Cisco AMP for Endpoints v1.0.1

About the connector

Cisco Advanced Malware Protection (AMP) for Endpoints is a cloud-managed endpoint security solution that not only provides the visibility, context, and control to prevent breaches, but also the ability to rapidly detect, contain, and remediate threats if they evade front-line defenses and get inside, all cost-effectively and without affecting operational efficiency.

This document provides information about the Cisco AMP For Endpoints connector, which facilitates automated interactions with the Cisco AMP cloud using FortiSOAR™ playbooks. Add the Cisco AMP For Endpoints connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about computers, moving computers to a group, and hunting indicators on the Cisco AMP cloud.

Version information

Connector Version: 1.0.1

Authored By: Community

Certified: No

Release Notes for version 1.0.1

The following enhancements have been made to the Cisco AMP For Endpoints connector in version 1.0.1:

  • Added support for pagination offset.

Installing the connector

Use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-cisco-amp-endpoints

Prerequisites to configuring the connector

  • You must have the URL of the Cisco AMP cloud to which you will connect and perform the automated operations.
  • You must have the API key used to access the Cisco AMP REST API.
  • The FortiSOAR™ UI server should have outbound connectivity to port 443 on the Cisco AMP cloud.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Cisco AMP For Endpoints connector and click Configure to configure the following parameters:

Parameter Description
Server URL IP address or hostname (URL) of the Cisco AMP cloud to which you will connect and perform the automated operations.
If you do not specify either the http or https protocol in this field, the https protocol is used by default.
Client ID Client ID that is provided for your account by the Cisco AMP administrator.
API Key API key that is configured for your account to access the Cisco AMP REST API.
Verify SSL Specifies whether the SSL certificate presented by the Cisco AMP cloud is to be verified.
By default, this option is set to True. Disable verification only for troubleshooting: with verification off, the Client ID and API key are sent to whatever endpoint answers for the Server URL, so an impostor of the Cisco AMP cloud can capture them.

Minimum Permissions Required

  • Not applicable
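The following Python example, added here and not part of the connector's own code, shows how the four configuration parameters above map onto a request to the Cisco AMP REST API: the Server URL defaults to https when no scheme is given, Verify SSL becomes the TLS verification mode, and the Client ID and API key travel as an HTTP Basic credential (an assumption about the AMP v1 API; the `/v1/computers` path and the `api.amp.cisco.com` host are likewise used only as illustration, and the credentials are placeholders).

```python
import base64
import json
import ssl
import urllib.request
from typing import Optional
from urllib.parse import urlencode, urlsplit


def normalize_server_url(server_url: str) -> str:
    """Apply the Server URL rule from the table: no scheme given means https."""
    value = server_url.strip().rstrip("/")
    if "://" not in value:
        value = "https://" + value
    scheme = urlsplit(value).scheme
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in Server URL: {scheme}")
    return value


def basic_auth_header(client_id: str, api_key: str) -> str:
    """HTTP Basic credential built from the Client ID and API Key parameters
    (assumption: the AMP v1 API takes them as Basic user name and password)."""
    raw = f"{client_id}:{api_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def tls_context(verify_ssl: bool) -> ssl.SSLContext:
    """Map the Verify SSL parameter onto an SSL context."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        # With verification off, the Basic credential above is handed to
        # whatever endpoint answers for the Server URL: keep True in production.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(server_url: str, client_id: str, api_key: str,
                  path: str, params: Optional[dict] = None) -> urllib.request.Request:
    """Assemble a GET against the Cisco AMP cloud from the connector's parameters."""
    url = normalize_server_url(server_url) + "/" + path.lstrip("/")
    if params:
        url += "?" + urlencode(params, doseq=True)
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(client_id, api_key))
    req.add_header("Accept", "application/json")
    return req


def amp_get(server_url: str, client_id: str, api_key: str, path: str,
            verify_ssl: bool = True, params: Optional[dict] = None) -> dict:
    """Perform the request and decode the JSON envelope (network call; not exercised offline)."""
    req = build_request(server_url, client_id, api_key, path, params)
    with urllib.request.urlopen(req, context=tls_context(verify_ssl), timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder credentials; api.amp.cisco.com is the North American API host,
    # substitute the host for your region.
    req = build_request("api.amp.cisco.com", "<client-id>", "<api-key>",
                        "/v1/computers", {"limit": 5})
    print(req.full_url, req.get_header("Authorization"))
```

Because the credential is a static Basic header, the Verify SSL setting is the only thing standing between the API key and a man-in-the-middle; treat a True-to-False change of that parameter as a change to review, not a convenience.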

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function Description Annotation and Category
Get All Computers Retrieves a list of all computers and their details from the Cisco AMP cloud. search_endpoints, Investigation
Get Computer Information Retrieves details for a particular computer from the Cisco AMP cloud, based on the connector GUID that you have specified. get_endpoint_info, Investigation
Search Computers Retrieves details for a filtered list of computers from the Cisco AMP cloud, based on the parameters that you have specified. search_endpoints, Investigation
Hunt Indicator Retrieves the endpoints on which a particular indicator was observed from the Cisco AMP cloud, based on the filter and indicator value type that you have specified. search_endpoints, Investigation
Get Device Trajectory Retrieves details of all events associated with a particular computer from the Cisco AMP cloud, based on the parameters that you have specified. get_trajectory, Investigation
Get Device Trajectory By User Retrieves details of all events associated with a particular computer and a particular user from the Cisco AMP cloud, based on the parameters that you have specified. get_trajectory, Investigation
Move Computer to Group Moves a computer to a group in the Cisco AMP cloud, based on the connector GUID and group GUID that you have specified. update_group, Investigation
Search Events Searches for events on the Cisco AMP cloud, based on the parameters that you have specified. search_event, Investigation
Get Event Types Retrieves a list of all event types and their details from the Cisco AMP cloud. get_event_types, Investigation
Get Application Blocking Filelist Retrieves details for all application blocking filelists, or for a specific application blocking filelist, from the Cisco AMP cloud, based on the filelist name that you have specified. get_hash_blacklist, Investigation
Get Specific Filelist Retrieves details for a specific filelist from the Cisco AMP cloud, based on the filelist GUID that you have specified. get_hash_blacklist, Investigation
Get Simple Custom Detection Filelist Retrieves details for all Simple Custom Detection filelists, or for a specific Simple Custom Detection filelist, from the Cisco AMP cloud, based on the filelist name that you have specified. Simple Custom Detection filelists are the lists the Cisco AMP cloud uses to detect and quarantine files for your organization. get_hash_blacklist, Investigation
Add Hash to Blacklist Adds a filehash that you have specified in SHA256 format to a filelist that you have specified on the Cisco AMP cloud. update_hash_blacklist, Investigation
Get Items from Filelist Retrieves a list of items and their details from the Cisco AMP cloud, based on the filelist GUID that you have specified. get_blacklist_items, Investigation
Get Item from Filelist Retrieves details for a specific item from a specified filelist on the Cisco AMP cloud, based on the filehash and filelist GUID that you have specified. get_blacklist_items, Investigation
Delete Filelist Item Deletes a specific item from a specified filelist on the Cisco AMP cloud, based on the filehash and filelist GUID that you have specified. update_hash_blacklist, Remediation
Create Group Creates a new group in the Cisco AMP cloud based on the group name that you have specified. create_group, Investigation
Get Group List Retrieves details for all groups, or for a specific group, from the Cisco AMP cloud, based on the group name that you have specified. search_group, Investigation
Get Specific Group Retrieves details for a specific group from the Cisco AMP cloud, based on the group GUID that you have specified. search_group, Investigation
Update Group Updates a specified group on the Cisco AMP cloud with the policy you have specified. update_group, Investigation
Get All Policies Retrieves details of all policies from the Cisco AMP cloud. search_policy, Investigation
Get Specific Policy Retrieves details for a particular policy from the Cisco AMP cloud, based on the policy GUID that you have specified. search_policy, Investigation

operation: Get All Computers

Input parameters

None

Output

The JSON output contains a list of all the computers and their details from the Cisco AMP cloud. Details include connector GUID, connector version, hostname, external IP, internal IPs, network addresses, operating system, and policy.

The output contains the following populated JSON schema:
{
"data": [
{
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
},
"connector_version": "",
"operating_system": "",
"internal_ips": [],
"external_ip": "",
"group_guid": "",
"install_date": "",
"network_addresses": [
{
"mac": "",
"ip": ""
}
],
"policy": {
"guid": "",
"name": ""
}
}
]
}

operation: Get Computer Information

Input parameters

Parameter Description
Connector GUID GUID of the connector installed on the computer (endpoint) for which you want to retrieve information from Cisco AMP cloud.

Output

The JSON output contains details for the computer retrieved from the Cisco AMP cloud based on the connector GUID you have specified. Details include connector GUID, connector version, hostname, external IP, internal IPs, network addresses, operating system, and policy.

The output contains the following populated JSON schema:
{
"data": {
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
},
"connector_version": "",
"operating_system": "",
"internal_ips": [
""
],
"external_ip": "",
"group_guid": "",
"install_date": "",
"network_addresses": [
{
"mac": "",
"ip": ""
}
],
"policy": {
"guid": "",
"name": ""
}
}
}

operation: Search Computers

Input parameters

Note: None of the input parameters are mandatory. However, if you do not provide any parameter, this operation will return unfiltered results, i.e. it will return details of all computers from Cisco AMP cloud.

Parameter Description
Hostname (In CSV or List Format) A comma-separated string or a list containing the hostnames of the endpoints for which you want to retrieve system information from the Cisco AMP cloud.
For example: Demo_Cta, Demo_Dridex.
Group GUID (In CSV or List Format) A comma-separated string or a list containing the GUIDs of the groups whose endpoints you want to retrieve system information for from the Cisco AMP cloud.
For example: "31aa857b-xxxx-xxxx-xxxx-a3878f869bc2", "31aa857b-xxxx-xxxx-xxxx-a3878f869bd3".
Internal IP Address The internal IP address of the endpoints for which you want to retrieve system information from the Cisco AMP cloud. The acceptable input format is a single IPv4 address or an IPv4 CIDR range.
For example: 192.168.0.1 or 192.168.0.0/24.
External IP Address The external IP address of the endpoints for which you want to retrieve system information from the Cisco AMP cloud. The acceptable input format is a single IPv4 address or an IPv4 CIDR range.
For example: 192.168.0.1 or 192.168.0.0/24.
Limit (Optional) Maximum number of endpoints that this operation should return. By default, this is set to 0, which fetches all the available records.
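The following Python example, added here and not taken from the connector, shows the input handling a playbook author should expect for the parameters above: the "CSV or List Format" fields are normalized to a list, the IP fields accept a single IPv4 address or a CIDR range (a CIDR with host bits set, such as 192.168.0.1/24, is normalized to its network), and Limit 0 means "no cap". The `allow_cidr` switch also covers the Hunt Indicator rule that its IP Address value type takes a single address only. The query parameter names (`hostname[]`, `group_guid[]`, `internal_ip`, `external_ip`, `limit`) are an assumption about the AMP v1 computers filter; the connector may instead filter the returned list itself.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple, Union

ListInput = Union[str, Sequence[str], None]


def as_list(value: ListInput) -> List[str]:
    """Accept the 'CSV or List Format' input and return a clean list of values."""
    if value is None:
        return []
    items = value.split(",") if isinstance(value, str) else list(value)
    cleaned = []
    for item in items:
        item = str(item).strip().strip('"').strip()
        if item:
            cleaned.append(item)
    return cleaned


def ip_filter(value: Optional[str], allow_cidr: bool = True) -> Optional[str]:
    """Validate a single IPv4 address or, when allowed, an IPv4 CIDR range.
    A CIDR with host bits set (192.168.0.1/24) is normalized to its network."""
    if value is None or not value.strip():
        return None
    text = value.strip()
    if "/" in text:
        if not allow_cidr:
            raise ValueError(f"CIDR notation is not supported for this field: {text}")
        network = ipaddress.ip_network(text, strict=False)
        if network.version != 4:
            raise ValueError(f"only IPv4 is accepted: {text}")
        return str(network)
    address = ipaddress.ip_address(text)
    if address.version != 4:
        raise ValueError(f"only IPv4 is accepted: {text}")
    return str(address)


def build_computer_search(hostname: ListInput = None, group_guid: ListInput = None,
                          internal_ip: Optional[str] = None, external_ip: Optional[str] = None,
                          limit: int = 0) -> List[Tuple[str, str]]:
    """Turn the Search Computers inputs into query parameters.
    Parameter names are an assumption about the AMP v1 computers filter;
    limit 0 keeps the connector's meaning of 'no cap' by sending no limit."""
    if limit < 0:
        raise ValueError("limit must be 0 or a positive number")
    params: List[Tuple[str, str]] = []
    params += [("hostname[]", h) for h in as_list(hostname)]
    params += [("group_guid[]", g) for g in as_list(group_guid)]
    for name, raw in (("internal_ip", internal_ip), ("external_ip", external_ip)):
        checked = ip_filter(raw)
        if checked:
            params.append((name, checked))
    if limit > 0:
        params.append(("limit", str(limit)))
    return params


if __name__ == "__main__":
    print(build_computer_search(hostname="Demo_Cta, Demo_Dridex",
                                internal_ip="192.168.0.1/24", limit=0))
```

Validating the IP fields before the call matters because an unparseable value would otherwise fail late inside the playbook, and a silently passed IPv6 or malformed CIDR turns a targeted search into the unfiltered "all computers" result the note above warns about.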

Output

The JSON output contains details for all computers, or for the computers matching the input parameters you have specified, from the Cisco AMP cloud. Details include connector GUID, connector version, hostname, external IP, internal IPs, network addresses, operating system, and policy.

The output contains the following populated JSON schema:
{
"data": [
{
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
},
"connector_version": "",
"operating_system": "",
"internal_ips": [],
"external_ip": "",
"group_guid": "",
"install_date": "",
"network_addresses": [
{
"mac": "",
"ip": ""
}
],
"policy": {
"guid": "",
"name": ""
}
}
]
}

operation: Hunt Indicator

Input parameters

Parameter Description
Filter Options Filter option based on which you want to search for indicators on the Cisco AMP cloud.
Choose between Computer Activity and Computer User Activity.
Value Type The value type of the indicator based on which you want to search on the Cisco AMP cloud. Choose from the following options:
IP Address: Single IPv4 address. CIDR notation is not supported.
SHA256: SHA256 of the file that was observed on endpoints.
Filename: Name of the file that was observed on endpoints.
URL: URL fragment.
Note: The above options apply when you select the Computer Activity filter.
Username: Name of the user whose activity you want to fetch from the Cisco AMP cloud.
Note: This option applies when you select the Computer User Activity filter.
Limit (Optional) Maximum number of matching endpoints that this operation should return. By default, this is set to 0, which fetches all the available records.
Offset (Optional) The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Limit' parameter, which determines how many records to retrieve starting from the offset.

Output

The JSON output contains the details for the endpoint(s) retrieved from Cisco AMP cloud, based on the input parameters and indicator value type you have specified. Details include hostname, connector GUID, and links.

The output contains the following populated JSON schema:
{
"data": [
{
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
}
}
]
}

operation: Get Device Trajectory

Input parameters

Parameter Description
Connector GUID GUID of the connector installed on the computer (endpoint) whose associated events (activities) you want to search for from Cisco AMP cloud.
Filter Options (Optional) Filter option based on which you want to filter events associated with the particular computer on Cisco AMP cloud.
Choose from the following options: IP Address, SHA256, and URL.
Value (Optional) Specify the value of the filter you have selected.
For example, if you select IP Address, then enter the IP address based on which you want to filter activities.
Limit (Optional) Maximum number of activities associated with a particular endpoint that this operation should return. By default, this is set to 0, which fetches all the available records.

Output

The JSON output contains the details of events retrieved from Cisco AMP cloud, based on the input parameters you have specified. Details include id, event type, detection id, and computer details, such as connector version, hostname, and links.

The output contains the following populated JSON schema:
{
"data": {
"computer": {
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
},
"connector_version": "",
"operating_system": "",
"internal_ips": [
""
],
"external_ip": "",
"group_guid": "",
"install_date": "",
"network_addresses": [
{
"mac": "",
"ip": ""
}
],
"policy": {
"guid": "",
"name": ""
}
},
"events": [
{
"timestamp": "",
"timestamp_nanoseconds": "",
"date": "",
"event_type": "",
"group_guids": [
""
],
"network_info": {
"dirty_url": "",
"remote_ip": "",
"remote_port": "",
"local_ip": "",
"local_port": "",
"nfm": {
"direction": "",
"protocol": ""
},
"parent": {
"disposition": "",
"identity": {
"sha256": ""
}
}
}
}
]
}
}

operation: Get Device Trajectory By User

Input parameters

Parameter Description
Connector GUID GUID of the connector installed on the computer (endpoint) whose associated events (activities) you want to search for on Cisco AMP cloud.
User Name of the user whose events on the specified computer you want to search for on the Cisco AMP cloud.
Limit (Optional) Maximum number of activities associated with a particular user that this operation should return. By default, this is set to 0, which fetches all the available records.

Output

The JSON output contains the details of events and computers retrieved from Cisco AMP cloud, based on the input parameters you have specified. Event details include id, event type, and detection id and computer details include connector version, hostname, and links.

The output contains the following populated JSON schema:
{
"data": {
"computer": {
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
}
},
"events": [
{
"id": "",
"timestamp": "",
"timestamp_nanoseconds": "",
"date": "",
"event_type": "",
"event_type_id": "",
"detection": "",
"detection_id": "",
"file": {
"disposition": "",
"file_name": "",
"file_path": "",
"identity": {
"sha256": "",
"sha1": "",
"md5": ""
},
"archived_file": {
"disposition": "",
"identity": {
"sha256": ""
}
},
"parent": {
"process_id": "",
"disposition": "",
"file_name": "",
"identity": {
"sha256": "",
"sha1": "",
"md5": ""
}
}
},
"user_name": ""
}
]
}
}

operation: Move Computer to Group

Input parameters

Parameter Description
Connector GUID GUID of the connector installed on the computer (endpoint) that is to be moved to the group in the Cisco AMP cloud whose GUID you specify.
Group GUID GUID of the group to which you want to move the endpoint.

Output

The JSON output contains the details of the computer that you want to move to another group in Cisco AMP cloud, based on the input parameters you have specified. Details include connector GUID, connector version, hostname, Group GUID, external IP, and internal IP.

The output contains the following populated JSON schema:
{
"data": {
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
},
"connector_version": "",
"operating_system": "",
"internal_ips": [
""
],
"external_ip": "",
"group_guid": "",
"install_date": "",
"network_addresses": [
{
"mac": "",
"ip": ""
}
],
"policy": {
"guid": "",
"name": ""
}
}
}

operation: Search Events

Input parameters

Parameter Description
Connector GUID (In CSV or List Format) Comma-separated string or list containing the GUIDs of the connectors whose associated events you want to search for on the Cisco AMP cloud.
For example: "1e2af190-57a2-4ea1-871e-cb12b9ed7594", "a2ea7f96-a84c-4ebb-9fed-fe673f132b01".
Group GUID (In CSV or List Format) Comma-separated string or list containing the GUIDs of the groups whose associated events you want to search for on the Cisco AMP cloud.
For example: "07df7062-dc9e-4c96-934f-7b230395b21f", "55f15d0c-637d-4540-96ce-bb4c1ad53b03".
Event Type IDs (In CSV or List Format) (Optional) Comma-separated string or list containing the IDs of the event types whose associated events you want to search for on the Cisco AMP cloud. Use the Get Event Types operation to list the available IDs.
File Detection (SHA256) (Optional) Filehash whose associated events you want to search for on Cisco AMP cloud.
Only SHA256 value is allowed in this field.
Application (SHA256) (Optional) Application hash whose associated events you want to search for on Cisco AMP cloud.
Only SHA256 value is allowed in this field.
Start From (Optional) Starting DateTime from which you want to search events on Cisco AMP cloud.
Limit (Optional) Maximum number of events associated with a particular endpoint that this operation should return. By default, this is set to 0, which fetches all the available records.
Offset (Optional) The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Limit' parameter, which determines how many records to retrieve starting from the offset.

Output

The JSON output contains the event details retrieved from the Cisco AMP cloud, based on the input parameters you have specified. Event details include event type ID, ID, date, detection ID, and group GUIDs.

The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"timestamp": "",
"timestamp_nanoseconds": "",
"date": "",
"event_type": "",
"event_type_id": "",
"detection": "",
"detection_id": "",
"group_guids": [
""
],
"computer": {
"connector_guid": "",
"hostname": "",
"external_ip": "",
"user": "",
"active": "",
"network_addresses": [
{
"ip": "",
"mac": ""
}
],
"links": {
"computer": "",
"trajectory": "",
"group": ""
}
},
"file": {
"disposition": "",
"file_name": "",
"file_path": "",
"identity": {
"sha256": "",
"sha1": "",
"md5": ""
},
"archived_file": {
"disposition": "",
"identity": {
"sha256": ""
}
},
"parent": {
"process_id": "",
"disposition": "",
"file_name": "",
"identity": {
"sha256": "",
"sha1": "",
"md5": ""
}
}
}
}
]
}

operation: Get Event Types

Input parameters

None

Output

The JSON output contains a list of all the event types and their details from Cisco AMP cloud. Details include id, name, and description.

The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"name": "",
"description": ""
}
]
}

operation: Get Application Blocking Filelist

Input parameters

Note: None of the input parameters are mandatory. However, if you do not provide any parameter, this operation will return unfiltered results, i.e. it will return details of all application blocking filelists from Cisco AMP cloud.

Parameter Description
Filelist Name Name of the application blocking filelist for which you want to retrieve details from Cisco AMP cloud.
Limit Maximum number of filelists that this operation should return. By default, this is set to 0, which fetches all the available records.
Offset The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Limit' parameter, which determines how many records to retrieve starting from the offset.

Output

The JSON output contains details for all application blocking lists or details for a specific application blocking list based on the filelist name you have specified from Cisco AMP cloud. Blocking list details include GUID, name, links, and type.

The output contains the following populated JSON schema:
{
"data": [
{
"name": "",
"guid": "",
"type": "",
"links": {
"file_list": ""
}
}
]
}

operation: Get Specific Filelist

Input parameters

Parameter Description
Filelist GUID GUID of the filelist for which you want to retrieve details from Cisco AMP cloud.

Output

The JSON output contains the filelist details retrieved from the Cisco AMP cloud, based on the filelist GUID you have specified. Filelist details include GUID, name, links, and type.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"guid": "",
"type": "",
"links": {
"file_list": ""
}
}
}

operation: Get Simple Custom Detection Filelist

Input parameters

Note: None of the input parameters are mandatory. However, if you do not provide any parameter, this operation will return unfiltered results, i.e. it will return details of all simple custom detection filelists from Cisco AMP cloud.

Parameter Description
Filelist Name Name of the simple custom detection filelist for which you want to retrieve details from Cisco AMP cloud.
Limit Maximum number of filelists that this operation should return. By default, this is set to 0, which fetches all the available records.

Output

The JSON output contains details for all simple custom detection filelists or details for a specific simple custom detection filelist based on the filelist name you have specified from Cisco AMP cloud. Simple Custom Detection Filelist details include GUID, name, links, and type.

The output contains the following populated JSON schema:
{
"data": [
{
"name": "",
"guid": "",
"type": "",
"links": {
"file_list": ""
}
}
]
}

operation: Add Hash to Blacklist

Input parameters

Parameter Description
Filelist GUID GUID of the filelist to which you want to add the specified filehash.
Filehash SHA256 filehash that you want to add to the specified filelist in the Cisco AMP cloud. Only SHA256 values are accepted.
Description Description of the filehash that you want to add to a specified filelist in Cisco AMP cloud.

Output

The JSON output contains the details of the filehash you have added to the specified filelist in the Cisco AMP cloud. Item details include description, sha256, source, and links.

The output contains the following populated JSON schema:
{
"data": {
"sha256": "",
"description": "",
"source": "",
"links": {
"file_list": ""
}
}
}

operation: Get Items from Filelist

Input parameters

Parameter Description
Filelist GUID GUID of the filelist from which you want to retrieve details of items.
Limit (Optional) Maximum number of items associated with a particular filelist that this operation should return. By default, this is set to 0, which fetches all the available records.
Offset (Optional) The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Limit' parameter, which determines how many records to retrieve starting from the offset.
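The Limit and Offset parameters, with the same meaning here as in Hunt Indicator, Search Events and Get Application Blocking Filelist, describe a paging contract: Limit 0 means "everything from the offset onwards", otherwise at most Limit records are returned starting at Offset. The following Python example, added here and not part of the connector, implements that contract as a generator that pages through an API in fixed-size calls and stops on an empty page so a stuck cursor can never loop forever. The API is replaced by a constructed in-memory stand-in that serves records in the `metadata`/`data` envelope shape of the AMP v1 responses (an assumption; the record contents are made up).

```python
from typing import Callable, Dict, Iterator, List

Page = Dict  # envelope: {"metadata": {"results": {...}}, "data": [...]}


def iter_records(fetch_page: Callable[[int, int], Page], limit: int = 0,
                 offset: int = 0, page_size: int = 500) -> Iterator[Dict]:
    """Yield records starting at `offset`; limit 0 means 'all remaining'.
    `fetch_page(limit, offset)` performs one API call and returns the envelope."""
    if limit < 0 or offset < 0 or page_size <= 0:
        raise ValueError("limit and offset must be >= 0, page_size > 0")
    remaining = None if limit == 0 else limit
    index = offset
    while remaining is None or remaining > 0:
        want = page_size if remaining is None else min(page_size, remaining)
        page = fetch_page(want, index)
        data = list(page.get("data") or [])[:want]
        if not data:
            break  # no more records, or a stuck cursor: never loop forever
        for record in data:
            yield record
        index += len(data)
        if remaining is not None:
            remaining -= len(data)
        total = page.get("metadata", {}).get("results", {}).get("total")
        if total is not None and index >= total:
            break


def make_fake_api(total: int) -> Callable[[int, int], Page]:
    """Constructed stand-in for the API: records with ids 1..total, served in
    the metadata/data envelope shape of the AMP v1 responses (assumption)."""
    records = [{"id": i} for i in range(1, total + 1)]

    def fetch_page(limit: int, offset: int) -> Page:
        chunk = records[offset:offset + limit]
        return {
            "metadata": {"results": {"total": total, "current_item_count": len(chunk),
                                     "index": offset, "items_per_page": limit}},
            "data": chunk,
        }
    return fetch_page


def collect_ids(total: int, limit: int = 0, offset: int = 0, page_size: int = 3) -> List[int]:
    """Run the paginator against the fake API and return the ids it yields."""
    return [r["id"] for r in iter_records(make_fake_api(total), limit, offset, page_size)]


if __name__ == "__main__":
    print(collect_ids(7))                     # every record, three calls
    print(collect_ids(7, limit=3, offset=5))  # records 6 and 7 only
```

The stop conditions are the point: a Limit of 0 against a large tenant is bounded only by the total the service reports, so a playbook that loops over "all events" should either pass a Limit or consume the generator lazily rather than materializing the list.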

Output

The JSON output contains a list of items and their details retrieved from the Cisco AMP cloud, based on the filelist GUID you have specified. Item details include the description, sha256, source, and links.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"guid": "",
"policies": [
{
"name": "",
"guid": "",
"links": {
"policy": ""
}
}
],
"items": [
{
"description": "",
"links": {
"file_list": ""
},
"source": "",
"sha256": ""
}
]
}
}

operation: Get Item from Filelist

Input parameters

Parameter Description
Filelist GUID GUID of the filelist from which you want to retrieve details of the specified item.
Filehash SHA256 filehash of the item that you want to retrieve from the specified filelist on the Cisco AMP cloud.

Output

The JSON output contains details for the specified item retrieved from Cisco AMP cloud, based on the filelist GUID and filehash you have specified. Item details include the description, sha256, source, and links.

The output contains the following populated JSON schema:
{
"data": {
"sha256": "",
"source": "",
"links": {
"file_list": ""
}
}
}

operation: Delete Filelist Item

Input parameters

Parameter Description
Filelist GUID GUID of the filelist from which you want to delete the specified item.
Filehash SHA256 filehash of the item that you want to delete from the specified filelist on the Cisco AMP cloud.
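Add Hash to Blacklist, Get Item from Filelist and Delete Filelist Item all key an item by filelist GUID and SHA256, and the SHA256-only rule also applies to the File Detection and Application fields of Search Events. The following Python example, added here and not the connector's own code, validates those two identifiers before any call is made, so a SHA1 or MD5 pasted into a playbook input is rejected with a clear message instead of producing an item that never matches anything. The resource path `/v1/file_lists/{guid}/files/{sha256}` and the JSON `description` body are an assumption about the AMP v1 API; the GUID and digests used for illustration are constructed.

```python
import re
from typing import Dict, Optional, Tuple

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_kind(value: str) -> Optional[str]:
    """Classify a hex digest by length; None for anything that is not a hash."""
    text = value.strip()
    if not HEX_RE.match(text):
        return None
    return HASH_LENGTHS.get(len(text))


def require_sha256(value: str) -> str:
    """Enforce the SHA256-only rule before anything is sent to the API."""
    kind = hash_kind(value)
    if kind != "sha256":
        raise ValueError(f"expected a SHA256 digest, got {kind or 'a non-hash value'}")
    return value.strip().lower()


def require_guid(value: str) -> str:
    """Reject anything that is not a GUID, so a hostname or name cannot end up in the path."""
    text = value.strip()
    if not GUID_RE.match(text):
        raise ValueError(f"not a GUID: {text}")
    return text.lower()


def filelist_item_request(action: str, filelist_guid: str, filehash: str,
                          description: Optional[str] = None) -> Tuple[str, str, Optional[Dict]]:
    """Plan the API call for one item of a filelist. Path and body layout are an
    assumption about the AMP v1 file_lists resource; returns (method, path, json_body)."""
    methods = {"add": "POST", "get": "GET", "delete": "DELETE"}
    if action not in methods:
        raise ValueError(f"unknown action: {action}")
    path = f"/v1/file_lists/{require_guid(filelist_guid)}/files/{require_sha256(filehash)}"
    body = {"description": description} if action == "add" and description else None
    return methods[action], path, body


if __name__ == "__main__":
    # Constructed GUID and digests for illustration only.
    guid = "31aa857b-0000-0000-0000-a3878f869bc2"
    sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    sha1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    print(filelist_item_request("add", guid, sha256, "blocked by playbook"))
    try:
        filelist_item_request("add", guid, sha1)
    except ValueError as err:
        print("rejected:", err)
```

Lower-casing the digest before use keeps the identifier consistent between the add and the later get or delete, so a playbook that blocks a hash from an uppercase alert field can still find and remove its own entry.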

Output

The JSON output contains the status of the delete request sent to the Cisco AMP cloud for the item identified by the filelist GUID and filehash you have specified.

The output contains the following populated JSON schema:
{
"status": ""
}

operation: Create Group

Input parameters

Parameter Description
Name Name of the group that you want to create in Cisco AMP cloud.
Description Description of the group that you want to create in Cisco AMP cloud.

Output

The JSON output contains the details of the newly created group in Cisco AMP cloud. Group details include name, GUID, description, policies, and source.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"description": "",
"guid": "",
"source": "",
"policies": [
{
"name": "",
"description": "",
"guid": "",
"product": "",
"default": "",
"serial_number": "",
"links": {
"policy_xml": "",
"policy": ""
},
"file_lists": [
{
"name": "",
"guid": "",
"type": ""
}
],
"ip_lists": [
{
"type": "",
"name": "",
"guid": ""
}
],
"exclusion_set": {
"name": "",
"guid": ""
},
"used_in_groups": [
{
"name": "",
"description": "",
"guid": ""
}
],
"inherited": ""
}
]
}
}

operation: Get Group List

Input parameters

Note: None of the input parameters are mandatory. However, if you do not provide any parameter, this operation will return unfiltered results, i.e. it will return details of all available groups from Cisco AMP cloud.

Parameter Description
Name Name of the group for which you want to retrieve details from Cisco AMP cloud.
Limit Maximum number of groups that this operation should return. By default, this is set to 0, which fetches all the available records.

Output

The JSON output contains details for all groups, or for a specific group, based on the group name you have specified, from the Cisco AMP cloud. Group details include name, description, GUID, source, and links.

The output contains the following populated JSON schema:
{
"data": [
{
"name": "",
"description": "",
"guid": "",
"source": "",
"links": {
"group": ""
}
}
]
}

operation: Get Specific Group

Input parameters

Parameter Description
Group GUID GUID of the group for which you want to retrieve details from Cisco AMP cloud.

Output

The JSON output contains the group details retrieved from Cisco AMP cloud, based on the group GUID you have specified. Group details include GUID, name, links, and source.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"description": "",
"guid": "",
"source": "",
"policies": [
{
"name": "",
"description": "",
"guid": "",
"product": "",
"default": "",
"serial_number": "",
"links": {
"policy_xml": "",
"policy": ""
},
"file_lists": [
{
"name": "",
"guid": "",
"type": ""
}
],
"ip_lists": [
{
"type": "",
"name": "",
"guid": ""
}
],
"exclusion_set": {
"name": "",
"guid": ""
},
"used_in_groups": [
{
"name": "",
"description": "",
"guid": ""
}
],
"inherited": ""
}
]
}
}

operation: Update Group

Input parameters

Note: You must specify one of the policies: Windows Policy GUID, MAC Policy GUID, Linux Policy GUID, or Android Policy GUID so that the specified group can be updated on Cisco AMP cloud with the specified policy.

Parameter Description
Group GUID GUID of the group that you want to update on Cisco AMP cloud.
Windows Policy GUID GUID of the Windows policy that you want to update on the group you have specified.
Mac Policy GUID GUID of the Mac policy that you want to update on the group you have specified.
Linux Policy GUID GUID of the Linux policy that you want to update on the group you have specified.
Android Policy GUID GUID of the Android policy that you want to update on the group you have specified.

Output

The JSON output contains the details of the group that you want to update on Cisco AMP cloud, based on the input parameters you have specified. Group details include GUID, name, description, policies, and source.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"description": "",
"guid": "",
"source": "",
"policies": [
{
"name": "",
"description": "",
"guid": "",
"product": "",
"default": "",
"serial_number": "",
"links": {
"policy_xml": "",
"policy": ""
},
"file_lists": [
{
"name": "",
"guid": "",
"type": ""
}
],
"ip_lists": [
{
"type": "",
"name": "",
"guid": ""
}
],
"exclusion_set": {
"name": "",
"guid": ""
},
"used_in_groups": [
{
"name": "",
"description": "",
"guid": ""
}
],
"inherited": ""
}
]
}
}

operation: Get All Policies

Input parameters

None

Output

The JSON output contains details for all policies retrieved from the Cisco AMP cloud. Details include name, GUID, product, whether the policy is the default, serial number, and links.

The output contains the following populated JSON schema:
{
"data": [
{
"name": "",
"guid": "",
"product": "",
"default": "",
"serial_number": "",
"links": {
"policy": ""
}
}
]
}

operation: Get Specific Policy

Input parameters

Parameter Description
Policy GUID GUID of the policy for which you want to retrieve details from Cisco AMP cloud.

Output

The JSON output contains details for the policy retrieved from the Cisco AMP cloud based on the policy GUID you have specified. Details include name, description, GUID, product, file lists, IP lists, exclusion set, links, and the groups in which the policy is used.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"description": "",
"guid": "",
"product": "",
"default": "",
"serial_number": "",
"links": {
"policy_xml": ""
},
"file_lists": [
{
"name": "",
"guid": "",
"type": ""
}
],
"ip_lists": [
{
"type": "",
"name": "",
"guid": ""
}
],
"exclusion_set": {
"name": "",
"guid": ""
},
"used_in_groups": [
{
"name": "",
"description": "",
"guid": ""
}
]
}
}

Included playbooks

The Sample-Cisco AMP For Endpoints - 1.0.1 playbook collection comes bundled with the Cisco AMP For Endpoints connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco AMP For Endpoints connector.

  • Add Hash to Blacklist
  • Create Group
  • Delete Filelist Item
  • Get All Computers
  • Get All Policies
  • Get Application Blocking Filelist
  • Get Computer Information
  • Get Device Trajectory
  • Get Device Trajectory By User
  • Get Event Types
  • Get Group List
  • Get Item from Filelist
  • Get Items from Filelist
  • Get Simple Custom Detection Filelist
  • Get Specific Filelist
  • Get Specific Group
  • Get Specific Policy
  • Hunt Indicator
  • Move Computer to Group
  • Search Computers
  • Search Events
  • Update Group

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

Investigation
Hunt Indicator Retrieves details for a particular endpoint from Cisco AMP cloud, based on the input parameters and indicator value type that you have specified. search_endpoints
Investigation
Get Device Trajectory Retrieves details of all events associated with a particular computer from Cisco AMP cloud, based on the parameters that you have specified. get_trajectory
Investigation
Get Device Trajectory By User Retrieves details of all events associated with a particular computer and particular user from Cisco AMP cloud, based on the parameters that you have specified. get_trajectory
Investigation
Move Computer to Group Moves a computer to a group in Cisco AMP cloud, based on the computer GUID and group GUID that you have specified. update_group
Investigation
Search Events Searches for events on Cisco AMP cloud, based on the parameters that you have specified. search_event
Investigation
Get Event Types Retrieves a list of all event types and their details from Cisco AMP cloud. get_event_types
Investigation
Get Application Blocking Filelist Retrieves details for all application blocking filelists or details for a specific application blocking filelist from Cisco AMP cloud, based on the filelist name that you have specified. get_hash_blacklist
Investigation
Get Specific Filelist Retrieves details for a specific filelist from Cisco AMP cloud, based on the Filelist ID that you have specified. get_hash_blacklist
Investigation
Get Simple Custom Detection Filelist Retrieves details for all Simple Custom Detection List files or details for a specific Simple Custom Detection List file from Cisco AMP cloud, based on the filelist name that you have specified.
You can use the Simple Custom Detection List files list retrieved from Cisco AMP cloud to detect and quarantine files for your organization.
get_hash_blacklist
Investigation
Add Hash to Blacklist Adds a filehash that you have specified in the SHA256 format to a filelist that you have specified on Cisco AMP cloud. update_hash_blacklist
Investigation
Get Items from Filelist Retrieves a list of items and their details from Cisco AMP cloud, based on the filelist name that you have specified. get_blacklist_items
Investigation
Get Item from Filelist Retrieves details for a specific item from a specified filelist from Cisco AMP cloud, based on the filehash and filelist name that you have specified. get_blacklist_items
Investigation
Delete Filelist Item Deletes a specific item from a specified filelist from Cisco AMP cloud, based on the filehash and filelist name that you have specified. update_hash_blacklist
Remediation
Create Group Creates a new group in Cisco AMP cloud based on the group name that you have specified. create_group
Investigation
Get Group List Retrieves details for all groups or details for a specific group from Cisco AMP cloud, based on the group name that you have specified. search_group
Investigation
Get Specific Group Retrieves details for a specific group from Cisco AMP cloud, based on the group GUID that you have specified. search_group
Investigation
Update Group Updates a specified group on Cisco AMP cloud, with the policy you have specified. update_group
Investigation
Get All Policies Retrieves details of all policies from Cisco AMP cloud. search_policy
Investigation
Get Specific Policy Retrieves details for a particular policy from Cisco AMP cloud, based on the policy GUID that you have specified. search_policy
Investigation

operation: Get All Computers

Input parameters

None

Output

The JSON output contains a list of all the computers and their details from Cisco AMP cloud. Details include connector GUID, connector version, hostname, external IP, internal IP, network Address, operating system, and policy.

The output contains the following populated JSON schema:
{
"data": [
{
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
},
"connector_version": "",
"operating_system": "",
"internal_ips": [],
"external_ip": "",
"group_guid": "",
"install_date": "",
"network_addresses": [
{
"mac": "",
"ip": ""
}
],
"policy": {
"guid": "",
"name": ""
}
}
]
}

operation: Get Computer Information

Input parameters

Parameter Description
Connector GUID GUID of the connector installed on the computer (endpoint) for which you want to retrieve information from Cisco AMP cloud.

Output

The JSON output contains details for the computer retrieved based on the connector GUID you have specified from Cisco AMP cloud. Details include connector GUID, connector version, hostname, external IP, internal IP, network Address, operating system, and policy.

Output

The output contains the following populated JSON schema:
{
"data": {
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
},
"connector_version": "",
"operating_system": "",
"internal_ips": [
""
],
"external_ip": "",
"group_guid": "",
"install_date": "",
"network_addresses": [
{
"mac": "",
"ip": ""
}
],
"policy": {
"guid": "",
"name": ""
}
}
}

operation: Search Computers

Input parameters

Note: None of the input parameters are mandatory. However, if you do not provide any parameter, this operation will return unfiltered results, i.e. it will return details of all computers from Cisco AMP cloud.

Parameter Description
Hostname (In CSV or List Format) A serialized list containing the Hostname of the endpoint for which you want to retrieve system information from Cisco AMP cloud.
For example: Demo_Cta, Demo_Dridex.
Group GUID (In CSV or List Format) A serialized list containing the Group GUID that contains the endpoints for which you want to retrieve system information from Cisco AMP cloud.
For example: "31aa857b-xxxx-xxxx-xxxx-a3878f869bc2", "31aa857b-xxxx-xxxx-xxxx-a3878f869bd3".
Internal IP Address The internal IP address of the endpoint for which you want to retrieve system information from Cisco AMP cloud. The input format that is acceptable for this field is either single IPv4 or CIDR.
For example: 192.168.0.1 or 192.168.0.0/24.
External IP Address The external IP address of the endpoint for which you want to retrieve system information from Cisco AMP cloud. The input format acceptable for this field is either single IPv4 or CIDR.
For example: 192.168.0.1 or 192.168.0.0/24.
Limit (Optional) Maximum number of endpoints that this operation should return. By default, this is set to 0, which fetches all the available records available.

Output

The JSON output contains details for all computers or details for a specific computer based on the input parameters you have specified from Cisco AMP cloud. Details include connector GUID, connector version, hostname, external IP, internal IP, network Address, operating system, and policy.

The output contains the following populated JSON schema:
{
"data": [
{
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
},
"connector_version": "",
"operating_system": "",
"internal_ips": [],
"external_ip": "",
"group_guid": "",
"install_date": "",
"network_addresses": [
{
"mac": "",
"ip": ""
}
],
"policy": {
"guid": "",
"name": ""
}
}
]
}

operation: Hunt Indicator

Input parameters

Parameter Description
Filter Options Filter option based on which you want to search for indicators on Cisco AMP cloud.
Choose between Computer Activity and Computer User Activity.
Value Type The value type of the indicator based on which you want to search for indicators on Cisco AMP cloud. Choose from the following options:
IP Address: Single IPv4 address. CIRD is not supported.
SHA256: SHA256 of the file that is observed on endpoints.
Filename: Name of the file that is observed on endpoints.
URL: URL fragment.
Note: The above options are used when you select the filter as Computer Activity.
Username (Use in case of Computer User Activity): Name of the user whose activities you want to fetch from Cisco AMP cloud.
Note: The option is used when you select the filter as Computer User Activity.
Limit (Optional) Maximum number of indicators that this operation should return. By default, this is set to 0, which fetches all the available records.
Offset (Optional) The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Limit' parameter, which determines how many records to retrieve starting from the offset.

Output

The JSON output contains the details for the endpoint(s) retrieved from Cisco AMP cloud, based on the input parameters and indicator value type you have specified. Details include hostname, connector GUID, and links.

The output contains the following populated JSON schema:
{
"data": [
{
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
}
}
]
}

operation: Get Device Trajectory

Input parameters

Parameter Description
Connector GUID GUID of the connector installed on the computer (endpoint) whose associated events (activities) you want to search for from Cisco AMP cloud.
Filter Options (Optional) Filter option based on which you want to filter events associated with the particular computer on Cisco AMP cloud.
Choose from the following options: IP Address, SHA256, and URL.
Value (Optional) Specify the value of the filter you have selected.
For example, if you select IP Address, then enter the IP address based on which you want to filter activities.
Limit (Optional) Maximum number of activities associated with a particular endpoint that this operation should return. By default, this is set to 0, which fetches all the available records.

Output

The JSON output contains the details of events retrieved from Cisco AMP cloud, based on the input parameters you have specified. Details include id, event type, detection id, and computer details, such as connector version, hostname, and links.

The output contains the following populated JSON schema:
{
"data": {
"computer": {
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
},
"connector_version": "",
"operating_system": "",
"internal_ips": [
""
],
"external_ip": "",
"group_guid": "",
"install_date": "",
"network_addresses": [
{
"mac": "",
"ip": ""
}
],
"policy": {
"guid": "",
"name": ""
}
},
"events": [
{
"timestamp": "",
"timestamp_nanoseconds": "",
"date": "",
"event_type": "",
"group_guids": [
""
],
"network_info": {
"dirty_url": "",
"remote_ip": "",
"remote_port": "",
"local_ip": "",
"local_port": "",
"nfm": {
"direction": "",
"protocol": ""
},
"parent": {
"disposition": "",
"identity": {
"sha256": ""
}
}
}
}
]
}
}

operation: Get Device Trajectory By User

Input parameters

Parameter Description
Connector GUID GUID of the connector installed on the computer (endpoint) whose associated events (activities) you want to search for on Cisco AMP cloud.
User Name of the user whose associated events are on the specified computer you want to search for on Cisco AMP cloud.
Limit (Optional) Maximum number of activities associated with a particular user that this operation should return. By default, this is set to 0, which fetches all the available records.

Output

The JSON output contains the details of events and computers retrieved from Cisco AMP cloud, based on the input parameters you have specified. Event details include id, event type, and detection id and computer details include connector version, hostname, and links.

The output contains the following populated JSON schema:
{
"data": {
"computer": {
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
}
},
"events": [
{
"id": "",
"timestamp": "",
"timestamp_nanoseconds": "",
"date": "",
"event_type": "",
"event_type_id": "",
"detection": "",
"detection_id": "",
"file": {
"disposition": "",
"file_name": "",
"file_path": "",
"identity": {
"sha256": "",
"sha1": "",
"md5": ""
},
"archived_file": {
"disposition": "",
"identity": {
"sha256": ""
}
},
"parent": {
"process_id": "",
"disposition": "",
"file_name": "",
"identity": {
"sha256": "",
"sha1": "",
"md5": ""
}
}
},
"user_name": ""
}
]
}
}

operation: Move Computer to Group

Input parameters

Parameter Description
Connector GUID GUID of the connector installed on the computer (endpoint) that requires to be moved to another group in Cisco AMP cloud based on the GUID of the group you specify.
Group GUID GUID of the group to which you want to move the endpoint.

Output

The JSON output contains the details of the computer that you want to move to another group in Cisco AMP cloud, based on the input parameters you have specified. Details include connector GUID, connector version, hostname, Group GUID, external IP, and internal IP.

The output contains the following populated JSON schema:
{
"data": {
"connector_guid": "",
"hostname": "",
"active": "",
"links": {
"computer": "",
"trajectory": "",
"group": ""
},
"connector_version": "",
"operating_system": "",
"internal_ips": [
""
],
"external_ip": "",
"group_guid": "",
"install_date": "",
"network_addresses": [
{
"mac": "",
"ip": ""
}
],
"policy": {
"guid": "",
"name": ""
}
}
}

operation: Search Events

Input parameters

Parameter Description
Connector GUID (In CSV or List Format) Serialized comma-separated list containing the GUIDs of the connector whose associated events you want to search for on Cisco AMP cloud.
For example: "1e2af190-57a2-4ea1-871e-cb12b9ed7594", "a2ea7f96-a84c-4ebb-9fed-fe673f132b01".
Group GUID (In CSV or List Format) Serialized comma-separated list containing the Group GUID whose associated events you want search for on Cisco AMP cloud.
For example: "07df7062-dc9e-4c96-934f-7b230395b21f", "55f15d0c-637d-4540-96ce-bb4c1ad53b03".
Event Type IDs (In CSV or List Format) (Optional) Serialized comma-separated list containing the IDs of the event types whose associated events you want to search for on Cisco AMP cloud.
File Detection (SHA256) (Optional) Filehash whose associated events you want to search for on Cisco AMP cloud.
Only SHA256 value is allowed in this field.
Application (SHA256) (Optional) Application hash whose associated events you want to search for on Cisco AMP cloud.
Only SHA256 value is allowed in this field.
Start From (Optional) Starting DateTime from which you want to search events on Cisco AMP cloud.
Limit (Optional) Maximum number of events associated with a particular endpoint that this operation should return. By default, this is set to 0, which fetches all the available records.
Offset (Optional) The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Limit' parameter, which determines how many records to retrieve starting from the offset.

Output

The JSON output contains the event details retrieved from Cisco AMP cloud, based on the input parameters you have specified. Event details include event type id, id, date detection id, and group GUID.

The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"timestamp": "",
"timestamp_nanoseconds": "",
"date": "",
"event_type": "",
"event_type_id": "",
"detection": "",
"detection_id": "",
"group_guids": [
""
],
"computer": {
"connector_guid": "",
"hostname": "",
"external_ip": "",
"user": "",
"active": "",
"network_addresses": [
{
"ip": "",
"mac": ""
}
],
"links": {
"computer": "",
"trajectory": "",
"group": ""
}
},
"file": {
"disposition": "",
"file_name": "",
"file_path": "",
"identity": {
"sha256": "",
"sha1": "",
"md5": ""
},
"archived_file": {
"disposition": "",
"identity": {
"sha256": ""
}
},
"parent": {
"process_id": "",
"disposition": "",
"file_name": "",
"identity": {
"sha256": "",
"sha1": "",
"md5": ""
}
}
}
}
]
}

operation: Get Event Types

Input parameters

None

Output

The JSON output contains a list of all the event types and their details from Cisco AMP cloud. Details include id, name, and description.

The output contains the following populated JSON schema:
{
"data": [
{
"id": "",
"name": "",
"description": ""
}
]
}

operation: Get Application Blocking Filelist

Input parameters

Note: None of the input parameters are mandatory. However, if you do not provide any parameter, this operation will return unfiltered results, i.e. it will return details of all application blocking filelists from Cisco AMP cloud.

Parameter Description
Filelist Name Name of the application blocking filelist for which you want to retrieve details from Cisco AMP cloud.
Limit Maximum number of filelists that this operation should return. By default, this is set to 0, which fetches all the available records.
Offset The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Limit' parameter, which determines how many records to retrieve starting from the offset.

Output

The JSON output contains details for all application blocking lists or details for a specific application blocking list based on the filelist name you have specified from Cisco AMP cloud. Blocking list details include GUID, name, links, and type.

The output contains the following populated JSON schema:
{
"data": [
{
"name": "",
"guid": "",
"type": "",
"links": {
"file_list": ""
}
}
]
}

operation: Get Specific Filelist

Input parameters

Parameter Description
Filelist GUID GUID of the filelist for which you want to retrieve details from Cisco AMP cloud.

Output

The JSON output contains the filelist details retrieved from Cisco AMP cloud, based on the filelist ID you have specified. Filelist details include GUID, name, links, and type.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"guid": "",
"type": "",
"links": {
"file_list": ""
}
}
}

operation: Get Simple Custom Detection Filelist

Input parameters

Note: None of the input parameters are mandatory. However, if you do not provide any parameter, this operation will return unfiltered results, i.e. it will return details of all simple custom detection filelists from Cisco AMP cloud.

Parameter Description
Filelist Name Name of the simple custom detection filelist for which you want to retrieve details from Cisco AMP cloud.
Limit Maximum number of filelists that this operation should return. By default, this is set to 0, which fetches all the available records.

Output

The JSON output contains details for all simple custom detection filelists or details for a specific simple custom detection filelist based on the filelist name you have specified from Cisco AMP cloud. Simple Custom Detection Filelist details include GUID, name, links, and type.

The output contains the following populated JSON schema:
{
"data": [
{
"name": "",
"guid": "",
"type": "",
"links": {
"file_list": ""
}
}
]
}

operation: Add Hash to Blacklist

Input parameters

Parameter Description
Filelist GUID GUID of the filelist to which you want to add the specified filehash.
Filehash Filehash that you want to add to a specified filelist in Cisco AMP cloud.
Description Description of the filehash that you want to add to a specified filelist in Cisco AMP cloud.

Output

The JSON output contains the filehash details you have added to the specified filelist in Cisco AMP cloud. Filelist details include description, sha256, source, and links.

The output contains the following populated JSON schema:
{
"data": {
"sha256": "",
"description": "",
"source": "",
"links": {
"file_list": ""
}
}
}

operation: Get Items for Filelist

Input parameters

Parameter Description
Filelist GUID GUID of the filelist from which you want to retrieve details of items.
Limit (Optional) Maximum number of items associated with a particular filelist that this operation should return. By default, this is set to 0, which fetches all the available records.
Offset (Optional) The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Limit' parameter, which determines how many records to retrieve starting from the offset.

Output

The JSON output contains a list of items and their details retrieved from Cisco AMP cloud, based on the filelist name you have specified. Item details include the description, sha256, source, and links.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"guid": "",
"policies": [
{
"name": "",
"guid": "",
"links": {
"policy": ""
}
}
],
"items": [
{
"description": "",
"links": {
"file_list": ""
},
"source": "",
"sha256": ""
}
]
}
}

operation: Get Item for Filelist

Input parameters

Parameter Description
Filelist GUID GUID of the filelist from which you want to retrieve details of the specified item.
Filehash Filehash that is associated with the filelist that you have specified for which you want to retrieve item details from Cisco AMP cloud.

Output

The JSON output contains details for the specified item retrieved from Cisco AMP cloud, based on the filelist GUID and filehash you have specified. Item details include the description, sha256, source, and links.

The output contains the following populated JSON schema:
{
"data": {
"sha256": "",
"source": "",
"links": {
"file_list": ""
}
}
}

operation: Delete Filelist Item

Input parameters

Parameter Description
Filelist GUID GUID of the filelist from which you want to delete the specified item.
Filehash Filehash that is associated with the filelist that you have specified from which you want to delete the item from Cisco AMP cloud.

Output

The JSON output contains details for the specified item that you want to delete from Cisco AMP cloud, based on the filelist GUID and filehash you have specified. Item details include metadata, data, and links.

The output contains the following populated JSON schema:
{
"status": ""
}

operation: Create Group

Input parameters

Parameter Description
Name Name of the group that you want to create in Cisco AMP cloud.
Description Description of the group that you want to create in Cisco AMP cloud.

Output

The JSON output contains the details of the newly created group in Cisco AMP cloud. Group details include name, GUID, description, policies, and source.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"description": "",
"guid": "",
"source": "",
"policies": [
{
"name": "",
"description": "",
"guid": "",
"product": "",
"default": "",
"serial_number": "",
"links": {
"policy_xml": "",
"policy": ""
},
"file_lists": [
{
"name": "",
"guid": "",
"type": ""
}
],
"ip_lists": [
{
"type": "",
"name": "",
"guid": ""
}
],
"exclusion_set": {
"name": "",
"guid": ""
},
"used_in_groups": [
{
"name": "",
"description": "",
"guid": ""
}
],
"inherited": ""
}
]
}
}

operation: Get Group List

Input parameters

Note: None of the input parameters are mandatory. However, if you do not provide any parameter, this operation will return unfiltered results, i.e. it will return details of all available groups from Cisco AMP cloud.

Parameter Description
Name Name of the group for which you want to retrieve details from Cisco AMP cloud.
Limit Maximum number of groups that this operation should return. By default, this is set to 0, which fetches all the available records.

Output

The JSON output contains details for all groups or details for a specific group based on the group name you have specified from Cisco AMP cloud. Group details include GUID, name, source, and type.

The output contains the following populated JSON schema:
{
"data": [
{
"name": "",
"description": "",
"guid": "",
"source": "",
"links": {
"group": ""
}
}
]
}

operation: Get Specific Group

Input parameters

Parameter Description
Group GUID GUID of the group for which you want to retrieve details from Cisco AMP cloud.

Output

The JSON output contains the group details retrieved from Cisco AMP cloud, based on the group GUID you have specified. Group details include GUID, name, links, and source.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"description": "",
"guid": "",
"source": "",
"policies": [
{
"name": "",
"description": "",
"guid": "",
"product": "",
"default": "",
"serial_number": "",
"links": {
"policy_xml": "",
"policy": ""
},
"file_lists": [
{
"name": "",
"guid": "",
"type": ""
}
],
"ip_lists": [
{
"type": "",
"name": "",
"guid": ""
}
],
"exclusion_set": {
"name": "",
"guid": ""
},
"used_in_groups": [
{
"name": "",
"description": "",
"guid": ""
}
],
"inherited": ""
}
]
}
}

operation: Update Group

Input parameters

Note: You must specify one of the policies: Windows Policy GUID, MAC Policy GUID, Linux Policy GUID, or Android Policy GUID so that the specified group can be updated on Cisco AMP cloud with the specified policy.

Parameter Description
Group GUID GUID of the group that you want to update on Cisco AMP cloud.
Windows Policy GUID GUID of the Windows policy that you want to update on the group you have specified.
Mac Policy GUID GUID of the MAC policy that you want to update on the group you have specified.
Linux Policy GUID GUID of the Linux policy that you want to update on the group you have specified.
Android Policy GUID GUID of the Android policy that you want to update on the group you have specified.

Output

The JSON output contains the details of the group that you want to update on Cisco AMP cloud, based on the input parameters you have specified. Group details include GUID, name, description, policies, and source.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"description": "",
"guid": "",
"source": "",
"policies": [
{
"name": "",
"description": "",
"guid": "",
"product": "",
"default": "",
"serial_number": "",
"links": {
"policy_xml": "",
"policy": ""
},
"file_lists": [
{
"name": "",
"guid": "",
"type": ""
}
],
"ip_lists": [
{
"type": "",
"name": "",
"guid": ""
}
],
"exclusion_set": {
"name": "",
"guid": ""
},
"used_in_groups": [
{
"name": "",
"description": "",
"guid": ""
}
],
"inherited": ""
}
]
}
}

operation: Get All Policies

Input parameters

None

Output

The JSON output contains details for all policies retrieved from Cisco AMP cloud. Details include product, name, file lists, links, groups, and execution set.

The output contains the following populated JSON schema:
{
"data": [
{
"name": "",
"guid": "",
"product": "",
"default": "",
"serial_number": "",
"links": {
"policy": ""
}
}
]
}

operation: Get Specific Policy

Input parameters

Parameter Description
Policy GUID GUID of the policy for which you want to retrieve details from Cisco AMP cloud.

Output

The JSON output contains details for the policy retrieved based on the policy GUID you have specified from Cisco AMP cloud. Details include product, name, file lists, links, groups, and execution set.

The output contains the following populated JSON schema:
{
"data": {
"name": "",
"description": "",
"guid": "",
"product": "",
"default": "",
"serial_number": "",
"links": {
"policy_xml": ""
},
"file_lists": [
{
"name": "",
"guid": "",
"type": ""
}
],
"ip_lists": [
{
"type": "",
"name": "",
"guid": ""
}
],
"exclusion_set": {
"name": "",
"guid": ""
},
"used_in_groups": [
{
"name": "",
"description": "",
"guid": ""
}
]
}
}

Included playbooks

The Sample-Cisco AMP For Endpoints - 1.0.1 playbook collection comes bundled with the Cisco AMP For Endpoints connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco AMP For Endpoints connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

Previous
Next