Italy is a major cycling destination from folks from around the world. As part of the Giro coverage also highlight routes and places of interest for casual travelers.
" - } + }, + "ideas": [ + { + "id": "6877998175658332354", + "reference_num": "DEMO-I-299", + "name": "Highlight places of interest for casual travelers.", + "workflow_status": { + "id": "7142047390668922035", + "name": "Open", + "position": 7, + "complete": false, + "color": "#7f7f7f" + } + }] }, { "id": "7142047390531708532", @@ -48,7 +61,8 @@ "description": { "id": "7142047390570897954", "body": "Enhance the mobile getting started guide with a picture diagram that explains how best to get started.
" - } + }, + "ideas" : [] }, { "id": "7142047390632056703", @@ -73,7 +87,33 @@ "description": { "id": "7142047390668922035", "body": "Many cities want to make their roads safer and more convenient for cyclists, but they have a problem. They have very little data on where people ride and what influences their choices. We have tons of data that we can make anonymous and sell to these cities.
" - } + }, + "ideas": [ + { + "id": "6877998175658332354", + "reference_num": "DEMO-I-301", + "name": "make roads more convenient", + "workflow_status": { + "id": "7142047390668922035", + "name": "Shipped", + "position": 7, + "complete": false, + "color": "#7f7f7f" + } + }, + { + "id": "6852713789499497935", + "reference_num": "DEMO-I-41", + "name": "[Feature Request] make roads safer", + "workflow_status": { + "id": "7142047390668922035", + "name": "Shipped", + "position": 7, + "complete": false, + "color": "#7f7f7f" + } + } + ] } ], "pagination": { diff --git a/Packs/AHA/Integrations/AHA/test_data/get_all_ideas.json b/Packs/AHA/Integrations/AHA/test_data/get_all_ideas.json new file mode 100644 index 000000000000..2a4561ec154e --- /dev/null +++ b/Packs/AHA/Integrations/AHA/test_data/get_all_ideas.json @@ -0,0 +1,89 @@ +{ + "ideas": [ + { + "id": "7172566722654275503", + "reference_num": "DEMO-I-3078", + "name": "Create an alert exception command", + "created_at": "2022-12-02T15:02:06.684Z", + "updated_at": "2022-12-02T15:32:15.214Z", + "workflow_status": { + "id": "6836873525456343266", + "name": "Request Received", + "position": 1, + "complete": false, + "color": "#c1e39d" + }, + "description": { + "id": "7172566723341028779", + "body": "Some analysts needs to add regularly alerts exception.", + "created_at": "2022-12-02T15:02:06.844Z", + "attachments": [] + } + }, + { + "id": "7172551313548762563", + "reference_num": "DEMO-I-3077", + "name": "Adding MFA feature on local admin account. only", + "created_at": "2022-12-02T14:02:18.971Z", + "updated_at": "2022-12-02T19:27:20.486Z", + "workflow_status": { + "id": "6836873525456343266", + "name": "Request Received", + "position": 1, + "complete": false, + "color": "#c1e39d" + }, + "description": { + "id": "7172551313663237690", + "body": "Hello,
We would like to see a new feature in order to enforce security.", + "created_at": "2022-12-02T14:02:18.998Z", + "attachments": [] + } + }, + { + "id": "7172480677120868256", + "reference_num": "DEMO-I-3076", + "name": "Ability to amend the color of the favicons", + "created_at": "2022-12-02T09:28:12.646Z", + "updated_at": "2022-12-03T01:24:37.165Z", + "workflow_status": { + "id": "6836873525456343266", + "name": "Request Received", + "position": 1, + "complete": false, + "color": "#c1e39d" + }, + "description": { + "id": "7172480677226219366", + "body": "
Ability to amend the color of the favicons.
", + "created_at": "2022-12-02T09:28:12.671Z", + "attachments": [] + } + }, + { + "id": "7172305193792846103", + "reference_num": "DEMO-I-3075", + "name": "Include a creation timestamp for API Keys", + "created_at": "2022-12-01T22:07:14.749Z", + "updated_at": "2022-12-03T01:24:30.489Z", + "workflow_status": { + "id": "6836873525456343266", + "name": "Request Received", + "position": 1, + "complete": false, + "color": "#c1e39d" + }, + "description": { + "id": "7172305193907051640", + "body": "It would be helpful to see a timestamp of when an API key was created.
