
AMP

This Integration is part of the Cisco AMP Pack.

Uses the Cisco AMP for Endpoints API. This integration was integrated and tested with API version v1 of AMP.

Configure AMP on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for AMP.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g. https://api.amp.cisco.com)
    • Client ID
    • Trust any certificate (not secure)
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. amp_get_computers
  2. amp_get_computer_by_connector
  3. amp_get_computer_trajctory
  4. amp_move_computer
  5. amp_get_computer_activity
  6. amp_get_events
  7. amp_get_event_types
  8. amp_get_application_blocking
  9. amp_get_file_list_by_guid
  10. amp_get_simple_custom_detections
  11. amp_get_file_list_files
  12. amp_get_file_list_files_by_sha
  13. amp_set_file_list_files_by_sha
  14. amp_delete_file_list_files_by_sha
  15. amp_get_groups
  16. amp_get_group
  17. amp_set_group_policy
  18. amp_get_policies
  19. amp_get_policy
  20. amp_get_version
  21. amp_delete_computers_isolation
  22. amp_put_computers_isolation
  23. amp_get_computers_isolation

1. amp_get_computers

Returns a list of computers on which agents are deployed. You can use filters (arguments) to narrow the search.

Base Command

amp_get_computers

Input

Argument Name | Description | Required
limit | Maximum number of results to return. | Optional
hostname | Filter results by hostname. | Optional
internal_ip | Filter results by internal IP address. | Optional
external_ip | Filter results by external IP address. | Optional
group_guid | Filter results by group GUID. | Optional

Context Output

There is no context output for this command.

Command Example

!amp_get_computers limit=10 hostname='demisto.com'

2. amp_get_computer_by_connector

Returns information for the specified computer.

Base Command

amp_get_computer_by_connector

Input

Argument Name | Description | Required
connector_guid | The connector GUID for which to return information. | Required

Command Example

!amp_get_computer_by_connector connector_guid=12345abcde

3. amp_get_computer_trajctory

Returns a list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP Console. Use the q argument to search for an IP address, SHA256 hash, or URL.

Base Command

amp_get_computer_trajctory

Input

Argument Name | Description | Required
q | The IP address, SHA256 hash, or URL to search for. | Optional
limit | Maximum number of results to return. | Optional
connector_guid | The connector GUID. | Required

Command Example

!amp_get_computer_trajctory q='8.8.8.8' limit=10 connector_guid=12345abdce

4. amp_move_computer

Moves the computer identified by connector_guid to the group identified by group_guid.

Base Command

amp_move_computer

Input

Argument Name | Description | Required
connector_guid | The connector GUID. | Required
group_guid | The group GUID. | Required

Command Example

!amp_move_computer connector_guid='abcde12345' group_guid='demisto123'

5. amp_get_computer_activity

This endpoint enables you to search all computers across your organization for any events or activities associated with a file or network operation, and returns the computers that match the specified criteria. You can then query the /computers/{connector-guid}/trajectory endpoint for specific details.

Base Command

amp_get_computer_activity

Input

Argument Name | Description | Required
q | An IPv4 address, SHA256 hash, filename, or URL fragment. | Required
limit | Maximum number of results to return. | Optional
offset | The offset. | Optional

Context Output

There is no context output for this command.

Command Example

!amp_get_computer_activity q='8.8.8.8'

6. amp_get_events

A general query interface for events. This is analogous to the Events view on the FireAMP Console.

Base Command

amp_get_events

Input

Argument Name | Description | Required
limit | Maximum number of results to return. | Optional
connector_guid | The connector GUID. | Optional
group_guid | The group GUID. | Optional
detection_sha256 | The detected SHA256 hash. | Optional
application_sha256 | The application SHA256 hash. | Optional
event_type | The event type. | Optional
offset | The offset. | Optional
start_date | The start date for the query, in ISO8601 format. | Optional

Context Output

There is no context output for this command.

Command Example

!amp_get_events connector_guid='abcde12345'

7. amp_get_event_types

Events are identified and filtered by a unique ID. This endpoint provides a human-readable name and a short description of each event type (by ID).

Base Command

amp_get_event_types

Input

There is no input for this command.

Context Output

There is no context output for this command.

Command Example

!amp_get_event_types

8. amp_get_application_blocking

Returns a list of application blocking file lists. You can filter this list by name.

Base Command

amp_get_application_blocking

Input

Argument Name | Description | Required
limit | Maximum number of results to return. | Optional
offset | The offset. | Optional
name | Name of the file list. | Optional

Context Output

There is no context output for this command.

Command Example

!amp_get_application_blocking name='abcde12345'

9. amp_get_file_list_by_guid

Returns a particular file list for application blocking or simple custom detection. You need to specify the file_list_guid argument to retrieve information about a particular file_list.

Base Command

amp_get_file_list_by_guid

Input

Argument Name | Description | Required
file_list_guid | The GUID of the file list to retrieve. | Required

Context Output

There is no context output for this command.

Command Example

!amp_get_file_list_by_guid file_list_guid='abcde12345'

10. amp_get_simple_custom_detections

Returns a list of simple custom detection file lists. You can filter this list by detection name.

Base Command

amp_get_simple_custom_detections

Input

Argument Name | Description | Required
limit | Maximum number of results to return. | Optional
offset | The offset. | Optional
name | Name of the detection. | Optional

Context Output

There is no context output for this command.

Command Example

!amp_get_simple_custom_detections name='sample detections'

11. amp_get_file_list_files

Returns a list of items for a particular file_list. You need to specify the file_list_guid argument to retrieve these items.

Base Command

amp_get_file_list_files

Input

Argument Name | Description | Required
limit | Maximum number of results to return. | Optional
offset | The offset. | Optional
file_list_guid | The GUID of the file list whose items are returned. | Required

Context Output

There is no context output for this command.

Command Example

!amp_get_file_list_files file_list_guid='abcde12345'

12. amp_get_file_list_files_by_sha

Returns a particular item from a given file_list. You need to specify both the sha256 argument and the file_list_guid argument to retrieve an item.

Base Command

amp_get_file_list_files_by_sha

Input

Argument Name | Description | Required
file_list_guid | The GUID of the file list. | Required
sha256 | The SHA256 hash of the item. | Required

Context Output

There is no context output for this command.

Command Example

!amp_get_file_list_files_by_sha file_list_guid='abcde12345' sha256='samplesha256'

13. amp_set_file_list_files_by_sha

Adds a SHA256 hash to the file list identified by file_list_guid.

Base Command

amp_set_file_list_files_by_sha

Input

Argument Name | Description | Required
file_list_guid | The GUID of the file list. | Required
sha256 | The SHA256 hash to add. | Required
description | Description of the SHA256 hash. | Optional

Context Output

There is no context output for this command.

Command Example

!amp_set_file_list_files_by_sha file_list_guid='abcde12345' sha256='samplesha256' description='This is a sample SHA'

14. amp_delete_file_list_files_by_sha

Deletes an item from a file_list, using the SHA256 hash and file_list_guid.

Base Command

amp_delete_file_list_files_by_sha

Input

Argument Name | Description | Required
file_list_guid | The GUID of the file list. | Required
sha256 | The SHA256 hash of the item to delete. | Required

Context Output

There is no context output for this command.

Command Example

!amp_delete_file_list_files_by_sha file_list_guid='abcde12345' sha256='samplesha256'

15. amp_get_groups

Returns basic information about the groups in your organization. You can use it to map group names to GUIDs for filtering on the events endpoint.

Base Command

amp_get_groups

Input

Argument Name | Description | Required
limit | Maximum number of results to return. | Optional
name | Name of the group. | Optional

Context Output

There is no context output for this command.

Command Example

!amp_get_groups limit=25

16. amp_get_group

Returns a particular group.

Base Command

amp_get_group

Input

Argument Name | Description | Required
group_guid | The GUID of the group. | Required

Context Output

There is no context output for this command.

Command Example

!amp_get_group group_guid='abcde12345'

17. amp_set_group_policy

Assigns a security policy to a group of endpoints. Each optional argument sets the policy used by that platform within the group.

Base Command

amp_set_group_policy

Input

Argument Name | Description | Required
group_guid | The group GUID. | Required
linux_policy_guid | The Linux policy GUID. | Optional
android_policy_guid | The Android policy GUID. | Optional
mac_policy_guid | The Mac policy GUID. | Optional
windows_policy_guid | The Windows policy GUID. | Optional

Context Output

There is no context output for this command.

Command Example

!amp_set_group_policy group_guid='abcde12345'

18. amp_get_policies

Returns a list of policies. You can filter this list by name and product.

Base Command

amp_get_policies

Input

Argument Name | Description | Required
limit | Maximum number of results to return. | Optional
offset | The offset. | Optional
name | The policy name. | Optional
product | The policy product. | Optional

Context Output

There is no context output for this command.

Command Example

!amp_get_policies name='TestPolicy'

19. amp_get_policy

Retrieves information about a particular policy, based on policy_guid.

Base Command

amp_get_policy

Input

Argument Name | Description | Required
policy_guid | The policy GUID. | Required

Context Output

There is no context output for this command.

Command Example

!amp_get_policy policy_guid='abcde12345'

20. amp_get_version

Fetches a list of versions.

Base Command

amp_get_version

Input

There is no input for this command.

Context Output

There is no context output for this command.

Command Example

!amp_get_version

21. amp_delete_computers_isolation

Requests that an isolated computer be unlocked. It can also be used as a coarse-grained isolation status request.

Base Command

amp_delete_computers_isolation

Input

Argument Name | Description | Required
connector_guid | The connector GUID. | Required
unlock_code | Comment about unlocking the computer. Use the amp_get_computers_isolation command to retrieve the unlock_code. | Optional

Context Output

There is no context output for this command.

Command Example

!amp_delete_computers_isolation connector_guid=12345abcde

22. amp_put_computers_isolation

Requests isolation for a computer. If the computer is already isolated, a 409 conflict error status is returned.

Base Command

amp_put_computers_isolation

Input

Argument Name | Description | Required
connector_guid | The connector GUID. | Required
unlock_code | Comment used when locking the computer. Use the amp_get_computers_isolation command to retrieve the unlock_code. | Optional

Context Output

There is no context output for this command.

Command Example

!amp_put_computers_isolation connector_guid=12345abcde

23. amp_get_computers_isolation

Returns a fine-grained isolation status for a computer.

Base Command

amp_get_computers_isolation

Input

Argument Name | Description | Required
connector_guid | The connector GUID. | Required
status | The isolation status of the computer. Can be: "not_isolated", "pending_start", "isolated", or "pending_stop". | Optional

Context Output

There is no context output for this command.

Command Example

!amp_get_computers_isolation connector_guid=12345abcde
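The isolate / check status / unlock sequence behind commands 21 to 23, written as an added example against the AMP v1 REST API rather than taken from this pack's code. It assumes the endpoint path /v1/computers/{connector_guid}/isolation, Basic authentication with client_id:api_key, and that the response carries data.status and data.unlock_code; the transport is injectable so the flow runs offline. It treats the 409 conflict documented for command 22 as "already isolated" instead of as a failure.

```python
import base64
import json
from urllib import request, error

# Assumed, not from the page: v1 endpoint path, Basic auth (client_id:api_key), data.status/data.unlock_code fields.
ISOLATION_STATES = ("not_isolated", "pending_start", "isolated", "pending_stop")


def http_transport(method, url, headers, body=None):
    """Real transport: returns (status_code, parsed_json); 4xx responses arrive via HTTPError."""
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(url, method=method, headers=headers, data=data)
    try:
        with request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class AmpIsolation:
    def __init__(self, base_url, client_id, api_key, transport=http_transport):
        self.base = base_url.rstrip("/")
        token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        self.transport = transport  # injectable so the flow can be exercised offline

    def _call(self, method, connector_guid, body=None):
        url = f"{self.base}/v1/computers/{connector_guid}/isolation"
        code, resp = self.transport(method, url, self.headers, body)
        if code >= 400 and not (method == "PUT" and code == 409):
            raise RuntimeError(f"{method} isolation request failed with HTTP {code}")
        return code, resp

    def status(self, connector_guid):
        """amp_get_computers_isolation: fine-grained status plus the unlock_code."""
        data = self._call("GET", connector_guid)[1].get("data", {})
        if data.get("status") not in ISOLATION_STATES:
            raise ValueError(f"unexpected isolation status: {data.get('status')!r}")
        return data["status"], data.get("unlock_code")

    def isolate(self, connector_guid):
        """amp_put_computers_isolation: True if newly isolated, False on 409 (already isolated)."""
        return self._call("PUT", connector_guid)[0] != 409

    def unlock(self, connector_guid):
        """amp_delete_computers_isolation, sending the unlock_code obtained from status()."""
        state, unlock_code = self.status(connector_guid)
        if state == "not_isolated":
            return False  # nothing to unlock; avoids a spurious DELETE
        self._call("DELETE", connector_guid, {"unlock_code": unlock_code})
        return True
```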