Cisco AMP v2

This integration is part of the Cisco AMP Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Cisco Advanced Malware Protection software is designed to prevent, detect, and help remove threats in an efficient manner from computer systems. Threats can take the form of software viruses and other malware such as ransomware, worms, Trojans, spyware, adware, and fileless malware. This integration was integrated and tested with version 1 of CiscoAMP.

Configure Cisco AMP Secure Endpoint on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Cisco AMP Secure Endpoint.

  3. Click Add instance to create and configure a new integration instance.

     | Parameter | Description | Required |
     | --- | --- | --- |
     | Server URL | | True |
     | 3rd Party API Client ID | | True |
     | API Key | | True |
     | Trust any certificate (unsecure) | | False |
     | Use system proxy | | False |
     | Maximum incidents to fetch. | Maximum number of incidents per fetch. The maximum is 200. | False |
     | Incident severity to fetch. | | False |
     | First fetch time | First alert created date to fetch. e.g., "1 min ago","2 weeks ago","3 months ago" | False |
     | Event types | Comma-separated list of Event Type IDs. | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cisco-amp-computer-list

Fetches computers and shows information about them. Results can be filtered by a variety of criteria.

Base Command

cisco-amp-computer-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |
| connector_guid | The connector GUID for a specific computer. | Optional |
| hostname | Comma-separated list of host names to filter by (has auto complete capabilities). | Optional |
| internal_ip | Internal IP to filter by. | Optional |
| external_ip | External IP to filter by. | Optional |
| group_guid | Comma-separated list of group GUIDs to filter by. | Optional |
| last_seen_within | Time range to filter by. | Optional |
| last_seen_over | Time range to filter over by. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.Computer.connector_guid | String | GUID of the connector. |
| CiscoAMP.Computer.hostname | String | Host's name. |
| CiscoAMP.Computer.windows_processor_id | String | Windows processor ID. |
| CiscoAMP.Computer.active | Boolean | Whether the computer is active. |
| CiscoAMP.Computer.connector_version | String | Version of the connector. |
| CiscoAMP.Computer.operating_system | String | Operating system of the computer. |
| CiscoAMP.Computer.os_version | String | Operating system version. |
| CiscoAMP.Computer.internal_ips | String | List of internal IPs. |
| CiscoAMP.Computer.external_ip | String | External IP. |
| CiscoAMP.Computer.group_guid | String | GUID of the group. |
| CiscoAMP.Computer.install_date | Date | Installation date. |
| CiscoAMP.Computer.is_compromised | Boolean | Whether the computer is compromised. |
| CiscoAMP.Computer.demo | Boolean | Whether the computer is a demo. |
| CiscoAMP.Computer.network_addresses.mac | String | List of MAC addresses. |
| CiscoAMP.Computer.network_addresses.ip | String | List of IP addresses. |
| CiscoAMP.Computer.policy.guid | String | GUID of the policy. |
| CiscoAMP.Computer.policy.name | String | Name of the policy. |
| CiscoAMP.Computer.groups.guid | String | GUID of the group. |
| CiscoAMP.Computer.groups.name | String | Name of the group. |
| CiscoAMP.Computer.last_seen | Date | Last date seen. |
| CiscoAMP.Computer.faults | String | Faults. |
| CiscoAMP.Computer.isolation.available | Boolean | Whether the isolation is available. |
| CiscoAMP.Computer.isolation.status | String | Status of the isolation. |
| CiscoAMP.Computer.orbital.status | String | Status of the orbital. |
| Endpoint.Hostname | String | The hostname of the endpoint. |
| Endpoint.ID | String | The endpoint's identifier. |
| Endpoint.IPAddress | String | The endpoint's IP address. |
| Endpoint.OS | String | The endpoint's operating system. |
| Endpoint.OSVersion | String | The endpoint's operating system's version. |
| Endpoint.Status | String | The status of the endpoint (online/offline). |
| Endpoint.MACAddress | String | The endpoint's MAC address. |
| Endpoint.Vendor | String | The integration name of the endpoint vendor. |

Command example

!cisco-amp-computer-list limit=5

Context Example

{
"CiscoAMP": {
"Computer": [
{
"active": "CiscoAMP_Computer[0]_active",
"connector_guid": "CiscoAMP_Computer[0]_connector_guid",
"connector_version": "CiscoAMP_Computer[0]_connector_version",
"demo": "CiscoAMP_Computer[0]_demo",
"external_ip": "CiscoAMP_Computer[0]_external_ip",
"faults": [],
"group_guid": "CiscoAMP_Computer[0]_group_guid",
"groups": [
{
"guid": "CiscoAMP_Computer[0]_groups[0]_guid",
"name": "CiscoAMP_Computer[0]_groups[0]_name"
}
],
"hostname": "CiscoAMP_Computer[0]_hostname",
"install_date": "CiscoAMP_Computer[0]_install_date",
"internal_ips": [
"CiscoAMP_Computer[0]_internal_ips_0"
],
"is_compromised": "CiscoAMP_Computer[0]_is_compromised",
"isolation": {
"available": "CiscoAMP_Computer[0]_isolation_available",
"status": "CiscoAMP_Computer[0]_isolation_status"
},
"last_seen": "CiscoAMP_Computer[0]_last_seen",
"network_addresses": [
{
"ip": "CiscoAMP_Computer[0]_network_addresses[0]_ip",
"mac": "CiscoAMP_Computer[0]_network_addresses[0]_mac"
}
],
"operating_system": "CiscoAMP_Computer[0]_operating_system",
"os_version": "CiscoAMP_Computer[0]_os_version",
"policy": {
"guid": "CiscoAMP_Computer[0]_policy_guid",
"name": "CiscoAMP_Computer[0]_policy_name"
},
"windows_processor_id": "CiscoAMP_Computer[0]_windows_processor_id"
},
{
"active": "CiscoAMP_Computer[1]_active",
"connector_guid": "CiscoAMP_Computer[1]_connector_guid",
"connector_version": "CiscoAMP_Computer[1]_connector_version",
"demo": "CiscoAMP_Computer[1]_demo",
"external_ip": "CiscoAMP_Computer[1]_external_ip",
"faults": [],
"group_guid": "CiscoAMP_Computer[1]_group_guid",
"groups": [
{
"guid": "CiscoAMP_Computer[1]_groups[0]_guid",
"name": "CiscoAMP_Computer[1]_groups[0]_name"
}
],
"hostname": "CiscoAMP_Computer[1]_hostname",
"install_date": "CiscoAMP_Computer[1]_install_date",
"internal_ips": [
"CiscoAMP_Computer[1]_internal_ips_0"
],
"is_compromised": "CiscoAMP_Computer[1]_is_compromised",
"isolation": {
"available": "CiscoAMP_Computer[1]_isolation_available",
"status": "CiscoAMP_Computer[1]_isolation_status"
},
"last_seen": "CiscoAMP_Computer[1]_last_seen",
"network_addresses": [
{
"ip": "CiscoAMP_Computer[1]_network_addresses[0]_ip",
"mac": "CiscoAMP_Computer[1]_network_addresses[0]_mac"
}
],
"operating_system": "CiscoAMP_Computer[1]_operating_system",
"os_version": "CiscoAMP_Computer[1]_os_version",
"policy": {
"guid": "CiscoAMP_Computer[1]_policy_guid",
"name": "CiscoAMP_Computer[1]_policy_name"
},
"windows_processor_id": "CiscoAMP_Computer[1]_windows_processor_id"
},
{
"active": "CiscoAMP_Computer[2]_active",
"connector_guid": "CiscoAMP_Computer[2]_connector_guid",
"connector_version": "CiscoAMP_Computer[2]_connector_version",
"demo": "CiscoAMP_Computer[2]_demo",
"external_ip": "CiscoAMP_Computer[2]_external_ip",
"faults": [],
"group_guid": "CiscoAMP_Computer[2]_group_guid",
"groups": [
{
"guid": "CiscoAMP_Computer[2]_groups[0]_guid",
"name": "CiscoAMP_Computer[2]_groups[0]_name"
}
],
"hostname": "CiscoAMP_Computer[2]_hostname",
"install_date": "CiscoAMP_Computer[2]_install_date",
"internal_ips": [
"CiscoAMP_Computer[2]_internal_ips_0"
],
"is_compromised": "CiscoAMP_Computer[2]_is_compromised",
"isolation": {
"available": "CiscoAMP_Computer[2]_isolation_available",
"status": "CiscoAMP_Computer[2]_isolation_status"
},
"last_seen": "CiscoAMP_Computer[2]_last_seen",
"network_addresses": [
{
"ip": "CiscoAMP_Computer[2]_network_addresses[0]_ip",
"mac": "CiscoAMP_Computer[2]_network_addresses[0]_mac"
}
],
"operating_system": "CiscoAMP_Computer[2]_operating_system",
"os_version": "CiscoAMP_Computer[2]_os_version",
"policy": {
"guid": "CiscoAMP_Computer[2]_policy_guid",
"name": "CiscoAMP_Computer[2]_policy_name"
},
"windows_processor_id": "CiscoAMP_Computer[2]_windows_processor_id"
},
{
"active": "CiscoAMP_Computer[3]_active",
"connector_guid": "CiscoAMP_Computer[3]_connector_guid",
"connector_version": "CiscoAMP_Computer[3]_connector_version",
"demo": "CiscoAMP_Computer[3]_demo",
"external_ip": "CiscoAMP_Computer[3]_external_ip",
"faults": [],
"group_guid": "CiscoAMP_Computer[3]_group_guid",
"groups": [
{
"guid": "CiscoAMP_Computer[3]_groups[0]_guid",
"name": "CiscoAMP_Computer[3]_groups[0]_name"
}
],
"hostname": "CiscoAMP_Computer[3]_hostname",
"install_date": "CiscoAMP_Computer[3]_install_date",
"internal_ips": [
"CiscoAMP_Computer[3]_internal_ips_0"
],
"is_compromised": "CiscoAMP_Computer[3]_is_compromised",
"isolation": {
"available": "CiscoAMP_Computer[3]_isolation_available",
"status": "CiscoAMP_Computer[3]_isolation_status"
},
"last_seen": "CiscoAMP_Computer[3]_last_seen",
"network_addresses": [
{
"ip": "CiscoAMP_Computer[3]_network_addresses[0]_ip",
"mac": "CiscoAMP_Computer[3]_network_addresses[0]_mac"
}
],
"operating_system": "CiscoAMP_Computer[3]_operating_system",
"os_version": "CiscoAMP_Computer[3]_os_version",
"policy": {
"guid": "CiscoAMP_Computer[3]_policy_guid",
"name": "CiscoAMP_Computer[3]_policy_name"
},
"windows_processor_id": "CiscoAMP_Computer[3]_windows_processor_id"
},
{
"active": "CiscoAMP_Computer[4]_active",
"connector_guid": "CiscoAMP_Computer[4]_connector_guid",
"connector_version": "CiscoAMP_Computer[4]_connector_version",
"demo": "CiscoAMP_Computer[4]_demo",
"external_ip": "CiscoAMP_Computer[4]_external_ip",
"faults": [],
"group_guid": "CiscoAMP_Computer[4]_group_guid",
"groups": [
{
"guid": "CiscoAMP_Computer[4]_groups[0]_guid",
"name": "CiscoAMP_Computer[4]_groups[0]_name"
}
],
"hostname": "CiscoAMP_Computer[4]_hostname",
"install_date": "CiscoAMP_Computer[4]_install_date",
"internal_ips": [
"CiscoAMP_Computer[4]_internal_ips_0"
],
"is_compromised": "CiscoAMP_Computer[4]_is_compromised",
"isolation": {
"available": "CiscoAMP_Computer[4]_isolation_available",
"status": "CiscoAMP_Computer[4]_isolation_status"
},
"last_seen": "CiscoAMP_Computer[4]_last_seen",
"network_addresses": [
{
"ip": "CiscoAMP_Computer[4]_network_addresses[0]_ip",
"mac": "CiscoAMP_Computer[4]_network_addresses[0]_mac"
}
],
"operating_system": "CiscoAMP_Computer[4]_operating_system",
"os_version": "CiscoAMP_Computer[4]_os_version",
"policy": {
"guid": "CiscoAMP_Computer[4]_policy_guid",
"name": "CiscoAMP_Computer[4]_policy_name"
},
"windows_processor_id": "CiscoAMP_Computer[4]_windows_processor_id"
}
]
},
"Endpoint": [
{
"Hostname": "Endpoint[0]_Hostname",
"ID": "Endpoint[0]_ID",
"IPAddress": "Endpoint[0]_IPAddress",
"MACAddress": "Endpoint[0]_MACAddress",
"OS": "Endpoint[0]_OS",
"OSVersion": "Endpoint[0]_OSVersion",
"Status": "Endpoint[0]_Status",
"Vendor": "Endpoint[0]_Vendor"
},
{
"Hostname": "Endpoint[1]_Hostname",
"ID": "Endpoint[1]_ID",
"IPAddress": "Endpoint[1]_IPAddress",
"MACAddress": "Endpoint[1]_MACAddress",
"OS": "Endpoint[1]_OS",
"OSVersion": "Endpoint[1]_OSVersion",
"Status": "Endpoint[1]_Status",
"Vendor": "Endpoint[1]_Vendor"
},
{
"Hostname": "Endpoint[2]_Hostname",
"ID": "Endpoint[2]_ID",
"IPAddress": "Endpoint[2]_IPAddress",
"MACAddress": "Endpoint[2]_MACAddress",
"OS": "Endpoint[2]_OS",
"OSVersion": "Endpoint[2]_OSVersion",
"Status": "Endpoint[2]_Status",
"Vendor": "Endpoint[2]_Vendor"
},
{
"Hostname": "Endpoint[3]_Hostname",
"ID": "Endpoint[3]_ID",
"IPAddress": "Endpoint[3]_IPAddress",
"MACAddress": "Endpoint[3]_MACAddress",
"OS": "Endpoint[3]_OS",
"OSVersion": "Endpoint[3]_OSVersion",
"Status": "Endpoint[3]_Status",
"Vendor": "Endpoint[3]_Vendor"
},
{
"Hostname": "Endpoint[4]_Hostname",
"ID": "Endpoint[4]_ID",
"IPAddress": "Endpoint[4]_IPAddress",
"MACAddress": "Endpoint[4]_MACAddress",
"OS": "Endpoint[4]_OS",
"OSVersion": "Endpoint[4]_OSVersion",
"Status": "Endpoint[4]_Status",
"Vendor": "Endpoint[4]_Vendor"
}
]
}

Human Readable Output

Results

| Current Item Count | Index | Items Per Page | Total |
| --- | --- | --- | --- |
| 5 | 0 | 5 | 32 |

Computer Information

| Host Name | Connector GUID | Operating System | External IP | Group GUID | Policy GUID |
| --- | --- | --- | --- | --- | --- |
| Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | Windows 10 (Build 10.0.19044.1466) | IP | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | 91c7894d-dd69-4a21-8cf6-5ebfc57ef4df |
| Demo_AMP_Exploit_Prevention | 113c1a8e-8e66-409e-92a8-41b7d586be5d | Windows 10 (Build 10.0.19044.1466) | IP | 6ed80412-0739-42c1-8f6d-32fb51b3f894 | 1a352c59-793b-44f3-b8f9-0ddd354057bc |
| Demo_AMP_Exploit_Prevention_Audit | 93f395a2-e31f-4022-b1dd-afb16e093b8d | Windows 10 (Build 10.0.19044.1466) | IP | 5b1857e3-ba49-46cf-9bf1-0cad6b5ecd18 | a599bf5b-2cb7-4a5b-90bd-d0199e2ccd67 |
| Demo_AMP_Intel | d6f49c17-9721-4c5b-a04f-32ba30be36a0 | Windows 10 (Build 10.0.19043.1202) | IP | fedd82f8-c74f-49f4-a463-e576d3beee92 | be84e169-0830-4b95-915b-1e203a82ed58 |
| Demo_AMP_MAP_FriedEx | 9a2abee8-b988-473b-9e99-a7abe6d068a5 | Windows 10 (Build 10.0.19044.1466) | IP | 6ed80412-0739-42c1-8f6d-32fb51b3f894 | 1a352c59-793b-44f3-b8f9-0ddd354057bc |

cisco-amp-computer-trajectory-list

Provides a list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP console.

Base Command

cisco-amp-computer-trajectory-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| connector_guid | The connector GUID for a specific computer. | Required |
| query_string | Freeform query string which currently accepts an IP address, SHA-256, or URL. | Optional |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 5000. | Optional |
| limit | Number of total results to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.ComputerTrajectory.connector_guid | String | GUID of the connector. |
| CiscoAMP.ComputerTrajectory.id | String | Event's ID. |
| CiscoAMP.ComputerTrajectory.timestamp | Number | Event's timestamp. |
| CiscoAMP.ComputerTrajectory.timestamp_nanoseconds | Number | Event's timestamp in nanoseconds. |
| CiscoAMP.ComputerTrajectory.date | Date | Event's date. |
| CiscoAMP.ComputerTrajectory.event_type | String | Event's type. |
| CiscoAMP.ComputerTrajectory.event_type_id | Number | Event's type ID. |
| CiscoAMP.ComputerTrajectory.group_guids | String | Group GUID. |
| CiscoAMP.ComputerTrajectory.severity | String | Event's severity. |
| CiscoAMP.ComputerTrajectory.detection | String | Event's detection. |
| CiscoAMP.ComputerTrajectory.detection_id | String | Event's detection ID. |
| CiscoAMP.ComputerTrajectory.file.disposition | String | Disposition of the file. |
| CiscoAMP.ComputerTrajectory.file.file_name | String | Name of the file. |
| CiscoAMP.ComputerTrajectory.file.file_path | String | Path to the file. |
| CiscoAMP.ComputerTrajectory.file.file_type | String | Type of the file. |
| CiscoAMP.ComputerTrajectory.file.identity.sha256 | String | File's SHA-256. |
| CiscoAMP.ComputerTrajectory.file.identity.sha1 | String | File's SHA-1. |
| CiscoAMP.ComputerTrajectory.file.identity.md5 | String | File's MD5. |
| CiscoAMP.ComputerTrajectory.file.parent.disposition | String | Disposition of parent. |
| CiscoAMP.ComputerTrajectory.file.parent.identity.sha256 | String | SHA-256 of parent. |
| CiscoAMP.ComputerTrajectory.scan.description | String | Description of the scan. |
| CiscoAMP.ComputerTrajectory.scan.clean | Boolean | Whether the scan is clean. |
| CiscoAMP.ComputerTrajectory.scan.scanned_files | Number | Number of scanned files. |
| CiscoAMP.ComputerTrajectory.scan.scanned_processes | Number | Number of scanned processes. |
| CiscoAMP.ComputerTrajectory.scan.scanned_paths | Number | Number of scanned paths. |
| CiscoAMP.ComputerTrajectory.scan.malicious_detections | Number | Number of malicious detections. |

Command example

!cisco-amp-computer-trajectory-list connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 limit=5

Context Example

{
"CiscoAMP": {
"ComputerTrajectory": [
{
"connector_guid": "CiscoAMP_ComputerTrajectory[0]_connector_guid",
"date": "CiscoAMP_ComputerTrajectory[0]_date",
"event_type": "CiscoAMP_ComputerTrajectory[0]_event_type",
"event_type_id": "CiscoAMP_ComputerTrajectory[0]_event_type_id",
"group_guids": [
"CiscoAMP_ComputerTrajectory[0]_group_guids_0"
],
"id": "CiscoAMP_ComputerTrajectory[0]_id",
"isolation": {
"duration": "CiscoAMP_ComputerTrajectory[0]_isolation_duration"
},
"timestamp": "CiscoAMP_ComputerTrajectory[0]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_ComputerTrajectory[0]_timestamp_nanoseconds"
},
{
"connector_guid": "CiscoAMP_ComputerTrajectory[1]_connector_guid",
"date": "CiscoAMP_ComputerTrajectory[1]_date",
"event_type": "CiscoAMP_ComputerTrajectory[1]_event_type",
"event_type_id": "CiscoAMP_ComputerTrajectory[1]_event_type_id",
"group_guids": [
"CiscoAMP_ComputerTrajectory[1]_group_guids_0"
],
"id": "CiscoAMP_ComputerTrajectory[1]_id",
"timestamp": "CiscoAMP_ComputerTrajectory[1]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_ComputerTrajectory[1]_timestamp_nanoseconds"
},
{
"connector_guid": "CiscoAMP_ComputerTrajectory[2]_connector_guid",
"date": "CiscoAMP_ComputerTrajectory[2]_date",
"event_type": "CiscoAMP_ComputerTrajectory[2]_event_type",
"event_type_id": "CiscoAMP_ComputerTrajectory[2]_event_type_id",
"group_guids": [
"CiscoAMP_ComputerTrajectory[2]_group_guids_0"
],
"id": "CiscoAMP_ComputerTrajectory[2]_id",
"isolation": {
"duration": "CiscoAMP_ComputerTrajectory[2]_isolation_duration"
},
"timestamp": "CiscoAMP_ComputerTrajectory[2]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_ComputerTrajectory[2]_timestamp_nanoseconds"
},
{
"connector_guid": "CiscoAMP_ComputerTrajectory[3]_connector_guid",
"date": "CiscoAMP_ComputerTrajectory[3]_date",
"event_type": "CiscoAMP_ComputerTrajectory[3]_event_type",
"event_type_id": "CiscoAMP_ComputerTrajectory[3]_event_type_id",
"group_guids": [
"CiscoAMP_ComputerTrajectory[3]_group_guids_0"
],
"id": "CiscoAMP_ComputerTrajectory[3]_id",
"timestamp": "CiscoAMP_ComputerTrajectory[3]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_ComputerTrajectory[3]_timestamp_nanoseconds"
},
{
"connector_guid": "CiscoAMP_ComputerTrajectory[4]_connector_guid",
"date": "CiscoAMP_ComputerTrajectory[4]_date",
"event_type": "CiscoAMP_ComputerTrajectory[4]_event_type",
"event_type_id": "CiscoAMP_ComputerTrajectory[4]_event_type_id",
"group_guids": [
"CiscoAMP_ComputerTrajectory[4]_group_guids_0"
],
"id": "CiscoAMP_ComputerTrajectory[4]_id",
"isolation": {
"duration": "CiscoAMP_ComputerTrajectory[4]_isolation_duration"
},
"timestamp": "CiscoAMP_ComputerTrajectory[4]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_ComputerTrajectory[4]_timestamp_nanoseconds"
}
]
}
}

Human Readable Output

Computer Information

| Host Name | Connector GUID | Operating System | External IP | Group GUID | Policy GUID |
| --- | --- | --- | --- | --- | --- |
| Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | Windows 10 (Build 10.0.19044.1466) | IP | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | 91c7894d-dd69-4a21-8cf6-5ebfc57ef4df |

Event Information

| ID | Date | Event Type | Group GUIDs |
| --- | --- | --- | --- |
| 1667217305855411965 | 2022-10-31T11:55:05+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
| 1667217298837175263 | 2022-10-31T11:54:58+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
| 1667216545769121964 | 2022-10-31T11:42:25+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
| 1667216538974189121 | 2022-10-31T11:42:18+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
| 1667214907330813011 | 2022-10-31T11:15:07+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
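
Pairing the Endpoint Isolation Start/Stop rows of the Event Information output above into isolation windows, as an added example (not part of the integration or of the original page). The sample entries are constructed from that table in the shape of CiscoAMP.ComputerTrajectory context entries, and isolation_windows is a hypothetical helper name.

```python
from datetime import datetime

START = "Endpoint Isolation Start Success"
STOP = "Endpoint Isolation Stop Success"

# Constructed sample: the five Event Information rows shown above, newest first,
# reduced to the context keys this helper reads (id, date, event_type).
SAMPLE_EVENTS = [
    {"id": "1667217305855411965", "date": "2022-10-31T11:55:05+00:00", "event_type": STOP},
    {"id": "1667217298837175263", "date": "2022-10-31T11:54:58+00:00", "event_type": START},
    {"id": "1667216545769121964", "date": "2022-10-31T11:42:25+00:00", "event_type": STOP},
    {"id": "1667216538974189121", "date": "2022-10-31T11:42:18+00:00", "event_type": START},
    {"id": "1667214907330813011", "date": "2022-10-31T11:15:07+00:00", "event_type": STOP},
]


def isolation_windows(events):
    """Pair isolation start/stop events into windows.

    Returns (windows, unmatched). windows is a chronological list of
    {"start", "stop", "seconds"} dicts. unmatched holds events whose partner
    is not in the fetched results: a leading stop means the fetch (limit or
    page_size) cut off the matching start; a trailing start means the host
    was still isolated at the end of the fetched range.
    """
    ordered = sorted(
        events, key=lambda e: (datetime.fromisoformat(e["date"]), int(e["id"]))
    )
    windows, unmatched = [], []
    open_start = None
    for event in ordered:
        kind = event["event_type"]
        if kind == START:
            if open_start is not None:
                unmatched.append(open_start)  # two starts in a row
            open_start = event
        elif kind == STOP:
            if open_start is None:
                unmatched.append(event)  # start lies outside the fetched range
                continue
            began = datetime.fromisoformat(open_start["date"])
            ended = datetime.fromisoformat(event["date"])
            windows.append({
                "start": open_start["date"],
                "stop": event["date"],
                "seconds": int((ended - began).total_seconds()),
            })
            open_start = None
        # Any other event type is ignored here.
    if open_start is not None:
        unmatched.append(open_start)  # no stop seen yet
    return windows, unmatched


if __name__ == "__main__":
    found, orphans = isolation_windows(SAMPLE_EVENTS)
    for window in found:
        print(window["start"], "->", window["stop"], f"({window['seconds']}s)")
    for event in orphans:
        print("unmatched:", event["event_type"], event["date"])
```

An unmatched stop at the start of the range, as with the 11:15:07 row here, is the cue to re-run the command with a larger limit before drawing conclusions about how long the host was isolated.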

cisco-amp-computer-user-activity-list

Fetch a list of computers that have observed activity by a given username.

Base Command

cisco-amp-computer-user-activity-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | Username to filter by. | Required |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.ComputerUserActivity.connector_guid | String | GUID of the connector. |
| CiscoAMP.ComputerUserActivity.hostname | String | Host's name. |
| CiscoAMP.ComputerUserActivity.active | Boolean | Whether the computer is active. |

Command example

!cisco-amp-computer-user-activity-list username=johndoe

Context Example

{
"CiscoAMP": {
"ComputerUserActivity": [
{
"active": "CiscoAMP_ComputerUserActivity[0]_active",
"connector_guid": "CiscoAMP_ComputerUserActivity[0]_connector_guid",
"hostname": "CiscoAMP_ComputerUserActivity[0]_hostname"
},
{
"active": "CiscoAMP_ComputerUserActivity[1]_active",
"connector_guid": "CiscoAMP_ComputerUserActivity[1]_connector_guid",
"hostname": "CiscoAMP_ComputerUserActivity[1]_hostname"
},
{
"active": "CiscoAMP_ComputerUserActivity[2]_active",
"connector_guid": "CiscoAMP_ComputerUserActivity[2]_connector_guid",
"hostname": "CiscoAMP_ComputerUserActivity[2]_hostname"
},
{
"active": "CiscoAMP_ComputerUserActivity[3]_active",
"connector_guid": "CiscoAMP_ComputerUserActivity[3]_connector_guid",
"hostname": "CiscoAMP_ComputerUserActivity[3]_hostname"
},
{
"active": "CiscoAMP_ComputerUserActivity[4]_active",
"connector_guid": "CiscoAMP_ComputerUserActivity[4]_connector_guid",
"hostname": "CiscoAMP_ComputerUserActivity[4]_hostname"
},
{
"active": "CiscoAMP_ComputerUserActivity[5]_active",
"connector_guid": "CiscoAMP_ComputerUserActivity[5]_connector_guid",
"hostname": "CiscoAMP_ComputerUserActivity[5]_hostname"
},
{
"active": "CiscoAMP_ComputerUserActivity[6]_active",
"connector_guid": "CiscoAMP_ComputerUserActivity[6]_connector_guid",
"hostname": "CiscoAMP_ComputerUserActivity[6]_hostname"
},
{
"active": "CiscoAMP_ComputerUserActivity[7]_active",
"connector_guid": "CiscoAMP_ComputerUserActivity[7]_connector_guid",
"hostname": "CiscoAMP_ComputerUserActivity[7]_hostname"
}
]
}
}

Human Readable Output

Results

| Current Item Count | Index | Items Per Page | Total |
| --- | --- | --- | --- |
| 8 | 0 | 100 | 8 |

Activity Information

| Connector GUID | Host Name | Active |
| --- | --- | --- |
| 113c1a8e-8e66-409e-92a8-41b7d586be5d | Demo_AMP_Exploit_Prevention | true |
| 307ada77-5776-4de6-ab3b-9c42fe723c9c | Demo_WannaCry_Ransomware | true |
| 32ac3d60-4038-4cac-8df8-7588cd959926 | Demo_AMP_Threat_Audit | true |
| 7704bf95-5343-4825-8d68-2ecea81feda4 | Demo_Qakbot_3 | true |
| 790e9bd4-99b5-433c-b027-9a9a5b9d426f | Demo_Qakbot_2 | true |
| cd9ae0b3-b566-47f4-811b-980dcb7988d6 | Demo_Qakbot_1 | true |
| d42cab73-c142-4c25-85d3-4bdefacb6b5b | Demo_AMP_Threat_Quarantined | true |
| d6f49c17-9721-4c5b-a04f-32ba30be36a0 | Demo_AMP_Intel | true |

cisco-amp-computer-user-trajectory-list

Fetch a specific computer's trajectory with a given connector_guid and filter for events with user name activity.

Base Command

cisco-amp-computer-user-trajectory-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| connector_guid | The connector GUID for a specific computer. | Required |
| username | Username to filter by. | Optional |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 5000. | Optional |
| limit | Number of total results to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.ComputerUserTrajectory.connector_guid | String | GUID of the connector. |
| CiscoAMP.ComputerUserTrajectory.id | String | Event's ID. |
| CiscoAMP.ComputerUserTrajectory.timestamp | Number | Event's timestamp. |
| CiscoAMP.ComputerUserTrajectory.timestamp_nanoseconds | Number | Event's timestamp in nanoseconds. |
| CiscoAMP.ComputerUserTrajectory.date | Date | Event's date. |
| CiscoAMP.ComputerUserTrajectory.event_type | String | Event's type. |
| CiscoAMP.ComputerUserTrajectory.event_type_id | Number | Event's type ID. |
| CiscoAMP.ComputerUserTrajectory.group_guids | String | Group GUID. |
| CiscoAMP.ComputerUserTrajectory.severity | String | Event's severity. |
| CiscoAMP.ComputerUserTrajectory.detection | String | Event's detection. |
| CiscoAMP.ComputerUserTrajectory.detection_id | String | Event's detection ID. |
| CiscoAMP.ComputerUserTrajectory.file.disposition | String | Disposition of the file. |
| CiscoAMP.ComputerUserTrajectory.file.file_name | String | Name of the file. |
| CiscoAMP.ComputerUserTrajectory.file.file_path | String | Path to the file. |
| CiscoAMP.ComputerUserTrajectory.file.file_type | String | Type of the file. |
| CiscoAMP.ComputerUserTrajectory.file.identity.sha256 | String | File's SHA-256. |
| CiscoAMP.ComputerUserTrajectory.file.identity.sha1 | String | File's SHA-1. |
| CiscoAMP.ComputerUserTrajectory.file.identity.md5 | String | File's MD5. |
| CiscoAMP.ComputerUserTrajectory.file.parent.disposition | String | Disposition of parent. |
| CiscoAMP.ComputerUserTrajectory.file.parent.identity.sha256 | String | SHA-256 of parent. |
| CiscoAMP.ComputerUserTrajectory.scan.description | String | Description. |
| CiscoAMP.ComputerUserTrajectory.scan.clean | Boolean | Whether the scan is clean. |
| CiscoAMP.ComputerUserTrajectory.scan.scanned_files | Number | Number of scanned files. |
| CiscoAMP.ComputerUserTrajectory.scan.scanned_processes | Number | Number of scanned processes. |
| CiscoAMP.ComputerUserTrajectory.scan.scanned_paths | Number | Number of scanned paths. |
| CiscoAMP.ComputerUserTrajectory.scan.malicious_detections | Number | Number of malicious detections. |

Command example

!cisco-amp-computer-user-trajectory-list connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 limit=5

Context Example

{
"CiscoAMP": {
"ComputerUserTrajectory": [
{
"connector_guid": "CiscoAMP_ComputerUserTrajectory[0]_connector_guid",
"date": "CiscoAMP_ComputerUserTrajectory[0]_date",
"event_type": "CiscoAMP_ComputerUserTrajectory[0]_event_type",
"event_type_id": "CiscoAMP_ComputerUserTrajectory[0]_event_type_id",
"group_guids": [
"CiscoAMP_ComputerUserTrajectory[0]_group_guids_0"
],
"id": "CiscoAMP_ComputerUserTrajectory[0]_id",
"isolation": {
"duration": "CiscoAMP_ComputerUserTrajectory[0]_isolation_duration"
},
"timestamp": "CiscoAMP_ComputerUserTrajectory[0]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_ComputerUserTrajectory[0]_timestamp_nanoseconds"
},
{
"connector_guid": "CiscoAMP_ComputerUserTrajectory[1]_connector_guid",
"date": "CiscoAMP_ComputerUserTrajectory[1]_date",
"event_type": "CiscoAMP_ComputerUserTrajectory[1]_event_type",
"event_type_id": "CiscoAMP_ComputerUserTrajectory[1]_event_type_id",
"group_guids": [
"CiscoAMP_ComputerUserTrajectory[1]_group_guids_0"
],
"id": "CiscoAMP_ComputerUserTrajectory[1]_id",
"timestamp": "CiscoAMP_ComputerUserTrajectory[1]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_ComputerUserTrajectory[1]_timestamp_nanoseconds"
},
{
"connector_guid": "CiscoAMP_ComputerUserTrajectory[2]_connector_guid",
"date": "CiscoAMP_ComputerUserTrajectory[2]_date",
"event_type": "CiscoAMP_ComputerUserTrajectory[2]_event_type",
"event_type_id": "CiscoAMP_ComputerUserTrajectory[2]_event_type_id",
"group_guids": [
"CiscoAMP_ComputerUserTrajectory[2]_group_guids_0"
],
"id": "CiscoAMP_ComputerUserTrajectory[2]_id",
"isolation": {
"duration": "CiscoAMP_ComputerUserTrajectory[2]_isolation_duration"
},
"timestamp": "CiscoAMP_ComputerUserTrajectory[2]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_ComputerUserTrajectory[2]_timestamp_nanoseconds"
},
{
"connector_guid": "CiscoAMP_ComputerUserTrajectory[3]_connector_guid",
"date": "CiscoAMP_ComputerUserTrajectory[3]_date",
"event_type": "CiscoAMP_ComputerUserTrajectory[3]_event_type",
"event_type_id": "CiscoAMP_ComputerUserTrajectory[3]_event_type_id",
"group_guids": [
"CiscoAMP_ComputerUserTrajectory[3]_group_guids_0"
],
"id": "CiscoAMP_ComputerUserTrajectory[3]_id",
"timestamp": "CiscoAMP_ComputerUserTrajectory[3]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_ComputerUserTrajectory[3]_timestamp_nanoseconds"
},
{
"connector_guid": "CiscoAMP_ComputerUserTrajectory[4]_connector_guid",
"date": "CiscoAMP_ComputerUserTrajectory[4]_date",
"event_type": "CiscoAMP_ComputerUserTrajectory[4]_event_type",
"event_type_id": "CiscoAMP_ComputerUserTrajectory[4]_event_type_id",
"group_guids": [
"CiscoAMP_ComputerUserTrajectory[4]_group_guids_0"
],
"id": "CiscoAMP_ComputerUserTrajectory[4]_id",
"isolation": {
"duration": "CiscoAMP_ComputerUserTrajectory[4]_isolation_duration"
},
"timestamp": "CiscoAMP_ComputerUserTrajectory[4]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_ComputerUserTrajectory[4]_timestamp_nanoseconds"
}
]
}
}

Human Readable Output

Computer Information

| Host Name | Connector GUID | Operating System |
| --- | --- | --- |
| Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | None (Build None) |

Event Information

| ID | Date | Event Type | Group GUIDs |
| --- | --- | --- | --- |
| 1667217305855411965 | 2022-10-31T11:55:05+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
| 1667217298837175263 | 2022-10-31T11:54:58+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
| 1667216545769121964 | 2022-10-31T11:42:25+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
| 1667216538974189121 | 2022-10-31T11:42:18+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |
| 1667214907330813011 | 2022-10-31T11:15:07+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |

cisco-amp-computer-vulnerabilities-list

Provides a list of vulnerabilities observed on a specific computer. The vulnerabilities can be filtered to show only vulnerable applications observed for a specific time range.

Base Command

cisco-amp-computer-vulnerabilities-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| connector_guid | The connector GUID for a specific computer. | Required |
| start_time | The start date and time expressed according to ISO 8601. The retrieved list will include vulnerable programs detected at start_time. | Optional |
| end_time | The end date and/or time expressed according to ISO 8601. Exclusive: if end_time is a time, the list will only include vulnerable programs detected before end_time. Inclusive: if end_time is a date, the list will include vulnerable programs detected on the date. | Optional |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.ComputerVulnerability.connector_guid | String | GUID of the connector. |
| CiscoAMP.ComputerVulnerability.application | String | Name of the application. |
| CiscoAMP.ComputerVulnerability.version | String | Version of the application. |
| CiscoAMP.ComputerVulnerability.file.filename | String | Name of the file. |
| CiscoAMP.ComputerVulnerability.file.identity.sha256 | String | File's SHA-256. |
| CiscoAMP.ComputerVulnerability.file.identity.sha1 | String | File's SHA-1. |
| CiscoAMP.ComputerVulnerability.file.identity.md5 | String | File's MD5. |
| CiscoAMP.ComputerVulnerability.cves.id | String | Common vulnerability exposure ID. |
| CiscoAMP.ComputerVulnerability.cves.link | String | Common vulnerability exposure link. |
| CiscoAMP.ComputerVulnerability.cves.cvss | Number | Common vulnerability scoring system. |
| CiscoAMP.ComputerVulnerability.latest_timestamp | Number | Vulnerability latest timestamp. |
| CiscoAMP.ComputerVulnerability.latest_date | Date | Vulnerability latest date. |

Command example

!cisco-amp-computer-vulnerabilities-list connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0

Context Example

{
"CiscoAMP": {
"ComputerVulnerability": {
"application": "CiscoAMP_ComputerVulnerability_application",
"connector_guid": "CiscoAMP_ComputerVulnerability_connector_guid",
"cves": [
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[0]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[0]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[0]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[1]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[1]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[1]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[2]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[2]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[2]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[3]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[3]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[3]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[4]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[4]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[4]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[5]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[5]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[5]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[6]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[6]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[6]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[7]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[7]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[7]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[8]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[8]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[8]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[9]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[9]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[9]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[10]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[10]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[10]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[11]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[11]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[11]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[12]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[12]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[12]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[13]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[13]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[13]_link"
},
{
"cvss": "CiscoAMP_ComputerVulnerability_cves[14]_cvss",
"id": "CiscoAMP_ComputerVulnerability_cves[14]_id",
"link": "CiscoAMP_ComputerVulnerability_cves[14]_link"
}
],
"file": {
"filename": "CiscoAMP_ComputerVulnerability_file_filename",
"identity": {
"sha256": "CiscoAMP_ComputerVulnerability_file_identity_sha256"
}
},
"latest_date": "CiscoAMP_ComputerVulnerability_latest_date",
"latest_timestamp": "CiscoAMP_ComputerVulnerability_latest_timestamp",
"version": "CiscoAMP_ComputerVulnerability_version"
}
}
}

Human Readable Output#

Results#

| Current Item Count | Index | Items Per Page | Total |
| --- | --- | --- | --- |
| 1 | 0 | 100 | 1 |

Computer Information#

| Host Name | Connector GUID | Operating System | Group GUID |
| --- | --- | --- | --- |
| Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | None (Build None) | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 |

Vulnerabilities Information#

| Application | Version | Latest Date | File Name | SHA-256 |
| --- | --- | --- | --- | --- |
| Microsoft Office | 2013 | 2022-10-23T12:37:33+00:00 | WINWORD.EXE | 3D46E95284F93BBB76B3B7E1BF0E1B2D51E8A9411C2B6E649112F22F92DE63C2 |

cisco-amp-computer-move#


Moves a computer to a group with a given connector_guid and group_guid.

Base Command#

cisco-amp-computer-move

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connector_guid | The connector GUID for a specific computer. | Required |
| group_guid | Group GUID to move the computer to. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.Computer.connector_guid | String | GUID of the connector. |
| CiscoAMP.Computer.hostname | String | Host's name. |
| CiscoAMP.Computer.windows_processor_id | String | Windows processor ID. |
| CiscoAMP.Computer.active | Boolean | Whether the computer is active. |
| CiscoAMP.Computer.connector_version | String | Version of the connector. |
| CiscoAMP.Computer.operating_system | String | Operating system of the computer. |
| CiscoAMP.Computer.os_version | String | Operating system version. |
| CiscoAMP.Computer.internal_ips | String | List of internal IPs. |
| CiscoAMP.Computer.external_ip | String | External IP. |
| CiscoAMP.Computer.group_guid | String | GUID of the group. |
| CiscoAMP.Computer.install_date | Date | Installation date. |
| CiscoAMP.Computer.is_compromised | Boolean | Whether the computer is compromised. |
| CiscoAMP.Computer.demo | Boolean | Whether the computer is a demo. |
| CiscoAMP.Computer.network_addresses.mac | String | List of MAC addresses. |
| CiscoAMP.Computer.network_addresses.ip | String | List of IP addresses. |
| CiscoAMP.Computer.policy.guid | String | GUID of the policy. |
| CiscoAMP.Computer.policy.name | String | Name of the policy. |
| CiscoAMP.Computer.groups.guid | String | GUID of the group. |
| CiscoAMP.Computer.groups.name | String | Name of the group. |
| CiscoAMP.Computer.last_seen | Date | Last date seen. |
| CiscoAMP.Computer.faults | String | Faults. |
| CiscoAMP.Computer.isolation.available | Boolean | Whether the isolation is available. |
| CiscoAMP.Computer.isolation.status | String | Status of the isolation. |
| CiscoAMP.Computer.orbital.status | String | Status of the orbital. |

Command example#

!cisco-amp-computer-move connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 group_guid=bb5a9f90-d6fa-4fe7-99c8-e91060b49a98

Context Example#

{
"CiscoAMP": {
"Computer": {
"active": "CiscoAMP_Computer_active",
"connector_guid": "CiscoAMP_Computer_connector_guid",
"connector_version": "CiscoAMP_Computer_connector_version",
"demo": "CiscoAMP_Computer_demo",
"external_ip": "CiscoAMP_Computer_external_ip",
"faults": [],
"group_guid": "CiscoAMP_Computer_group_guid",
"groups": [
{
"guid": "CiscoAMP_Computer_groups[0]_guid",
"name": "CiscoAMP_Computer_groups[0]_name"
}
],
"hostname": "CiscoAMP_Computer_hostname",
"install_date": "CiscoAMP_Computer_install_date",
"internal_ips": [
"CiscoAMP_Computer_internal_ips_0"
],
"is_compromised": "CiscoAMP_Computer_is_compromised",
"isolation": {
"available": "CiscoAMP_Computer_isolation_available",
"status": "CiscoAMP_Computer_isolation_status"
},
"network_addresses": [
{
"ip": "CiscoAMP_Computer_network_addresses[0]_ip",
"mac": "CiscoAMP_Computer_network_addresses[0]_mac"
}
],
"operating_system": "CiscoAMP_Computer_operating_system",
"os_version": "CiscoAMP_Computer_os_version",
"policy": {
"guid": "CiscoAMP_Computer_policy_guid",
"name": "CiscoAMP_Computer_policy_name"
},
"windows_processor_id": "CiscoAMP_Computer_windows_processor_id"
}
}
}

Human Readable Output#

Computer Information#

| Host Name | Connector GUID | Operating System | External IP | Group GUID | Policy GUID |
| --- | --- | --- | --- | --- | --- |
| Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | Windows 10 (Build 10.0.19044.1466) | IP | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | 91c7894d-dd69-4a21-8cf6-5ebfc57ef4df |

cisco-amp-computer-delete#


Deletes the computer with the given connector GUID.

Base Command#

cisco-amp-computer-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connector_guid | The connector GUID for a specific computer. | Required |

Context Output#

There is no context output for this command.

Command example#

!cisco-amp-computer-delete connector_guid=dddd4ceb-4ce1-4f81-a7a7-04d13cc1df43

Human Readable Output#

Connector GUID: "dddd4ceb-4ce1-4f81-a7a7-04d13cc1df43" Successfully deleted.

cisco-amp-computer-activity-list#


Fetch a list of computers that have observed files with a given file name. Provides the ability to search all computers across an organization for any events or activities associated with a file or network operation, and returns computers matching those criteria. There is a hard limit of 5000 historical entries searched.

Base Command#

cisco-amp-computer-activity-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query_string | Freeform query string which currently accepts: IPv4 address (CIDR not supported), SHA-256, file name, and a URL Fragment. | Required |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.ComputerActivity.connector_guid | String | GUID of the connector. |
| CiscoAMP.ComputerActivity.hostname | String | Host's name. |
| CiscoAMP.ComputerActivity.windows_processor_id | String | Windows processor ID. |
| CiscoAMP.ComputerActivity.active | Boolean | Whether the computer is active. |

Command example#

!cisco-amp-computer-activity-list query_string=8.8.8.8

Context Example#

{
"CiscoAMP": {
"ComputerActivity": [
{
"active": "CiscoAMP_ComputerActivity[0]_active",
"connector_guid": "CiscoAMP_ComputerActivity[0]_connector_guid",
"hostname": "CiscoAMP_ComputerActivity[0]_hostname",
"windows_processor_id": "CiscoAMP_ComputerActivity[0]_windows_processor_id"
},
{
"active": "CiscoAMP_ComputerActivity[1]_active",
"connector_guid": "CiscoAMP_ComputerActivity[1]_connector_guid",
"hostname": "CiscoAMP_ComputerActivity[1]_hostname",
"windows_processor_id": "CiscoAMP_ComputerActivity[1]_windows_processor_id"
},
{
"active": "CiscoAMP_ComputerActivity[2]_active",
"connector_guid": "CiscoAMP_ComputerActivity[2]_connector_guid",
"hostname": "CiscoAMP_ComputerActivity[2]_hostname",
"windows_processor_id": "CiscoAMP_ComputerActivity[2]_windows_processor_id"
},
{
"active": "CiscoAMP_ComputerActivity[3]_active",
"connector_guid": "CiscoAMP_ComputerActivity[3]_connector_guid",
"hostname": "CiscoAMP_ComputerActivity[3]_hostname",
"windows_processor_id": "CiscoAMP_ComputerActivity[3]_windows_processor_id"
},
{
"active": "CiscoAMP_ComputerActivity[4]_active",
"connector_guid": "CiscoAMP_ComputerActivity[4]_connector_guid",
"hostname": "CiscoAMP_ComputerActivity[4]_hostname",
"windows_processor_id": "CiscoAMP_ComputerActivity[4]_windows_processor_id"
}
]
}
}

Human Readable Output#

Results#

| Current Item Count | Index | Items Per Page | Total |
| --- | --- | --- | --- |
| 5 | 0 | 100 | 5 |

Activity Information#

| Connector GUID | Host Name | Windows Processor ID | Active |
| --- | --- | --- | --- |
| 1e104704-0b8f-4703-a49f-ec3d13e1e079 | Demo_Dyre | 346b8f2ad9e5107 | true |
| 22b1d33c-b875-445f-8a98-d7fd05616ff0 | Demo_Upatre | b2a9e0f43861d75 | true |
| 33c101dd-4f50-4fd3-bce5-d3bd9d94e1a2 | Demo_ZAccess | b047d5268e9a13f | true |
| 4d91c4ea-4f4d-4b87-b5d7-d34cc2c678a5 | Demo_Global_Threat_Alerts | 9af0463d1852be7 | true |
| ab22d66b-3443-4653-99ec-1fdeb680f30b | Demo_TDSS | 0ad79f21856e34b | true |

cisco-amp-computer-isolation-feature-availability-get#


Performs a feature availability request on a computer. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

Base Command#

cisco-amp-computer-isolation-feature-availability-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connector_guid | The connector GUID for a specific computer. | Required |

Context Output#

There is no context output for this command.

Command example#

!cisco-amp-computer-isolation-feature-availability-get connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0

Human Readable Output#

Can get information about an isolation with computer-isolation-get
Can request to create a new isolation with computer-isolation-create

cisco-amp-computer-isolation-get#


Returns a fine-grained isolation status for a computer. The available flag is set to true if isolation can be performed on the computer. The status is one of: not_isolated, pending_start, isolated, or pending_stop. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

Base Command#

cisco-amp-computer-isolation-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connector_guid | The connector GUID for a specific computer. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.ComputerIsolation.connector_guid | String | ID of the connector. |
| CiscoAMP.ComputerIsolation.available | Boolean | Set to true if isolation can be performed on the computer. |
| CiscoAMP.ComputerIsolation.status | String | Will be set to one of: not_isolated, pending_start, isolated and pending_stop. |
| CiscoAMP.ComputerIsolation.unlock_code | String | Isolation unlock code. |
| CiscoAMP.ComputerIsolation.comment | String | Isolation comment. |
| CiscoAMP.ComputerIsolation.ccms_message_guid | String | Cisco Cluster Management Suite message GUID. |
| CiscoAMP.ComputerIsolation.ccms_job_guid | String | Cisco Cluster Management Suite job GUID. |

Command example#

!cisco-amp-computer-isolation-get connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0

Context Example#

{
"CiscoAMP": {
"ComputerIsolation": {
"available": "CiscoAMP_ComputerIsolation_available",
"comment": "CiscoAMP_ComputerIsolation_comment",
"connector_guid": "CiscoAMP_ComputerIsolation_connector_guid",
"status": "CiscoAMP_ComputerIsolation_status",
"unlock_code": "CiscoAMP_ComputerIsolation_unlock_code"
}
}
}

Human Readable Output#

Isolation Information#

| Available | Status | Unlock Code | Comment |
| --- | --- | --- | --- |
| true | not_isolated | unlockme | End readme test |

cisco-amp-computer-isolation-create#


Request isolation for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

Base Command#

cisco-amp-computer-isolation-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| interval_in_seconds | The interval in seconds between each poll. Default is 30. | Optional |
| timeout_in_seconds | The timeout in seconds until polling ends. Default is 600. | Optional |
| connector_guid | The connector GUID for a specific computer. | Required |
| comment | Comment for isolation. | Required |
| unlock_code | Isolation unlock code. | Required |
| status | Status of the current run. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.ComputerIsolation.connector_guid | String | ID of the connector. |
| CiscoAMP.ComputerIsolation.available | Boolean | Set to true if isolation can be performed on the computer. |
| CiscoAMP.ComputerIsolation.status | String | Will be set to one of: not_isolated, pending_start, isolated and pending_stop. |
| CiscoAMP.ComputerIsolation.unlock_code | String | Isolation unlock code. |
| CiscoAMP.ComputerIsolation.comment | String | Isolation comment. |
| CiscoAMP.ComputerIsolation.isolated_by | String | Isolation initiator. |

Command example#

!cisco-amp-computer-isolation-create connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 comment="readme generate test" unlock_code=unlockme interval_in_seconds=5 timeout_in_seconds=20

Context Example#

{
"CiscoAMP": {
"ComputerIsolation": {
"available": "CiscoAMP_ComputerIsolation_available",
"comment": "CiscoAMP_ComputerIsolation_comment",
"connector_guid": "CiscoAMP_ComputerIsolation_connector_guid",
"isolated_by": "CiscoAMP_ComputerIsolation_isolated_by",
"status": "CiscoAMP_ComputerIsolation_status",
"unlock_code": "CiscoAMP_ComputerIsolation_unlock_code"
}
}
}

Human Readable Output#

Isolation Information#

| Available | Status | Unlock Code | Comment | Isolated By |
| --- | --- | --- | --- | --- |
| true | isolated | unlockme | readme generate test | Lior Sabri |

cisco-amp-computer-isolation-delete#


Request isolation stop for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation.

Base Command#

cisco-amp-computer-isolation-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| interval_in_seconds | The interval in seconds between each poll. Default is 30. | Optional |
| timeout_in_seconds | The timeout in seconds until polling ends. Default is 600. | Optional |
| connector_guid | The connector GUID for a specific computer. | Required |
| comment | Comment for isolation deletion. | Optional |
| status | Status of the current run. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.ComputerIsolation.available | Boolean | Set to true if isolation can be performed on the computer. |
| CiscoAMP.ComputerIsolation.status | String | Will be set to one of: not_isolated, pending_start, isolated and pending_stop. |
| CiscoAMP.ComputerIsolation.unlock_code | String | Isolation unlock code. |
| CiscoAMP.ComputerIsolation.comment | String | Isolation comment. |
| CiscoAMP.ComputerIsolation.isolated_by | String | Isolation initiator. |

Command example#

!cisco-amp-computer-isolation-delete connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 comment="End readme test" interval_in_seconds=5 timeout_in_seconds=20

Human Readable Output#

Fetching Results:
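The polling behaviour described for cisco-amp-computer-isolation-create and cisco-amp-computer-isolation-delete, sketched as an added example (not the integration's own code). `wait_for_status`, `simulate` and `IsolationError` are hypothetical names, the status source is an injected callable rather than a real API call, and the scripted status sequences are constructed; the four status values and the `available` flag are the ones listed in the Context Output tables.

```python
import time
from typing import Callable, Dict, Iterable

# Status values documented for CiscoAMP.ComputerIsolation.status.
VALID_STATUSES = ("not_isolated", "pending_start", "isolated", "pending_stop")
# Transitional state that is expected while waiting for each final state.
PENDING_FOR = {"isolated": "pending_start", "not_isolated": "pending_stop"}


class IsolationError(Exception):
    """Raised when polling cannot reach the requested state."""


def wait_for_status(get_isolation: Callable[[], Dict],
                    target: str,
                    interval_in_seconds: float = 30,
                    timeout_in_seconds: float = 600,
                    sleep: Callable[[float], None] = time.sleep,
                    clock: Callable[[], float] = time.monotonic) -> Dict:
    """Poll get_isolation() until status == target or the timeout expires."""
    if target not in PENDING_FOR:
        raise ValueError("target must be 'isolated' or 'not_isolated'")
    start = clock()
    deadline = start + timeout_in_seconds
    polls = 0
    while True:
        state = get_isolation()
        polls += 1
        status = state.get("status")
        if status not in VALID_STATUSES:
            raise IsolationError(f"unexpected status: {status!r}")
        if not state.get("available"):
            # Assumption: available=false means the policy does not allow
            # endpoint isolation, so waiting longer will not help.
            raise IsolationError("isolation is not available for this computer")
        if status == target:
            return {"status": status, "polls": polls, "elapsed": clock() - start}
        # Seeing the opposite transition means a competing request is in
        # flight; report it instead of waiting for the timeout.
        opposite = [p for t, p in PENDING_FOR.items() if t != target][0]
        if status == opposite:
            raise IsolationError(f"conflicting transition in progress: {status}")
        if clock() + interval_in_seconds > deadline:
            raise TimeoutError(f"still {status} after {polls} polls")
        sleep(interval_in_seconds)


def simulate(statuses: Iterable[str], target: str,
             interval_in_seconds: float = 5,
             timeout_in_seconds: float = 20) -> Dict:
    """Drive wait_for_status with a scripted (constructed) status sequence
    and a fake clock, so the run finishes instantly."""
    now = [0.0]
    feed = iter(statuses)
    last = [None]

    def get_isolation() -> Dict:
        # Repeat the final scripted status once the script is exhausted.
        last[0] = next(feed, last[0])
        return {"available": True, "status": last[0]}

    def fake_sleep(seconds: float) -> None:
        now[0] += seconds

    return wait_for_status(get_isolation, target, interval_in_seconds,
                           timeout_in_seconds, sleep=fake_sleep,
                           clock=lambda: now[0])


if __name__ == "__main__":
    # Same interval and timeout as the command example above (5 s / 20 s).
    print(simulate(["pending_start", "pending_start", "isolated"], "isolated"))
```

With a short timeout such as the 20 seconds used in the command examples, a run that ends while the status is still pending is a timeout of the poll, not proof that the request failed; a later cisco-amp-computer-isolation-get shows the final state.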

cisco-amp-event-list#


Fetch a list of events that can be filtered by a variety of criteria. Each criterion type is logically ANDed with the other criteria; multiple selections within a single criterion are logically ORed. This is analogous to the Events view on the FireAMP Console.

Base Command#

cisco-amp-event-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detection_sha256 | Detection SHA-256 to filter by. | Optional |
| application_sha256 | Application SHA-256 to filter by. | Optional |
| connector_guid | Comma-separated list for connector GUIDs to filter by. | Optional |
| group_guid | Comma-separated list for group GUIDs to filter by. | Optional |
| start_date | Fetch events that are newer than the given time. | Optional |
| event_type | Comma-separated list for event types to filter by. | Optional |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.Event.id | Number | Event's ID. |
| CiscoAMP.Event.timestamp | Number | Event's timestamp. |
| CiscoAMP.Event.timestamp_nanoseconds | Number | Event's timestamp in nanoseconds. |
| CiscoAMP.Event.date | Date | Event's date. |
| CiscoAMP.Event.event_type | String | Event's type. |
| CiscoAMP.Event.event_type_id | Number | Event's type ID. |
| CiscoAMP.Event.detection | String | Event's detection. |
| CiscoAMP.Event.detection_id | String | Event's detection ID. |
| CiscoAMP.Event.connector_guid | String | GUID of the connector. |
| CiscoAMP.Event.group_guids | String | Event's group GUID. |
| CiscoAMP.Event.severity | String | Event's severity. |
| CiscoAMP.Event.computer.connector_guid | String | GUID of the connector. |
| CiscoAMP.Event.computer.hostname | String | Host's name. |
| CiscoAMP.Event.computer.external_ip | String | External IP. |
| CiscoAMP.Event.computer.active | Boolean | Whether the computer is active. |
| CiscoAMP.Event.computer.user | String | Computer user. |
| CiscoAMP.Event.computer.network_addresses.ip | String | List of IP addresses. |
| CiscoAMP.Event.computer.network_addresses.mac | String | List of MAC addresses. |
| CiscoAMP.Event.file.disposition | String | Disposition of the file. |
| CiscoAMP.Event.file.file_name | String | Name of the file. |
| CiscoAMP.Event.file.file_path | String | Path to the file. |
| CiscoAMP.Event.file.identity.sha256 | String | File's SHA-256. |
| CiscoAMP.Event.file.identity.sha1 | String | File's SHA-1. |
| CiscoAMP.Event.file.identity.md5 | String | File's MD5. |
| CiscoAMP.Event.file.parent.process_id | Number | Parent's process ID. |
| CiscoAMP.Event.file.parent.file_name | String | Parent's file name. |
| CiscoAMP.Event.file.parent.disposition | String | Parent's disposition. |
| CiscoAMP.Event.file.parent.identity.sha256 | String | Parent's SHA-256. |
| CiscoAMP.Event.file.parent.identity.sha1 | String | Parent's SHA-1. |
| CiscoAMP.Event.file.parent.identity.md5 | String | Parent's MD5. |
| CiscoAMP.Event.scan.description | String | Description of the scan. |
| CiscoAMP.Event.scan.clean | Boolean | Whether the scan is clean. |
| CiscoAMP.Event.scan.scanned_files | Number | Number of scanned files. |
| CiscoAMP.Event.scan.scanned_processes | Number | Number of scanned processes. |
| CiscoAMP.Event.scan.scanned_paths | Number | Number of scanned paths. |
| CiscoAMP.Event.scan.malicious_detections | Number | Number of malicious detections. |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Name | String | The full file name (including file extension). |
| File.Path | String | The path where the file is located. |
| File.Hostname | String | The name of the host where the file was found. |
| File.Malicious.Vendor | String | The vendor that reported the file as malicious. |
| File.Malicious.Description | String | A description of why the file was determined to be malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Score | Number | The actual score. |

Command example#

!cisco-amp-event-list limit=5

Context Example#

{
"CiscoAMP": {
"Event": [
{
"computer": {
"active": "CiscoAMP_Event[0]_computer_active",
"connector_guid": "CiscoAMP_Event[0]_computer_connector_guid",
"external_ip": "CiscoAMP_Event[0]_computer_external_ip",
"hostname": "CiscoAMP_Event[0]_computer_hostname",
"network_addresses": [
{
"ip": "CiscoAMP_Event[0]_computer_network_addresses[0]_ip",
"mac": "CiscoAMP_Event[0]_computer_network_addresses[0]_mac"
}
]
},
"connector_guid": "CiscoAMP_Event[0]_connector_guid",
"date": "CiscoAMP_Event[0]_date",
"event_type": "CiscoAMP_Event[0]_event_type",
"event_type_id": "CiscoAMP_Event[0]_event_type_id",
"group_guids": [
"CiscoAMP_Event[0]_group_guids_0"
],
"id": "CiscoAMP_Event[0]_id",
"isolation": {
"duration": "CiscoAMP_Event[0]_isolation_duration"
},
"timestamp": "CiscoAMP_Event[0]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_Event[0]_timestamp_nanoseconds"
},
{
"computer": {
"active": "CiscoAMP_Event[1]_computer_active",
"connector_guid": "CiscoAMP_Event[1]_computer_connector_guid",
"external_ip": "CiscoAMP_Event[1]_computer_external_ip",
"hostname": "CiscoAMP_Event[1]_computer_hostname",
"network_addresses": [
{
"ip": "CiscoAMP_Event[1]_computer_network_addresses[0]_ip",
"mac": "CiscoAMP_Event[1]_computer_network_addresses[0]_mac"
}
]
},
"connector_guid": "CiscoAMP_Event[1]_connector_guid",
"date": "CiscoAMP_Event[1]_date",
"event_type": "CiscoAMP_Event[1]_event_type",
"event_type_id": "CiscoAMP_Event[1]_event_type_id",
"group_guids": [
"CiscoAMP_Event[1]_group_guids_0"
],
"id": "CiscoAMP_Event[1]_id",
"timestamp": "CiscoAMP_Event[1]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_Event[1]_timestamp_nanoseconds"
},
{
"computer": {
"active": "CiscoAMP_Event[2]_computer_active",
"connector_guid": "CiscoAMP_Event[2]_computer_connector_guid",
"external_ip": "CiscoAMP_Event[2]_computer_external_ip",
"hostname": "CiscoAMP_Event[2]_computer_hostname",
"network_addresses": [
{
"ip": "CiscoAMP_Event[2]_computer_network_addresses[0]_ip",
"mac": "CiscoAMP_Event[2]_computer_network_addresses[0]_mac"
}
]
},
"connector_guid": "CiscoAMP_Event[2]_connector_guid",
"date": "CiscoAMP_Event[2]_date",
"event_type": "CiscoAMP_Event[2]_event_type",
"event_type_id": "CiscoAMP_Event[2]_event_type_id",
"group_guids": [
"CiscoAMP_Event[2]_group_guids_0"
],
"id": "CiscoAMP_Event[2]_id",
"isolation": {
"duration": "CiscoAMP_Event[2]_isolation_duration"
},
"timestamp": "CiscoAMP_Event[2]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_Event[2]_timestamp_nanoseconds"
},
{
"computer": {
"active": "CiscoAMP_Event[3]_computer_active",
"connector_guid": "CiscoAMP_Event[3]_computer_connector_guid",
"external_ip": "CiscoAMP_Event[3]_computer_external_ip",
"hostname": "CiscoAMP_Event[3]_computer_hostname",
"network_addresses": [
{
"ip": "CiscoAMP_Event[3]_computer_network_addresses[0]_ip",
"mac": "CiscoAMP_Event[3]_computer_network_addresses[0]_mac"
}
]
},
"connector_guid": "CiscoAMP_Event[3]_connector_guid",
"date": "CiscoAMP_Event[3]_date",
"event_type": "CiscoAMP_Event[3]_event_type",
"event_type_id": "CiscoAMP_Event[3]_event_type_id",
"group_guids": [
"CiscoAMP_Event[3]_group_guids_0"
],
"id": "CiscoAMP_Event[3]_id",
"timestamp": "CiscoAMP_Event[3]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_Event[3]_timestamp_nanoseconds"
},
{
"computer": {
"active": "CiscoAMP_Event[4]_computer_active",
"connector_guid": "CiscoAMP_Event[4]_computer_connector_guid",
"external_ip": "CiscoAMP_Event[4]_computer_external_ip",
"hostname": "CiscoAMP_Event[4]_computer_hostname",
"network_addresses": [
{
"ip": "CiscoAMP_Event[4]_computer_network_addresses[0]_ip",
"mac": "CiscoAMP_Event[4]_computer_network_addresses[0]_mac"
}
]
},
"connector_guid": "CiscoAMP_Event[4]_connector_guid",
"date": "CiscoAMP_Event[4]_date",
"event_type": "CiscoAMP_Event[4]_event_type",
"event_type_id": "CiscoAMP_Event[4]_event_type_id",
"group_guids": [
"CiscoAMP_Event[4]_group_guids_0"
],
"id": "CiscoAMP_Event[4]_id",
"isolation": {
"duration": "CiscoAMP_Event[4]_isolation_duration"
},
"timestamp": "CiscoAMP_Event[4]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_Event[4]_timestamp_nanoseconds"
}
]
}
}

Human Readable Output#

Results#

| Current Item Count | Index | Items Per Page | Total |
| --- | --- | --- | --- |
| 5 | 0 | 5 | 1228 |

Event Information#

| ID | Date | Event Type | Connector GUID |
| --- | --- | --- | --- |
| 1667218513509436397 | 2022-10-31T12:15:13+00:00 | Endpoint Isolation Stop Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 |
| 1667218506680244597 | 2022-10-31T12:15:06+00:00 | Endpoint Isolation Start Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 |
| 1667217305855411965 | 2022-10-31T11:55:05+00:00 | Endpoint Isolation Stop Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 |
| 1667217298837175263 | 2022-10-31T11:54:58+00:00 | Endpoint Isolation Start Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 |
| 1667216545769121964 | 2022-10-31T11:42:25+00:00 | Endpoint Isolation Stop Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 |
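The filter semantics of cisco-amp-event-list (AND across criterion types, OR within one comma-separated criterion), modelled locally as an added example that is not the integration's code. The events are constructed, the connector and group identifiers are placeholders, and `event_matches` and `filter_events` are hypothetical helpers; it assumes `event_type` values are compared with `event_type_id` and that `start_date` is a strict lower bound.

```python
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Set

# Constructed sample events. Field names follow the Context Output table;
# the event type IDs are ones shown by cisco-amp-event-type-list on this page.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": 1, "connector_guid": "conn-a", "group_guids": ["grp-1"],
     "event_type_id": 554696714, "date": "2022-10-31T11:00:00+00:00"},
    {"id": 2, "connector_guid": "conn-b", "group_guids": ["grp-1"],
     "event_type_id": 1091567628, "date": "2022-10-31T12:00:00+00:00"},
    {"id": 3, "connector_guid": "conn-a", "group_guids": ["grp-2"],
     "event_type_id": 1091567628, "date": "2022-10-31T12:30:00+00:00"},
    {"id": 4, "connector_guid": "conn-c", "group_guids": ["grp-2"],
     "event_type_id": 553648130, "date": "2022-10-31T13:00:00+00:00"},
]


def split_arg(value: Optional[str]) -> Set[str]:
    """Turn a comma-separated argument into a set of trimmed values."""
    if not value:
        return set()
    return {part.strip() for part in value.split(",") if part.strip()}


def parse_date(value: str) -> datetime:
    """Parse an ISO 8601 date; treat a missing offset as UTC."""
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def event_matches(event: Dict[str, Any],
                  connector_guid: Optional[str] = None,
                  group_guid: Optional[str] = None,
                  event_type: Optional[str] = None,
                  start_date: Optional[str] = None) -> bool:
    """Return True when the event satisfies every supplied criterion."""
    connectors = split_arg(connector_guid)
    groups = split_arg(group_guid)
    types = split_arg(event_type)

    # Within one criterion any listed value may match (OR) ...
    if connectors and event.get("connector_guid") not in connectors:
        return False
    if groups and not groups.intersection(event.get("group_guids", [])):
        return False
    if types and str(event.get("event_type_id")) not in types:
        return False
    # ... and every supplied criterion has to hold (AND).
    if start_date and parse_date(event["date"]) <= parse_date(start_date):
        return False
    return True


def filter_events(events: List[Dict[str, Any]], **criteria: Optional[str]) -> List[int]:
    """Return the IDs of the events that pass all criteria."""
    return [e["id"] for e in events if event_matches(e, **criteria)]


if __name__ == "__main__":
    # Two connectors (OR) narrowed by one event type (AND).
    print(filter_events(SAMPLE_EVENTS, connector_guid="conn-a,conn-b",
                        event_type="1091567628"))
```

Adding a value to an existing criterion can only widen the result set, while adding a new criterion type can only narrow it, which is worth keeping in mind when a triage query unexpectedly returns nothing.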

cisco-amp-event-type-list#


Fetches a list of event types. Events are identified and filtered by a unique ID.

Base Command#

cisco-amp-event-type-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.EventType.id | Number | Event type ID. |
| CiscoAMP.EventType.name | String | Event type name. |
| CiscoAMP.EventType.description | String | Event type description. |

Command example#

!cisco-amp-event-type-list limit=5

Context Example#

{
"CiscoAMP": {
"EventType": [
{
"description": "CiscoAMP_EventType[0]_description",
"id": "CiscoAMP_EventType[0]_id",
"name": "CiscoAMP_EventType[0]_name"
},
{
"description": "CiscoAMP_EventType[1]_description",
"id": "CiscoAMP_EventType[1]_id",
"name": "CiscoAMP_EventType[1]_name"
},
{
"description": "CiscoAMP_EventType[2]_description",
"id": "CiscoAMP_EventType[2]_id",
"name": "CiscoAMP_EventType[2]_name"
},
{
"description": "CiscoAMP_EventType[3]_description",
"id": "CiscoAMP_EventType[3]_id",
"name": "CiscoAMP_EventType[3]_name"
},
{
"description": "CiscoAMP_EventType[4]_description",
"id": "CiscoAMP_EventType[4]_id",
"name": "CiscoAMP_EventType[4]_name"
}
]
}
}

Human Readable Output#

Results#

Total
106

Event Type Information#

| ID | Name | Description |
| --- | --- | --- |
| 50331649 | Initial Agent Registration | A new agent has registered with the system. |
| 553648130 | Policy Update | An agent has been told to fetch policy. |
| 554696714 | Scan Started | An agent has started scanning. |
| 554696715 | Scan Completed, No Detections | A scan has completed without detecting anything malicious. |
| 1091567628 | Scan Completed With Detections | A scan has completed and detected malicious items. |

cisco-amp-file-list-list#


Returns a particular file list for application blocking or simple custom detection. file_list_guid must be provided to retrieve information about a particular file_list. Can fetch an application_blocking or simple_custom_detection file list. Defaults to application_blocking.

Base Command#

cisco-amp-file-list-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_list_type | Fetch a list type to return. Possible values are: Application Blocking, Simple Custom Detection. Default is Application Blocking. | Optional |
| name | Comma-separated list for name to filter by (has auto complete capabilities). | Optional |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |
| file_list_guid | GUID of the file list to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.FileList.name | String | Name of blocking. |
| CiscoAMP.FileList.guid | String | File list GUID. |
| CiscoAMP.FileList.type | String | Type of blocking. |

Command example#

!cisco-amp-file-list-list

Context Example#

{
"CiscoAMP": {
"FileList": {
"guid": "CiscoAMP_FileList_guid",
"name": "CiscoAMP_FileList_name",
"type": "CiscoAMP_FileList_type"
}
}
}

Human Readable Output#

Results#

| Current Item Count | Index | Items Per Page | Total |
| --- | --- | --- | --- |
| 1 | 0 | 100 | 1 |

File List Information#

| GUID | Name | Type |
| --- | --- | --- |
| 1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12 | Blocked Application List | application_blocking |

cisco-amp-file-list-item-list#


Returns a list of items for a particular file_list. file_list_guid must be provided to retrieve these items. A particular item can be returned by providing a SHA-256.

Base Command#

cisco-amp-file-list-item-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_list_guid | File list to return. | Required |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |
| sha256 | File list item SHA-256 to search. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.FileListItem.name | String | Name of file list. |
| CiscoAMP.FileListItem.guid | String | File list GUID. |
| CiscoAMP.FileListItem.policies.name | String | Name of the policy. |
| CiscoAMP.FileListItem.policies.guid | String | Policy GUID. |
| CiscoAMP.FileListItem.items.sha256 | String | Item SHA-256. |
| CiscoAMP.FileListItem.items.source | String | Item source. |

Command example#

!cisco-amp-file-list-item-list file_list_guid=1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12

Context Example#

{
"CiscoAMP": {
"FileListItem": {
"guid": "CiscoAMP_FileListItem_guid",
"items": [],
"name": "CiscoAMP_FileListItem_name",
"policies": [
{
"guid": "CiscoAMP_FileListItem_policies[0]_guid",
"name": "CiscoAMP_FileListItem_policies[0]_name"
},
{
"guid": "CiscoAMP_FileListItem_policies[1]_guid",
"name": "CiscoAMP_FileListItem_policies[1]_name"
},
{
"guid": "CiscoAMP_FileListItem_policies[2]_guid",
"name": "CiscoAMP_FileListItem_policies[2]_name"
},
{
"guid": "CiscoAMP_FileListItem_policies[3]_guid",
"name": "CiscoAMP_FileListItem_policies[3]_name"
},
{
"guid": "CiscoAMP_FileListItem_policies[4]_guid",
"name": "CiscoAMP_FileListItem_policies[4]_name"
},
{
"guid": "CiscoAMP_FileListItem_policies[5]_guid",
"name": "CiscoAMP_FileListItem_policies[5]_name"
},
{
"guid": "CiscoAMP_FileListItem_policies[6]_guid",
"name": "CiscoAMP_FileListItem_policies[6]_name"
},
{
"guid": "CiscoAMP_FileListItem_policies[7]_guid",
"name": "CiscoAMP_FileListItem_policies[7]_name"
},
{
"guid": "CiscoAMP_FileListItem_policies[8]_guid",
"name": "CiscoAMP_FileListItem_policies[8]_name"
},
{
"guid": "CiscoAMP_FileListItem_policies[9]_guid",
"name": "CiscoAMP_FileListItem_policies[9]_name"
}
]
}
}
}

Human Readable Output#

Results#

| Current Item Count | Index | Items Per Page | Total |
| --- | --- | --- | --- |
| 0 | 0 | 100 | 0 |

File List Item Information#

No entries.

Related Policy Information#

| Name | Guid |
| --- | --- |
| Audit | be84e169-0830-4b95-915b-1e203a82ed58 |
| Protect | a599bf5b-2cb7-4a5b-90bd-d0199e2ccd67 |
| Triage | 1a352c59-793b-44f3-b8f9-0ddd354057bc |
| Server | dd1da971-926c-42ab-9e5a-154f2695d995 |
| Domain Controller | fa0c377e-8f0a-40ab-885a-afc8c08d3732 |
| Audit | 9f2fa537-df5d-4c6c-abf3-edc25a893a7a |
| Protect | 30fba653-eb4e-4c3d-b1bb-1cef9f0e31e4 |
| Triage | cfcf4841-bf00-4030-8ac3-4a607ecf245e |
| Audit | b4e266c8-ebd1-4e94-80b6-b04a966cb0d5 |
| Protect | 653508ed-28d4-465a-80c4-7ed9c0232b55 |

cisco-amp-file-list-item-create#


Creates a file list item with a given SHA-256 for a specific file list with a given file_list_guid.

Base Command#

cisco-amp-file-list-item-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_list_guid | File list to add to. | Required |
| sha256 | File list item's SHA-256 to add. | Required |
| description | Description for the created item. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.FileListItem.sha256 | String | Item SHA-256. |
| CiscoAMP.FileListItem.description | String | File's description. |
| CiscoAMP.FileListItem.source | String | Item source. |

Command example#

!cisco-amp-file-list-item-create file_list_guid=1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12 sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

Context Example#

{
"CiscoAMP": {
"FileListItem": {
"sha256": "CiscoAMP_FileListItem_sha256",
"source": "CiscoAMP_FileListItem_source"
}
}
}

Human Readable Output#

File List Item Information#

| SHA-256 | Source |
| --- | --- |
| ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad | Created by entering SHA-256 via Public api. |

cisco-amp-file-list-item-delete#


Deletes the file list item with the given SHA-256 from the file list identified by the given file_list_guid.

Base Command#

cisco-amp-file-list-item-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_list_guid | File list to delete from. | Required |
| sha256 | File list item SHA-256 to delete. | Required |

Context Output#

There is no context output for this command.

Command example#

!cisco-amp-file-list-item-delete file_list_guid=1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12 sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

Human Readable Output#

SHA-256: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" Successfully deleted from File List GUID: "1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12".

cisco-amp-group-list#


Provides information about groups in an organization.

Base Command#

cisco-amp-group-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name to filter by (has auto complete capabilities). | Optional |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |
| group_guid | Group's GUID. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.Group.name | String | Name of the group. |
| CiscoAMP.Group.description | String | Group's description. |
| CiscoAMP.Group.guid | String | Group GUID. |
| CiscoAMP.Group.source | String | Creation source. |
| CiscoAMP.Group.creator | String | Creator of the group. |
| CiscoAMP.Group.created_at | Date | Date of creation. |
| CiscoAMP.Group.computers_count | Number | Number of computers in the group. |
| CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. |
| CiscoAMP.Group.ancestry.name | String | Parent group name. |
| CiscoAMP.Group.ancestry.guid | String | Parent group GUID. |
| CiscoAMP.Group.child_groups.name | String | Child group name. |
| CiscoAMP.Group.child_groups.guid | String | Child group GUID. |
| CiscoAMP.Group.policies.name | String | Policy name. |
| CiscoAMP.Group.policies.description | String | Policy description. |
| CiscoAMP.Group.policies.guid | String | Policy GUID. |
| CiscoAMP.Group.policies.product | String | Policy operating system product. |
| CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. |
| CiscoAMP.Group.policies.serial_number | Number | Policy serial number. |
| CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. |
| CiscoAMP.Group.policies.file_lists.name | String | File list name. |
| CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. |
| CiscoAMP.Group.policies.file_lists.type | String | File list type. |
| CiscoAMP.Group.policies.ip_lists.name | String | IP list name. |
| CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. |
| CiscoAMP.Group.policies.ip_lists.type | String | IP list type. |
| CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. |
| CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. |
| CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group it is used in. |
| CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group it is used in. |
| CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group it is used in. |
| CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group it is used in. |

Command example#

!cisco-amp-group-list

Context Example#

{
"CiscoAMP": {
"Group": [
{
"description": "CiscoAMP_Group[0]_description",
"guid": "CiscoAMP_Group[0]_guid",
"name": "CiscoAMP_Group[0]_name",
"source": "CiscoAMP_Group[0]_source"
},
{
"description": "CiscoAMP_Group[1]_description",
"guid": "CiscoAMP_Group[1]_guid",
"name": "CiscoAMP_Group[1]_name",
"source": "CiscoAMP_Group[1]_source"
},
{
"description": "CiscoAMP_Group[2]_description",
"guid": "CiscoAMP_Group[2]_guid",
"name": "CiscoAMP_Group[2]_name",
"source": "CiscoAMP_Group[2]_source"
},
{
"description": "CiscoAMP_Group[3]_description",
"guid": "CiscoAMP_Group[3]_guid",
"name": "CiscoAMP_Group[3]_name",
"source": "CiscoAMP_Group[3]_source"
},
{
"ancestry": [
{
"guid": "CiscoAMP_Group[4]_ancestry[0]_guid",
"name": "CiscoAMP_Group[4]_ancestry[0]_name"
}
],
"description": "CiscoAMP_Group[4]_description",
"guid": "CiscoAMP_Group[4]_guid",
"name": "CiscoAMP_Group[4]_name",
"source": "CiscoAMP_Group[4]_source"
},
{
"description": "CiscoAMP_Group[5]_description",
"guid": "CiscoAMP_Group[5]_guid",
"name": "CiscoAMP_Group[5]_name",
"source": "CiscoAMP_Group[5]_source"
},
{
"description": "CiscoAMP_Group[6]_description",
"guid": "CiscoAMP_Group[6]_guid",
"name": "CiscoAMP_Group[6]_name",
"source": "CiscoAMP_Group[6]_source"
},
{
"description": "CiscoAMP_Group[7]_description",
"guid": "CiscoAMP_Group[7]_guid",
"name": "CiscoAMP_Group[7]_name",
"source": "CiscoAMP_Group[7]_source"
},
{
"description": "CiscoAMP_Group[8]_description",
"guid": "CiscoAMP_Group[8]_guid",
"name": "CiscoAMP_Group[8]_name",
"source": "CiscoAMP_Group[8]_source"
}
]
}
}

Human Readable Output#

Results#

| Current Item Count | Index | Items Per Page | Total |
| --- | --- | --- | --- |
| 9 | 0 | 100 | 9 |

Group Information#

| Name | Description | GUID | Source |
| --- | --- | --- | --- |
| Audit | Audit Group for QMASTERS SECURITY SERVICES LTD | fedd82f8-c74f-49f4-a463-e576d3beee92 | |
| Domain Controller | Domain Controller Group for QMASTERS SECURITY SERVICES LTD | 92615a6b-631f-4436-b2da-47e94b349737 | |
| group todelete | playbook delete | e66a0f8a-47f6-4da5-bf95-2834f668d71b | Created via API |
| Lior-Group | Test group | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | |
| Lior-Group-child | Test child group | 8b5245b5-993b-4ba9-9fe0-fb0454e815e5 | |
| Protect | Protect Group for QMASTERS SECURITY SERVICES LTD | 5b1857e3-ba49-46cf-9bf1-0cad6b5ecd18 | |
| readme group to delete | readme test group to be deleted | d088adeb-7cb4-48e4-807b-edcb828f4d29 | Created via API |
| Server | Server Group for QMASTERS SECURITY SERVICES LTD | 9b54e512-b5ac-4865-ba1f-8cf2fbfbe052 | |
| Triage | Triage Group for QMASTERS SECURITY SERVICES LTD | 6ed80412-0739-42c1-8f6d-32fb51b3f894 | |

cisco-amp-group-policy-update#


Assigns the given policy to a group and returns all the policies in that group.

Base Command#

cisco-amp-group-policy-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_guid | Group's GUID. | Required |
| windows_policy_guid | Policy GUID for Windows. | Optional |
| mac_policy_guid | Policy GUID for MAC. | Optional |
| android_policy_guid | Policy GUID for Android. | Optional |
| linux_policy_guid | Policy GUID for Linux. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.Group.name | String | Name of the group. |
| CiscoAMP.Group.description | String | Group's description. |
| CiscoAMP.Group.guid | String | Group GUID. |
| CiscoAMP.Group.source | String | Creation source. |
| CiscoAMP.Group.creator | String | Creator of the group. |
| CiscoAMP.Group.created_at | Date | Date of creation. |
| CiscoAMP.Group.computers_count | Number | Number of computers in the group. |
| CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. |
| CiscoAMP.Group.ancestry.name | String | Parent group name. |
| CiscoAMP.Group.ancestry.guid | String | Parent group GUID. |
| CiscoAMP.Group.child_groups.name | String | Child group name. |
| CiscoAMP.Group.child_groups.guid | String | Child group GUID. |
| CiscoAMP.Group.policies.name | String | Policy name. |
| CiscoAMP.Group.policies.description | String | Policy description. |
| CiscoAMP.Group.policies.guid | String | Policy GUID. |
| CiscoAMP.Group.policies.product | String | Policy operating system product. |
| CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. |
| CiscoAMP.Group.policies.serial_number | Number | Policy serial number. |
| CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. |
| CiscoAMP.Group.policies.file_lists.name | String | File list name. |
| CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. |
| CiscoAMP.Group.policies.file_lists.type | String | File list type. |
| CiscoAMP.Group.policies.ip_lists.name | String | IP list name. |
| CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. |
| CiscoAMP.Group.policies.ip_lists.type | String | IP list type. |
| CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. |
| CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. |
| CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group the policy is used in. |
| CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group the policy is used in. |
| CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group the policy is used in. |
| CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group the policy is used in. |

Command example#

!cisco-amp-group-policy-update group_guid=bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 windows_policy_guid=91c7894d-dd69-4a21-8cf6-5ebfc57ef4df

Context Example#

{
"CiscoAMP": {
"Group": {
"child_groups": [
{
"guid": "CiscoAMP_Group_child_groups[0]_guid",
"name": "CiscoAMP_Group_child_groups[0]_name"
}
],
"computers_count": "CiscoAMP_Group_computers_count",
"created_at": "CiscoAMP_Group_created_at",
"creator": "CiscoAMP_Group_creator",
"descendant_computers_count": "CiscoAMP_Group_descendant_computers_count",
"description": "CiscoAMP_Group_description",
"guid": "CiscoAMP_Group_guid",
"name": "CiscoAMP_Group_name",
"policies": [
{
"default": "CiscoAMP_Group_policies[0]_default",
"description": "CiscoAMP_Group_policies[0]_description",
"exclusion_sets": [
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_name"
}
],
"file_lists": [],
"guid": "CiscoAMP_Group_policies[0]_guid",
"inherited": "CiscoAMP_Group_policies[0]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[0]_name",
"product": "CiscoAMP_Group_policies[0]_product",
"serial_number": "CiscoAMP_Group_policies[0]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[0]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[0]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[0]_used_in_groups[0]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[1]_default",
"description": "CiscoAMP_Group_policies[1]_description",
"file_lists": [],
"guid": "CiscoAMP_Group_policies[1]_guid",
"inherited": "CiscoAMP_Group_policies[1]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[1]_name",
"product": "CiscoAMP_Group_policies[1]_product",
"serial_number": "CiscoAMP_Group_policies[1]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[1]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[1]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[1]_used_in_groups[0]_name"
},
{
"description": "CiscoAMP_Group_policies[1]_used_in_groups[1]_description",
"guid": "CiscoAMP_Group_policies[1]_used_in_groups[1]_guid",
"name": "CiscoAMP_Group_policies[1]_used_in_groups[1]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[2]_default",
"description": "CiscoAMP_Group_policies[2]_description",
"exclusion_sets": [
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_name"
}
],
"file_lists": [
{
"guid": "CiscoAMP_Group_policies[2]_file_lists[0]_guid",
"name": "CiscoAMP_Group_policies[2]_file_lists[0]_name",
"type": "CiscoAMP_Group_policies[2]_file_lists[0]_type"
},
{
"guid": "CiscoAMP_Group_policies[2]_file_lists[1]_guid",
"name": "CiscoAMP_Group_policies[2]_file_lists[1]_name",
"type": "CiscoAMP_Group_policies[2]_file_lists[1]_type"
},
{
"guid": "CiscoAMP_Group_policies[2]_file_lists[2]_guid",
"name": "CiscoAMP_Group_policies[2]_file_lists[2]_name",
"type": "CiscoAMP_Group_policies[2]_file_lists[2]_type"
}
],
"guid": "CiscoAMP_Group_policies[2]_guid",
"inherited": "CiscoAMP_Group_policies[2]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[2]_name",
"product": "CiscoAMP_Group_policies[2]_product",
"serial_number": "CiscoAMP_Group_policies[2]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[2]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[2]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[2]_used_in_groups[0]_name"
},
{
"description": "CiscoAMP_Group_policies[2]_used_in_groups[1]_description",
"guid": "CiscoAMP_Group_policies[2]_used_in_groups[1]_guid",
"name": "CiscoAMP_Group_policies[2]_used_in_groups[1]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[3]_default",
"description": "CiscoAMP_Group_policies[3]_description",
"file_lists": [
{
"guid": "CiscoAMP_Group_policies[3]_file_lists[0]_guid",
"name": "CiscoAMP_Group_policies[3]_file_lists[0]_name",
"type": "CiscoAMP_Group_policies[3]_file_lists[0]_type"
},
{
"guid": "CiscoAMP_Group_policies[3]_file_lists[1]_guid",
"name": "CiscoAMP_Group_policies[3]_file_lists[1]_name",
"type": "CiscoAMP_Group_policies[3]_file_lists[1]_type"
},
{
"guid": "CiscoAMP_Group_policies[3]_file_lists[2]_guid",
"name": "CiscoAMP_Group_policies[3]_file_lists[2]_name",
"type": "CiscoAMP_Group_policies[3]_file_lists[2]_type"
}
],
"guid": "CiscoAMP_Group_policies[3]_guid",
"inherited": "CiscoAMP_Group_policies[3]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[3]_name",
"product": "CiscoAMP_Group_policies[3]_product",
"serial_number": "CiscoAMP_Group_policies[3]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[3]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[3]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[3]_used_in_groups[0]_name"
},
{
"description": "CiscoAMP_Group_policies[3]_used_in_groups[1]_description",
"guid": "CiscoAMP_Group_policies[3]_used_in_groups[1]_guid",
"name": "CiscoAMP_Group_policies[3]_used_in_groups[1]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[4]_default",
"description": "CiscoAMP_Group_policies[4]_description",
"file_lists": [],
"guid": "CiscoAMP_Group_policies[4]_guid",
"inherited": "CiscoAMP_Group_policies[4]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[4]_name",
"product": "CiscoAMP_Group_policies[4]_product",
"serial_number": "CiscoAMP_Group_policies[4]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[4]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[4]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[4]_used_in_groups[0]_name"
},
{
"description": "CiscoAMP_Group_policies[4]_used_in_groups[1]_description",
"guid": "CiscoAMP_Group_policies[4]_used_in_groups[1]_guid",
"name": "CiscoAMP_Group_policies[4]_used_in_groups[1]_name"
}
]
}
],
"source": "CiscoAMP_Group_source"
}
}
}

Human Readable Output#

Group Information#

| Name | Description | Creator | Created At | Computers Count | Descendant Computers Count |
| --- | --- | --- | --- | --- | --- |
| Lior-Group | Test group | Email | 2022-10-25 13:42:36 | 1 | 0 |
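One way to confirm that a cisco-amp-group-policy-update call did what was asked, as an added example that is not part of the integration's own code: it compares the CiscoAMP.Group context captured before and after the change, then summarises the exclusion sets and group sharing that the newly assigned policy brings with it. The product strings, sample names and GUIDs are constructed assumptions, not values from a real tenant.

```python
"""Post-change check for cisco-amp-group-policy-update (added example)."""

# Command argument -> value expected in CiscoAMP.Group.policies.product.
# These product strings are an assumption; match them to what your tenant returns.
ARG_TO_PRODUCT = {
    "windows_policy_guid": "windows",
    "mac_policy_guid": "mac",
    "android_policy_guid": "android",
    "linux_policy_guid": "linux",
}

# Constructed sample data: every name and GUID below is made up.
GROUP_GUID = "11111111-1111-4111-8111-111111111111"
OLD_WIN = "22222222-2222-4222-8222-222222222222"
NEW_WIN = "33333333-3333-4333-8333-333333333333"
LINUX = "44444444-4444-4444-8444-444444444444"
THIS_GROUP = {"guid": GROUP_GUID, "name": "Example-Group"}
LINUX_POLICY = {"product": "linux", "guid": LINUX, "name": "Example Linux",
                "inherited": True, "file_lists": [], "ip_lists": [],
                "used_in_groups": [THIS_GROUP]}  # no exclusion_sets key at all
BEFORE = {"CiscoAMP": {"Group": {**THIS_GROUP, "policies": [
    {"product": "windows", "guid": OLD_WIN, "name": "Example Audit",
     "inherited": True, "file_lists": [], "ip_lists": [],
     "used_in_groups": [THIS_GROUP]},
    LINUX_POLICY,
]}}}
AFTER = {"CiscoAMP": {"Group": {**THIS_GROUP, "policies": [
    {"product": "windows", "guid": NEW_WIN, "name": "Example Protect",
     "inherited": False, "ip_lists": [],
     "exclusion_sets": [{"guid": "e-2", "name": "Example Backup Agent"},
                        {"guid": "e-1", "name": "Example AV Exclusions"}],
     "file_lists": [{"guid": "f-1", "name": "Example List", "type": "example"}],
     "used_in_groups": [THIS_GROUP,
                        {"guid": "55555555-5555-4555-8555-555555555555",
                         "name": "Example-Servers"}]},
    LINUX_POLICY,
]}}}


def group_of(context):
    """Return the single group dict from a command's context output."""
    group = context.get("CiscoAMP", {}).get("Group") or {}
    if isinstance(group, list):  # cisco-amp-group-list returns a list of groups
        if len(group) != 1:
            raise ValueError("expected exactly one group in context")
        group = group[0]
    return group


def policies_by_product(group):
    """Map product -> policy dict; 'policies' is absent on some list results."""
    return {p.get("product"): p for p in group.get("policies") or []}


def verify_update(before, after, requested):
    """Return a list of problems; empty means only the requested products changed."""
    old = policies_by_product(group_of(before))
    new = policies_by_product(group_of(after))
    problems, touched = [], set()
    for arg, guid in requested.items():
        if arg not in ARG_TO_PRODUCT:
            raise ValueError(f"unknown policy argument: {arg}")
        product = ARG_TO_PRODUCT[arg]
        touched.add(product)
        got = (new.get(product) or {}).get("guid")
        if got != guid:
            problems.append(f"{product}: requested {guid}, group now has {got}")
    for product in sorted(set(old) | set(new), key=str):
        if product in touched:
            continue
        was = (old.get(product) or {}).get("guid")
        now = (new.get(product) or {}).get("guid")
        if was != now:
            problems.append(f"{product}: changed unexpectedly from {was} to {now}")
    return problems


def exposure_of(policy, group_guid):
    """Summarise what a policy carries: exclusions, lists, and other groups using it."""
    return {
        "policy": policy.get("name"),
        "inherited": bool(policy.get("inherited")),
        # Keys such as exclusion_sets can be missing entirely, so default to [].
        "exclusion_sets": sorted(e.get("name", "") for e in policy.get("exclusion_sets") or []),
        "file_lists": len(policy.get("file_lists") or []),
        "ip_lists": len(policy.get("ip_lists") or []),
        "also_used_in": sorted(g.get("name", "") for g in policy.get("used_in_groups") or []
                               if g.get("guid") != group_guid),
    }


if __name__ == "__main__":
    print(verify_update(BEFORE, AFTER, {"windows_policy_guid": NEW_WIN}))
    for product, policy in policies_by_product(group_of(AFTER)).items():
        print(product, exposure_of(policy, GROUP_GUID))
```

An empty list from `verify_update` means the requested product now carries the requested policy and no other product's policy moved; the `exposure_of` summary is what to review before accepting a policy that adds exclusions or is shared with other groups.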

cisco-amp-group-parent-update#


Converts an existing group to a child of another group or an existing child group to a root group (that is, one with no parent groups).

Base Command#

cisco-amp-group-parent-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| child_guid | Group's GUID. | Required |
| parent_group_guid | GUID of the parent group to set for the child group. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.Group.name | String | Name of the group. |
| CiscoAMP.Group.description | String | Group's description. |
| CiscoAMP.Group.guid | String | Group GUID. |
| CiscoAMP.Group.source | String | Creation source. |
| CiscoAMP.Group.creator | String | Creator of the group. |
| CiscoAMP.Group.created_at | Date | Date of creation. |
| CiscoAMP.Group.computers_count | Number | Number of computers in the group. |
| CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. |
| CiscoAMP.Group.ancestry.name | String | Parent group name. |
| CiscoAMP.Group.ancestry.guid | String | Parent group GUID. |
| CiscoAMP.Group.child_groups.name | String | Child group name. |
| CiscoAMP.Group.child_groups.guid | String | Child group GUID. |
| CiscoAMP.Group.policies.name | String | Policy name. |
| CiscoAMP.Group.policies.description | String | Policy description. |
| CiscoAMP.Group.policies.guid | String | Policy GUID. |
| CiscoAMP.Group.policies.product | String | Policy operating system product. |
| CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. |
| CiscoAMP.Group.policies.serial_number | Number | Policy serial number. |
| CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. |
| CiscoAMP.Group.policies.file_lists.name | String | File list name. |
| CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. |
| CiscoAMP.Group.policies.file_lists.type | String | File list type. |
| CiscoAMP.Group.policies.ip_lists.name | String | IP list name. |
| CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. |
| CiscoAMP.Group.policies.ip_lists.type | String | IP list type. |
| CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. |
| CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. |
| CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group it is used in. |
| CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group it is used in. |
| CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group it is used in. |
| CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group it is used in. |

Command example#

!cisco-amp-group-parent-update child_guid=bb5a9f90-d6fa-4fe7-99c8-e91060b49a98

Context Example#

{
"CiscoAMP": {
"Group": {
"child_groups": [
{
"guid": "CiscoAMP_Group_child_groups[0]_guid",
"name": "CiscoAMP_Group_child_groups[0]_name"
}
],
"computers_count": "CiscoAMP_Group_computers_count",
"created_at": "CiscoAMP_Group_created_at",
"creator": "CiscoAMP_Group_creator",
"descendant_computers_count": "CiscoAMP_Group_descendant_computers_count",
"description": "CiscoAMP_Group_description",
"guid": "CiscoAMP_Group_guid",
"name": "CiscoAMP_Group_name",
"policies": [
{
"default": "CiscoAMP_Group_policies[0]_default",
"description": "CiscoAMP_Group_policies[0]_description",
"exclusion_sets": [
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_name"
}
],
"file_lists": [],
"guid": "CiscoAMP_Group_policies[0]_guid",
"inherited": "CiscoAMP_Group_policies[0]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[0]_name",
"product": "CiscoAMP_Group_policies[0]_product",
"serial_number": "CiscoAMP_Group_policies[0]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[0]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[0]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[0]_used_in_groups[0]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[1]_default",
"description": "CiscoAMP_Group_policies[1]_description",
"file_lists": [],
"guid": "CiscoAMP_Group_policies[1]_guid",
"inherited": "CiscoAMP_Group_policies[1]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[1]_name",
"product": "CiscoAMP_Group_policies[1]_product",
"serial_number": "CiscoAMP_Group_policies[1]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[1]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[1]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[1]_used_in_groups[0]_name"
},
{
"description": "CiscoAMP_Group_policies[1]_used_in_groups[1]_description",
"guid": "CiscoAMP_Group_policies[1]_used_in_groups[1]_guid",
"name": "CiscoAMP_Group_policies[1]_used_in_groups[1]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[2]_default",
"description": "CiscoAMP_Group_policies[2]_description",
"exclusion_sets": [
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_name"
}
],
"file_lists": [
{
"guid": "CiscoAMP_Group_policies[2]_file_lists[0]_guid",
"name": "CiscoAMP_Group_policies[2]_file_lists[0]_name",
"type": "CiscoAMP_Group_policies[2]_file_lists[0]_type"
},
{
"guid": "CiscoAMP_Group_policies[2]_file_lists[1]_guid",
"name": "CiscoAMP_Group_policies[2]_file_lists[1]_name",
"type": "CiscoAMP_Group_policies[2]_file_lists[1]_type"
},
{
"guid": "CiscoAMP_Group_policies[2]_file_lists[2]_guid",
"name": "CiscoAMP_Group_policies[2]_file_lists[2]_name",
"type": "CiscoAMP_Group_policies[2]_file_lists[2]_type"
}
],
"guid": "CiscoAMP_Group_policies[2]_guid",
"inherited": "CiscoAMP_Group_policies[2]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[2]_name",
"product": "CiscoAMP_Group_policies[2]_product",
"serial_number": "CiscoAMP_Group_policies[2]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[2]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[2]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[2]_used_in_groups[0]_name"
},
{
"description": "CiscoAMP_Group_policies[2]_used_in_groups[1]_description",
"guid": "CiscoAMP_Group_policies[2]_used_in_groups[1]_guid",
"name": "CiscoAMP_Group_policies[2]_used_in_groups[1]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[3]_default",
"description": "CiscoAMP_Group_policies[3]_description",
"file_lists": [
{
"guid": "CiscoAMP_Group_policies[3]_file_lists[0]_guid",
"name": "CiscoAMP_Group_policies[3]_file_lists[0]_name",
"type": "CiscoAMP_Group_policies[3]_file_lists[0]_type"
},
{
"guid": "CiscoAMP_Group_policies[3]_file_lists[1]_guid",
"name": "CiscoAMP_Group_policies[3]_file_lists[1]_name",
"type": "CiscoAMP_Group_policies[3]_file_lists[1]_type"
},
{
"guid": "CiscoAMP_Group_policies[3]_file_lists[2]_guid",
"name": "CiscoAMP_Group_policies[3]_file_lists[2]_name",
"type": "CiscoAMP_Group_policies[3]_file_lists[2]_type"
}
],
"guid": "CiscoAMP_Group_policies[3]_guid",
"inherited": "CiscoAMP_Group_policies[3]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[3]_name",
"product": "CiscoAMP_Group_policies[3]_product",
"serial_number": "CiscoAMP_Group_policies[3]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[3]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[3]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[3]_used_in_groups[0]_name"
},
{
"description": "CiscoAMP_Group_policies[3]_used_in_groups[1]_description",
"guid": "CiscoAMP_Group_policies[3]_used_in_groups[1]_guid",
"name": "CiscoAMP_Group_policies[3]_used_in_groups[1]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[4]_default",
"description": "CiscoAMP_Group_policies[4]_description",
"file_lists": [],
"guid": "CiscoAMP_Group_policies[4]_guid",
"inherited": "CiscoAMP_Group_policies[4]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[4]_name",
"product": "CiscoAMP_Group_policies[4]_product",
"serial_number": "CiscoAMP_Group_policies[4]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[4]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[4]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[4]_used_in_groups[0]_name"
},
{
"description": "CiscoAMP_Group_policies[4]_used_in_groups[1]_description",
"guid": "CiscoAMP_Group_policies[4]_used_in_groups[1]_guid",
"name": "CiscoAMP_Group_policies[4]_used_in_groups[1]_name"
}
]
}
],
"source": "CiscoAMP_Group_source"
}
}
}

Human Readable Output#

Group Information#

| Name | Description | Creator | Created At | Computers Count | Descendant Computers Count |
| --- | --- | --- | --- | --- | --- |
| Lior-Group | Test group | Email | 2022-10-25 13:42:36 | 1 | 0 |

cisco-amp-group-create#


Creates a new group with the given name and description.

Base Command#

cisco-amp-group-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Group name. | Required |
| description | Group description. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.Group.name | String | Name of the group. |
| CiscoAMP.Group.description | String | Group's description. |
| CiscoAMP.Group.guid | String | Group GUID. |
| CiscoAMP.Group.source | String | Creation source. |
| CiscoAMP.Group.creator | String | Creator of the group. |
| CiscoAMP.Group.created_at | Date | Date of creation. |
| CiscoAMP.Group.computers_count | Number | Number of computers in the group. |
| CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. |
| CiscoAMP.Group.policies.name | String | Policy name. |
| CiscoAMP.Group.policies.description | String | Policy description. |
| CiscoAMP.Group.policies.guid | String | Policy GUID. |
| CiscoAMP.Group.policies.product | String | Policy operating system product. |
| CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. |
| CiscoAMP.Group.policies.serial_number | Number | Policy serial number. |
| CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. |
| CiscoAMP.Group.policies.file_lists.name | String | File list name. |
| CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. |
| CiscoAMP.Group.policies.file_lists.type | String | File list type. |
| CiscoAMP.Group.policies.ip_lists.name | String | IP list name. |
| CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. |
| CiscoAMP.Group.policies.ip_lists.type | String | IP list type. |
| CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. |
| CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. |
| CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group it is used in. |
| CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group it is used in. |
| CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group it is used in. |
| CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group it is used in. |

Command example#

!cisco-amp-group-create description="readme test group to be deleted" name="readme group"

Context Example#

{
"CiscoAMP": {
"Group": {
"computers_count": "CiscoAMP_Group_computers_count",
"created_at": "CiscoAMP_Group_created_at",
"creator": "CiscoAMP_Group_creator",
"descendant_computers_count": "CiscoAMP_Group_descendant_computers_count",
"description": "CiscoAMP_Group_description",
"guid": "CiscoAMP_Group_guid",
"name": "CiscoAMP_Group_name",
"policies": [
{
"default": "CiscoAMP_Group_policies[0]_default",
"description": "CiscoAMP_Group_policies[0]_description",
"exclusion_sets": [
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[1]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[1]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[2]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[2]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[3]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[3]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[4]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[4]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[5]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[5]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[6]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[6]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[7]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[7]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[8]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[8]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[9]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[9]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[10]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[10]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[11]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[11]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[12]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[12]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[13]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[13]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[14]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[14]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[15]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[15]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[16]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[16]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[17]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[17]_name"
},
{
"guid": "CiscoAMP_Group_policies[0]_exclusion_sets[18]_guid",
"name": "CiscoAMP_Group_policies[0]_exclusion_sets[18]_name"
}
],
"file_lists": [
{
"guid": "CiscoAMP_Group_policies[0]_file_lists[0]_guid",
"name": "CiscoAMP_Group_policies[0]_file_lists[0]_name",
"type": "CiscoAMP_Group_policies[0]_file_lists[0]_type"
},
{
"guid": "CiscoAMP_Group_policies[0]_file_lists[1]_guid",
"name": "CiscoAMP_Group_policies[0]_file_lists[1]_name",
"type": "CiscoAMP_Group_policies[0]_file_lists[1]_type"
},
{
"guid": "CiscoAMP_Group_policies[0]_file_lists[2]_guid",
"name": "CiscoAMP_Group_policies[0]_file_lists[2]_name",
"type": "CiscoAMP_Group_policies[0]_file_lists[2]_type"
}
],
"guid": "CiscoAMP_Group_policies[0]_guid",
"inherited": "CiscoAMP_Group_policies[0]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[0]_name",
"product": "CiscoAMP_Group_policies[0]_product",
"serial_number": "CiscoAMP_Group_policies[0]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[0]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[0]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[0]_used_in_groups[0]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[1]_default",
"description": "CiscoAMP_Group_policies[1]_description",
"file_lists": [],
"guid": "CiscoAMP_Group_policies[1]_guid",
"inherited": "CiscoAMP_Group_policies[1]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[1]_name",
"product": "CiscoAMP_Group_policies[1]_product",
"serial_number": "CiscoAMP_Group_policies[1]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[1]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[1]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[1]_used_in_groups[0]_name"
},
{
"description": "CiscoAMP_Group_policies[1]_used_in_groups[1]_description",
"guid": "CiscoAMP_Group_policies[1]_used_in_groups[1]_guid",
"name": "CiscoAMP_Group_policies[1]_used_in_groups[1]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[2]_default",
"description": "CiscoAMP_Group_policies[2]_description",
"exclusion_sets": [
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_name"
},
{
"guid": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_guid",
"name": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_name"
}
],
"file_lists": [
{
"guid": "CiscoAMP_Group_policies[2]_file_lists[0]_guid",
"name": "CiscoAMP_Group_policies[2]_file_lists[0]_name",
"type": "CiscoAMP_Group_policies[2]_file_lists[0]_type"
},
{
"guid": "CiscoAMP_Group_policies[2]_file_lists[1]_guid",
"name": "CiscoAMP_Group_policies[2]_file_lists[1]_name",
"type": "CiscoAMP_Group_policies[2]_file_lists[1]_type"
},
{
"guid": "CiscoAMP_Group_policies[2]_file_lists[2]_guid",
"name": "CiscoAMP_Group_policies[2]_file_lists[2]_name",
"type": "CiscoAMP_Group_policies[2]_file_lists[2]_type"
}
],
"guid": "CiscoAMP_Group_policies[2]_guid",
"inherited": "CiscoAMP_Group_policies[2]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[2]_name",
"product": "CiscoAMP_Group_policies[2]_product",
"serial_number": "CiscoAMP_Group_policies[2]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[2]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[2]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[2]_used_in_groups[0]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[3]_default",
"description": "CiscoAMP_Group_policies[3]_description",
"file_lists": [
{
"guid": "CiscoAMP_Group_policies[3]_file_lists[0]_guid",
"name": "CiscoAMP_Group_policies[3]_file_lists[0]_name",
"type": "CiscoAMP_Group_policies[3]_file_lists[0]_type"
},
{
"guid": "CiscoAMP_Group_policies[3]_file_lists[1]_guid",
"name": "CiscoAMP_Group_policies[3]_file_lists[1]_name",
"type": "CiscoAMP_Group_policies[3]_file_lists[1]_type"
},
{
"guid": "CiscoAMP_Group_policies[3]_file_lists[2]_guid",
"name": "CiscoAMP_Group_policies[3]_file_lists[2]_name",
"type": "CiscoAMP_Group_policies[3]_file_lists[2]_type"
}
],
"guid": "CiscoAMP_Group_policies[3]_guid",
"inherited": "CiscoAMP_Group_policies[3]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[3]_name",
"product": "CiscoAMP_Group_policies[3]_product",
"serial_number": "CiscoAMP_Group_policies[3]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[3]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[3]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[3]_used_in_groups[0]_name"
}
]
},
{
"default": "CiscoAMP_Group_policies[4]_default",
"description": "CiscoAMP_Group_policies[4]_description",
"file_lists": [],
"guid": "CiscoAMP_Group_policies[4]_guid",
"inherited": "CiscoAMP_Group_policies[4]_inherited",
"ip_lists": [],
"isolation_ip_lists": [],
"name": "CiscoAMP_Group_policies[4]_name",
"product": "CiscoAMP_Group_policies[4]_product",
"serial_number": "CiscoAMP_Group_policies[4]_serial_number",
"used_in_groups": [
{
"description": "CiscoAMP_Group_policies[4]_used_in_groups[0]_description",
"guid": "CiscoAMP_Group_policies[4]_used_in_groups[0]_guid",
"name": "CiscoAMP_Group_policies[4]_used_in_groups[0]_name"
}
]
}
],
"source": "CiscoAMP_Group_source"
}
}
}

Human Readable Output#

Group Information#

| Name | Description | Created At | Computers Count | Descendant Computers Count |
| --- | --- | --- | --- | --- |
| readme group | readme test group to be deleted | 2022-10-31 12:16:25 | 0 | 0 |

cisco-amp-group-delete#


Destroys a group with a given GUID.

Base Command#

cisco-amp-group-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| group_guid | Group's GUID. | Required |

Context Output#

There is no context output for this command.

Command example#

!cisco-amp-group-delete group_guid=d088adeb-7cb4-48e4-807b-edcb828f4d29

Human Readable Output#

Group GUID: "d088adeb-7cb4-48e4-807b-edcb828f4d29" Successfully deleted.

cisco-amp-indicator-list#


Show information about indicators.

Base Command#

cisco-amp-indicator-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_guid | Indicator GUID. | Optional |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.Indicator.name | String | Indicator name. |
| CiscoAMP.Indicator.description | String | Indicator description. |
| CiscoAMP.Indicator.guid | String | Indicator GUID. |
| CiscoAMP.Indicator.severity | String | Indicator severity. |
| CiscoAMP.Indicator.mitre.tactics.external_id | String | Mitre tactic ID. |
| CiscoAMP.Indicator.mitre.tactics.name | String | Mitre tactic name. |
| CiscoAMP.Indicator.mitre.tactics.mitre_url | String | Mitre tactic URL. |
| CiscoAMP.Indicator.mitre.techniques.external_id | String | Mitre technique ID. |
| CiscoAMP.Indicator.mitre.techniques.name | String | Mitre technique name. |
| CiscoAMP.Indicator.mitre.techniques.mitre_url | String | Mitre technique URL. |
| CiscoAMP.Indicator.observed_compromises | Number | Total number of observed compromises. |
| CiscoAMP.Indicator.observed_compromises.unresolved | Number | Number of unresolved compromises. |
| CiscoAMP.Indicator.observed_compromises.in_progress | Number | Number of compromises in progress. |
| CiscoAMP.Indicator.observed_compromises.resolved | Number | Number of resolved compromises. |

Command example#

!cisco-amp-indicator-list limit=5

Context Example#

{
"CiscoAMP": {
"Indicator": [
{
"description": "CiscoAMP_Indicator[0]_description",
"guid": "CiscoAMP_Indicator[0]_guid",
"name": "CiscoAMP_Indicator[0]_name",
"observed_compromises": "CiscoAMP_Indicator[0]_observed_compromises",
"severity": "CiscoAMP_Indicator[0]_severity"
},
{
"description": "CiscoAMP_Indicator[1]_description",
"guid": "CiscoAMP_Indicator[1]_guid",
"name": "CiscoAMP_Indicator[1]_name",
"observed_compromises": "CiscoAMP_Indicator[1]_observed_compromises",
"severity": "CiscoAMP_Indicator[1]_severity"
},
{
"description": "CiscoAMP_Indicator[2]_description",
"guid": "CiscoAMP_Indicator[2]_guid",
"name": "CiscoAMP_Indicator[2]_name",
"observed_compromises": "CiscoAMP_Indicator[2]_observed_compromises",
"severity": "CiscoAMP_Indicator[2]_severity"
},
{
"description": "CiscoAMP_Indicator[3]_description",
"guid": "CiscoAMP_Indicator[3]_guid",
"name": "CiscoAMP_Indicator[3]_name",
"observed_compromises": "CiscoAMP_Indicator[3]_observed_compromises",
"severity": "CiscoAMP_Indicator[3]_severity"
},
{
"description": "CiscoAMP_Indicator[4]_description",
"guid": "CiscoAMP_Indicator[4]_guid",
"name": "CiscoAMP_Indicator[4]_name",
"observed_compromises": "CiscoAMP_Indicator[4]_observed_compromises",
"severity": "CiscoAMP_Indicator[4]_severity"
}
]
}
}

Human Readable Output#

Results#

| Current Item Count | Index | Items Per Page | Total |
| --- | --- | --- | --- |
| 5 | 0 | 5 | 910 |

Indicator Information#

| GUID | Name | Description | Severity | Observed Compromises |
| --- | --- | --- | --- | --- |
| 5593ab7e-1db5-4759-9785-96c55824b675 | Crossrider.ioc | Crossrider is a an Adware variant that targets Mac with the intent of displaying ads. It also changes the default home page of Safari and Chrome browsers. | Medium | 0 |
| fef2d8b2-95f6-4392-abec-fc1f6a670251 | Dummy.ioc | OSX.Dummy is a poorly executed Trojan variant. It requires users to input their password in order to complete it's install. However, once this is done the malware will have complete access to the whole system, and it will persist itself via a LaunchDaemon. | Medium | 0 |
| dcc66a98-5658-41d4-a1ca-887933a8b24f | GateDotPhp.ioc | Accessed URL matches characteristics of several malware families. | High | 1 |
| 940bdaf4-4c89-4423-a55e-410ed56143a8 | JS.Trojan.Generic_48153.ioc | JS.Trojan.Generic_48153 is malware that contacts a remote server over HTTP. This IOC is based on Snort Intrusion Prevention System (IPS) rule id:48153 from the malware detection rulesets. This IOC fires when a URI pattern similar to this malware has been detected. The components of the URI this IOC inspects for are: "/01/Carontex". | Critical | 0 |
| 318d030d-7fdc-48f4-afcd-66c7c75cade7 | Linux.AutostartPersistence.ioc | Most Linux distributions support creation of auto-start files. This consists of placing a configuration file with a .desktop extension in the .config/autostart location. In this case, a suspicious auto-start entry was created. Linux malware such as x-agent also known as sofacy/sednit are known to do that. | High | 0 |

cisco-amp-policy-list#


Gets information about policies. The list can be filtered by product and name, or a specific policy can be retrieved with a policy_guid.

Base Command#

cisco-amp-policy-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policy_guid | Policy GUID. | Optional |
| product | Comma-separated list of products to filter by. | Optional |
| name | Comma-separated list of names to filter by (has auto complete capabilities). | Optional |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.Policy.name | String | Policy name. |
| CiscoAMP.Policy.description | String | Policy description. |
| CiscoAMP.Policy.guid | String | Policy GUID. |
| CiscoAMP.Policy.product | String | Product used. |
| CiscoAMP.Policy.default | Boolean | Whether the policy is the default policy. |
| CiscoAMP.Policy.serial_number | Number | Policy serial number. |
| CiscoAMP.Policy.file_lists.name | String | File list name. |
| CiscoAMP.Policy.file_lists.guid | String | File list GUID. |
| CiscoAMP.Policy.file_lists.type | String | File list type. |
| CiscoAMP.Policy.ip_lists.name | String | IP list name. |
| CiscoAMP.Policy.ip_lists.guid | String | IP list GUID. |
| CiscoAMP.Policy.ip_lists.type | String | IP list type. |
| CiscoAMP.Policy.exclusion_sets.name | String | Exclusion set name. |
| CiscoAMP.Policy.exclusion_sets.guid | String | Exclusion set GUID. |
| CiscoAMP.Policy.used_in_groups.name | String | Group name. |
| CiscoAMP.Policy.used_in_groups.description | String | Group description. |
| CiscoAMP.Policy.used_in_groups.guid | String | Group GUID. |

Command example#

!cisco-amp-policy-list

Context Example#

{
"CiscoAMP": {
"Policy": [
{
"default": "CiscoAMP_Policy[0]_default",
"description": "CiscoAMP_Policy[0]_description",
"guid": "CiscoAMP_Policy[0]_guid",
"name": "CiscoAMP_Policy[0]_name",
"product": "CiscoAMP_Policy[0]_product",
"serial_number": "CiscoAMP_Policy[0]_serial_number"
},
{
"default": "CiscoAMP_Policy[1]_default",
"description": "CiscoAMP_Policy[1]_description",
"guid": "CiscoAMP_Policy[1]_guid",
"name": "CiscoAMP_Policy[1]_name",
"product": "CiscoAMP_Policy[1]_product",
"serial_number": "CiscoAMP_Policy[1]_serial_number"
},
{
"default": "CiscoAMP_Policy[2]_default",
"description": "CiscoAMP_Policy[2]_description",
"guid": "CiscoAMP_Policy[2]_guid",
"name": "CiscoAMP_Policy[2]_name",
"product": "CiscoAMP_Policy[2]_product",
"serial_number": "CiscoAMP_Policy[2]_serial_number"
},
{
"default": "CiscoAMP_Policy[3]_default",
"description": "CiscoAMP_Policy[3]_description",
"guid": "CiscoAMP_Policy[3]_guid",
"name": "CiscoAMP_Policy[3]_name",
"product": "CiscoAMP_Policy[3]_product",
"serial_number": "CiscoAMP_Policy[3]_serial_number"
},
{
"default": "CiscoAMP_Policy[4]_default",
"description": "CiscoAMP_Policy[4]_description",
"guid": "CiscoAMP_Policy[4]_guid",
"name": "CiscoAMP_Policy[4]_name",
"product": "CiscoAMP_Policy[4]_product",
"serial_number": "CiscoAMP_Policy[4]_serial_number"
},
{
"default": "CiscoAMP_Policy[5]_default",
"description": "CiscoAMP_Policy[5]_description",
"guid": "CiscoAMP_Policy[5]_guid",
"name": "CiscoAMP_Policy[5]_name",
"product": "CiscoAMP_Policy[5]_product",
"serial_number": "CiscoAMP_Policy[5]_serial_number"
},
{
"default": "CiscoAMP_Policy[6]_default",
"description": "CiscoAMP_Policy[6]_description",
"guid": "CiscoAMP_Policy[6]_guid",
"name": "CiscoAMP_Policy[6]_name",
"product": "CiscoAMP_Policy[6]_product",
"serial_number": "CiscoAMP_Policy[6]_serial_number"
},
{
"default": "CiscoAMP_Policy[7]_default",
"description": "CiscoAMP_Policy[7]_description",
"guid": "CiscoAMP_Policy[7]_guid",
"name": "CiscoAMP_Policy[7]_name",
"product": "CiscoAMP_Policy[7]_product",
"serial_number": "CiscoAMP_Policy[7]_serial_number"
},
{
"default": "CiscoAMP_Policy[8]_default",
"description": "CiscoAMP_Policy[8]_description",
"guid": "CiscoAMP_Policy[8]_guid",
"name": "CiscoAMP_Policy[8]_name",
"product": "CiscoAMP_Policy[8]_product",
"serial_number": "CiscoAMP_Policy[8]_serial_number"
},
{
"default": "CiscoAMP_Policy[9]_default",
"description": "CiscoAMP_Policy[9]_description",
"guid": "CiscoAMP_Policy[9]_guid",
"name": "CiscoAMP_Policy[9]_name",
"product": "CiscoAMP_Policy[9]_product",
"serial_number": "CiscoAMP_Policy[9]_serial_number"
},
{
"default": "CiscoAMP_Policy[10]_default",
"description": "CiscoAMP_Policy[10]_description",
"guid": "CiscoAMP_Policy[10]_guid",
"name": "CiscoAMP_Policy[10]_name",
"product": "CiscoAMP_Policy[10]_product",
"serial_number": "CiscoAMP_Policy[10]_serial_number"
},
{
"default": "CiscoAMP_Policy[11]_default",
"description": "CiscoAMP_Policy[11]_description",
"guid": "CiscoAMP_Policy[11]_guid",
"name": "CiscoAMP_Policy[11]_name",
"product": "CiscoAMP_Policy[11]_product",
"serial_number": "CiscoAMP_Policy[11]_serial_number"
},
{
"default": "CiscoAMP_Policy[12]_default",
"description": "CiscoAMP_Policy[12]_description",
"guid": "CiscoAMP_Policy[12]_guid",
"name": "CiscoAMP_Policy[12]_name",
"product": "CiscoAMP_Policy[12]_product",
"serial_number": "CiscoAMP_Policy[12]_serial_number"
},
{
"default": "CiscoAMP_Policy[13]_default",
"description": "CiscoAMP_Policy[13]_description",
"guid": "CiscoAMP_Policy[13]_guid",
"name": "CiscoAMP_Policy[13]_name",
"product": "CiscoAMP_Policy[13]_product",
"serial_number": "CiscoAMP_Policy[13]_serial_number"
}
]
}
}

Human Readable Output#

Results#

| Current Item Count | Index | Items Per Page | Total |
| --- | --- | --- | --- |
| 14 | 0 | 100 | 14 |

Policy Information#

| GUID | Name | Description | Product | Serial Number |
| --- | --- | --- | --- | --- |
| 082bc9a3-b73a-4f42-8cc5-de1cd3748700 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | android | 11 |
| 5102948a-db78-4a94-849a-b9f12b04e526 | Audit | This policy puts Clarity in a mode that will log and alert on convictions but not block traffic. | ios | 23 |
| c90936b3-2ad7-458c-90a3-a806d50ed16e | Protect | This is the standard policy for Clarity that will log and alert on convictions and block any potentially malicious traffic. | ios | 25 |
| b4e266c8-ebd1-4e94-80b6-b04a966cb0d5 | Audit | This policy puts the Secure Endpoint Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked. | linux | 19 |
| 653508ed-28d4-465a-80c4-7ed9c0232b55 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | linux | 21 |
| 9f2fa537-df5d-4c6c-abf3-edc25a893a7a | Audit | This policy puts the Secure Endpoint Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked. | mac | 13 |
| 30fba653-eb4e-4c3d-b1bb-1cef9f0e31e4 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | mac | 15 |
| cfcf4841-bf00-4030-8ac3-4a607ecf245e | Triage | This is an aggressive policy that enables the offline engine to scan computers that are suspected or known to be infected with malware. | mac | 17 |
| be84e169-0830-4b95-915b-1e203a82ed58 | Audit | This policy puts the Secure Endpoint Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked. | windows | 29 |
| fa0c377e-8f0a-40ab-885a-afc8c08d3732 | Domain Controller | This is a lightweight policy for use on Active Directory Domain Controllers. | windows | 10 |
| 91c7894d-dd69-4a21-8cf6-5ebfc57ef4df | Lior-test | Test policy | windows | 27 |
| a599bf5b-2cb7-4a5b-90bd-d0199e2ccd67 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | windows | 28 |
| dd1da971-926c-42ab-9e5a-154f2695d995 | Server | This is a lightweight policy for high availability computers and servers that require maximum performance and uptime. | windows | 8 |
| 1a352c59-793b-44f3-b8f9-0ddd354057bc | Triage | This is an aggressive policy that enables the offline engine to scan computers that are suspected or known to be infected with malware. | windows | 6 |

cisco-amp-app-trajectory-query-list#


Retrieves app_trajectory queries for a given iOS bundle ID.

Base Command#

cisco-amp-app-trajectory-query-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ios_bid | iOS bundle ID for app trajectory. | Required |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.AppTrajectoryQuery.connector_guid | String | GUID of the connector. |
| CiscoAMP.AppTrajectoryQuery.bundle_id | String | Bundle ID. |
| CiscoAMP.AppTrajectoryQuery.group_guids | String | List of group's GUIDs. |
| CiscoAMP.AppTrajectoryQuery.cdhash | String | CD hash. |
| CiscoAMP.AppTrajectoryQuery.timestamp | Number | Observed timestamp. |
| CiscoAMP.AppTrajectoryQuery.timestamp_nanoseconds | Number | Observed timestamp in nanoseconds. |
| CiscoAMP.AppTrajectoryQuery.date | Date | Observed date. |
| CiscoAMP.AppTrajectoryQuery.query_type | String | The type of the query. |
| CiscoAMP.AppTrajectoryQuery.network_info.dirty_url | String | Link to the observed URL. |
| CiscoAMP.AppTrajectoryQuery.network_info.remote_ip | String | Remote IP. |
| CiscoAMP.AppTrajectoryQuery.network_info.remote_port | Number | Remote port. |
| CiscoAMP.AppTrajectoryQuery.network_info.local_ip | String | Local IP. |
| CiscoAMP.AppTrajectoryQuery.network_info.local_port | Number | Local port. |
| CiscoAMP.AppTrajectoryQuery.network_info.direction | String | Outgoing or incoming connection. |
| CiscoAMP.AppTrajectoryQuery.network_info.protocol | String | Communication protocol used. |
| CiscoAMP.AppTrajectoryQuery.ver | String | Version. |

Command example#

!cisco-amp-app-trajectory-query-list ios_bid=com.apple.Safari.SafeBrowsing limit=5

Context Example#

{
"CiscoAMP": {
"AppTrajectoryQuery": [
{
"bundle_id": "CiscoAMP_AppTrajectoryQuery[0]_bundle_id",
"cdhash": "CiscoAMP_AppTrajectoryQuery[0]_cdhash",
"connector_guid": "CiscoAMP_AppTrajectoryQuery[0]_connector_guid",
"date": "CiscoAMP_AppTrajectoryQuery[0]_date",
"group_guids": [
"CiscoAMP_AppTrajectoryQuery[0]_group_guids_0"
],
"network_info": {
"direction": "CiscoAMP_AppTrajectoryQuery[0]_network_info_direction",
"dirty_url": "CiscoAMP_AppTrajectoryQuery[0]_network_info_dirty_url",
"local_ip": "CiscoAMP_AppTrajectoryQuery[0]_network_info_local_ip",
"local_port": "CiscoAMP_AppTrajectoryQuery[0]_network_info_local_port",
"protocol": "CiscoAMP_AppTrajectoryQuery[0]_network_info_protocol",
"remote_ip": "CiscoAMP_AppTrajectoryQuery[0]_network_info_remote_ip",
"remote_port": "CiscoAMP_AppTrajectoryQuery[0]_network_info_remote_port"
},
"query_type": "CiscoAMP_AppTrajectoryQuery[0]_query_type",
"timestamp": "CiscoAMP_AppTrajectoryQuery[0]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_AppTrajectoryQuery[0]_timestamp_nanoseconds",
"ver": "CiscoAMP_AppTrajectoryQuery[0]_ver"
},
{
"bundle_id": "CiscoAMP_AppTrajectoryQuery[1]_bundle_id",
"cdhash": "CiscoAMP_AppTrajectoryQuery[1]_cdhash",
"connector_guid": "CiscoAMP_AppTrajectoryQuery[1]_connector_guid",
"date": "CiscoAMP_AppTrajectoryQuery[1]_date",
"group_guids": [
"CiscoAMP_AppTrajectoryQuery[1]_group_guids_0"
],
"network_info": {
"direction": "CiscoAMP_AppTrajectoryQuery[1]_network_info_direction",
"dirty_url": "CiscoAMP_AppTrajectoryQuery[1]_network_info_dirty_url",
"local_ip": "CiscoAMP_AppTrajectoryQuery[1]_network_info_local_ip",
"local_port": "CiscoAMP_AppTrajectoryQuery[1]_network_info_local_port",
"protocol": "CiscoAMP_AppTrajectoryQuery[1]_network_info_protocol",
"remote_ip": "CiscoAMP_AppTrajectoryQuery[1]_network_info_remote_ip",
"remote_port": "CiscoAMP_AppTrajectoryQuery[1]_network_info_remote_port"
},
"query_type": "CiscoAMP_AppTrajectoryQuery[1]_query_type",
"timestamp": "CiscoAMP_AppTrajectoryQuery[1]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_AppTrajectoryQuery[1]_timestamp_nanoseconds",
"ver": "CiscoAMP_AppTrajectoryQuery[1]_ver"
},
{
"bundle_id": "CiscoAMP_AppTrajectoryQuery[2]_bundle_id",
"cdhash": "CiscoAMP_AppTrajectoryQuery[2]_cdhash",
"connector_guid": "CiscoAMP_AppTrajectoryQuery[2]_connector_guid",
"date": "CiscoAMP_AppTrajectoryQuery[2]_date",
"group_guids": [
"CiscoAMP_AppTrajectoryQuery[2]_group_guids_0"
],
"network_info": {
"direction": "CiscoAMP_AppTrajectoryQuery[2]_network_info_direction",
"dirty_url": "CiscoAMP_AppTrajectoryQuery[2]_network_info_dirty_url",
"local_ip": "CiscoAMP_AppTrajectoryQuery[2]_network_info_local_ip",
"local_port": "CiscoAMP_AppTrajectoryQuery[2]_network_info_local_port",
"protocol": "CiscoAMP_AppTrajectoryQuery[2]_network_info_protocol",
"remote_ip": "CiscoAMP_AppTrajectoryQuery[2]_network_info_remote_ip",
"remote_port": "CiscoAMP_AppTrajectoryQuery[2]_network_info_remote_port"
},
"query_type": "CiscoAMP_AppTrajectoryQuery[2]_query_type",
"timestamp": "CiscoAMP_AppTrajectoryQuery[2]_timestamp",
"timestamp_nanoseconds": "CiscoAMP_AppTrajectoryQuery[2]_timestamp_nanoseconds",
"ver": "CiscoAMP_AppTrajectoryQuery[2]_ver"
}
]
}
}

Human Readable Output#

App Trajectory Information#

| Connector GUID | Date | Query Type | Dirty URL |
| --- | --- | --- | --- |
| dddd4ceb-4ce1-4f81-a7a7-04d13cc1df43 | 2022-10-24T12:01:59+00:00 | Network Query | https://configuration.apple.com/configurations/internetservices/safari/SafeBrowsingRemoteConfiguration-0.plist |
| 0f6ee17f-a31b-4b76-902f-7cf68a79089d | 2022-10-23T13:48:38+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch |
| 0f6ee17f-a31b-4b76-902f-7cf68a79089d | 2022-10-23T13:18:16+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch |
| 8aa97bc7-3cc1-47aa-ad0a-0e23d5493aff | 2022-10-23T12:30:46+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch |
| 8aa97bc7-3cc1-47aa-ad0a-0e23d5493aff | 2022-10-23T12:00:54+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch |

cisco-amp-version-get#


Get API version.

Base Command#

cisco-amp-version-get

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.Version.version | String | API version. |

Command example#

!cisco-amp-version-get

Context Example#

{
"CiscoAMP": {
"Version": {
"version": "CiscoAMP_Version_version"
}
}
}

Human Readable Output#

Version: v1.2.0

cisco-amp-vulnerability-list#


Fetches a list of vulnerabilities. This is analogous to the Vulnerable Software view on the AMP for Endpoints Console. The list can be filtered to show only the vulnerable programs detected for a specific time range. The command can also provide a list of computers on which the vulnerability with a given SHA-256 has been observed. Each list item contains a summary of information on the vulnerability, including: application name and version, SHA-256 value for the executable file, connectors on which the vulnerable application was observed, and the most recent CVSS score. IMPORTANT: The computers key returns information about the last 1000 connectors on which the vulnerable application was observed.

Base Command#

cisco-amp-vulnerability-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sha256 | SHA-256 that has been observed as a vulnerability. | Optional |
| group_guid | Comma-separated list of group GUIDs to filter by. | Optional |
| start_time | The start date and time expressed according to ISO 8601. The retrieved list will include vulnerable programs detected at start_time. | Optional |
| end_time | The end date and/or time expressed according to ISO 8601. Exclusive: if end_time is a time, the list will only include vulnerable programs detected before end_time. Inclusive: if end_time is a date, the list will include vulnerable programs detected on the date. | Optional |
| page | Page number to return. | Optional |
| page_size | Number of results in a page. Maximum is 500. | Optional |
| limit | Number of total results to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CiscoAMP.Vulnerability.application | String | Name of the application. |
| CiscoAMP.Vulnerability.version | String | Version of the application. |
| CiscoAMP.Vulnerability.file.filename | String | Name of the file. |
| CiscoAMP.Vulnerability.file.identity.sha256 | String | File's SHA-256. |
| CiscoAMP.Vulnerability.latest_timestamp | Number | Vulnerability latest timestamp. |
| CiscoAMP.Vulnerability.latest_date | Date | Vulnerability latest date. |
| CiscoAMP.Vulnerability.computers_total_count | Number | Number of computers. |
| CiscoAMP.Vulnerability.connector_guid | String | GUID of the connector. |
| CiscoAMP.Vulnerability.hostname | String | Host's name. |
| CiscoAMP.Vulnerability.windows_processor_id | String | Windows processor ID. |
| CiscoAMP.Vulnerability.active | Boolean | Whether the computer is active. |
| CiscoAMP.Vulnerability.group_guid | String | Group's GUID. |
| CiscoAMP.Vulnerability.cves.id | String | Common vulnerability exposure ID. |
| CiscoAMP.Vulnerability.cves.link | String | Common vulnerability exposure link. |
| CiscoAMP.Vulnerability.cves.cvss | Number | Common vulnerability scoring system. |
| CiscoAMP.Vulnerability.groups.name | String | Group's name. |
| CiscoAMP.Vulnerability.groups.description | String | Group's description. |
| CiscoAMP.Vulnerability.groups.guid | String | Group's GUID. |
| CiscoAMP.Vulnerability.groups.source | String | Group's source of creation. |
| CiscoAMP.Vulnerability.computers.connector_guid | String | GUID of the connector. |
| CiscoAMP.Vulnerability.computers.hostname | String | Host's name. |
| CiscoAMP.Vulnerability.computers.windows_processor_id | String | Windows processor ID. |
| CiscoAMP.Vulnerability.computers.active | Boolean | Whether the computer is active. |
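
The following is an added example, not code from the integration: it ranks entries shaped like the CiscoAMP.Vulnerability context output by their highest CVSS score and flags entries whose computers list is shorter than computers_total_count, which happens because the computers key only holds the last 1000 connectors. The sample data, the function names and the 7.0 threshold are assumptions made for the illustration.

```python
from typing import Any, Optional

# Constructed sample shaped like the CiscoAMP.Vulnerability context output.
# Application names, hostnames, GUIDs, hashes and CVE IDs are placeholders.
SAMPLE_CONTEXT: list[dict[str, Any]] = [
    {
        "application": "ExampleViewer",
        "version": "3.1",
        "file": {"filename": "viewer.exe", "identity": {"sha256": "sha256-placeholder-c"}},
        "computers_total_count": 1,
        "computers": [
            {"connector_guid": "guid-placeholder-c1", "hostname": "ws-09.example", "active": True},
        ],
        "cves": [{"id": "CVE-PLACEHOLDER-4", "link": "https://cve.example/4", "cvss": 4.3}],
    },
    {
        "application": "ExampleRuntime",
        "version": "8.0",
        "file": {"filename": "runtime.exe", "identity": {"sha256": "sha256-placeholder-b"}},
        # More hosts were observed than the computers key can return.
        "computers_total_count": 1432,
        "computers": [
            {
                "connector_guid": f"guid-placeholder-b{i}",
                "hostname": f"host-{i:04d}.example",
                "active": i % 2 == 0,
            }
            for i in range(1000)
        ],
        "cves": [{"id": "CVE-PLACEHOLDER-3", "link": "https://cve.example/3", "cvss": 7.5}],
    },
    {
        "application": "ExampleReader",
        "version": "1.0",
        "file": {"filename": "reader.exe", "identity": {"sha256": "sha256-placeholder-a"}},
        "computers_total_count": 2,
        "computers": [
            {"connector_guid": "guid-placeholder-a1", "hostname": "ws-01.example", "active": True},
            {"connector_guid": "guid-placeholder-a2", "hostname": "ws-02.example", "active": False},
        ],
        "cves": [
            {"id": "CVE-PLACEHOLDER-2", "link": "https://cve.example/2", "cvss": 6.8},
            {"id": "CVE-PLACEHOLDER-1", "link": "https://cve.example/1", "cvss": 9.3},
        ],
    },
]


def _worst_cve(cves: list[dict[str, Any]]) -> Optional[dict[str, Any]]:
    """Return the CVE with the highest numeric CVSS score, or None."""
    scored = [
        c for c in cves
        if isinstance(c.get("cvss"), (int, float)) and not isinstance(c.get("cvss"), bool)
    ]
    return max(scored, key=lambda c: c["cvss"], default=None)


def summarize(entry: dict[str, Any]) -> dict[str, Any]:
    """Reduce one vulnerability entry to the fields needed for triage."""
    worst = _worst_cve(entry.get("cves") or [])
    computers = entry.get("computers") or []
    total = entry.get("computers_total_count") or 0
    return {
        "application": entry.get("application"),
        "version": entry.get("version"),
        "sha256": ((entry.get("file") or {}).get("identity") or {}).get("sha256"),
        "max_cvss": worst["cvss"] if worst else None,
        "max_cvss_cve": worst["id"] if worst else None,
        "active_hosts": sorted(
            c.get("hostname") or c.get("connector_guid") or ""
            for c in computers
            if c.get("active") is True
        ),
        "listed_computers": len(computers),
        "total_computers": total,
        # True when the host list is incomplete and the per-SHA-256
        # computer list has to be paged through to see every host.
        "host_list_truncated": total > len(computers),
    }


def triage(entries: list[dict[str, Any]], min_cvss: float = 7.0) -> list[dict[str, Any]]:
    """Keep entries at or above min_cvss, worst score and widest spread first."""
    rows = [summarize(e) for e in entries]
    rows = [r for r in rows if r["max_cvss"] is not None and r["max_cvss"] >= min_cvss]
    rows.sort(key=lambda r: (-r["max_cvss"], -r["total_computers"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_CONTEXT):
        note = " (host list truncated)" if row["host_list_truncated"] else ""
        print(
            f'{row["application"]} {row["version"]}: CVSS {row["max_cvss"]} '
            f'({row["max_cvss_cve"]}), {row["listed_computers"]}/{row["total_computers"]} '
            f'computers listed, {len(row["active_hosts"])} active{note}'
        )
```
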

Command example#

!cisco-amp-vulnerability-list

Context Example#

{
"CiscoAMP": {
"Vulnerability": [
{
"application": "CiscoAMP_Vulnerability[0]_application",
"computers": [
{
"active": "CiscoAMP_Vulnerability[0]_computers[0]_active",
"connector_guid": "CiscoAMP_Vulnerability[0]_computers[0]_connector_guid",
"hostname": "CiscoAMP_Vulnerability[0]_computers[0]_hostname",
"windows_processor_id": "CiscoAMP_Vulnerability[0]_computers[0]_windows_processor_id"
}
],
"computers_total_count": "CiscoAMP_Vulnerability[0]_computers_total_count",
"cves": [
{
"cvss": "CiscoAMP_Vulnerability[0]_cves[0]_cvss",
"id": "CiscoAMP_Vulnerability[0]_cves[0]_id",
"link": "CiscoAMP_Vulnerability[0]_cves[0]_link"
}
],
"file": {
"filename": "CiscoAMP_Vulnerability[0]_file_filename",
"identity": {
"sha256": "CiscoAMP_Vulnerability[0]_file_identity_sha256"
}
},
"groups": [
{
"description": "CiscoAMP_Vulnerability[0]_groups[0]_description",
"guid": "CiscoAMP_Vulnerability[0]_groups[0]_guid",
"name": "CiscoAMP_Vulnerability[0]_groups[0]_name"
}
],
"latest_date": "CiscoAMP_Vulnerability[0]_latest_date",
"latest_timestamp": "CiscoAMP_Vulnerability[0]_latest_timestamp",
"version": "CiscoAMP_Vulnerability[0]_version"
},
{
"application": "CiscoAMP_Vulnerability[1]_application",
"computers": [
{
"active": "CiscoAMP_Vulnerability[1]_computers[0]_active",
"connector_guid": "CiscoAMP_Vulnerability[1]_computers[0]_connector_guid",
"hostname": "CiscoAMP_Vulnerability[1]_computers[0]_hostname",
"windows_processor_id": "CiscoAMP_Vulnerability[1]_computers[0]_windows_processor_id"
}
],
"computers_total_count": "CiscoAMP_Vulnerability[1]_computers_total_count",
"cves": [
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[0]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[0]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[0]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[1]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[1]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[1]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[2]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[2]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[2]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[3]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[3]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[3]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[4]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[4]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[4]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[5]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[5]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[5]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[6]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[6]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[6]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[7]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[7]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[7]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[8]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[8]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[8]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[9]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[9]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[9]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[10]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[10]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[10]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[11]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[11]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[11]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[12]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[12]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[12]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[13]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[13]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[13]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[14]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[14]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[14]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[15]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[15]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[15]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[16]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[16]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[16]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[17]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[17]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[17]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[18]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[18]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[18]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[19]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[19]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[19]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[20]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[20]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[20]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[21]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[21]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[21]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[22]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[22]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[22]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[23]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[23]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[23]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[24]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[24]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[24]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[25]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[25]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[25]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[26]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[26]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[26]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[27]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[27]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[27]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[28]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[28]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[28]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[29]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[29]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[29]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[30]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[30]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[30]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[31]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[31]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[31]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[32]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[32]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[32]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[33]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[33]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[33]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[34]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[34]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[34]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[35]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[35]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[35]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[36]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[36]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[36]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[37]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[37]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[37]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[38]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[38]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[38]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[39]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[39]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[39]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[40]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[40]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[40]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[41]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[41]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[41]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[42]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[42]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[42]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[43]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[43]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[43]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[44]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[44]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[44]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[45]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[45]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[45]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[46]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[46]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[46]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[47]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[47]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[47]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[48]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[48]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[48]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[49]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[49]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[49]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[50]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[50]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[50]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[51]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[51]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[51]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[52]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[52]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[52]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[53]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[53]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[53]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[54]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[54]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[54]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[55]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[55]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[55]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[56]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[56]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[56]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[57]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[57]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[57]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[58]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[58]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[58]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[59]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[59]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[59]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[60]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[60]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[60]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[1]_cves[61]_cvss",
"id": "CiscoAMP_Vulnerability[1]_cves[61]_id",
"link": "CiscoAMP_Vulnerability[1]_cves[61]_link"
}
],
"file": {
"filename": "CiscoAMP_Vulnerability[1]_file_filename",
"identity": {
"sha256": "CiscoAMP_Vulnerability[1]_file_identity_sha256"
}
},
"groups": [
{
"description": "CiscoAMP_Vulnerability[1]_groups[0]_description",
"guid": "CiscoAMP_Vulnerability[1]_groups[0]_guid",
"name": "CiscoAMP_Vulnerability[1]_groups[0]_name"
}
],
"latest_date": "CiscoAMP_Vulnerability[1]_latest_date",
"latest_timestamp": "CiscoAMP_Vulnerability[1]_latest_timestamp",
"version": "CiscoAMP_Vulnerability[1]_version"
},
{
"application": "CiscoAMP_Vulnerability[2]_application",
"computers": [
{
"active": "CiscoAMP_Vulnerability[2]_computers[0]_active",
"connector_guid": "CiscoAMP_Vulnerability[2]_computers[0]_connector_guid",
"hostname": "CiscoAMP_Vulnerability[2]_computers[0]_hostname",
"windows_processor_id": "CiscoAMP_Vulnerability[2]_computers[0]_windows_processor_id"
}
],
"computers_total_count": "CiscoAMP_Vulnerability[2]_computers_total_count",
"cves": [
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[0]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[0]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[0]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[1]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[1]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[1]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[2]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[2]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[2]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[3]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[3]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[3]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[4]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[4]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[4]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[5]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[5]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[5]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[6]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[6]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[6]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[7]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[7]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[7]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[8]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[8]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[8]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[9]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[9]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[9]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[10]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[10]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[10]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[11]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[11]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[11]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[12]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[12]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[12]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[13]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[13]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[13]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[14]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[14]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[14]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[15]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[15]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[15]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[16]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[16]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[16]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[17]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[17]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[17]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[18]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[18]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[18]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[19]_cvss",
"id": "CiscoAMP_Vulnerability[2]_cves[19]_id",
"link": "CiscoAMP_Vulnerability[2]_cves[19]_link"
},
{
"cvss": "CiscoAMP_Vulnerability[2]_cves[20]_cvss",