", + "created_at": "2022-12-01T22:07:14.776Z", + "attachments": [] + } + } + ], + "pagination": { + "total_records": 3021, + "total_pages": 101, + "current_page": 1 + } +} \ No newline at end of file diff --git a/Packs/AHA/Integrations/AHA/test_data/get_specific_idea.json b/Packs/AHA/Integrations/AHA/test_data/get_specific_idea.json new file mode 100644 index 000000000000..011723553abf --- /dev/null +++ b/Packs/AHA/Integrations/AHA/test_data/get_specific_idea.json @@ -0,0 +1,15 @@ +{ + "idea": { + "id": "7144646026151911047", + "name": "[Test] Mirroring", + "reference_num": "DEMO-I-2895", + "product_id": "6836114877834670881", + "workflow_status": { + "id": "6836873525456343266", + "name": "Request Received", + "position": 1, + "complete": false, + "color": "#c1e39d" + } + } +} \ No newline at end of file diff --git a/Packs/AHA/Integrations/AHA/test_data/update_feature_field.json b/Packs/AHA/Integrations/AHA/test_data/update_feature_field.json index a97a355426e4..e7d0afbb43c1 100644 --- a/Packs/AHA/Integrations/AHA/test_data/update_feature_field.json +++ b/Packs/AHA/Integrations/AHA/test_data/update_feature_field.json @@ -1,7 +1,7 @@ { "feature": { "id": "7142047393121670680", - "name": "Demo-10", + "name": "change just name", "reference_num": "DEMO-10", "created_by_user": { "id": "7142047370286614216", @@ -21,7 +21,7 @@ }, "description": { "id": "7142047393165357275", - "body": "change just description" + "body": "description" } } } \ No newline at end of file diff --git a/Packs/AHA/Integrations/AHA/test_data/update_idea_status.json b/Packs/AHA/Integrations/AHA/test_data/update_idea_status.json new file mode 100644 index 000000000000..4d21faab9c4b --- /dev/null +++ b/Packs/AHA/Integrations/AHA/test_data/update_idea_status.json @@ -0,0 +1,79 @@ +{ + "idea": { + "id": "7144646026151911047", + "name": "[Test] Mirroring", + "reference_num": "DEMO-I-2895", + "score": 3, + "created_at": "2022-09-18T09:15:32.943Z", + "updated_at": "2022-12-05T10:17:47.065Z", + "product_id": "6836114877834670881", + "votes": 2, + "status_changed_at": "2022-12-05T10:17:47.065Z", + "workflow_status": { + "id": "6904419099755086274", + "name": "Shipped", + "position": 7, + "complete": false, + "color": "#7f7f7f" + }, + "description": { + "id": "7144646026273598263", + "body": "Aha Jira Mirroring", + "created_at": "2022-09-18T09:15:32.971Z", + "attachments": [] + }, + "visibility": "Visible to all ideas portal users", + "url": "test/ideas/ideas/DEMO-I-2895", + "resource": "test/api/v1/ideas/DEMO-I-2895", + "product": { + "id": "6836114877834670881", + "reference_prefix": "DEMO", + "name": "Customer Feature Requests", + "product_line": false, + "created_at": "2020-06-08T22:57:07.099Z", + "workspace_type": "product_workspace" + }, + "created_by_portal_user": { + "id": "6866738214309336808", + "name": "Test Tester", + "email": "user@email.com", + "created_at": "2020-08-30T11:31:18.238Z" + }, + "created_by_idea_user": { + "id": "6951900696067621885", + "name": "Test Tester", + "email": "user@email.com", + "created_at": "2021-04-16T23:25:13.678Z" + }, + "assigned_to_user": { + "id": "6878244936949625239", + "name": "Test Tester", + "email": "user@email.com", + "created_at": "2020-09-30T11:43:15.879Z", + "updated_at": "2022-12-02T09:46:27.293Z", + "default_assignee": false + }, + "feature": { + "id": "7144646339649854720", + "reference_num": "DEMO-1019", + "name": "[Test] Mirroring", + "created_at": "2022-09-18T09:16:45.939Z", + "url": "test/features/DEMO-1019", + "resource": "test/api/v1/features/DEMO-1019", + "product_id": "6836114877834670881" + }, + "endorsements_count": 2, + "comments_count": 0, + "score_facts": [], + "tags": [], + "full_tags": [], + "categories": [ + { + "id": "6871298164875917780", + "name": "New Integration Request", + "parent_id": null, + "created_at": "2020-09-11T18:26:14.464Z" + } + ] + } +} \ No newline at end of file diff --git a/Packs/AHA/ReleaseNotes/1_0_3.md b/Packs/AHA/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..de3d5f5b74d0 --- /dev/null +++ b/Packs/AHA/ReleaseNotes/1_0_3.md @@ -0,0 +1,3 @@ +#### Integrations +##### Aha +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/AHA/ReleaseNotes/1_0_4.md b/Packs/AHA/ReleaseNotes/1_0_4.md new file mode 100644 index 000000000000..137720104d82 --- /dev/null +++ b/Packs/AHA/ReleaseNotes/1_0_4.md @@ -0,0 +1,3 @@ +#### Integrations +##### Aha +- Added support for get ideas and edit ideas. \ No newline at end of file diff --git a/Packs/AHA/ReleaseNotes/1_0_5.md b/Packs/AHA/ReleaseNotes/1_0_5.md new file mode 100644 index 000000000000..e4e46ce4fc3d --- /dev/null +++ b/Packs/AHA/ReleaseNotes/1_0_5.md @@ -0,0 +1,3 @@ +#### Integrations +##### Aha +- Updated the Docker image to: *demisto/python3:3.10.9.42476*. diff --git a/Packs/AHA/ReleaseNotes/1_0_6.md b/Packs/AHA/ReleaseNotes/1_0_6.md new file mode 100644 index 