Cisco AMP for Endpoints

Version: 1.2
Updated: Jun 21, 2023
Perform a wide variety of Enrichment and Containment actions for endpoint investigation and response with Cisco AMP for Endpoints.
Actions
- Get Computer (Enrichment) - Get information about a specific endpoint.
- Get Computers (Enrichment) - Get a list of computers matching a query.
- Get Computer Activity (Enrichment) - Get the activity from a computer.
- Get Computer Trajectory (Enrichment) - Get the trajectory from a computer with an optional query.
- Get Computer User Activity (Enrichment) - Get the user activity from a computer.
- Get Computer User Trajectory (Enrichment) - Get the user trajectory from a computer with an optional query.
- Get File List (Enrichment) - Get the results of a file list.
- Get File List Files (Enrichment) - Get a list of files from the file list.
- Get SHA256 From File List (Enrichment) - Get a list of SHA256 values from the file list.
- Get Group Info (Enrichment) - Get group information.
- Get Groups (Enrichment) - Get a list of groups.
- Get Policy (Enrichment) - Get policy information.
- Get Simple Custom Detection File Lists (Enrichment) -
- List Computers (Enrichment) - List all computers.
- List Event Types (Enrichment) - Get a list of event types.
- List Events (Enrichment) -Get a list of events matching a query.
- List Vulnerabilities (Enrichment) - Get a list of all vulnerabilities.
- List Application Blocking Lists (Enrichment) - Get the application blocking file lists.
- List Simple Custom Detections Lists (Enrichment) - Get a file list from simple custom detection rules.
- List Indicators (Enrichment) - Get a list of all indicators.
- List Policies (Enrichment) - Get a list of policies.
- Add SHA256 To File List (Containment) - Add a SHA256 value to a file list.
- Delete SHA256 From File List (Containment) - Delete a SHA256 value from a file list.
- Delete Computer (Containment) - Delete a specific computer.
- Isolate Computer (Containment) - Isolate a specific computer.
- Remove Isolation (Containment) - Remove a specific computer from isolation.
Configure Cisco AMP for Endpoints in Automation Service and Cloud SOAR
Before you can use the integration, you must configure it so that the vendor can communicate with Sumo Logic. For general guidance, see Configure Authentication for Integrations.
- Access App Central and install the integration.
- Select the installed integration in the Integrations page.
Classic UI. In the main Sumo Logic menu, select Automation and then select Integrations in the left nav bar.
New UI. In the main Sumo Logic menu, select Automation > Integrations. You can also click the Go To... menu at the top of the screen and select Integrations. - Select the integration.
- Hover over the resource name and click the Edit button that appears.
- In the Add Resource dialog, enter the authentication needed by the resource. When done, click TEST to test the configuration, and click SAVE to save the configuration.
For information about Cisco Secure Endpoint (formerly AMP for Endpoints), see Secure Endpoint documentation.
Change Log
- January 29, 2019 - First upload
- May 22, 2020 - Added additional actions
- June 21, 2023 (v1.2) - Updated the integration with Environmental Variables