP.Group.policies.file_lists.name | String | File list name. |
CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. |
CiscoAMP.Group.policies.file_lists.type | String | File list type. |
CiscoAMP.Group.policies.ip_lists.name | String | IP list name. |
CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. |
CiscoAMP.Group.policies.ip_lists.type | String | IP list type. |
CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. |
CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. |
CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group it is used in. |
CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group it is used in. |
CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group it is used in. |
CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group it is used in. |
#
Command example!cisco-amp-group-create description="readme test group to be deleted" name="readme group"
#
Context Example#
Human Readable Output#
Group Information
Name | Description | Created At | Computers Count | Descendant Computers Count |
---|---|---|---|---|
readme group | readme test group to be deleted | 2022-10-31 12:16:25 | 0 | 0 |
#
cisco-amp-group-delete
Deletes the group with the given GUID.
#
Base Commandcisco-amp-group-delete
#
InputArgument Name | Description | Required |
---|---|---|
group_guid | Group's GUID. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!cisco-amp-group-delete group_guid=d088adeb-7cb4-48e4-807b-edcb828f4d29
#
Human Readable OutputGroup GUID: "d088adeb-7cb4-48e4-807b-edcb828f4d29" Successfully deleted.
#
cisco-amp-indicator-list
Shows information about indicators of compromise (IOCs), including their severity and MITRE ATT&CK mapping.
#
Base Commandcisco-amp-indicator-list
#
InputArgument Name | Description | Required |
---|---|---|
indicator_guid | GUID of a specific indicator to return. | Optional |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.Indicator.name | String | Indicator name. |
CiscoAMP.Indicator.description | String | Indicator description. |
CiscoAMP.Indicator.guid | String | Indicator GUID. |
CiscoAMP.Indicator.severity | String | Indicator severity. |
CiscoAMP.Indicator.mitre.tactics.external_id | String | MITRE ATT&CK tactic ID. |
CiscoAMP.Indicator.mitre.tactics.name | String | MITRE ATT&CK tactic name. |
CiscoAMP.Indicator.mitre.tactics.mitre_url | String | MITRE ATT&CK tactic URL. |
CiscoAMP.Indicator.mitre.techniques.external_id | String | MITRE ATT&CK technique ID. |
CiscoAMP.Indicator.mitre.techniques.name | String | MITRE ATT&CK technique name. |
CiscoAMP.Indicator.mitre.techniques.mitre_url | String | MITRE ATT&CK technique URL. |
CiscoAMP.Indicator.observed_compromises | Number | Total number of observed compromises. |
CiscoAMP.Indicator.observed_compromises.unresolved | Number | Number of unresolved compromises. |
CiscoAMP.Indicator.observed_compromises.in_progress | Number | Number of compromises in progress. |
CiscoAMP.Indicator.observed_compromises.resolved | Number | Number of resolved compromises. |
#
Command example!cisco-amp-indicator-list limit=5
#
Context Example#
Human Readable Output#
Results
Current Item Count | Index | Items Per Page | Total |
---|---|---|---|
5 | 0 | 5 | 910 |
#
Indicator Information
GUID | Name | Description | Severity | Observed Compromises |
---|---|---|---|---|
5593ab7e-1db5-4759-9785-96c55824b675 | Crossrider.ioc | Crossrider is an Adware variant that targets Mac with the intent of displaying ads. It also changes the default home page of Safari and Chrome browsers. | Medium | 0 |
fef2d8b2-95f6-4392-abec-fc1f6a670251 | Dummy.ioc | OSX.Dummy is a poorly executed Trojan variant. It requires users to input their password in order to complete its install. However, once this is done the malware will have complete access to the whole system, and it will persist itself via a LaunchDaemon. | Medium | 0 |
dcc66a98-5658-41d4-a1ca-887933a8b24f | GateDotPhp.ioc | Accessed URL matches characteristics of several malware families. | High | 1 |
940bdaf4-4c89-4423-a55e-410ed56143a8 | JS.Trojan.Generic_48153.ioc | JS.Trojan.Generic_48153 is malware that contacts a remote server over HTTP. This IOC is based on Snort Intrusion Prevention System (IPS) rule id:48153 from the malware detection rulesets. This IOC fires when a URI pattern similar to this malware has been detected. The components of the URI this IOC inspects for are: "/01/Carontex". | Critical | 0 |
318d030d-7fdc-48f4-afcd-66c7c75cade7 | Linux.AutostartPersistence.ioc | Most Linux distributions support creation of auto-start files. This consists of placing a configuration file with a .desktop extension in the .config/autostart location. In this case, a suspicious auto-start entry was created. Linux malware such as x-agent, also known as sofacy/sednit, is known to do that. | High | 0 |
#
cisco-amp-policy-list
Gets information about policies. Filter by product or name, or retrieve a specific policy by its policy_guid.
#
Base Commandcisco-amp-policy-list
#
InputArgument Name | Description | Required |
---|---|---|
policy_guid | Policy GUID. | Optional |
product | Comma-separated list of products to filter by (for example, windows, mac, linux, android, ios). | Optional |
name | Comma-separated list of names to filter by (has auto complete capabilities). | Optional |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.Policy.name | String | Policy name. |
CiscoAMP.Policy.description | String | Policy description. |
CiscoAMP.Policy.guid | String | Policy GUID. |
CiscoAMP.Policy.product | String | Operating system product the policy applies to. |
CiscoAMP.Policy.default | Boolean | Whether the policy is the default policy. |
CiscoAMP.Policy.serial_number | Number | Policy serial number. |
CiscoAMP.Policy.file_lists.name | String | File list name. |
CiscoAMP.Policy.file_lists.guid | String | File list GUID. |
CiscoAMP.Policy.file_lists.type | String | File list type. |
CiscoAMP.Policy.ip_lists.name | String | IP list name. |
CiscoAMP.Policy.ip_lists.guid | String | IP list GUID. |
CiscoAMP.Policy.ip_lists.type | String | IP list type. |
CiscoAMP.Policy.exclusion_sets.name | String | Exclusion set name. |
CiscoAMP.Policy.exclusion_sets.guid | String | Exclusion set GUID. |
CiscoAMP.Policy.used_in_groups.name | String | Group name. |
CiscoAMP.Policy.used_in_groups.description | String | Group description. |
CiscoAMP.Policy.used_in_groups.guid | String | Group GUID. |
#
Command example!cisco-amp-policy-list
#
Context Example#
Human Readable Output#
Results
Current Item Count | Index | Items Per Page | Total |
---|---|---|---|
14 | 0 | 100 | 14 |
#
Policy Information
GUID | Name | Description | Product | Serial Number |
---|---|---|---|---|
082bc9a3-b73a-4f42-8cc5-de1cd3748700 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | android | 11 |
5102948a-db78-4a94-849a-b9f12b04e526 | Audit | This policy puts Clarity in a mode that will log and alert on convictions but not block traffic. | ios | 23 |
c90936b3-2ad7-458c-90a3-a806d50ed16e | Protect | This is the standard policy for Clarity that will log and alert on convictions and block any potentially malicious traffic. | ios | 25 |
b4e266c8-ebd1-4e94-80b6-b04a966cb0d5 | Audit | This policy puts the Secure Endpoint Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked. | linux | 19 |
653508ed-28d4-465a-80c4-7ed9c0232b55 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | linux | 21 |
9f2fa537-df5d-4c6c-abf3-edc25a893a7a | Audit | This policy puts the Secure Endpoint Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked. | mac | 13 |
30fba653-eb4e-4c3d-b1bb-1cef9f0e31e4 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | mac | 15 |
cfcf4841-bf00-4030-8ac3-4a607ecf245e | Triage | This is an aggressive policy that enables the offline engine to scan computers that are suspected or known to be infected with malware. | mac | 17 |
be84e169-0830-4b95-915b-1e203a82ed58 | Audit | This policy puts the Secure Endpoint Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked. | windows | 29 |
fa0c377e-8f0a-40ab-885a-afc8c08d3732 | Domain Controller | This is a lightweight policy for use on Active Directory Domain Controllers. | windows | 10 |
91c7894d-dd69-4a21-8cf6-5ebfc57ef4df | Lior-test | Test policy | windows | 27 |
a599bf5b-2cb7-4a5b-90bd-d0199e2ccd67 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | windows | 28 |
dd1da971-926c-42ab-9e5a-154f2695d995 | Server | This is a lightweight policy for high availability computers and servers that require maximum performance and uptime. | windows | 8 |
1a352c59-793b-44f3-b8f9-0ddd354057bc | Triage | This is an aggressive policy that enables the offline engine to scan computers that are suspected or known to be infected with malware. | windows | 6 |
#
cisco-amp-app-trajectory-query-list
Retrieves app trajectory queries for a given iOS bundle ID.
#
Base Commandcisco-amp-app-trajectory-query-list
#
InputArgument Name | Description | Required |
---|---|---|
ios_bid | iOS bundle ID of the app (for example, com.apple.Safari.SafeBrowsing). | Required |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.AppTrajectoryQuery.connector_guid | String | GUID of the connector. |
CiscoAMP.AppTrajectoryQuery.bundle_id | String | Bundle ID. |
CiscoAMP.AppTrajectoryQuery.group_guids | String | List of group GUIDs. |
CiscoAMP.AppTrajectoryQuery.cdhash | String | Code directory (CD) hash of the app. |
CiscoAMP.AppTrajectoryQuery.timestamp | Number | Observed timestamp. |
CiscoAMP.AppTrajectoryQuery.timestamp_nanoseconds | Number | Observed timestamp in nanoseconds. |
CiscoAMP.AppTrajectoryQuery.date | Date | Observed date. |
CiscoAMP.AppTrajectoryQuery.query_type | String | The type of the query. |
CiscoAMP.AppTrajectoryQuery.network_info.dirty_url | String | The observed URL. |
CiscoAMP.AppTrajectoryQuery.network_info.remote_ip | String | Remote IP. |
CiscoAMP.AppTrajectoryQuery.network_info.remote_port | Number | Remote port. |
CiscoAMP.AppTrajectoryQuery.network_info.local_ip | String | Local IP. |
CiscoAMP.AppTrajectoryQuery.network_info.local_port | Number | Local port. |
CiscoAMP.AppTrajectoryQuery.network_info.direction | String | Outgoing or incoming connection. |
CiscoAMP.AppTrajectoryQuery.network_info.protocol | String | Communication protocol used. |
CiscoAMP.AppTrajectoryQuery.ver | String | Version. |
#
Command example!cisco-amp-app-trajectory-query-list ios_bid=com.apple.Safari.SafeBrowsing limit=5
#
Context Example#
Human Readable Output#
App Trajectory Information
Connector GUID | Date | Query Type | Dirty URL |
---|---|---|---|
dddd4ceb-4ce1-4f81-a7a7-04d13cc1df43 | 2022-10-24T12:01:59+00:00 | Network Query | https://configuration.apple.com/configurations/internetservices/safari/SafeBrowsingRemoteConfiguration-0.plist |
0f6ee17f-a31b-4b76-902f-7cf68a79089d | 2022-10-23T13:48:38+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch |
0f6ee17f-a31b-4b76-902f-7cf68a79089d | 2022-10-23T13:18:16+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch |
8aa97bc7-3cc1-47aa-ad0a-0e23d5493aff | 2022-10-23T12:30:46+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch |
8aa97bc7-3cc1-47aa-ad0a-0e23d5493aff | 2022-10-23T12:00:54+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch |
#
cisco-amp-version-get
Gets the API version.
#
Base Commandcisco-amp-version-get
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.Version.version | String | API version. |
#
Command example!cisco-amp-version-get
#
Context Example#
Human Readable OutputVersion: v1.2.0
#
cisco-amp-vulnerability-list
Fetches a list of vulnerabilities. This is analogous to the Vulnerable Software view in the AMP for Endpoints console. The list can be filtered to show only the vulnerable programs detected in a specific time range, or narrowed, by SHA-256, to the computers on which that vulnerable file was observed. Each list item summarizes the vulnerability: application name and version, SHA-256 of the executable file, the connectors on which the vulnerable application was observed, and the most recent CVSS score. IMPORTANT: the computers key returns information about only the last 1000 connectors on which the vulnerable application was observed.
#
Base Commandcisco-amp-vulnerability-list
#
InputArgument Name | Description | Required |
---|---|---|
sha256 | SHA-256 of the file that has been observed as vulnerable. | Optional |
group_guid | Comma-separated list of group GUIDs to filter by. | Optional |
start_time | The start date and time, expressed according to ISO 8601. Inclusive: the retrieved list includes vulnerable programs detected at start_time. | Optional |
end_time | The end date and/or time, expressed according to ISO 8601. Exclusive if end_time is a time: the list only includes vulnerable programs detected before end_time. Inclusive if end_time is a date: the list includes vulnerable programs detected on that date. | Optional |
page | Page number to return. | Optional |
page_size | Number of results in a page. Maximum is 500. | Optional |
limit | Number of total results to return. | Optional |
#
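The end_time rule above (inclusive for a date, exclusive for a timestamp) is the kind of detail that silently drops the last day of a reporting window. The helper below is an added example, not code from the pack: it turns a start_time/end_time pair into an explicit half-open UTC interval, rejects empty windows, and re-checks a detection time against that interval client-side. It assumes the two ISO 8601 shapes the arguments take (a date, or a timestamp with optional Z or offset) and treats naive timestamps as UTC; sample values are constructed.

```python
from datetime import date, datetime, timedelta, timezone
from typing import Optional, Tuple

DATE_ONLY_LEN = len("2022-10-31")


def _parse_iso(value: str) -> datetime:
    """Parse a date or timestamp into an aware UTC datetime.

    'Z' is rewritten to '+00:00' so fromisoformat accepts it on every
    supported Python version; naive values are assumed to be UTC.
    """
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def vulnerability_window(start_time: Optional[str],
                         end_time: Optional[str]) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Return (inclusive_start, exclusive_end) in UTC.

    A date-only end_time covers that whole day, so it becomes midnight of
    the following day as an exclusive bound; a timestamp end_time is
    already exclusive and is used as-is.
    """
    start = _parse_iso(start_time) if start_time else None
    end = None
    if end_time:
        if len(end_time) == DATE_ONLY_LEN:
            next_day = date.fromisoformat(end_time) + timedelta(days=1)
            end = datetime.combine(next_day, datetime.min.time(), tzinfo=timezone.utc)
        else:
            end = _parse_iso(end_time)
    if start is not None and end is not None and start >= end:
        raise ValueError(f"empty window: start_time {start_time} is not before end_time {end_time}")
    return start, end


def detected_in_window(detected_at: str, start_time: Optional[str],
                       end_time: Optional[str]) -> bool:
    """Client-side replica of the server rule: start <= detected < end."""
    start, end = vulnerability_window(start_time, end_time)
    t = _parse_iso(detected_at)
    return (start is None or t >= start) and (end is None or t < end)


if __name__ == "__main__":
    # Constructed sample: a detection late on 31 October is inside a window
    # ending on the date 2022-10-31 but outside one ending at noon that day.
    print(detected_in_window("2022-10-31T23:59:00Z", "2022-10-01", "2022-10-31"))
    print(detected_in_window("2022-10-31T23:59:00Z", "2022-10-01", "2022-10-31T12:00:00Z"))
```

Use vulnerability_window when a playbook computes the arguments from an incident's time range, so the same interval the command is asked for is the one the playbook later reasons about.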
Context OutputPath | Type | Description |
---|---|---|
CiscoAMP.Vulnerability.application | String | Name of the application. |
CiscoAMP.Vulnerability.version | String | Version of the application. |
CiscoAMP.Vulnerability.file.filename | String | Name of the file. |
CiscoAMP.Vulnerability.file.identity.sha256 | String | File's SHA-256. |
CiscoAMP.Vulnerability.latest_timestamp | Number | Vulnerability latest timestamp. |
CiscoAMP.Vulnerability.latest_date | Date | Vulnerability latest date. |
CiscoAMP.Vulnerability.computers_total_count | Number | Total number of computers on which the vulnerable application was observed. |
CiscoAMP.Vulnerability.connector_guid | String | GUID of the connector. |
CiscoAMP.Vulnerability.hostname | String | Host's name. |
CiscoAMP.Vulnerability.windows_processor_id | String | Windows processor ID. |
CiscoAMP.Vulnerability.active | Boolean | Whether the computer is active. |
CiscoAMP.Vulnerability.group_guid | String | Group's GUID. |
CiscoAMP.Vulnerability.cves.id | String | CVE (Common Vulnerabilities and Exposures) ID. |
CiscoAMP.Vulnerability.cves.link | String | Link to the CVE entry. |
CiscoAMP.Vulnerability.cves.cvss | Number | CVSS (Common Vulnerability Scoring System) score of the CVE. |
CiscoAMP.Vulnerability.groups.name | String | Group's name. |
CiscoAMP.Vulnerability.groups.description | String | Group's description. |
CiscoAMP.Vulnerability.groups.guid | String | Group's GUID. |
CiscoAMP.Vulnerability.groups.source | String | Group's source of creation. |
CiscoAMP.Vulnerability.computers.connector_guid | String | GUID of the connector. |
CiscoAMP.Vulnerability.computers.hostname | String | Host's name. |
CiscoAMP.Vulnerability.computers.windows_processor_id | String | Windows processor ID. |
CiscoAMP.Vulnerability.computers.active | Boolean | Whether the computer is active. |
#
Command example!cisco-amp-vulnerability-list