000000000000..d910e9c827b3 --- /dev/null +++ b/Packs/AHA/ReleaseNotes/1_0_6.md @@ -0,0 +1,3 @@ +#### Integrations +##### Aha +- Updated the Docker image to: *demisto/python3:3.10.9.45313*. diff --git a/Packs/AHA/ReleaseNotes/1_0_7.md b/Packs/AHA/ReleaseNotes/1_0_7.md new file mode 100644 index 000000000000..c3321f27acad --- /dev/null +++ b/Packs/AHA/ReleaseNotes/1_0_7.md @@ -0,0 +1,3 @@ +#### Integrations +##### Aha +- Updated the Docker image to: *demisto/python3:3.10.10.47713*. diff --git a/Packs/AHA/ReleaseNotes/1_0_8.md b/Packs/AHA/ReleaseNotes/1_0_8.md new file mode 100644 index 000000000000..ed41ae119816 --- /dev/null +++ b/Packs/AHA/ReleaseNotes/1_0_8.md @@ -0,0 +1,3 @@ +#### Integrations +##### Aha +- Updated the Docker image to: *demisto/python3:3.10.10.48392*. diff --git a/Packs/AHA/ReleaseNotes/1_0_9.md b/Packs/AHA/ReleaseNotes/1_0_9.md new file mode 100644 index 000000000000..8266417555b7 --- /dev/null +++ b/Packs/AHA/ReleaseNotes/1_0_9.md @@ -0,0 +1 @@ +Documentation and metadata improvements. diff --git a/Packs/AHA/TestPlaybooks/AHA_TestPlaybook.yml b/Packs/AHA/TestPlaybooks/AHA_TestPlaybook.yml index b7acd46abebd..36a17a78c3c2 100644 --- a/Packs/AHA/TestPlaybooks/AHA_TestPlaybook.yml +++ b/Packs/AHA/TestPlaybooks/AHA_TestPlaybook.yml @@ -46,7 +46,7 @@ tasks: This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations scriptName: DeleteContext type: regular iscommand: false @@ -343,7 +343,7 @@ tasks: This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations scriptName: DeleteContext type: regular iscommand: false diff --git a/Packs/AHA/pack_metadata.json b/Packs/AHA/pack_metadata.json index bd0b244f803e..a2afc20dcbf4 100644 --- a/Packs/AHA/pack_metadata.json +++ b/Packs/AHA/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AHA", "description": "Use the Aha! integration to edit name/title description and status of features in Aha! according to their status in Jira", "support": "xsoar", - "currentVersion": "1.0.2", + "currentVersion": "1.0.9", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AMP/Integrations/AMPv2/AMPv2.py b/Packs/AMP/Integrations/AMPv2/AMPv2.py new file mode 100644 index 000000000000..d1761bad9d95 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/AMPv2.py @@ -0,0 +1,3735 @@ +""" +CiscoAMP (Advanced Malware Protection) API Integration for Cortex XSOAR (aka Demisto). +""" +import copy +import math +from typing import Callable, Dict, Any, MutableMapping, MutableSequence, Tuple, Optional +from http import HTTPStatus +from collections import namedtuple +import demistomock as demisto +from CommonServerPython import * # pylint: disable=redefined-builtin, wildcard-import, unused-wildcard-import +from CommonServerUserPython import * # pylint: disable=wildcard-import + + +""" GLOBAL/PARAMS """ # pylint: disable=pointless-string-statement + + +DEFAULT_INTERVAL = 30 +DEFAULT_TIMEOUT = 600 +FETCH_LIMIT = 200 +MAX_PAGE_SIZE = 100 + +FILENAME_REGEX = r"[\w\-\.]+[\w\-\. ]*" +ISO_8601_FORMAT = "%Y-%m-%dT%H:%M:%S.000Z" + +XSOAR_SEVERITY_BY_AMP_SEVERITY = { + "Low": IncidentSeverity.LOW, + "Medium": IncidentSeverity.MEDIUM, + "High": IncidentSeverity.HIGH, + "Critical": IncidentSeverity.CRITICAL, +} + +PAGINATION_FIELDS = ( + "page", + "page_size", + "limit", + "offset", + "number_of_requests", + "offset_multiplier", + "is_automatic", + "is_manual", +) +Pagination = namedtuple( + "Pagination", + ( + "page", + "page_size", + "limit", + "offset", + "number_of_requests", + "offset_multiplier", + "is_automatic", + "is_manual", + ), + defaults=(None, None, None, None, None, None, None, None), +) + +TRAJECTORY_TITLE = "Event Information" +TRAJECTORY_HEADERS_BY_KEYS = { + "ID": ["id"], + "Date": ["date"], + "Event Type": ["event_type"], + "Detection": ["detection"], + "Severity": ["severity"], + "Group GUIDs": ["group_guids"], +} +ACTIVITY_TITLE = "Activity Information" +ACTIVITY_HEADERS_BY_KEYS = { + "Connector GUID": ["connector_guid"], + "Host Name": ["hostname"], + "Windows Processor ID": ["windows_processor_id"], + "Active": ["active"], +} +VULNERABILITY_TITLE = "Vulnerabilities Information" +VULNERABILITY_HEADERS_BY_KEYS = { + "Application": ["application"], + "Version": ["version"], + "Latest Date": ["latest_date"], + "File Name": ["file", "filename"], + "SHA-256": ["file", "identity", "sha256"], +} +EVENT_TYPE_TITLE = "Event Type Information" +EVENT_TYPE_HEADERS_BY_KEYS = { + "ID": ["id"], + "Name": ["name"], + "Description": ["description"], +} +EVENT_TITLE = "Event Information" +EVENT_HEADERS_BY_KEYS = { + "ID": ["id"], + "Date": ["date"], + "Event Type": ["event_type"], + "Detection": ["detection"], + "Connector GUID": ["connector_guid"], + "Severity": ["severity"], +} +GROUPS_TITLE = "Groups Information" +GROUPS_HEADERS_BY_KEYS = { + "Name": ["name"], + "Description": ["description"], + "GUID": ["guid"], + "Source": ["source"], +} +GROUP_TITLE = "Group Information" +GROUP_HEADERS_BY_KEYS = { + "Name": ["name"], + "Description": ["description"], + "Creator": ["creator"], + "Created At": ["created_at"], + "Computers Count": ["computers_count"], + "Descendant Computers Count": ["descendant_computers_count"], +} +VULNERABLE_COMPUTER_TITLE = "Vulnerable Computers Information" +VULNERABLE_COMPUTER_HEADERS_BY_KEYS = { + "Connector GUID": ["connector_guid"], + "Hostname": ["hostname"], + "Windows Processor ID": ["windows_processor_id"], + "Active": ["active"], + "Group GUID": ["group_guid"], +} +POLICY_TITLE = "Policy Information" +POLICY_HEADERS_BY_KEYS = { + "GUID": ["guid"], + "Name": ["name"], + "Description": ["description"], + "Product": ["product"], + "Serial Number": ["serial_number"], +} +FILE_LIST_TITLE = "File List Information" +FILE_LIST_HEADERS_BY_KEYS = { + "GUID": ["guid"], + "Name": ["name"], + "Type": ["type"], +} +FILE_LIST_ITEM_TITLE = "File List Item Information" +FILE_LIST_ITEM_HEADERS_BY_KEYS = { + "SHA-256": ["sha256"], + "Source": ["source"], + "Description": ["description"], +} +ISOLATION_TITLE = "Isolation Information" +ISOLATION_HEADERS_BY_KEYS = { + "Available": ["available"], + "Status": ["status"], + "Unlock Code": ["unlock_code"], + "Comment": ["comment"], + "Isolated By": ["isolated_by"], +} +APP_TRAJECTORY_TITLE = "App Trajectory Information" +APP_TRAJECTORY_HEADERS_BY_KEYS = { + "Connector GUID": ["connector_guid"], + "Date": ["date"], + "Query Type": ["query_type"], + "Dirty URL": ["network_info", "dirty_url"], +} +INDICATOR_TITLE = "Indicator Information" +INDICATOR_HEADERS_BY_KEYS = { + "GUID": ["guid"], + "Name": ["name"], + "Description": ["description"], + "Severity": ["severity"], + "Observed Compromises": ["observed_compromises"], +} +MITRE_TACTIC_TITLE = "Mitre Tactic Information" +MITRE_TECHNIQUE_TITLE = "Mitre Technique Information" +MITRE_HEADERS_BY_KEYS = { + "External ID": ["external_id"], + "Name": ["name"], + "Mitre URL": ["mitre_url"], +} + + +""" CLIENT CLASS """ + + +class Client(BaseClient): + """ + API Client to communicate with CiscoAMP API. + """ + + API_VERSION = "v1" + + def __init__( + self, + server_url: str, + api_key: str, + client_id: str, + reliability: str, + verify: bool = False, + proxy: bool = False, + ): + """ + Build URL with authorization arguments to provide the required Basic Authentication. + + Args: + server_url (str): CiscoAMP API URL. + api_key (str): API key to connect to the server. + client_id (str): 3rd Party API Client ID. + reliability (str): Reliability of the source providing the intelligence data. + verify (bool, optional): SSL verification handled by BaseClient. Defaults to False. + proxy (bool, optional): System proxy is handled by BaseClient. Defaults to False. + """ + super().__init__( + base_url=urljoin(server_url, self.API_VERSION), + verify=verify, + proxy=proxy, + auth=(client_id, api_key), + ) + + self.reliability = reliability + + def computer_list_request( + self, + limit: int = None, + offset: int = None, + hostnames: List[str] = None, + internal_ip: str = None, + external_ip: str = None, + group_guids: List[str] = None, + last_seen_within: int = None, + last_seen_over: int = None, + ) -> Dict[str, Any]: + """ + Return a single computer with a connector_guid or a list filtered by the other arguments. + + Args: + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + hostnames (List[str], optional): Hostname to filter by. + Defaults to None. + internal_ip (str, optional): Internal IP to filter by. + Defaults to None. + external_ip (str, optional): External IP to filter by. + Defaults to None. + group_guid (List[str], optional): Group GUID to filter by. + Defaults to None. + last_seen_within (str, optional): Number of days the last time the computer has been seen within. + Defaults to None. + last_seen_over (str, optional): Number of days the last time the computer has been seen. + Defaults to None. + + Returns: + Dict[str, Any]: Information about a list of computers or a single computer. + """ + params = remove_empty_elements( + { + "limit": limit, + "offset": offset, + "hostname[]": hostnames, + "internal_ip": internal_ip, + "external_ip": external_ip, + "group_guid[]": group_guids, + "last_seen_within": last_seen_within, + "last_seen_over": last_seen_over, + } + ) + + return self._http_request( + method="GET", + url_suffix="/computers", + params=params, + ) + + def computer_get_request( + self, + connector_guid: str, + ) -> Dict[str, Any]: + """ + Return a single computer with a connector_guid. + + Args: + connector_guid (str): Specific computer to return. + + Returns: + Dict[str, Any]: Information about a computer. + """ + return self._http_request( + method="GET", + url_suffix=f"/computers/{connector_guid}", + ) + + def computer_trajectory_list_request( + self, connector_guid: str, limit: int = None, query_string: str = None + ) -> Dict[str, Any]: + """ + Get information about a computer and its trajectory which be set in a list of events. + + Args: + connector_guid (str): Specific computer to return. + limit (int, optional): Maximum number of items to return. + Defaults to None. + query_string (str, optional): Freeform query string which accepts: IP address, SHA-256 or URL. + Defaults to None. + + Returns: + Dict[str, Any]: Information about a computer and its trajectory. + """ + params = remove_empty_elements( + { + "limit": limit, + "q": query_string, + } + ) + + return self._http_request( + method="GET", + url_suffix=f"/computers/{connector_guid}/trajectory", + params=params, + ) + + def computer_user_activity_get_request( + self, + username: str, + limit: int = None, + offset: int = None, + ) -> Dict[str, Any]: + """ + Get computers that have observed activity by given username. + + Args: + username (str): Username to filter by. + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: List of computers. + """ + params = remove_empty_elements( + {"q": username, "limit": limit, "offset": offset} + ) + + return self._http_request( + method="GET", + url_suffix="/computers/user_activity", + params=params, + ) + + def computer_user_trajectory_list_request( + self, connector_guid: str, limit: int = None, username: str = None + ) -> Dict[str, Any]: + """ + Get information about a computer and its trajectory which be set in a list of events. + + Args: + connector_guid (str): Specific computer to return. + limit (int, optional): Maximum number of items to return. + Defaults to None. + username (str, optional): Username to filter by. + Defaults to None. + + Returns: + Dict[str, Any]: Information about a computer and its trajectory. + """ + params = remove_empty_elements( + { + "limit": limit, + "q": username, + } + ) + + return self._http_request( + method="GET", + url_suffix=f"/computers/{connector_guid}/user_trajectory", + params=params, + ) + + def computer_vulnerabilities_list_request( + self, + connector_guid: str, + start_time: str = None, + end_time: str = None, + limit: int = None, + offset: int = None, + ) -> Dict[str, Any]: + """ + Return vulnerabilities observed on a specific computer. + + Args: + connector_guid (str): Specific computer to return. + start_time (str, optional): Inclusive, include vulnerable programs detected at start_time. + Defaults to None. + end_time (str, optional): Exclusive if end_time is a time, inclusive if end_time is a date, + include vulnerable programs detected before end_time. + Defaults to None. + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: Information about a computer and its vulnerabilities. + """ + params = remove_empty_elements( + { + "start_time": start_time, + "end_time": end_time, + "limit": limit, + "offset": offset, + } + ) + + return self._http_request( + method="GET", + url_suffix=f"/computers/{connector_guid}/vulnerabilities", + params=params, + ) + + def computer_move_request( + self, connector_guid: str, group_guid: str + ) -> Dict[str, Any]: + """ + Moves the computer with the input connector_guid to a group with the input group_guid. + + Args: + connector_guid (str): Connector GUID of the selected computer. + group_guid (str): Group GUID of the group to move the computer to.s + + Returns: + Dict[str, Any]: Information about the computer. + """ + return self._http_request( + method="PATCH", + url_suffix=f"/computers/{connector_guid}", + json_data={ + "group_guid": group_guid, + }, + ) + + def computer_delete_request(self, connector_guid: str) -> Dict[str, Any]: + """ + Deletes the computer with the connector_guid. + + Args: + connector_guid (str): Connector GUID of the selected computer. + + Returns: + Dict[str, Any]: Information about the delete operation, if it has succeeded. + """ + return self._http_request( + method="DELETE", + url_suffix=f"/computers/{connector_guid}", + ) + + def computer_activity_list_request( + self, query_string: str, limit: int = None, offset: str = None + ) -> Dict[str, Any]: + """ + Get computers that have observed activity by given username. + + Args: + query_string (str): Query string which accepts: IPv4 address, SHA-256, File Name and a URL Fragment. + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: List of computers. + """ + params = remove_empty_elements( + { + "q": query_string, + "limit": limit, + "offset": offset, + } + ) + + return self._http_request( + method="GET", + url_suffix="/computers/activity", + params=params, + ) + + def computer_isolation_feature_availability_get_request( + self, connector_guid: str + ) -> requests.Response: + """ + Get information about available options for a computer's isolation. + + Args: + connector_guid (str): Computer to get information about. + + Returns: + requests.Response: Information about a computer's isolation. + """ + return self._http_request( + method="OPTIONS", + url_suffix=f"/computers/{connector_guid}/isolation", + resp_type="response", + ) + + def computer_isolation_get_request(self, connector_guid: str) -> Dict[str, Any]: + """ + Get information about a computer's isolation. + + Args: + connector_guid (str): Computer to get information about. + + Returns: + Dict[str, Any]: Information about a computer's isolation. + """ + return self._http_request( + method="GET", + url_suffix=f"/computers/{connector_guid}/isolation", + ) + + def computer_isolation_create_request( + self, connector_guid: str, comment: str, unlock_code: str + ) -> Dict[str, Any]: + """ + Put a computer in isolation. + + Args: + connector_guid (str): Computer to put in isolation. + comment (str): Computer to put in isolation. + unlock_code (str): Unlock code. + + Returns: + Dict[str, Any]: Information about the computer's isolation. + """ + body = remove_empty_elements( + { + "comment": comment, + "unlock_code": unlock_code, + } + ) + + return self._http_request( + method="PUT", + url_suffix=f"/computers/{connector_guid}/isolation", + json_data=body, + ) + + def computer_isolation_delete_request( + self, + connector_guid: str, + comment: str = None, + ) -> Dict[str, Any]: + """ + Stop a computer in isolation. + + Args: + connector_guid (str): Computer to put in isolation. + comment (str): Computer to put in isolation. + Defaults to None. + + Returns: + Dict[str, Any]: Information about the computer's isolation. + """ + body = remove_empty_elements( + { + "comment": comment, + } + ) + + return self._http_request( + method="DELETE", + url_suffix=f"/computers/{connector_guid}/isolation", + json_data=body, + ) + + def event_list_request( + self, + detection_sha256: str = None, + application_sha256: str = None, + connector_guids: List[str] = None, + group_guids: List[str] = None, + start_date: str = None, + event_types: List[int] = None, + limit: int = None, + offset: int = None, + ) -> Dict[str, Any]: + """ + Get a list of events that can be filtered by the input parameters. + + Args: + detection_sha256 (str, optional): Detection SHA-256 to filter by.. + Defaults to None. + application_sha256 (str, optional): Application SHA-256 to filter by. + Defaults to None. + connector_guids (List[str], optional): connector_guid for specific computer. + Defaults to None. + group_guids (List[str], optional): Group GUID to filter by. + Defaults to None. + start_date (str, optional): Fetch events that are newer than given time. + Defaults to None. + event_types (List[int], optional): Event type to filter by. + Defaults to None. + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: A list of events. + """ + params = remove_empty_elements( + { + "detection_sha256": detection_sha256, + "application_sha256": application_sha256, + "connector_guid[]": connector_guids, + "group_guid[]": group_guids, + "start_date": start_date, + "event_type[]": event_types, + "limit": limit, + "offset": offset, + } + ) + + return self._http_request( + method="GET", + url_suffix="/events", + params=params, + ) + + def event_type_list_request(self) -> Dict[str, Any]: + """ + Get a list of event types. + + Returns: + Dict[str, Any]: List of event types. + """ + return self._http_request( + method="GET", + url_suffix="/event_types", + ) + + def file_list_application_blocking_list_request( + self, names: List[str] = None, limit: int = None, offset: int = None + ) -> Dict[str, Any]: + """ + Get a file list of application blocking type. + + Args: + names (List[str], optional): Name to filter by. + Defaults to None. + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: File list of application blocking type. + """ + params = remove_empty_elements( + { + "name[]": names, + "limit": limit, + "offset": offset, + } + ) + + return self._http_request( + method="GET", + url_suffix="/file_lists/application_blocking", + params=params, + ) + + def file_list_get_request(self, file_list_guid: str) -> Dict[str, Any]: + """ + Get a file list. + + Args: + file_list_guid (str): GUID of the file list to get. + + Returns: + Dict[str, Any]: Information about a policy. + """ + return self._http_request( + method="GET", + url_suffix=f"/file_lists/{file_list_guid}", + ) + + def file_list_simple_custom_detections_list_request( + self, names: List[str] = None, limit: int = None, offset: int = None + ) -> Dict[str, Any]: + """ + Get a file list of simple custom detections type. + + Args: + names (List[str], optional): Name to filter by. + Defaults to None. + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: File list of simple custom detections type. + """ + params = remove_empty_elements( + { + "name[]": names, + "limit": limit, + "offset": offset, + } + ) + + return self._http_request( + method="GET", + url_suffix="/file_lists/simple_custom_detections", + params=params, + ) + + def