FireAMP

This App allows for querying endpoints connected to Cisco FireAMP while also providing investigative hunting capabilities

Supported Actions

• test connectivity: Validate the asset configuration by attempting to connect and getting the version of the API endpoint
• list endpoints: List all of the endpoints connected to FireAMP
• hunt file: Search for a file matching a SHA256 hash across all endpoints
• hunt ip: Search for a given IP
• hunt url: Search for a given URL
• list groups: List all of the groups are present in FireAMP
• list policies: List all of the policies present in FireAMP
• change policy: Updates group to given windows policy
• change group: Change the group of provided GUID endpoint
• unquarantine device: Stop host isolation based on connector GUID
• quarantine device: Isolate host based on connector GUID
• find device: Finds system with search parameters
• get device info: Get information about a device, given its connector GUID
• block hash: Add a file hash (sha256 only) to a file list specified by GUID
• unblock hash: Remove a file hash (sha256 only) from a file list specified by GUID
• allow hash: Add a file hash (sha256 only) to a file list specified by GUID
• disallow hash: Remove all sha256 file hashes from a file list specified by GUID
• list filelists: List all of the File Lists (application blocking & simple custom detections) in FireAMP
• get filelist: Get all of the hashes in a File List in FireAMP. Lists can be retrieved by UUID, or file list name and type
• remove listitem: Removes file hash from file list
• add listitem: Add file hash as listitem to file list
• find listitem: Finds file hash in specified file list
• get device trajectory: Retrieve trajectory info about a device
• get device events: Retrieve device events