Cisco AMP for Endpoints
Cisco AMP for Endpoints is a security solution that protects endpoints from advanced threats through continuous monitoring and response.

Cisco AMP for Endpoints is a comprehensive security solution that provides advanced threat protection for endpoints. This connector allows Swimlane Turbine users to automate various security tasks such as policy management, device control, and firewall configuration. By integrating with Cisco AMP for Endpoints, users can enhance their security operations with automated threat detection, policy enforcement, and endpoint isolation, leading to improved response times and reduced manual effort.

Limitations

- The asset uses HTTP Basic authentication with your API client ID as the username and API key as the password. This is application-style access to the AMP API on behalf of your integration, not an interactive user session.
- Capabilities depend on what your Cisco account and API credentials are entitled to (for example, regional API hosts, v3 organization APIs, and forensic endpoints).
- API v1 / legacy endpoints (computers, groups, events, isolation, forensics, and related actions) use paths under the configured base URL (for example https://api.amp.cisco.com) as described in the v1 reference.
- API v3 policy actions require a Secure Endpoint organization identifier in the path. That identifier is the v3 organization ID from your tenant, which may differ from identifiers used only in older v1 flows.
- Policy and device control operations apply per organization and policy GUID as defined in the Policies API: https://developer.cisco.com/docs/secure-endpoint/policies/

Supported version

The connector is built against Cisco AMP for Endpoints / Secure Endpoint HTTP APIs:

- v1 (and related) API: used for computers, groups, events, isolation, move host, and forensic snapshot actions.
- v3 API: used for organization policies, policy types, and policy device control (USB mass storage and Windows portable device) actions, against the same configurable API base URL when your deployment exposes v3 (for example North America https://api.amp.cisco.com/v3 as the path prefix on the server documented in Cisco’s OpenAPI).

Refer to Cisco’s documentation for the exact base URL for your region (for example EU or other AMP cloud instances).

Configuration prerequisites

Before you can use the Cisco AMP for Endpoints connector for Turbine, you'll need access to the Cisco AMP API. This requires the following:

HTTP Basic authentication using the following parameters:

- API URL: the base URL for accessing the Cisco AMP API.
- API client ID: a unique identifier for your API client.
- API key: a secret key used to authenticate API requests.

Authentication methods

HTTP Basic (API client ID and API key)

Setup instructions

1. Sign in to the Cisco Secure Endpoint (AMP) management console for your organization.
2. Create or open an API credential that exposes an API client ID and API key (naming may vary slightly by console version).
3. Copy the client ID and API key into the connector asset: client ID → username, API key → password.
4. Set URL to your tenant’s API base (for example https://api.amp.cisco.com or your regional equivalent).

The connector sends requests with Authorization: Basic …, encoding those two values per RFC 7617.

Document references

- Secure Endpoint API overview: https://developer.cisco.com/docs/secure-endpoint/#!overview
- Secure Endpoint authentication: https://developer.cisco.com/docs/secure-endpoint/authentication
- Policies API (v3): https://developer.cisco.com/docs/secure-endpoint/policies/

Troubleshoot tips

- A 401 response usually means the client ID or API key is wrong, expired, or not enabled for the API you are calling.
- If v3 policy calls fail with “not found” or organization errors, confirm you are using the v3 organization identifier from your tenant, not a legacy-only identifier from older APIs.
- If v1 actions work but v3 actions do not, confirm your deployment and entitlements include the v3 API on the same or documented host.

Capabilities

- Apply an exclusion set to a policy
- Assign policy USB mass storage device control
- Assign policy Windows portable device control
- Create host firewall configuration
- Create organization policy
- Create rule for host firewall configuration
- Delete host firewall rule
- Delete host firewall configuration
- Delete a policy
- Display the XML for the policy
- Find a policy by ID
- Get computer information
- Get computers
- Get events
- Get forensic snapshot by ID
- and so on

API reference for each capability:

- Apply an exclusion set to a policy: https://developer.cisco.com/docs/secure-endpoint/policies/
- Assign policy USB mass storage device control: https://developer.cisco.com/docs/secure-endpoint/device-control/
- Assign policy Windows portable device control: https://developer.cisco.com/docs/secure-endpoint/device-control/
- Create host firewall configuration: https://developer.cisco.com/docs/secure-endpoint/policies/
- Create organization policy: https://developer.cisco.com/docs/secure-endpoint/policies/
- Create rule for host firewall configuration: https://developer.cisco.com/docs/secure-endpoint/host-firewall/
- Delete host firewall rule: https://developer.cisco.com/docs/secure-endpoint/policies/
- Delete host firewall configuration: https://developer.cisco.com/docs/secure-endpoint/host-firewall/
- Delete a policy: https://developer.cisco.com/docs/secure-endpoint/policies/
- Display the XML for the policy: https://developer.cisco.com/docs/secure-endpoint/policies/
- Find a policy by ID: https://developer.cisco.com/docs/secure-endpoint/policies/
- Get computer information: https://developer.cisco.com/docs/secure-endpoint/computers/#get-a-computer
- Get computers: https://developer.cisco.com/docs/secure-endpoint/computers/#list-computers
- Get events: https://developer.cisco.com/docs/secure-endpoint/events/
- Get forensic snapshot by ID: https://developer.cisco.com/docs/secure-endpoint/forensic-snapshots/
- Get forensic snapshots: https://developer.cisco.com/docs/secure-endpoint/forensic-snapshots/
- Get groups: https://developer.cisco.com/docs/secure-endpoint/groups/
- Get host firewall configuration: https://developer.cisco.com/docs/secure-endpoint/host-firewall/
- Get policy USB mass storage device control: https://developer.cisco.com/docs/secure-endpoint/device-control/
- Get policy Windows portable device control: https://developer.cisco.com/docs/secure-endpoint/device-control/
- Isolate computer: https://developer.cisco.com/docs/secure-endpoint/isolate-or-restore-endpoint/
- List computers using a policy: https://developer.cisco.com/docs/secure-endpoint/policies/
- List exclusion sets assigned to a policy: https://developer.cisco.com/docs/secure-endpoint/policies/
- List host firewall configurations: https://developer.cisco.com/docs/secure-endpoint/host-firewall/
- List organization policies: https://developer.cisco.com/docs/secure-endpoint/policies/
- List organization policy types: https://developer.cisco.com/docs/secure-endpoint/policies/
- List of groups used by a policy: https://developer.cisco.com/docs/secure-endpoint/policies/
- List the network control lists for a policy: https://developer.cisco.com/docs/secure-endpoint/policies/
- List the proxy settings for a policy: https://developer.cisco.com/docs/secure-endpoint/policies/
- Move host to group: https://developer.cisco.com/docs/secure-endpoint/groups/#move-a-computer-to-an-endpoint-group
- Remove policy USB mass storage device control: https://developer.cisco.com/docs/secure-endpoint/device-control/
- Remove policy Windows portable device control: https://developer.cisco.com/docs/secure-endpoint/device-control/
- Remove an exclusion set from a policy: https://developer.cisco.com/docs/secure-endpoint/policies/
- Show host firewall configuration rules: https://developer.cisco.com/docs/secure-endpoint/policies/
- Unisolate computer: https://developer.cisco.com/docs/secure-endpoint/isolate-or-restore-endpoint/
- Update host firewall rule: https://developer.cisco.com/docs/secure-endpoint/policies/

Configurations

HTTP Basic authentication

Authenticates using username and password.

Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | AMP for Endpoints API URL | string | Required |
| username | AMP for Endpoints API client ID | string | Required |
| password | AMP for Endpoints API key | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

Actions

Apply an exclusion set to a policy

Apply an exclusion set to a specified policy and organization in Cisco AMP for Endpoints using organizationIdentifier, policyGuid, and exclusionSetGuid.

Endpoint URL: /organizations/{{organizationIdentifier}}/policies/{{policyGuid}}/exclusion_sets
Method: POST

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.organizationIdentifier | string | Required | The identifier of the organization |
| path_parameters.policyGuid | string | Required | The GUID of the policy |
| exclusionSetGuid | string | Optional | The GUID of the exclusion set |

Input example

{"json_body": {"exclusionSetGuid": "3b8b0233-bcdd-484f-8954-21d24a93544b"}, "path_parameters": {"organizationIdentifier": "nha6c9dgeyfdeeihe1hdagav", "policyGuid": "dcbdc51f-5482-4add-8c33-ac7f161fc5e8"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example

{"status_code": 201, "response_headers": {}, "reason": "Created", "json_body": {}}

Assign policy USB mass storage device control

Assign a USB mass storage device control configuration to a policy in Cisco AMP for Endpoints using organization identifier, policy GUID, and configuration GUID.

Endpoint URL:
/v3/organizations/{{organization identifier}}/policies/{{policy guid}}/device control configuration/usb mass storage method put input argument name type required description path parameters organization identifier string required organization identifier for the secure endpoint tenant path parameters policy guid string required guid of the policy to update device control on configurationguid string optional guid of the device control configuration to assign input example {"json body" {"configurationguid" "8999990f 122c 4d40 a173 f124f5a323a2"},"path parameters" {"organization identifier" "nha6c9dgeyfdeeihe1hdagav","policy guid" "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}} output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta meta errors array error message if any output example {"status code" 204,"response headers" {},"reason" "no content"} assign policy windows portable device control assign a windows portable device control configuration to a policy in cisco amp for endpoints using organization identifier, policy guid, and configuration guid endpoint url /v3/organizations/{{organization identifier}}/policies/{{policy guid}}/device control configuration/windows portable device method put input argument name type required description path parameters organization identifier string required organization identifier for the secure endpoint tenant path parameters policy guid string required guid of the policy to update wpd device control on configurationguid string optional guid of the device control configuration to assign input example {"json body" {"configurationguid" "8999990f 122c 4d40 a173 f124f5a323a2"},"path parameters" {"organization identifier" "nha6c9dgeyfdeeihe1hdagav","policy guid" "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}} output parameter type description status code number http status code of the response reason string response reason phrase meta object output 
field meta meta errors array error message if any output example {"status code" 204,"response headers" {},"reason" "no content"} create host firewall configuration create a new host firewall configuration for an organization in cisco amp for endpoints requires organizationidentifier, name, and defaultaction endpoint url /organizations/{{organizationidentifier}}/host firewall/configurations method post input argument name type required description path parameters organizationidentifier string required the identifier of the organization name string optional name of the configuration description string optional description of the configuration defaultaction string optional default action for the configuration input example {"json body" {"name" "configuration name","description" "configuration description","defaultaction" "allow"},"path parameters" {"organizationidentifier" "nha6c9dgeyfdeeihe1hdagav"}} output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta data object response data data id number response data data guid string response data data name string response data data description string response data data defaultaction string response data data updatedat string response data data updatedby string response data output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"meta" {},"data" {"id" 3345,"guid" "aa4d84e2 cfbe 4d35 ad96 44e57188a2ab","name" "configuration name","description" "configuration description","defaultaction" "allow","updatedat" "2023 09 12t21 19 53 201z","updatedby" "jane doe"}}} create organization policy create a new policy from the default for the organization in cisco amp for endpoints requires organization identifier, name, policy type, and operating system endpoint url /v3/organizations/{{organization identifier}}/policies method post input argument name type required description path parameters organization identifier 
string required organization identifier for the secure endpoint tenant name string optional display name for the new policy description string optional optional human readable description of the policy policytype string optional policy type network, mobile, or workstation operatingsystem string optional target os windows, mac, linux, android, or ios input example {"json body" {"name" "audit","description" "report malicious files, but take no other action ","policytype" "workstation","operatingsystem" "windows"},"path parameters" {"organization identifier" "nha6c9dgeyfdeeihe1hdagav"}} output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta meta delete string output field meta delete meta proxy string output field meta proxy meta networkcontrollists string output field meta networkcontrollists meta exclusionsets string output field meta exclusionsets meta devicecontrolconfiguration string output field meta devicecontrolconfiguration meta hostfirewallconfiguration string output field meta hostfirewallconfiguration data object response data data name string response data data guid string response data data description string response data data createdat string response data data updatedat string response data data serialnumber number response data data orbital object response data data orbital enabled boolean response data data operatingsystem string response data data policytype string response data data default boolean response data data protectionsettings object response data data protectionsettings files string response data data protectionsettings network string response data data protectionsettings maliciousactivityprotection string response data output example {"status code" 201,"response headers" {"content type" "application/json"},"reason" "created","json body" {"meta" {"delete" "/v3/organizations/mtizndu2nzg5mdeymzq1njc/policies/73c9a3a1 e97d 4bc2 8597 a11b5 
","proxy" "/v3/organizations/mtizndu2nzg5mdeymzq1njc/policies/73c9a3a1 e97d 4bc2 8597 a11b5 ","networkcontrollists" "/v3/organizations/mtizndu2nzg5mdeymzq1njc/policies/73c9a3a1 e97d 4bc2 8597 a11b5 ","exclusionsets" "/v3/organizations/mtizndu2nzg5mdeymzq1njc/policies/73c9a3a1 e97d 4bc2 85 create rule for host firewall configuration create a new rule for a host firewall configuration in cisco amp for endpoints requires organizationidentifier, configurationguid, and json body parameters like name, action, direction, and more endpoint url /organizations/{{organizationidentifier}}/host firewall/configurations/{{configurationguid}}/rules method post input argument name type required description path parameters organizationidentifier string required the identifier of the organization path parameters configurationguid string required the guid of the configuration name string optional name of the configuration rule action string optional action to take when a request matches the rule direction string optional direction of the rule protocol string optional protocol of the rule audit boolean optional whether to audit the rule localip string optional valid ipv4 addresses, cidr blocks and comma or new line separated lists localports string optional local address port remoteip string optional valid ipv4 addresses, cidr blocks and comma or new line separated lists remoteports string optional remote address port ipfamily string optional ip family of the rule applicationpaths string optional a comma separated list of absolute paths input example {"json body" {"name" "rule name","action" "block","direction" "any","protocol" "any","audit"\ false,"localip" "any","localports" "any","remoteip" "any","remoteports" "any","ipfamily" "ipv4","applicationpaths" "any"},"path parameters" {"organizationidentifier" "nha6c9dgeyfdeeihe1hdagav","configurationguid" "d44d84e2 cfbe 4d35 ad96 3de57188a2ad"}} output parameter type description status code number http status code of the response reason 
string response reason phrase meta object output field meta meta self string output field meta self data object response data data guid string response data data action string response data data name string response data data direction string response data data localip string response data data localports string response data data remoteip string response data data remoteports string response data data protocol string response data output example {"status code" 201,"response headers" {},"reason" "created","json body" {"meta" {"self" "https //api amp cisco com/v3/organizations/vyjrlylfhqtwxfo1celzdpjk/host firewal "},"data" {"guid" "da6c4b7b cbb5 4922 a443 2771f580eabe","action" "block","name" "rule name","direction" "out","localip" "10 0 0 0","localports" "3600","remoteip" "0 0 0 0/0","remoteports" "any","protocol" "any"}}} delete a policy delete a specified policy from the organization in cisco amp for endpoints using organizationidentifier and policyguid as path parameters endpoint url /organizations/{{organizationidentifier}}/policies/{{policyguid}} method delete input argument name type required description path parameters organizationidentifier string required the identifier of the organization path parameters policyguid string required the guid of the policy input example {"path parameters" {"organizationidentifier" "nha6c9dgeyfdeeihe1hdagav","policyguid" "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"status code" 204,"response headers" {},"reason" "no content","response text" ""} delete host firewall configuration delete a host firewall configuration and associated rules in cisco amp for endpoints using organizationidentifier and configurationguid endpoint url /organizations/{{organizationidentifier}}/host firewall/configurations/{{configurationguid}} method delete input argument 
name type required description path parameters organizationidentifier string required the identifier of the organization path parameters configurationguid string required the guid of the configuration input example {"path parameters" {"organizationidentifier" "nha6c9dgeyfdeeihe1hdagav","configurationguid" "d44d84e2 cfbe 4d35 ad96 3de57188a2ad"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"status code" 204,"response headers" {},"reason" "no content","response text" ""} delete host firewall rule remove a host firewall rule from its configuration in cisco amp for endpoints using organizationidentifier and ruleguid endpoint url /organizations/{{organizationidentifier}}/host firewall/rules/{{ruleguid}} method delete input argument name type required description path parameters organizationidentifier string required the identifier of the organization path parameters ruleguid string required the guid of the rule input example {"path parameters" {"organizationidentifier" "nha6c9dgeyfdeeihe1hdagav","ruleguid" "9ac85fb4 9f68 4c9b b2b9 004ed167d912"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"status code" 204,"response headers" {},"reason" "no content","response text" ""} display the xml for the policy return the policy xml content for a specified policy and organization in cisco amp for endpoints using organizationidentifier and policyguid endpoint url /organizations/{{organizationidentifier}}/policies/{{policyguid}}/xml method get input argument name type required description path parameters organizationidentifier string required the identifier of the organization path parameters policyguid string required the guid of the policy input example {"path parameters" {"organizationidentifier" 
"nha6c9dgeyfdeeihe1hdagav","policyguid" "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {},"reason" "ok","json body" {}} find a policy by id retrieve policy data for a specified policy and organization in cisco amp for endpoints using organizationidentifier and policyguid endpoint url /organizations/{{organizationidentifier}}/policies/{{policyguid}} method get input argument name type required description path parameters organizationidentifier string required the identifier of the organization path parameters policyguid string required the guid of the policy input example {"path parameters" {"organizationidentifier" "nha6c9dgeyfdeeihe1hdagav","policyguid" "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}} output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta meta delete string output field meta delete meta proxy string output field meta proxy meta networkcontrollists string output field meta networkcontrollists meta exclusionsets string output field meta exclusionsets meta devicecontrolconfiguration string output field meta devicecontrolconfiguration data object response data data name string response data data guid string response data data description string response data data createdat string response data data updatedat string response data data serialnumber number response data data orbital object response data data orbital enabled boolean response data data operatingsystem string response data data policytype string response data data default boolean response data data protectionsettings object response data data protectionsettings files string response data data protectionsettings network string response data data protectionsettings maliciousactivityprotection string response data data protectionsettings 
systemprocessprotection string response data output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"meta" {"delete" "/v3/organizations/nha6c9dgeyfdeeihe1hdagav/policies/d44d84e2 cfbe 4d35 ad96 3de5 ","proxy" "/v3/organizations/nha6c9dgeyfdeeihe1hdagav/policies/d44d84e2 cfbe 4d35 ad96 3de5 ","networkcontrollists" "/v3/organizations/nha6c9dgeyfdeeihe1hdagav/policies/d44d84e2 cfbe 4d35 ad96 3de5 ","exclusionsets" "/v3/organizations/nha6c9dgeyfdeeihe1hdagav/policies/d44d84e2 cfbe 4d35 ad96 3de5 ","devicecontrolconfigurati get computer information retrieve detailed information about a specific computer in cisco amp for endpoints using the connector guid endpoint url /v1/computers/{{connector guid}} method get input argument name type required description path parameters connector guid string required parameters for the get computer information action input example {"path parameters" {"connector guid" "bad2c522 3052 4d75 93a0 832d6283c299"}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version metadata object response data metadata links object response data metadata links self string response data data object response data data connector guid string response data data hostname string response data data windows processor id string response data data active boolean response data data links object response data data links computer string response data data links trajectory string response data data links group string response data data connector version string response data data operating system string response data data os version string response data data internal ips array response data data external ip string response data data group guid string response data data install date string response data data is compromised boolean response data data demo boolean response data data csc id string response data output example {"status code" 
200,"response headers" {"content length" "140","content type" "application/json","date" "thu, 09 nov 2023 20 37 23 gmt"},"reason" "ok","json body" {"version" "v1 2 0","metadata" {"links" {}},"data" {"connector guid" "bad2c522 3052 4d75 93a0 832d6283c299","hostname" "demo amp","windows processor id" "195b0d8736e2af4","active"\ true,"links" {},"connector version" "99 0 99 20946","operating system" "windows 10","os version" "10 0 19044 1466","internal ips" \[],"external ip" "xxx xxx xx get computers fetch information about a specific computer in cisco amp for endpoints using the provided connector guid endpoint url /v1/computers method get input argument name type required description parameters last seen over number optional providing information by last seen over number of days ago parameters last seen within number optional providing information by last seen within number of days parameters group guid string optional providing information by group guid parameters external ip string optional providing information by external ip parameters internal ip string optional providing information by internal ip parameters hostname string optional providing information by hostname parameters kenna risk score string optional providing information by kenna risk score parameters processor id string optional providing information by windows processor id or mac hardware id parameters limit number optional to prevent the response from becoming too large, the number of items returned is limited by default to 5000 you can override this value by using the limit query parameter to specify a different number parameters offset number optional the number of items to skip before starting to collect the result set input example {"parameters" {"last seen over" 25,"last seen within" 30,"group guid" "6c3c2005 4c74 4ba7 8dbb c4d5b6bafe03","external ip" "10 23 154 46","internal ip" "192 168 100 101","hostname" "connector 1657546677","kenna risk score" "low","processor id" 
"b3sd42gb568s42n","limit" 100,"offset" 10}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version metadata object response data metadata links object response data metadata links self string response data metadata results object response data metadata results total number response data metadata results current item count number response data metadata results index number response data metadata results items per page number response data data array response data data connector guid string response data data hostname string response data data windows processor id string response data data active boolean response data data links object response data data links computer string response data data links trajectory string response data data links group string response data data connector version string response data data operating system string response data data os version string response data data internal ips array response data data internal ips file name string response data output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "thu, 09 nov 2023 20 37 23 gmt"},"reason" "ok","json body" {"version" "v1 2 0","metadata" {"links" {},"results" {}},"data" \[{}]}} get events fetch a list of security events from cisco amp for endpoints to monitor and analyze endpoint activities endpoint url /v1/events method get input argument name type required description parameters event type number optional parameters for the get events action parameters limit number optional parameters for the get events action parameters start date string optional parameters for the get events action parameters offset number optional parameters for the get events action parameters detection sha256 string optional parameters for the get events action parameters application sha256 string optional parameters for the get events action 
parameters group guid string optional parameters for the get events action
parameters connector guid string optional parameters for the get events action

input example

```json
{"parameters": {"event type": 10,"limit": 9,"start date": "2022 03 18t11 20 06+00 00","offset": 3,"detection sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","application sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","group guid": "e766a0e9 96da 41b9 b1e8 87dd010d6b68","connector guid": "538738f5 3a14 4449 933b 86142553de06"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| version | string | output field version |
| metadata | object | response data |
| metadata links | object | response data |
| metadata links self | string | response data |
| metadata links next | string | response data |
| metadata results | object | response data |
| metadata results total | number | response data |
| metadata results current item count | number | response data |
| metadata results index | number | response data |
| metadata results items per page | number | response data |
| data | array | response data |

output example

```json
{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "thu, 09 nov 2023 20 37 23 gmt"},"reason": "ok","json body": {"version": "v1 2 0","metadata": {"links": {},"results": {}},"data": [{}]}}
```

get forensic snapshot by id

retrieve details of a specific forensic snapshot in cisco amp for endpoints using the forensic snapshot id path parameter. the details are available under data snapshot.

endpoint url: `/v1/forensic snapshots/{{forensic snapshot id}}`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters forensic snapshot id | string | required | parameters for the get forensic snapshot by id action |

input example

```json
{"path parameters": {"forensic snapshot id": "sz9ujioqudmahslsq r6oa"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |

output example

```json
{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "thu, 09 nov 2023 20 37 23 gmt"},"reason": "ok","json body": {}}
```

get forensic snapshots

return details of a specific forensic snapshot in cisco amp for endpoints, with information available under data snapshot.

endpoint url: `/v1/forensic snapshots`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| parameters limit | number | optional | parameters for the get forensic snapshots action |

input example

```json
{"parameters": {"limit": 10}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| version | string | output field version |
| metadata | object | response data |
| metadata links | object | response data |
| metadata links self | string | response data |
| metadata results | object | response data |
| metadata results total | number | response data |
| metadata results current item count | number | response data |
| metadata results index | number | response data |
| metadata results items per page | number | response data |
| data | array | response data |
| data connector guid | string | response data |
| data user email | string | response data |
| data url | string | response data |
| data triggered by | string | response data |

output example

```json
{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "thu, 09 nov 2023 20 37 23 gmt"},"reason": "ok","json body": {"version": "v1 2 0","metadata": {"links": {},"results": {}},"data": [{},{}]}}
```

get groups

fetch a list of groups filtered by name in cisco amp for endpoints.

endpoint url: `/v1/groups`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| parameters name | string | optional | parameters for the get groups action |
| parameters limit | number | optional | to prevent the response from becoming too large, the number of items returned is limited by default to 5000. you can override this value by using the limit query parameter to specify a different number |

input example

```json
{"parameters": {"name": "name","limit": 20}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| version | string | output field version |
| metadata | object | response data |
| metadata links | object | response data |
| metadata links self | string | response data |
| metadata results | object | response data |
| metadata results total | number | response data |
| metadata results current item count | number | response data |
| metadata results index | number | response data |
| metadata results items per page | number | response data |
| data | array | response data |
| data name | string | response data |
| data description | string | response data |
| data guid | string | response data |
| data source | string | response data |
| data links | object | response data |
| data links group | string | response data |

output example

```json
{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "thu, 09 nov 2023 20 37 23 gmt"},"reason": "ok","json body": {"version": "v1 2 0","metadata": {"links": {},"results": {}},"data": [{}]}}
```

get host firewall configuration

get the details of a host firewall configuration in cisco amp for endpoints using organizationidentifier and configurationguid as path parameters.

endpoint url: `/organizations/{{organizationidentifier}}/host firewall/configurations/{{configurationguid}}`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters organizationidentifier | string | required | the identifier of the organization |
| path parameters configurationguid | string | required | the guid of the configuration |

input example

```json
{"path parameters": {"organizationidentifier": "nha6c9dgeyfdeeihe1hdagav","configurationguid": "d44d84e2 cfbe 4d35 ad96 3de57188a2ad"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta edit | string | output field meta edit |
| data | object | response data |
| data id | number | response data |
| data guid | string | response data |
| data name | string | response data |
| data description | string | response data |
| data defaultaction | string | response data |
| data updatedat | string | response data |
| data updatedby | string | response data |

output example

```json
{"status code": 200,"response headers": {},"reason": "ok","json body": {"meta": {"edit": "/v3/organizations/sdfvsdfkn5nj3kjhn3we/host firewall/configurations/e2b62351 067 "},"data": {"id": 3345,"guid": "aa4d84e2 cfbe 4d35 ad96 44e57188a2ab","name": "configuration name","description": "configuration description","defaultaction": "allow","updatedat": "2023 09 12t21 19 53 201z","updatedby": "jane doe"}}}
```

get policy usb mass storage device control

retrieve usb mass storage device control settings for a specific policy in cisco amp for endpoints using organization identifier and policy guid.

endpoint url: `/v3/organizations/{{organization identifier}}/policies/{{policy guid}}/device control configuration/usb mass storage`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters organization identifier | string | required | organization identifier for the secure endpoint tenant |
| path parameters policy guid | string | required | guid of the policy to read device control from |

input example

```json
{"path parameters": {"organization identifier": "nha6c9dgeyfdeeihe1hdagav","policy guid": "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta canonical | string | output field meta canonical |
| meta errors | array | error message if any |
| data | object | response data |
| data guid | string | response data |
| data name | string | response data |
| data description | string | response data |
| data permitted | boolean | response data |

output example

```json
{"status code": 200,"response headers": {"content type": "application/json"},"reason": "ok","json body": {"meta": {"canonical": "/v3/organizations/nha6c9dgeyfdeeihe1hdagav/device control/configurations/aa4d84e "},"data": {"guid": "aa4d84e2 cfbe 4d35 ad96 44e57188a2ad","name": "main config","description": "config description","permitted": true}}}
```

get policy windows portable device control

get windows portable device control configuration for a policy in cisco amp for endpoints using organization identifier and policy guid.

endpoint url: `/v3/organizations/{{organization identifier}}/policies/{{policy guid}}/device control configuration/windows portable device`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters organization identifier | string | required | organization identifier for the secure endpoint tenant |
| path parameters policy guid | string | required | guid of the policy to read wpd device control from |

input example

```json
{"path parameters": {"organization identifier": "nha6c9dgeyfdeeihe1hdagav","policy guid": "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta canonical | string | output field meta canonical |
| meta errors | array | error message if any |
| data | object | response data |
| data guid | string | response data |
| data name | string | response data |
| data description | string | response data |
| data permitted | boolean | response data |

output example

```json
{"status code": 200,"response headers": {"content type": "application/json"},"reason": "ok","json body": {"meta": {"canonical": "/v3/organizations/nha6c9dgeyfdeeihe1hdagav/device control/configurations/aa4d84e "},"data": {"guid": "aa4d84e2 cfbe 4d35 ad96 44e57188a2ad","name": "main config","description": "config description","permitted": true}}}
```

isolate computer

request isolation for a computer in cisco amp for endpoints using the connector guid as a path parameter.

endpoint url: `/v1/computers/{{connector guid}}/isolation`
method: put

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters connector guid | string | required | parameters for the isolate computer action |
| comment | string | optional | parameter for isolate computer |

input example

```json
{"json body": {"comment": "a comment"},"path parameters": {"connector guid": "bad2c522 3052 4d75 93a0 832d6283c299"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| version | string | output field version |
| metadata | object | response data |
| metadata links | object | response data |
| metadata links self | string | response data |
| data | object | response data |
| data available | boolean | response data |
| data status | string | response data |
| data unlock code | string | response data |
| data comment | string | response data |

output example

```json
{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "thu, 09 nov 2023 20 37 23 gmt"},"reason": "ok","json body": {"version": "v1 2 0","metadata": {"links": {}},"data": {"available": true,"status": "pending start","unlock code": "unlockme","comment": "this is a comment about locking the computer"}}}
```

list computers using a policy

retrieve a list of computers associated with a specified policy and organization in cisco amp for endpoints. requires organizationidentifier, policyguid, and size parameters.

endpoint url: `/organizations/{{organizationidentifier}}/policies/{{policyguid}}/exclusion sets`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| parameters size | number | required | limits the number of computers returned |
| parameters start | number | optional | zero based index of first computer to include (api default 0) |
| path parameters organizationidentifier | string | required | the identifier of the organization |
| path parameters policyguid | string | required | the guid of the policy |

input example

```json
{"parameters": {"size": 50,"start": 0},"path parameters": {"organizationidentifier": "nha6c9dgeyfdeeihe1hdagav","policyguid": "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta start | number | output field meta start |
| meta size | number | output field meta size |
| meta total | number | output field meta total |
| data | array | response data |
| data hostname | string | response data |
| data guid | string | response data |

output example

```json
{"status code": 200,"response headers": {},"reason": "ok","json body": {"meta": {"start": 0,"size": 10,"total": 11},"data": [{"hostname": "demo sfeicar","guid": "c47e67f4 acc9 42da 8af7 16ed2c990f7d"},{"hostname": "demo tinba","guid": "84e4216a 4aee 484b 920d 78c6ae04321b"},{"hostname": "demo command line arguments meterpreter","guid": "8cd2efa5 4fd6 4b3a 9d67 963b5238899a"}]}}
```

list exclusion sets assigned to a policy

retrieve a list of exclusion sets assigned to a specified policy and organization in cisco amp for endpoints. requires organizationidentifier, policyguid, and size parameters.

endpoint url: `/organizations/{{organizationidentifier}}/policies/{{policyguid}}/exclusion sets`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| parameters size | number | required | number of exclusion sets to include (api default 50) |
| parameters start | number | optional | zero based index of first exclusion set to include (api default 0) |
| path parameters organizationidentifier | string | required | the identifier of the organization |
| path parameters policyguid | string | required | the guid of the policy |

input example

```json
{"parameters": {"size": 50,"start": 0},"path parameters": {"organizationidentifier": "nha6c9dgeyfdeeihe1hdagav","policyguid": "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta start | number | output field meta start |
| meta size | number | output field meta size |
| meta total | number | output field meta total |
| data | array | response data |
| data name | string | response data |
| data guid | string | response data |
| data operatingsystem | string | response data |

output example

```json
{"status code": 200,"response headers": {},"reason": "ok","json body": {"meta": {"start": 0,"size": 1,"total": 40},"data": [{}]}}
```

list host firewall configurations

retrieve a list of host firewall configurations for a specified organization in cisco amp for endpoints. requires organizationidentifier and size parameters.

endpoint url: `/organizations/{{organizationidentifier}}/host firewall/configurations`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| parameters size | number | required | desired number of returned entries |
| parameters start | number | optional | starting position or offset of the desired first entry |
| path parameters organizationidentifier | string | required | the identifier of the organization |

input example

```json
{"parameters": {"size": 2,"start": 0},"path parameters": {"organizationidentifier": "nha6c9dgeyfdeeihe1hdagav"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta start | number | output field meta start |
| meta size | number | output field meta size |
| meta total | number | output field meta total |
| meta create | string | output field meta create |
| data | array | response data |
| data id | number | response data |
| data guid | string | response data |
| data name | string | response data |
| data description | string | response data |
| data defaultaction | string | response data |
| data updatedat | string | response data |
| data updatedby | string | response data |

output example

```json
{"status code": 200,"response headers": {},"reason": "ok","json body": {"meta": {"start": 0,"size": 2,"total": 10,"create": "/v3/organizations/<organizationidentifier>/host firewall/configurations"},"data": [{},{}]}}
```

list of groups used by a policy

retrieve a list of groups associated with a specified policy and organization in cisco amp for endpoints. requires organizationidentifier, policyguid, and size parameters.

endpoint url: `/organizations/{{organizationidentifier}}/policies/{{policyguid}}/groups`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| parameters size | number | required | number of groups to include (api default 50) |
| parameters start | number | optional | zero based index of first group to include (api default 0) |
| path parameters organizationidentifier | string | required | the identifier of the organization |
| path parameters policyguid | string | required | the guid of the policy |

input example

```json
{"parameters": {"size": 50,"start": 0},"path parameters": {"organizationidentifier": "nha6c9dgeyfdeeihe1hdagav","policyguid": "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta start | number | output field meta start |
| meta size | number | output field meta size |
| meta total | number | output field meta total |
| data | array | response data |
| data name | string | response data |
| data guid | string | response data |
| data permitted | boolean | response data |
| data parentguid | string | response data |

output example

```json
{"status code": 200,"response headers": {},"reason": "ok","json body": {"meta": {"start": 0,"size": 10,"total": 2},"data": [{},{}]}}
```

list organization policies

list policies for an organization in cisco amp for endpoints using optional filters like organization identifier and size.

endpoint url: `/v3/organizations/{{organization identifier}}/policies`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters organization identifier | string | required | organization identifier for the secure endpoint tenant |
| parameters size | number | required | maximum number of policies to return (api default 50) |
| parameters start | number | optional | zero based index of first policy to include (api default 0) |
| parameters sortby | string | optional | sort field: name, product, or modified |
| parameters direction | string | optional | sort direction: asc or desc (api default asc) |
| parameters policytype | string | optional | filter by policy type: network, mobile, or workstation |
| parameters operatingsystem | string | optional | filter by windows, mac, linux, android, or ios |
| parameters orbital | string | optional | filter by orbital enabled or disabled |
| parameters search | string | optional | filter policies matching the search string |
| parameters filter | string | optional | filter by device control guid (e.g. devicecontrol==guid) |

input example

```json
{"parameters": {"size": 50,"start": 0,"sortby": "name","direction": "asc"},"path parameters": {"organization identifier": "nha6c9dgeyfdeeihe1hdagav"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta start | number | output field meta start |
| meta size | number | output field meta size |
| meta total | number | output field meta total |
| meta create | string | output field meta create |
| data | array | response data |
| data name | string | response data |
| data guid | string | response data |
| data description | string | response data |
| data createdat | string | response data |
| data updatedat | string | response data |
| data serialnumber | number | response data |
| data operatingsystem | string | response data |
| data policytype | string | response data |

output example

```json
{"status code": 200,"response headers": {"content type": "application/json"},"reason": "ok","json body": {"meta": {"start": 0,"size": 1,"total": 100,"create": "/v3/organizations/nha6c9dgeyfdeeihe1hdagav/policies"},"data": [{}]}}
```

list organization policy types

list available policy types and operating systems for a specified organization in cisco amp for endpoints using the organization identifier.

endpoint url: `/v3/organizations/{{organization identifier}}/policy types`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters organization identifier | string | required | organization identifier for the secure endpoint tenant |

input example

```json
{"path parameters": {"organization identifier": "nha6c9dgeyfdeeihe1hdagav"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| data | array | response data |
| data name | string | response data |
| data operatingsystems | array | response data |
| data operatingsystems name | string | response data |
| data operatingsystems hasconnectorsupport | boolean | response data |
| data operatingsystems distributions | array | response data |
| data operatingsystems distributions guid | string | response data |
| data operatingsystems distributions name | string | response data |
| data operatingsystems distributions version | string | response data |
| data operatingsystems distributions organization | string | response data |
| data operatingsystems distributions minimumsupportversion | string | response data |

output example

```json
{"status code": 200,"response headers": {"content type": "application/json"},"reason": "ok","json body": {"meta": {},"data": [{},{},{}]}}
```

list the network control lists for a policy

return a list of network control lists for a specified policy and organization in cisco amp for endpoints. requires organizationidentifier, policyguid, and size parameters.

endpoint url: `/organizations/{{organizationidentifier}}/policies/{{policyguid}}/network control lists`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| parameters size | number | required | number of network control lists to include (api default 50) |
| parameters start | number | optional | zero based index of first network control list to include (api default 0) |
| path parameters organizationidentifier | string | required | the identifier of the organization |
| path parameters policyguid | string | required | the guid of the policy |

input example

```json
{"parameters": {"size": 50,"start": 0},"path parameters": {"organizationidentifier": "nha6c9dgeyfdeeihe1hdagav","policyguid": "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta start | number | output field meta start |
| meta size | number | output field meta size |
| meta total | number | output field meta total |
| data | array | response data |
| data guid | string | response data |
| data name | string | response data |
| data type | string | response data |
| data permitted | boolean | response data |

output example

```json
{"status code": 200,"response headers": {},"reason": "ok","json body": {"meta": {"start": 0,"size": 5,"total": 2},"data": [{},{}]}}
```

list the proxy settings for a policy

returns proxy settings for the specified policy and organization in cisco amp for endpoints. requires organizationidentifier and policyguid as path parameters.

endpoint url: `/organizations/{{organizationidentifier}}/policies/{{policyguid}}/proxy`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters organizationidentifier | string | required | the identifier of the organization |
| path parameters policyguid | string | required | the guid of the policy |

input example

```json
{"path parameters": {"organizationidentifier": "nha6c9dgeyfdeeihe1hdagav","policyguid": "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| data | object | response data |
| data proxytype | string | response data |
| data hostname | string | response data |
| data port | number | response data |

output example

```json
{"status code": 200,"response headers": {},"reason": "ok","json body": {"data": {"proxytype": "http proxy","hostname": "examplehostname","port": 1234}}}
```

move host to group

move a host to a specified group in cisco amp for endpoints using connector guid and group guid.

endpoint url: `/v1/computers/{{connector guid}}`
method: patch

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters connector guid | string | required | parameters for the move host to group action |
| parameters group guid | string | required | parameters for the move host to group action |

input example

```json
{"parameters": {"group guid": "6c3c2005 4c74 4ba7 8dbb c4d5b6bafe03"},"path parameters": {"connector guid": "bad2c522 3052 4d75 93a0 832d6283c299"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| version | string | output field version |
| metadata | object | response data |
| metadata links | object | response data |
| metadata links self | string | response data |
| data | object | response data |
| data connector guid | string | response data |
| data hostname | string | response data |
| data windows processor id | string | response data |
| data active | boolean | response data |
| data links | object | response data |
| data links computer | string | response data |
| data links trajectory | string | response data |
| data links group | string | response data |
| data connector version | string | response data |
| data operating system | string | response data |
| data os version | string | response data |
| data internal ips | array | response data |
| data external ip | string | response data |
| data group guid | string | response data |
| data install date | string | response data |
| data is compromised | boolean | response data |
| data demo | boolean | response data |
| data csc id | string | response data |

output example

```json
{"status code": 202,"response headers": {"content length": "140","content type": "application/json","date": "thu, 09 nov 2023 20 37 23 gmt"},"reason": "ok","json body": {"version": "v1 2 0","metadata": {"links": {}},"data": {"connector guid": "bad2c522 3052 4d75 93a0 832d6283c299","hostname": "demo amp","windows processor id": "195b0d8736e2af4","active": true,"links": {},"connector version": "99 0 99 20946","operating system": "windows 10","os version": "10 0 19044 1466","internal ips": [],"external ip": "xxx xxx xx
```

remove an exclusion set from a policy

remove an exclusion set from a specified policy and organization in cisco amp for endpoints using organizationidentifier, policyguid, and exclusionsetguid.

endpoint url: `/organizations/{{organizationidentifier}}/policies/{{policyguid}}/exclusion sets/{{exclusionsetguid}}`
method: delete

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters organizationidentifier | string | required | the identifier of the organization |
| path parameters policyguid | string | required | the guid of the policy |
| path parameters exclusionsetguid | string | required | the guid of the exclusion set |

input example

```json
{"path parameters": {"organizationidentifier": "nha6c9dgeyfdeeihe1hdagav","policyguid": "dcbdc51f 5482 4add 8c33 ac7f161fc5e8","exclusionsetguid": "3b8b0233 bcdd 484f 8954 21d24a93544b"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| response text | string | output field response text |

output example

```json
{"status code": 204,"response headers": {},"reason": "no content","response text": ""}
```

remove policy usb mass storage device control

remove usb mass storage device control configuration from a policy in cisco amp for endpoints using organization identifier and policy guid.

endpoint url: `/v3/organizations/{{organization identifier}}/policies/{{policy guid}}/device control configuration/usb mass storage`
method: delete

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters organization identifier | string | required | organization identifier for the secure endpoint tenant |
| path parameters policy guid | string | required | guid of the policy to clear device control from |

input example

```json
{"path parameters": {"organization identifier": "nha6c9dgeyfdeeihe1hdagav","policy guid": "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta errors | array | error message if any |

output example

```json
{"status code": 204,"response headers": {},"reason": "no content"}
```

remove policy windows portable device control

remove windows portable device control configuration from a policy in cisco amp for endpoints using organization identifier and policy guid.

endpoint url: `/v3/organizations/{{organization identifier}}/policies/{{policy guid}}/device control configuration/windows portable device`
method: delete

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters organization identifier | string | required | organization identifier for the secure endpoint tenant |
| path parameters policy guid | string | required | guid of the policy to clear wpd device control from |

input example

```json
{"path parameters": {"organization identifier": "nha6c9dgeyfdeeihe1hdagav","policy guid": "dcbdc51f 5482 4add 8c33 ac7f161fc5e8"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta errors | array | error message if any |

output example

```json
{"status code": 204,"response headers": {},"reason": "no content"}
```

show host firewall configuration rules

retrieve a paginated list of host firewall configuration rules in cisco amp for endpoints using organizationidentifier, configurationguid, and size.

endpoint url: `/organizations/{{organizationidentifier}}/host firewall/configurations/{{configurationguid}}/rules`
method: get

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| parameters size | number | required | desired number of returned entries |
| path parameters organizationidentifier | string | required | the identifier of the organization |
| path parameters configurationguid | string | required | the guid of the configuration |

input example

```json
{"parameters": {"size": 2},"path parameters": {"organizationidentifier": "nha6c9dgeyfdeeihe1hdagav","configurationguid": "d44d84e2 cfbe 4d35 ad96 3de57188a2ad"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| meta | object | output field meta |
| meta start | number | output field meta start |
| meta size | number | output field meta size |
| meta total | number | output field meta total |
| data | array | response data |
| data 0 | object | response data |
| data 0 name | string | response data |
| data 0 guid | string | response data |
| data 1 | object | response data |
| data 1 name | string | response data |
| data 1 guid | string | response data |

output example

```json
{"status code": 200,"response headers": {},"reason": "ok","json body": {"meta": {"start": 0,"size": 2,"total": 10},"data": [[]]}}
```

unisolate computer

stop isolation on a computer in cisco amp for endpoints using the connector guid.

endpoint url: `/v1/computers/{{connector guid}}/isolation`
method: delete

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters connector guid | string | required | parameters for the unisolate computer action |
| comment | string | optional | parameter for unisolate computer |

input example

```json
{"json body": {"comment": "a comment"},"path parameters": {"connector guid": "bad2c522 3052 4d75 93a0 832d6283c299"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| version | string | output field version |
| metadata | object | response data |
| metadata links | object | response data |
| metadata links self | string | response data |
| data | object | response data |
| data available | boolean | response data |
| data status | string | response data |
| data unlock code | string | response data |
| data comment | string | response data |

output example

```json
{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "thu, 09 nov 2023 20 37 23 gmt"},"reason": "ok","json body": {"version": "v1 2 0","metadata": {"links": {}},"data": {"available": true,"status": "pending stop","unlock code": "unlockme","comment": "this is a comment about unlocking"}}}
```

update host firewall rule

update the details of a host firewall rule in cisco amp for endpoints using organizationidentifier, ruleguid, and other parameters like name, action, direction, protocol, and more.

endpoint url: `/organizations/{{organizationidentifier}}/host firewall/rules/{{ruleguid}}`
method: put

input

| argument name | type | required | description |
| --- | --- | --- | --- |
| path parameters organizationidentifier | string | required | the identifier of the organization |
| path parameters ruleguid | string | required | the guid of the rule |
| name | string | optional | name of the configuration rule |
| action | string | optional | action to take when a request matches the rule |
| direction | string | optional | direction of the rule |
| protocol | string | optional | protocol of the rule |
| audit | boolean | optional | whether to audit the rule |
| localip | string | optional | valid ipv4 addresses, cidr blocks and comma or new line separated lists |
| localports | string | optional | local address port |
| remoteip | string | optional | valid ipv4 addresses, cidr blocks and comma or new line separated lists |
| remoteports | string | optional | remote address port |
| ipfamily | string | optional | ip family of the rule |
| applicationpaths | string | optional | a comma separated list of absolute paths |

input example

```json
{"json body": {"name": "rule name","action": "block","direction": "any","protocol": "any","audit": false,"localip": "any","localports": "any","remoteip": "any","remoteports": "any","ipfamily": "ipv4","applicationpaths": "any"},"path parameters": {"organizationidentifier": "string","ruleguid": "string"}}
```

output

| parameter | type | description |
| --- | --- | --- |
| status code | number | http status code of the response |
| reason | string | response reason phrase |
| response text | string | output field response text |

output example

```json
{"status code": 204,"response headers": {},"reason": "no content","response text": ""}
```

response headers

| header | description | example |
| --- | --- | --- |
| content length | the length of the response body in bytes | 140 |
| content type | the media type of the resource | application/json |
| date | the date and time at which the message was originated | thu, 09 nov 2023 20 37 23 gmt |
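The policy list actions above (computers, exclusion sets, groups, network control lists, host firewall configurations) page with `size` and `start` and report `meta` `total`, and the page's own output example for computers shows a total of 11 behind a page of 10. The sketch below is an added example, not Swimlane or Cisco code: it walks every page, de-duplicates by `guid`, and reports whether the inventory is complete. `collect_all`, `fetch_page` and `make_fake_api` are hypothetical names, and the records are constructed sample data.

```python
from typing import Callable, Dict, List, Tuple

# fetch_page(start, size) must return the parsed "json body" of one list call.
# How the call is made (connector action, HTTP client) is left to the caller.
FetchPage = Callable[[int, int], Dict[str, object]]


class PaginationError(RuntimeError):
    """The response did not have the meta/data shape shown in the output examples."""


def collect_all(fetch_page: FetchPage, size: int = 50,
                max_pages: int = 1000) -> Tuple[List[dict], bool]:
    """Walk a start/size paginated list and return (items, complete).

    complete is False when the number of unique items differs from the last
    reported meta total, which happens when the inventory changes mid-walk.
    """
    if size < 1:
        raise ValueError("size must be a positive integer")
    items: List[dict] = []
    seen_guids = set()
    start, total = 0, 0
    for _ in range(max_pages):
        body = fetch_page(start, size)
        meta, data = body.get("meta"), body.get("data")
        if not isinstance(meta, dict) or not isinstance(data, list):
            raise PaginationError("response lacks a meta object or data array")
        total = meta.get("total")
        if isinstance(total, bool) or not isinstance(total, int) or total < 0:
            raise PaginationError("meta total is missing or not a count")
        for item in data:
            guid = item.get("guid") if isinstance(item, dict) else None
            if not guid:
                raise PaginationError("list item without a guid")
            # Offset paging can repeat an item when entries shift between calls.
            if guid not in seen_guids:
                seen_guids.add(guid)
                items.append(item)
        # Advance by what was actually returned, not by the requested size.
        start += len(data)
        if not data or start >= total:
            break
    else:
        raise PaginationError("max_pages reached before the end of the list")
    return items, len(items) == total


def make_fake_api(records: List[dict], calls: List[Tuple[int, int]]) -> FetchPage:
    """Constructed in-memory stand-in for a list action, for offline runs."""
    def fetch_page(start: int, size: int) -> Dict[str, object]:
        calls.append((start, size))
        page = records[start:start + size]
        return {"meta": {"start": start, "size": len(page), "total": len(records)},
                "data": page}
    return fetch_page


def demo() -> Tuple[int, bool, List[Tuple[int, int]]]:
    # Constructed sample inventory: 11 computers, matching the total in the
    # page's output example; hostnames and guids are made up.
    records = [{"hostname": f"constructed-host-{i:02d}",
                "guid": f"00000000-0000-4000-8000-{i:012d}"} for i in range(11)]
    calls: List[Tuple[int, int]] = []
    items, complete = collect_all(make_fake_api(records, calls), size=10)
    return len(items), complete, calls


if __name__ == "__main__":
    print(demo())
```

Treat a `complete` value of `False` as a reason to re-run the walk before acting on the list, for example before concluding that a host is not covered by a device control policy.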