file_list_item_list_request( + self, file_list_guid: str, limit: int = None, offset: int = None + ) -> Dict[str, Any]: + """ + Get information about a file list items. + + Args: + file_list_guid (str): GUID of the file list to get its items. + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: Information about a file list items. + """ + params = remove_empty_elements( + { + "limit": limit, + "offset": offset, + } + ) + + return self._http_request( + method="GET", + url_suffix=f"/file_lists/{file_list_guid}/files", + params=params, + ) + + def file_list_item_get_request( + self, file_list_guid: str, sha256: str + ) -> Dict[str, Any]: + """ + Get information about a file list item. + + Args: + file_list_guid (str): GUID of the file list to get its items. + sha256 (str): sha256 of item to get. + + Returns: + Dict[str, Any]: Information about a file list item. + """ + return self._http_request( + method="GET", + url_suffix=f"/file_lists/{file_list_guid}/files/{sha256}", + ) + + def file_list_item_create_request( + self, file_list_guid: str, sha256: str, description: str = None + ) -> Dict[str, Any]: + """ + Create a new file list item. + + Args: + file_list_guid (str): GUID of the file list to add the new item. + sha256 (str): sha256 of the item to create. + + Returns: + Dict[str, Any]: Information about the new file list item. + """ + body = remove_empty_elements( + { + "description": description, + } + ) + + return self._http_request( + method="POST", + url_suffix=f"/file_lists/{file_list_guid}/files/{sha256}", + json_data=body, + ) + + def file_list_item_delete_request( + self, file_list_guid: str, sha256: str + ) -> Dict[str, Any]: + """ + Delete an item from a file list item. + + Args: + file_list_guid (str): GUID of the file list to delete item. + sha256 (str): sha256 of the item to delete. + + Returns: + Dict[str, Any]: Information about the deletion result. + """ + return self._http_request( + method="DELETE", + url_suffix=f"/file_lists/{file_list_guid}/files/{sha256}", + ) + + def group_list_request( + self, name: str = None, limit: int = None, offset: int = None + ) -> Dict[str, Any]: + """ + Get a list of groups information that can be filtered by a name. + + Args: + name (str, optional): Name to filter by. + Defaults to None. + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: List of group information. + """ + params = remove_empty_elements( + { + "name": name, + "limit": limit, + "offset": offset, + } + ) + + return self._http_request( + method="GET", + url_suffix="/groups", + params=params, + ) + + def group_get_request(self, group_guid: str) -> Dict[str, Any]: + """ + Get information about a group. + + Args: + group_guid (str): GUID of the group to get information about. + + Returns: + Dict[str, Any]: Information about a group. + """ + return self._http_request( + method="GET", + url_suffix=f"/groups/{group_guid}", + ) + + def group_policy_update_request( + self, + group_guid: str, + windows_policy_guid: str = None, + mac_policy_guid: str = None, + android_policy_guid: str = None, + linux_policy_guid: str = None, + ) -> Dict[str, Any]: + """ + Update a group's Policy to given Policy GUID. + + Args: + group_guid (str): The group to update. + windows_policy_guid (str, optional): Policy GUID for Windows. + Defaults to None. + mac_policy_guid (str, optional): Policy GUID for MAC. + Defaults to None. + android_policy_guid (str, optional): Policy GUID for Android. + Defaults to None. + linux_policy_guid (str, optional): Policy GUID for Linux. + Defaults to None. + + Returns: + Dict[str, Any]: Information about the updated group. + """ + body = remove_empty_elements( + { + "windows_policy_guid": windows_policy_guid, + "mac_policy_guid": mac_policy_guid, + "android_policy_guid": android_policy_guid, + "linux_policy_guid": linux_policy_guid, + } + ) + + return self._http_request( + method="PATCH", + url_suffix=f"groups/{group_guid}", + json_data=body, + ) + + def group_parent_update_request( + self, + child_guid: str, + parent_group_guid: str = None, + ) -> Dict[str, Any]: + """ + Converts an existing group to a child of another group or an existing + child group to a root group (that is, one with no parent groups). + + Args: + child_guid (str): Groups GUID to set as child or make as root. + parent_group_guid (str, optional): Group parent to set to child group. + Defaults to None. + + Returns: + Dict[str, Any]: Information about the updated group. + """ + return self._http_request( + method="PATCH", + url_suffix=f"groups/{child_guid}/parent", + json_data=remove_empty_elements({"parent_group_guid": parent_group_guid}), + ) + + def group_create_request(self, name: str, description: str) -> Dict[str, Any]: + """ + Create a new group and get its information. + + Args: + name (str): Name of the new group. + description (str): Description of