Cisco AMP for Endpoints
The Cisco AMP for Endpoints connector integrates with Swimlane to get computer, get group, and move host to group.

## Prerequisites

The Cisco AMP for Endpoints asset requires an API client ID, API key, and API URL.

## Capabilities

The Cisco AMP for Endpoints connector has the following capabilities:

- Get Computers
- Get Computer Information
- Get Events
- Get Forensic Snapshots
- Get Forensic Snapshot by ID
- Get Groups
- Isolate Computer
- Move Host to Group
- Unisolate Computer

## API Documentation

For more information, see https://developer.cisco.com/docs/secure-endpoint/#!overview.

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | AMP for Endpoints API URL | string | required |
| username | AMP for Endpoints API client ID | string | required |
| password | AMP for Endpoints API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Computer Information

Shows information about a specific computer.

Endpoint URL: `/v1/computers/{{connector_guid}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.connector_guid | string | required | Parameters for the Get Computer Information action |

Input example:

```json
{"path_parameters": {"connector_guid": "bad2c522-3052-4d75-93a0-832d6283c299"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| version | string | Output field version |
| metadata | object | Response data |
| metadata.links | object | Response data |
| metadata.links.self | string | Response data |
| data | object | Response data |
| data.connector_guid | string | Response data |
| data.hostname | string | Response data |
| data.windows_processor_id | string | Response data |
| data.active | boolean | Response data |
| data.links | object | Response data |
| data.links.computer | string | Response data |
| data.links.trajectory | string | Response data |
| data.links.group | string | Response data |
| data.connector_version | string | Response data |
| data.operating_system | string | Response data |
| data.os_version | string | Response data |
| data.internal_ips | array | Response data |
| data.external_ip | string | Response data |
| data.group_guid | string | Response data |
| data.install_date | string | Response data |
| data.is_compromised | boolean | Response data |
| data.demo | boolean | Response data |
| data.csc_id | string | Response data |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 09 Nov 2023 20:37:23 GMT"},
  "reason": "OK",
  "json_body": {
    "version": "v1.2.0",
    "metadata": {"links": {}},
    "data": {
      "connector_guid": "bad2c522-3052-4d75-93a0-832d6283c299",
      "hostname": "Demo_AMP",
      "windows_processor_id": "195b0d8736e2af4",
      "active": true,
      "links": {},
      "connector_version": "99.0.99.20946",
      "operating_system": "Windows 10",
      "os_version": "10.0.19044.1466",
      "internal_ips": [],
      "external_ip": "xxx.xxx.xx
```

### Get Computers

Fetch information about a specific computer with the given connector GUID.

Endpoint URL: `/v1/computers`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.last_seen_over | number | optional | Providing information by last seen over number of days ago |
| parameters.last_seen_within | number | optional | Providing information by last seen within number of days |
| parameters.group_guid | string | optional | Providing information by group GUID |
| parameters.external_ip | string | optional | Providing information by external IP |
| parameters.internal_ip | string | optional | Providing information by internal IP |
| parameters.hostname | string | optional | Providing information by hostname |
| parameters.kenna_risk_score | string | optional | Providing information by Kenna risk score |
| parameters.processor_id | string | optional | Providing information by Windows processor ID or Mac hardware ID |
| parameters.limit | number | optional | To prevent the response from becoming too large, the number of items returned is limited by default to 5000. You can override this value by using the limit query parameter to specify a different number. |
| parameters.offset | number | optional | The number of items to skip before starting to collect the result set |

Input example:

```json
{"parameters": {"last_seen_over": 25, "last_seen_within": 30, "group_guid": "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03", "external_ip": "10.23.154.46", "internal_ip": "192.168.100.101", "hostname": "connector-1657546677", "kenna_risk_score": "low", "processor_id": "b3sd42gb568s42n", "limit": 100, "offset": 10}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| version | string | Output field version |
| metadata | object | Response data |
| metadata.links | object | Response data |
| metadata.links.self | string | Response data |
| metadata.results | object | Response data |
| metadata.results.total | number | Response data |
| metadata.results.current_item_count | number | Response data |
| metadata.results.index | number | Response data |
| metadata.results.items_per_page | number | Response data |
| data | array | Response data |
| data.connector_guid | string | Response data |
| data.hostname | string | Response data |
| data.windows_processor_id | string | Response data |
| data.active | boolean | Response data |
| data.links | object | Response data |
| data.links.computer | string | Response data |
| data.links.trajectory | string | Response data |
| data.links.group | string | Response data |
| data.connector_version | string | Response data |
| data.operating_system | string | Response data |
| data.os_version | string | Response data |
| data.internal_ips | array | Response data |
| data.internal_ips.file_name | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 09 Nov 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"version": "v1.2.0", "metadata": {"links": {}, "results": {}}, "data": [{}]}}
```

### Get Events

Fetch a list of events.

Endpoint URL: `/v1/events`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.event_type | number | optional | Parameters for the Get Events action |
| parameters.limit | number | optional | Parameters for the Get Events action |
| parameters.start_date | string | optional | Parameters for the Get Events action |
| parameters.offset | number | optional | Parameters for the Get Events action |
| parameters.detection_sha256 | string | optional | Parameters for the Get Events action |
| parameters.application_sha256 | string | optional | Parameters for the Get Events action |
| parameters.group_guid | string | optional | Parameters for the Get Events action |
| parameters.connector_guid | string | optional | Parameters for the Get Events action |

Input example:

```json
{"parameters": {"event_type": 10, "limit": 9, "start_date": "2022-03-18T11:20:06+00:00", "offset": 3, "detection_sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", "application_sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", "group_guid": "e766a0e9-96da-41b9-b1e8-87dd010d6b68", "connector_guid": "538738f5-3a14-4449-933b-86142553de06"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| version | string | Output field version |
| metadata | object | Response data |
| metadata.links | object | Response data |
| metadata.links.self | string | Response data |
| metadata.links.next | string | Response data |
| metadata.results | object | Response data |
| metadata.results.total | number | Response data |
| metadata.results.current_item_count | number | Response data |
| metadata.results.index | number | Response data |
| metadata.results.items_per_page | number | Response data |
| data | array | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 09 Nov 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"version": "v1.2.0", "metadata": {"links": {}, "results": {}}, "data": [{}]}}
```

### Get Forensic Snapshot by ID

Returns details for a specific available forensic snapshot. The details are under `data.snapshot`.

Endpoint URL: `/v1/forensic_snapshots/{{forensic_snapshot_id}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.forensic_snapshot_id | string | required | Parameters for the Get Forensic Snapshot by ID action |

Input example:

```json
{"path_parameters": {"forensic_snapshot_id": "sz9ujioqudmahslsq-r6oa"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 09 Nov 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {}}
```

### Get Forensic Snapshots

Returns details for a specific available forensic snapshot. The details are under `data.snapshot`.

Endpoint URL: `/v1/forensic_snapshots`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Parameters for the Get Forensic Snapshots action |

Input example:

```json
{"parameters": {"limit": 10}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| version | string | Output field version |
| metadata | object | Response data |
| metadata.links | object | Response data |
| metadata.links.self | string | Response data |
| metadata.results | object | Response data |
| metadata.results.total | number | Response data |
| metadata.results.current_item_count | number | Response data |
| metadata.results.index | number | Response data |
| metadata.results.items_per_page | number | Response data |
| data | array | Response data |
| data.connector_guid | string | Response data |
| data.user_email | string | Response data |
| data.url | string | Response data |
| data.triggered_by | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 09 Nov 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"version": "v1.2.0", "metadata": {"links": {}, "results": {}}, "data": [{}, {}]}}
```

### Get Groups

Fetch a list of groups filtered by name.

Endpoint URL: `/v1/groups`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.name | string | optional | Parameters for the Get Groups action |
| parameters.limit | number | optional | To prevent the response from becoming too large, the number of items returned is limited by default to 5000. You can override this value by using the limit query parameter to specify a different number. |

Input example:

```json
{"parameters": {"name": "name", "limit": 20}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| version | string | Output field version |
| metadata | object | Response data |
| metadata.links | object | Response data |
| metadata.links.self | string | Response data |
| metadata.results | object | Response data |
| metadata.results.total | number | Response data |
| metadata.results.current_item_count | number | Response data |
| metadata.results.index | number | Response data |
| metadata.results.items_per_page | number | Response data |
| data | array | Response data |
| data.name | string | Response data |
| data.description | string | Response data |
| data.guid | string | Response data |
| data.source | string | Response data |
| data.links | object | Response data |
| data.links.group | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 09 Nov 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"version": "v1.2.0", "metadata": {"links": {}, "results": {}}, "data": [{}]}}
```

### Isolate Computer

Request isolation for a computer.

Endpoint URL: `/v1/computers/{{connector_guid}}/isolation`

Method: PUT

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.connector_guid | string | required | Parameters for the Isolate Computer action |
| comment | string | optional | Parameter for Isolate Computer |

Input example:

```json
{"json_body": {"comment": "a comment"}, "path_parameters": {"connector_guid": "bad2c522-3052-4d75-93a0-832d6283c299"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| version | string | Output field version |
| metadata | object | Response data |
| metadata.links | object | Response data |
| metadata.links.self | string | Response data |
| data | object | Response data |
| data.available | boolean | Response data |
| data.status | string | Response data |
| data.unlock_code | string | Response data |
| data.comment | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 09 Nov 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"version": "v1.2.0", "metadata": {"links": {}}, "data": {"available": true, "status": "pending_start", "unlock_code": "unlockme", "comment": "this is a comment about locking the computer"}}}
```

### Move Host to Group

Move a host to a specified group.

Endpoint URL: `/v1/computers/{{connector_guid}}`

Method: PATCH

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.connector_guid | string | required | Parameters for the Move Host to Group action |
| parameters.group_guid | string | required | Parameters for the Move Host to Group action |

Input example:

```json
{"parameters": {"group_guid": "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"}, "path_parameters": {"connector_guid": "bad2c522-3052-4d75-93a0-832d6283c299"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| version | string | Output field version |
| metadata | object | Response data |
| metadata.links | object | Response data |
| metadata.links.self | string | Response data |
| data | object | Response data |
| data.connector_guid | string | Response data |
| data.hostname | string | Response data |
| data.windows_processor_id | string | Response data |
| data.active | boolean | Response data |
| data.links | object | Response data |
| data.links.computer | string | Response data |
| data.links.trajectory | string | Response data |
| data.links.group | string | Response data |
| data.connector_version | string | Response data |
| data.operating_system | string | Response data |
| data.os_version | string | Response data |
| data.internal_ips | array | Response data |
| data.external_ip | string | Response data |
| data.group_guid | string | Response data |
| data.install_date | string | Response data |
| data.is_compromised | boolean | Response data |
| data.demo | boolean | Response data |
| data.csc_id | string | Response data |

Output example (truncated in the source):

```json
{
  "status_code": 202,
  "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 09 Nov 2023 20:37:23 GMT"},
  "reason": "OK",
  "json_body": {
    "version": "v1.2.0",
    "metadata": {"links": {}},
    "data": {
      "connector_guid": "bad2c522-3052-4d75-93a0-832d6283c299",
      "hostname": "Demo_AMP",
      "windows_processor_id": "195b0d8736e2af4",
      "active": true,
      "links": {},
      "connector_version": "99.0.99.20946",
      "operating_system": "Windows 10",
      "os_version": "10.0.19044.1466",
      "internal_ips": [],
      "external_ip": "xxx.xxx.xx
```

### Unisolate Computer

Stop isolation on a computer.

Endpoint URL: `/v1/computers/{{connector_guid}}/isolation`

Method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.connector_guid | string | required | Parameters for the Unisolate Computer action |
| comment | string | optional | Parameter for Unisolate Computer |

Input example:

```json
{"json_body": {"comment": "a comment"}, "path_parameters": {"connector_guid": "bad2c522-3052-4d75-93a0-832d6283c299"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| version | string | Output field version |
| metadata | object | Response data |
| metadata.links | object | Response data |
| metadata.links.self | string | Response data |
| data | object | Response data |
| data.available | boolean | Response data |
| data.status | string | Response data |
| data.unlock_code | string | Response data |
| data.comment | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 09 Nov 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"version": "v1.2.0", "metadata": {"links": {}}, "data": {"available": true, "status": "pending_stop", "unlock_code": "unlockme", "comment": "this is a comment about unlocking"}}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 09 Nov 2023 20:37:23 GMT |
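As an added example (not Swimlane's connector code), the following stdlib-only Python client shows the two parts of this API that are easy to get wrong in a response playbook: walking `/v1/computers` with `limit`/`offset` by reading `metadata.results` instead of assuming a fixed page count, and treating the `pending_start`/`pending_stop` status returned by the isolation PUT/DELETE as "not yet confirmed" while retaining `unlock_code`. The base URL, Basic-auth mapping (client ID as user, API key as password) and the injectable `transport` are assumptions so the code runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request


def basic_auth_headers(client_id: str, api_key: str) -> dict:
    # The connector authenticates with HTTP Basic: client ID as user, API key as password.
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def http_transport(method: str, url: str, headers: dict, body=None):
    """Real transport (stdlib only). Returns (status_code, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    hdrs = {**headers, "Content-Type": "application/json"} if data else headers
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read())


def iter_computers(base_url: str, headers: dict, transport, page_size=500, **filters):
    """Yield every computer matching `filters` (hostname, group_guid, ...), paging with
    limit/offset and stopping on metadata.results rather than a guessed page count."""
    offset = 0
    while True:
        query = urllib.parse.urlencode({**filters, "limit": page_size, "offset": offset})
        status, body = transport("GET", f"{base_url}/v1/computers?{query}", headers)
        if status != 200:
            raise RuntimeError(f"GET /v1/computers failed with HTTP {status}")
        results = body["metadata"]["results"]
        yield from body["data"]
        offset += results["current_item_count"]
        if results["current_item_count"] == 0 or offset >= results["total"]:
            return


def set_isolation(base_url: str, headers: dict, transport, connector_guid: str,
                  isolate: bool, comment: str):
    """PUT requests isolation, DELETE stops it. data.status is only 'pending_start' /
    'pending_stop' until the connector checks in, so callers must re-read the status
    later; data.unlock_code is what releases the host locally and must be kept."""
    method = "PUT" if isolate else "DELETE"
    url = f"{base_url}/v1/computers/{connector_guid}/isolation"
    status, body = transport(method, url, headers, {"comment": comment})
    if status != 200:
        raise RuntimeError(f"{method} {url} failed with HTTP {status}")
    return body["data"]["status"], body["data"].get("unlock_code")
```

Pass `http_transport` as `transport` for live use; the constructed fake below stands in for the API during testing.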