Cisco AMP
Integration version: 17.0
Configure Cisco Secure Endpoint to work with Google Security Operations SOAR
Generating Client ID and API Key:
Log into Cisco Secure Endpoint console for North America or Cisco Secure Endpoint console for Europe.
Go to Accounts > Business and click Edit.
Under features, click Regenerate to generate the Client ID and secure API Key.
Once you have the API client ID and API key, you can make the API calls as follows: https://<your_client_id>:<your_api_key>@<api_endpoint>
Alternatively, you can use Basic HTTP Authentication. Base64 encode the string <your_client_id>:<your_api_key>, and send that, prefixed with the string "Basic ", as the Authorization header.
For instance, if your client_id was 1234 and your api_key was "atest", then "1234:atest" would be base64 encoded to MTIzNDphdGVzdA==, and your header would be:
Authorization: Basic MTIzNDphdGVzdA==
Base64 encoding
The client ID and API key can be encoded with a tool such as Base64 Decode and Encode.
Type the client ID and API key in the format Client_ID:API_Key and encode the result to produce the Basic HTTP Authentication credential.
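The header construction above, as an added example that is not part of the integration's own code: it builds and checks the Basic credential (the page's 1234:atest pair gives Basic MTIzNDphdGVzdA==) and sends a request with the credential in the header rather than in the URL, over verified TLS. The path /v1/computers/<connector_guid> and the function names are assumptions.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlsplit


def build_basic_auth_header(client_id: str, api_key: str) -> str:
    """Return the Authorization header value for client_id:api_key.

    A ':' inside client_id would make the credential ambiguous on decode,
    so it is rejected up front.
    """
    if ":" in client_id:
        raise ValueError("client_id must not contain ':'")
    token = base64.b64encode(f"{client_id}:{api_key}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth_header(header: str) -> tuple:
    """Inverse of build_basic_auth_header, handy for checking a captured header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    client_id, sep, api_key = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("decoded credential lacks the ':' separator")
    return client_id, api_key


def api_get(api_root: str, path: str, client_id: str, api_key: str, timeout: float = 30) -> dict:
    """GET api_root + path with header-based auth over verified TLS.

    api_root is the integration's API Root value (e.g. https://api.amp.cisco.com);
    path is a versioned path such as /v1/computers/<connector_guid> (assumed here).
    The credential goes in the header, not the URL, so it does not land in
    proxy or web-server access logs.
    """
    parts = urlsplit(api_root)
    if parts.scheme != "https":
        raise ValueError("API root must use https so the credential is not sent in clear text")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the API root URL")
    request = urllib.request.Request(api_root.rstrip("/") + path)
    request.add_header("Authorization", build_basic_auth_header(client_id, api_key))
    request.add_header("Accept", "application/json")
    # create_default_context() verifies the server certificate and hostname,
    # which is what the integration's "Use SSL" / "Verify SSL" options enable.
    context = ssl.create_default_context()
    with urllib.request.urlopen(request, timeout=timeout, context=context) as response:
        return json.load(response)
```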
Network
Function | Default Port | Direction | Protocol |
---|---|---|---|
API | Multivalues | Outbound | apikey |
Configure Cisco AMP integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
Description | String | N/A | No | Description of the Instance. |
API Root | String | https://api.amp.cisco.com | Yes | Specify the Cisco Secure Endpoint API root URL. |
Client ID | String | N/A | Yes | Specify the Client ID. |
API Key | Password | N/A | Yes | Specify the Cisco Secure Endpoint API key. |
Use SSL | Checkbox | Unchecked | No | If enabled, verifies that the SSL certificate for the connection to the Cisco Secure Endpoint server is valid. |
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Add File to File List
Description
Add a SHA-256 to a specific file list.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
File Name List | String | N/A | Yes | Name of the file list to add the hash to, for example File Blacklist. |
Description | String | N/A | Yes | Description of the file. |
Run On
This action runs on the File entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
Create Group
Description
Create a new group.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Group Name | String | N/A | Yes | The name of the new group. |
Group Description | String | N/A | Yes | The description of the new group. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
group_name | True/False | group_name:False |
JSON Result
{
  "source": "Created via API",
  "guid": "c5e2099d-3aeb-4dc2-add4-42fb01d05c51",
  "name": "test",
  "policies": [{
    "product": "windows",
    "description": "This policy puts the AMP for Endpoints Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked.",
    "links": {
      "policy": "https://api.amp.cisco.com/v1/policies/a8ba7d10-de10-42a6-a6e4-8d679f5b1ec2",
      "policy_xml": "https://api.amp.cisco.com/v1/policies/a8ba7d10-de10-42a6-a6e4-8d679f5b1ec2.xml"
    },
    "default": true,
    "file_lists": [{
      "guid": "cef9b12e-4a25-4f1a-93f4-3836ebd97ed5",
      "type": "simple_custom_detections",
      "name": "File Blacklist"
    },
    {
      "guid": "38c1a9eb-0389-4f12-8084-96f5ee62d72e",
      "type": "application_blocking",
      "name": "Execution Blacklist"
    },
    {
      "guid": "3133128e-5455-4e74-82c5-1ff3c816c414",
      "type": "application_whitelist",
      "name": "File Whitelist"
    }],
    "ip_lists": [],
    "used_in_groups": [{
      "guid": "d3f8be3c-e53b-4b31-a8b7-a78a69b74ea1",
      "name": "Audit",
      "description": "Audit Group for Partner-Siemplify"
    }],
    "inherited": false,
    "serial_number": 28,
    "guid": "a8ba7d10-de10-42a6-a6e4-8d679f5b1ec2",
    "exclusion_sets": [{
      "guid": "43fc08b5-c603-4c24-9b4d-501d342f443c",
      "name": "Workstation Exclusions"
    }],
    "name": "Audit"
  }],
  "description": "added by siemplify!"
}
Get Computer Info
Description
Get details about a computer.
Parameters
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
Entities are marked as Suspicious (True) if they exceed threshold. Else: False.
Enrichment Field Name | Logic - When to apply |
---|---|
Demo_AMP | Returns if it exists in JSON result |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
{
"Demo_AMP":
{
"operating_system": "Windows 7, SP 1.0",
"connector_guid": "f719857b-5474-467f-803c-00393616cdcf",
"network_addresses":
[{
"ip": "1.1.1.1",
"mac": "18:ac:08:1f:49:13"
}],
"faults": [],
"external_ip": "1.1.1.1",
"group_guid": "bcaafdfb-bf15-4f65-81e0-58b14624ff26",
"hostname": "Demo_AMP",
"install_date": "2018-05-09T14:51:04Z",
"connector_version": "1.1.1.1",
"internal_ips": ["92.168.133.146"],
"policy":
{
"guid": "d04fbbc0-fc5d-45d9-94f6-9e53f5079c2f",
"name": "Triage"
},
"active": true,
"last_seen": "2018-05-09T14:51:04Z"
}
}
Get Computers by File Hash
Description
Fetch a list of computers that have observed files with the given SHA-256 value.
Run On
This action runs on the Filehash entity.
Action Results
Entity Enrichment
Entities are marked as Suspicious (True) if they exceed threshold. Else: False.
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[{
"EntityResult":
{
"0":
{
"connector_guid": "abfe956e-8b67-4d5c-9353-1b490cdad8b2",
"links":
{
"trajectory": "https://api.amp.cisco.com/v1/computers/abfe956e-8b67-4d5c-9353-1b490cdad8b2/trajectory",
"computer": "https://api.amp.cisco.com/v1/computers/abfe956e-8b67-4d5c-9353-1b490cdad8b2",
"group": "https://api.amp.cisco.com/v1/groups/1d7e90f6-b6b6-49ba-90ab-a8fe13d8f3d4"
},
"group_guid": "1d7e90f6-b6b6-49ba-90ab-a8fe13d8f3d4",
"active": "True",
"operating_system": "Windows Server 2012 R2, SP 0.0",
"network_addresses":
[{
"ip": "10.0.0.4",
"mac": "00:0d:3a:4e:fc:6e"
},
{
"ip": "10.212.134.201",
"mac": "00:09:0f:aa:00:01"
}],
"faults": [],
"external_ip": "13.72.107.194",
"hostname": "poc-JuanV",
"install_date": "2019-04-29T19:37:06Z",
"connector_version": "6.2.9.10881",
"internal_ips": ["10.0.0.4", " 10.212.134.201"],
"policy":
{
"guid": "9d8be508-fbec-457a-a0eb-c0cb82be482c",
"name": "Server"
},
"last_seen": "2019-05-28T11:46:32Z"
}
},
"Entity": "entityIdentifier"
}]
Get Computers by File Name
Description
Fetch a list of computers that have observed files with the given file name.
Run On
This action runs on the Filehash entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[{
"EntityResult":
{
"0":
{
"connector_guid": "abfe956e-8b67-4d5c-9353-1b490cdad8b2",
"links":
{
"trajectory": "https://api.amp.cisco.com/v1/computers/abfe956e-8b67-4d5c-9353-1b490cdad8b2/trajectory",
"computer": "https://api.amp.cisco.com/v1/computers/abfe956e-8b67-4d5c-9353-1b490cdad8b2",
"group": "https://api.amp.cisco.com/v1/groups/1d7e90f6-b6b6-49ba-90ab-a8fe13d8f3d4"
},
"group_guid": "1d7e90f6-b6b6-49ba-90ab-a8fe13d8f3d4",
"active": "True",
"operating_system": "Windows Server 2012 R2, SP 0.0",
"network_addresses":
[{
"ip": "10.0.0.4",
"mac": "00:0d:3a:4e:fc:6e"
},
{
"ip": "10.212.134.201",
"mac": "00:09:0f:aa:00:01"
}],
"faults": [],
"external_ip": "13.72.107.194",
"hostname": "poc-JuanV",
"install_date": "2019-04-29T19:37:06Z",
"connector_version": "6.2.9.10881",
"internal_ips": ["10.0.0.4", " 10.212.134.201"],
"policy":
{
"guid": "9d8be508-fbec-457a-a0eb-c0cb82be482c",
"name": "Server"
},
"last_seen": "2019-05-28T11:46:32Z"
}
},
"Entity": "entityIdentifier"
}]
Get Computers by Network Activity (IP)
Description
Fetch a list of computers that have connected to the given IP address.
Parameters
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
Entities are marked as Suspicious (True) if they exceed threshold. Else: False.
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[{
"EntityResult":
{
"0":
{
"connector_guid": "abfe956e-8b67-4d5c-9353-1b490cdad8b2",
"links":
{
"trajectory": "https://api.amp.cisco.com/v1/computers/abfe956e-8b67-4d5c-9353-1b490cdad8b2/trajectory",
"computer": "https://api.amp.cisco.com/v1/computers/abfe956e-8b67-4d5c-9353-1b490cdad8b2",
"group": "https://api.amp.cisco.com/v1/groups/1d7e90f6-b6b6-49ba-90ab-a8fe13d8f3d4"
},
"group_guid": "1d7e90f6-b6b6-49ba-90ab-a8fe13d8f3d4",
"active": "True",
"operating_system": "Windows Server 2012 R2, SP 0.0",
"network_addresses":
[{
"ip": "10.0.0.4",
"mac": "00:0d:3a:4e:fc:6e"
},
{
"ip": "10.212.134.201",
"mac": "00:09:0f:aa:00:01"
}],
"faults": [],
"external_ip": "13.72.107.194",
"hostname": "poc-JuanV",
"install_date": "2019-04-29T19:37:06Z",
"connector_version": "6.2.9.10881",
"internal_ips": ["10.0.0.4", " 10.212.134.201"],
"policy":
{
"guid": "9d8be508-fbec-457a-a0eb-c0cb82be482c",
"name": "Server"
},
"last_seen": "2019-05-28T11:46:32Z"
}
},
"Entity": "entityIdentifier"
}]
Get Computers by Network Activity (URL)
Description
Fetch a list of computers that have connected to the given hostname or URL.
Run On
This action runs on the following entities:
- Hostname
- URL
Action Results
Entity Enrichment
Entities are marked as Suspicious (True) if they exceed threshold. Else: False.
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[{
"EntityResult":
{
"0":
{
"connector_guid": "abfe956e-8b67-4d5c-9353-1b490cdad8b2",
"links":
{
"trajectory": "https://api.amp.cisco.com/v1/computers/abfe956e-8b67-4d5c-9353-1b490cdad8b2/trajectory",
"computer": "https://api.amp.cisco.com/v1/computers/abfe956e-8b67-4d5c-9353-1b490cdad8b2",
"group": "https://api.amp.cisco.com/v1/groups/1d7e90f6-b6b6-49ba-90ab-a8fe13d8f3d4"
},
"group_guid": "1d7e90f6-b6b6-49ba-90ab-a8fe13d8f3d4",
"active": "True",
"operating_system": "Windows Server 2012 R2, SP 0.0",
"network_addresses":
[{
"ip": "10.0.0.4",
"mac": "00:0d:3a:4e:fc:6e"
},
{
"ip": "10.212.134.201",
"mac": "00:09:0f:aa:00:01"
}],
"faults": [],
"external_ip": "13.72.107.194",
"hostname": "poc-JuanV",
"install_date": "2019-04-29T19:37:06Z",
"connector_version": "6.2.9.10881",
"internal_ips": ["10.0.0.4", " 10.212.134.201"],
"policy":
{
"guid": "9d8be508-fbec-457a-a0eb-c0cb82be482c",
"name": "Server"
},
"last_seen": "2019-05-28T11:46:32Z"
}
},
"Entity": "entityIdentifier"
}]
File List Items
Description
Get the items listed in a given file list.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
File List Name | String | N/A | Yes | Name of the file list, for example File Blacklist. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
Items | True/False | items:False |
JSON Result
{
"Items":
[{
"source": "Created by uploading 1_Credit Card Magnetic Tracks - Notepad (2).TXT via Web from 1.1.1.1.",
"sha256": "640e9583763fa553069a4984f8df5e81d6890897a6eb0f5de881218e3ed409c8",
"description": ""
},
{
"source": "Created by entering SHA-256 via Public api.",
"sha256": "5fd924625f6ab16a19cc9807c7c506ae1813490e4ba675f843d5a10e0baacdb8",
"description": "Added by Siemplify"
},
{
"source": "Created by entering SHA-256 via Public api.",
"sha256": "1248712441dbbf43bb37f91d626a020e7e0f4486f050142034b8a267b06a2f0c",
"description": "Added by Siemplify"
}],
"guid": "cef9b12e-4a25-4f1a-93f4-3836ebd97ed5",
"name": "File Blacklist"
}
Get File Lists by Policy
Description
Get the file lists that are assigned in a policy.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Policy Name | String | N/A | Yes | The name of the policy, for example Triage. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
File_Lists | N/A | N/A |
JSON Result
{
"1":
{
"guid": "38c1a9eb-0389-4f12-8084-96f5ee62d72e",
"type": "application_blocking",
"name": "Execution Blacklist"
},
"0":
{
"guid": "cef9b12e-4a25-4f1a-93f4-3836ebd97ed5",
"type": "simple_custom_detections",
"name": "File Blacklist"
},
"2":
{
"guid": "3133128e-5455-4e74-82c5-1ff3c816c414",
"type": "application_whitelist",
"name": "File Whitelist"
}
}
Get Groups
Description
Get group details.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
Groups | N/A | N/A |
JSON Result
{
"1":
{
"source": "Created via API",
"guid": "1111111111111111111111",
"name": "TestGroup",
"description": "Group created by Siemplify"
},
"0":
{
"source": null,
"guid": "1111111111111111111111",
"name": "Audit",
"description": "Audit Group for Partner-Siemplify"
}
}
Get Policies
Description
Get policy details.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
Policies | N/A | N/A |
JSON Result
{
"1":
{
"product": "ios",
"name": "Audit",
"default": true,
"serial_number": 38,
"guid": "1111111111111111",
"description": "This policy puts Clarity in a mode that will log and alert on convictions but not block traffic."
},
"0":
{
"product": "android",
"name": "Protect",
"default": true,
"serial_number": 11,
"guid": "1111111111111111",
"description": "This is the standard policy for the AMP for Endpoints Connector that will quarantine malicious files and block malicious network connections."
}
}
Ping
Description
Test connectivity to Cisco Secure Endpoint.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
Isolate Machine
Description
Isolate a host so it will stop network traffic to and from the isolated host.
Parameters
N/A
Use Cases
Ransomware Detected on a host:
- Stop ransomware process.
- Delete ransomware if possible.
- Isolate host.
Run On
This action runs on the following entities:
- Host
- Internal IP
- External IP
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "data": {
    "available": true,
    "status": "isolated",
    "unlock_code": "kzhduj",
    "comment": "Host pending investigation",
    "isolated_by": "Meny Har"
  }
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful: "Target Host was isolated successfully: {host}/{Internal IP}/{External IP}". If unsuccessful: "Target Host was not isolated successfully". The action should fail and stop a playbook execution on a critical error, like wrong credentials or lost connectivity: "Some errors occurred. Please check log." | General |
Unisolate Machine
Description
Stop isolation on a host to allow network traffic to and from the previously isolated host.
Run On
This action runs on the following entities:
- Host
- Internal IP
- External IP
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "data": {
    "available": true,
    "status": "isolated",
    "unlock_code": "kzhduj",
    "comment": "Host confirmed:Infection free",
    "isolated_by": "Meny Har"
  }
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful: print "Target Host was unisolated successfully: {host}/{Internal IP}/{External IP}". If unsuccessful: print "Target Host was not unisolated successfully". The action should fail and stop a playbook execution on a critical error, like wrong credentials or lost connectivity: "Some errors occurred. Please check log." | General |
Connector
Cisco AMP - Security Events Connector
Description
Pull security events from Cisco Secure Endpoint into Google Security Operations SOAR.
Configure Cisco AMP - Security Events Connector on Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
Event Field Name | String | eventType | Yes | Enter the source field name in order to retrieve the Event Field name. |
Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
API Root | String | https://{{ip address}} | Yes | API root of the Cisco Secure Endpoint instance. |
Client ID | String | N/A | Yes | Cisco Secure Endpoint Client ID. |
API Key | Password | N/A | Yes | Cisco Secure Endpoint API Key. |
Lowest Severity To Fetch | String | N/A | No | Severity that will be used to fetch events. If nothing is specified, the connector ingests events with all severities. Events without severity data are handled by the "Fetch Events Without Severity" parameter. Possible values: Low, Medium, High, Critical. |
Fetch Events Without Severity | Checkbox | N/A | No | If enabled, the connector fetches events that don't have severity. Those events are assigned "Informational" severity. |
Max Hours Backwards | Integer | 1 | No | Number of hours back from which to fetch events. |
Max Events To Fetch | Integer | 100 | No | How many alerts to process per connector iteration. Maximum is 1000. Default: 100. |
Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, the whitelist is used as a blacklist. |
Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Cisco Secure Endpoint server is valid. |
Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
Proxy Username | String | N/A | No | The proxy username to authenticate with. |
Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
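How the Lowest Severity To Fetch, Fetch Events Without Severity, Max Hours Backwards and Max Events To Fetch parameters combine, as an added example that is not the connector's own code; the event field names (date, event_type, severity), the sample events and the fixed "now" are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
MAX_EVENTS_LIMIT = 1000  # upper bound stated for "Max Events To Fetch"

# Constructed sample events, not real Cisco Secure Endpoint data. The field
# names "date", "event_type" and "severity" are assumptions about the event
# payload; adjust them to the actual connector input.
SAMPLE_EVENTS = [
    {"id": 1, "date": "2024-01-01T10:50:00Z", "event_type": "Threat Detected", "severity": "High"},
    {"id": 2, "date": "2024-01-01T10:40:00Z", "event_type": "Policy Update"},
    {"id": 3, "date": "2024-01-01T10:30:00Z", "event_type": "Threat Detected", "severity": "Low"},
    {"id": 4, "date": "2024-01-01T09:00:00Z", "event_type": "Threat Detected", "severity": "Critical"},
]
SAMPLE_NOW = datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)  # "now" for the sample above


def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used throughout this page."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_events(events, lowest_severity=None, fetch_without_severity=False,
                  max_hours_backwards=1, max_events=100, now=None):
    """Apply the connector's severity, time-window and batch-size rules.

    - lowest_severity None or empty means ingest every severity.
    - Events with no severity are kept only if fetch_without_severity is set,
      and are then labelled "Informational"; the severity threshold does not
      apply to them.
    - Events older than max_hours_backwards are dropped.
    - At most max_events are returned, oldest first, so a checkpoint based on
      the last returned event advances monotonically.
    """
    if lowest_severity and lowest_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {lowest_severity!r}; expected one of {sorted(SEVERITY_RANK)}")
    if not 1 <= max_events <= MAX_EVENTS_LIMIT:
        raise ValueError(f"max_events must be between 1 and {MAX_EVENTS_LIMIT}")
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(hours=max_hours_backwards)
    threshold = SEVERITY_RANK[lowest_severity] if lowest_severity else 0

    kept = []
    for event in events:
        if _parse_ts(event["date"]) < cutoff:
            continue
        severity = event.get("severity")
        if severity is None:
            if not fetch_without_severity:
                continue
            event = dict(event, severity="Informational")  # copy; do not mutate the input
        elif severity not in SEVERITY_RANK or SEVERITY_RANK[severity] < threshold:
            continue  # below the threshold, or a value the connector does not know
        kept.append(event)

    kept.sort(key=lambda e: _parse_ts(e["date"]))
    return kept[:max_events]
```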
Connector Rules
Proxy Support
The connector supports Proxy.