Cisco Advanced Malware Protection (AMP)
App Vendor: Cisco
App Category: Network Security, Forensics & Malware Analysis
API Version: 1.0.0
Connector Version: 2.0.0
About App
The Cisco Advanced Malware Protection (AMP) application gives security teams threat intelligence, advanced sandboxing, and real-time malware blocking to prevent breaches. AMP continuously analyzes file activity across your extended network so that malware can be quickly detected, contained, and removed.
The Cisco Advanced Malware Protection (AMP) connector application for Orchestrate can perform the following actions.
Action Name | Description |
---|---|
Get Forensic Snapshot List | This action is used to get a list of forensic snapshots from Cisco AMP. |
Get Forensic Snapshot Details | This action is used to get details of a forensic snapshot. |
Get a List of Computer Vulnerabilities | This action is used to get a list of vulnerabilities observed on a specific computer. |
Get Computer Details | This action is used to get information about a specific computer. |
Get a List of User Activity | This action is used to search all computers for user activity across your organization. You can search for any events or activities associated with a file or network operation. |
Get a List of Indicators | This action is used to get a list of indicators. |
Get Indicator Details | This action is used to get the details of an Indicator. |
Stop Requested Isolation for Computer | This action is used to stop requested isolation for a computer. |
Request Isolation for Computer | This action is used to submit a request to isolate a computer. |
Check Computer Isolation Status | This action is used to get the isolation status of a computer. |
Get a List of Vulnerable Computers | This action is used to get a list of computers on which the vulnerability has been observed with respect to a given SHA-256 hash. |
Move Computer | This action is used to move a computer to a group, given the connector GUID and the group GUID. |
Get a List of Vulnerabilities | This action is used to get a list of vulnerabilities. |
Get Policy Details | This action is used to get details of a policy. |
Get a List of Policies | This action is used to get a list of policies. |
Get a List of Groups | This action is used to get a list of groups. |
Get Group Details | This action is used to get the details of a particular group. |
Get File Item Details from File List | This action is used to get the details of a particular item for a given file list. |
Get a List of Files from File List | This action is used to get a list of files from a particular file list. |
Get File List Details | This action is used to get the details of a file list for application blocking or simple custom detections. |
Get a List of Events | This action is used to get a list of events. |
Get Event Types | This action is used to get a list of event types. |
Get a List of Computers | This action is used to get a list of computers that have an agent installed. |
Get Computer Trajectory Details | This action is used to get a list of all activities associated with a particular computer. |
Get a List of Computer Activity | This action is used to search all computers across your organization for any events or activities associated with a file or network operation. |
Get Computer User Trajectory Details | This action is used to get a specific computer's trajectory for events with user name activity. |
Delete File Item from File List | This action is used to delete an item from a file list. |
Add SHA-256 to File List | This action is used to add a SHA-256 hash to a file list. |
Get a List of Blocked Applications | This action is used to get a list of blocked applications. |
Configuration Parameters
The following configuration parameters are used to configure the Cisco Advanced Malware Protection app in the Orchestrate application.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the Base URL for the Cisco AMP API Endpoint. For example, https://<your_client_id>:<your_api_key>@<api_endpoint> | Text | Required | |
Client Key | Enter the Cisco AMP client key. | Text | Required | |
API Key | Enter the API Key to access the Cisco AMP API Endpoints. | Text | Required |
Action: Get Forensic Snapshot List
This action is used to get a list of forensic snapshots from Cisco AMP.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Connector GUID | Specify the connector unique ID to filter the snapshot list. | Text | Optional | |
Limit | Specify the response limit. | Text | Optional |
Example Request
[ { "connector_guid":"Example Unique ID", "limit":"10" } ]
Action: Get Forensic Snapshot Details
This action is used to get details of a forensic snapshot.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Snapshot ID | Specify the Snapshot ID to get the details. | Text | Required |
Example Request
[ { "snapshot_id":"Example Unique ID" } ]
Action: Get a List of Computer Vulnerabilities
This action is used to get a list of vulnerabilities observed on a specific computer.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Connector GUID | Specify the connector unique ID to filter the vulnerabilities list. | Text | Required | |
Extra Params | Specify any extra parameters to filter the results. | Key-Value | Optional |
Example Request
[ { "connector_guid":"Example Connector ID", "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Get Computer Details
This action is used to get information about a specific computer.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Connector GUID | Specify the connector unique ID to filter the list. | Text | Required |
Example Request
[ { "connector_guid": "xxxc3d-46de-4476-xxxx-37xx059d" } ]
Action: Get a List of User Activity
This action is used to search all computers for user activity across your organization. You can search for any events or activities associated with a file or network operation.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query String | Enter the Query String to get the user activity. | Text | Required | |
Extra Params | Specify any extra parameters to filter the results. | Key-Value | Optional |
Example Request
[ { "query_string":"Example Query", "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Get a List of Indicators
This action is used to get a list of indicators.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Specify any extra parameters to filter the results. | Key-Value | Optional |
Example Request
[ { "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Get Indicator Details
This action is used to get the details of an indicator.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator ID | Specify the ID for the indicator. | Text | Required |
Example Request
[ { "indicator_guid": "3axxxxxb35-e8f4-483c-912f-dxxx48" } ]
Action: Stop Requested Isolation for Computer
This action is used to stop requested isolation for a computer.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Connector ID | Specify the connector unique ID to filter the list. | Text | Required | |
Comment | Enter the comment to describe the request. | Text | Required |
Example Request
[ { "comment": "The isolation request is not valid", "connector_guid": "984xx94-61e4-4bdf-9533-5axxxxx63" } ]
Action: Request Isolation for Computer
This action is used to submit a request to isolate a computer.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Connector ID | Specify the connector unique ID to filter the list. | Text | Required | |
Comment | Enter the comment to describe the request. | Text | Required | |
Unlock Code | Specify the Unlock Code for the computer. | Text | Required |
Example Request
[ { "comment": "test value", "unlock_code": "088", "connector_guid": "98xx4-61e4-4bdf-9533-5axx763" } ]
Action: Check Computer Isolation Status
This action is used to get the isolation status of a computer.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Connector ID | Specify the connector unique ID to filter the list. | Text | Required |
Example Request
[ { "connector_guid": "98x94-61e4-4bdf-9533-5axxa763" } ]
Action: Get a List of Vulnerable Computers
This action is used to get a list of computers on which the vulnerability has been observed with respect to a given SHA-256 hash.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
SHA-256 Hash | Specify the SHA Hash to look for vulnerable computers. | Text | Required | |
Extra Params | Specify any Extra Params required for filtering. | Key-Value | Optional |
Example Request
[ { "sha256":"Example hash", "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Move Computer
This action is used to move a computer to a group with a given connector GUID and GROUP GUID.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Connector ID | Specify the connector unique ID to filter the list. | Text | Required | |
Group ID | Specify the Group ID to move the computer. | Text | Required |
Example Request
[ { "group_guid": "2fx7e7-49ad-42ae-acc7-4xxfc", "connector_guid": "984xe94-61e4-4bdf-9533-5a1fxx763" } ]
Action: Get a List of Vulnerabilities
This action is used to get a list of vulnerabilities.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Specify any Extra Params required for filtering. | Key-Value | Optional |
Example Request
[ { "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Get Policy Details
This action is used to get details of a policy.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Policy ID | Specify the Policy ID to get the details. | Text | Required |
Example Request
[ { "policy_guid": "d4xc2-d4ab-49f4-b2e8-a5xx4754" } ]
Action: Get a List of Policies
This action is used to get a list of policies.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Specify any Extra Params required for filtering. | Key-Value | Optional |
Example Request
[ { "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Get a List of Groups
This action is used to get a list of groups.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Specify any Extra Params required for filtering. | Key-Value | Optional |
Example Request
[ { "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Get Group Details
This action is used to get the details of a particular group.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Group ID | Specify the group ID to get the details. | Text | Required |
Example Request
[ { "group_guid": "2f0xx7e7-49ad-42ae-acc7-49b4xxx9cfc" } ]
Action: Get File Item Details from File List
This action is used to get the details of a particular item for a given file list.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File List ID | Specify the ID for the list. | Text | Required | |
SHA-256 Hash | Specify the Hash for the file. | Text | Required |
Example Request
[ { "file_list_guid": "Example ID", "sha256": "Example SHA Hash" } ]
Action: Get a List of Files from File List
This action is used to get a list of files from a particular file list.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File List ID | Specify the ID for the list. | Text | Required | |
Extra Params | Specify any Extra Params required for filtering. | Key-Value | Optional |
Example Request
[ { "file_list_guid": "Example ID", "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Get File List Details
This action is used to get the details of a file list for application blocking or simple custom detections.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File List ID | Specify the ID for the list. | Text | Required |
Example Request
[ { "file_list_guid": "Example ID" } ]
Action: Get a List of Events
This action is used to get a list of events.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Specify any Extra Params required for filtering. | Key-Value | Optional |
Example Request
[ { "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Get Event Types
This action is used to get a list of event types.
Input Parameters
No input parameters are required for this action.
Action: Get a List of Computers
This action is used to get a list of computers that has an agent installed.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Specify any Extra Params required for filtering. | Key-Value | Optional |
Example Request
[ { "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Get Computer Trajectory Details
This action is used to get a list of all activities associated with a particular computer.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Connector ID | Specify the connector unique ID to filter the list. | Text | Required | |
Extra Params | Specify any extra parameters to filter the results. | Key-Value | Optional |
Example Request
[ { "connector_guid":"Example Connector ID", "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Get a List of Computer Activity
This action is used to search all computers across your organization for any events or activities associated with a file or network operation.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query String | Specify the Query String to get the list of activities. | Text | Required | Allowed Values: |
Extra Params | Specify any extra parameters to filter the results. | Key-Value | Optional |
Example Request
[ { "query_string":"Example Query", "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Get Computer User Trajectory Details
This action is used to get a specific computer's trajectory for events with user name activity.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Connector ID | Specify the connector unique ID to filter the list. | Text | Required | |
Extra Params | Specify any extra parameters to filter the results. | Key-Value | Optional |
Example Request
[ { "connector_guid":"Example Connector ID", "extra_params": { "limit":"10", "offset":"10" } } ]
Action: Delete File Item from File List
This action is used to delete an item from a file list.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File List ID | Specify the ID for the list. | Text | Required | |
SHA-256 Hash | Specify the Hash for the file. | Text | Required |
Example Request
[ { "file_list_guid": "Example ID", "sha256": "Example SHA Hash" } ]
Action: Add SHA-256 to File List
This action is used to add a SHA-256 hash to a file list.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File List ID | Specify the ID for the list. | Text | Required | |
SHA-256 Hash | Specify the Hash for the file. | Text | Required | |
Description | Enter the description to add to the file list. | Text | Required |
Example Request
[ { "file_list_guid": "Example ID", "sha256": "Example SHA Hash", "description": "Example description" } ]
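The two write actions above, Request Isolation for Computer and Add SHA-256 to File List, change endpoint state, so a playbook should validate its inputs before building the request. The following is an added example, not code from the connector or from Cisco; the request bodies follow the Example Request shapes on this page, while the SHA-256 and GUID formats checked here, and the sample values, are assumptions made for the example.

```python
import hashlib
import re

# Assumed formats: a SHA-256 is 64 hex characters, a GUID is 8-4-4-4-12 hex.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed sample values for the usage below (not real identifiers).
SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_SHA256 = hashlib.sha256(b"").hexdigest()  # digest of an empty file


def is_sha256(value):
    """True if value looks like a lower-case SHA-256 hex digest."""
    return bool(SHA256_RE.match(value))


def is_guid(value):
    """True if value looks like a connector, group, or file-list GUID."""
    return bool(GUID_RE.match(value))


def add_sha256_to_file_list(file_list_guid, sha256, description):
    """Build the body for 'Add SHA-256 to File List' (list with one object).

    The hash is normalised to lower case and rejected if malformed, so a
    truncated or mistyped hash cannot be silently added to a blocking list.
    """
    sha256 = sha256.strip().lower()
    if not is_sha256(sha256):
        raise ValueError("not a SHA-256 hex digest: %r" % sha256)
    if not is_guid(file_list_guid.lower()):
        raise ValueError("not a file list GUID: %r" % file_list_guid)
    if not description.strip():
        raise ValueError("description is required")
    return [{"file_list_guid": file_list_guid, "sha256": sha256,
             "description": description.strip()}]


def request_isolation(connector_guid, comment, unlock_code):
    """Build the body for 'Request Isolation for Computer'."""
    if not is_guid(connector_guid.lower()):
        raise ValueError("not a connector GUID: %r" % connector_guid)
    if not comment.strip() or not unlock_code.strip():
        raise ValueError("comment and unlock_code are required")
    return [{"comment": comment.strip(), "unlock_code": unlock_code.strip(),
             "connector_guid": connector_guid}]


if __name__ == "__main__":
    print(add_sha256_to_file_list(SAMPLE_GUID, SAMPLE_SHA256, "blocked sample"))
    print(request_isolation(SAMPLE_GUID, "contain host", "088"))
```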
Action: Get a List of Blocked Applications
This action is used to get a list of blocked applications.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Specify any extra parameters to filter the results. | Key-Value | Optional |
Example Request
[ { "extra_params": { "limit":"10", "offset":"10" } } ]