the new group. + + Returns: + Dict[str, Any]: Information about the new group. + """ + body = { + "name": name, + "description": description, + } + + return self._http_request( + method="POST", + url_suffix="/groups", + json_data=body, + ) + + def group_delete_request(self, group_guid: str) -> Dict[str, Any]: + """ + Deletes the group with the group_guid. + + Args: + group_guid (str): Group GUID of the selected group to delete. + + Returns: + Dict[str, Any]: Information about the delete operation, if it has succeeded. + """ + return self._http_request( + method="DELETE", + url_suffix=f"groups/{group_guid}", + ) + + def indicator_get_request(self, indicator_guid: str) -> Dict[str, Any]: + """ + Get information about a indicator. + + Args: + indicator_guid (str): GUID of the indicator to get. + + Returns: + Dict[str, Any]: Information about a indicator. + """ + return self._http_request( + method="GET", + url_suffix=f"/indicators/{indicator_guid}", + ) + + def indicator_list_request( + self, limit: int = None, offset: int = None + ) -> Dict[str, Any]: + """ + Get a list of indicators information. + + Args: + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: List of indicators information. + """ + params = remove_empty_elements( + { + "limit": limit, + "offset": offset, + } + ) + + return self._http_request( + method="GET", + url_suffix="/indicators", + params=params, + ) + + def policy_list_request( + self, + products: List[str] = None, + names: List[str] = None, + limit: int = None, + offset: int = None, + ) -> Dict[str, Any]: + """ + Get a list of policies information. + + Args: + product (List[str], optional): OS product to filter by. + Defaults to None. + name (List[str], optional): Name to filter by. + Defaults to None. + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: List of policies information. + """ + params = remove_empty_elements( + { + "product[]": products, + "name[]": names, + "limit": limit, + "offset": offset, + } + ) + + return self._http_request( + method="GET", + url_suffix="/policies", + params=params, + ) + + def policy_get_request(self, policy_guid: str) -> Dict[str, Any]: + """ + Get information about a policy. + + Args: + policy_guid (str): GUID of the policy to get. + + Returns: + Dict[str, Any]: Information about a policy. + """ + return self._http_request( + method="GET", + url_suffix=f"/policies/{policy_guid}", + ) + + def app_trajectory_query_list_request(self, ios_bid: str) -> Dict[str, Any]: + """ + Get app trajectory query for a given IOS bundle ID. + + Args: + ios_bid (str): IOS bundle ID. + + Returns: + Dict[str, Any]: App Trajectory for IOS bundle ID. + """ + params = { + "ios_bid": ios_bid, + } + + return self._http_request( + method="GET", url_suffix="/app_trajectory/queries", params=params + ) + + def version_get_request(self) -> Dict[str, Any]: + """ + Get the current version of the API. + + Returns: + Dict[str, Any]: Current version of the API. + """ + return self._http_request( + method="GET", + url_suffix="/version", + ) + + def vulnerability_list_request( + self, + group_guids: List[str] = None, + start_time: str = None, + end_time: str = None, + limit: int = None, + offset: int = None, + ) -> Dict[str, Any]: + """ + Get a list of vulnerabilities. + + Args: + group_guids (List[str], optional): Group GUIDs to filter by. + Defaults to None. + start_time (str, optional): Inclusive (The list will include vulnerable programs detected at start_time). + Defaults to None. + end_time (str, optional): Exclusive - if end_time is a time (The list will only include vulnerable + programs detected before end_time); Inclusive - if end_time is a date (The + list will include vulnerable programs detected on the date). + Defaults to None. + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: List of vulnerabilities. + """ + params = remove_empty_elements( + { + "group_guid[]": group_guids, + "start_time": start_time, + "end_time": end_time, + "limit": limit, + "offset": offset, + } + ) + + return self._http_request( + method="GET", + url_suffix="/vulnerabilities", + params=params, + ) + + def vulnerable_computers_list_request( + self, + sha256: str, + group_guids: List[str] = None, + start_time: str = None, + end_time: str = None, + limit: int = None, + offset: int = None, + ) -> Dict[str, Any]: + """ + Get a list of computers observed with given SHA-256. + + Args: + sha256 (str): SHA-256 that has been observed as a vulnerability. + group_guid (List[str], optional): Group GUIDs to filter by. + Defaults to None. + start_time (str, optional): Inclusive (The list will include vulnerable programs detected at start_time). + Defaults to None. + end_time (str, optional): Exclusive - if end_time is a time (The list will only include vulnerable + programs detected before end_time); Inclusive - if end_time is a date (The + list will include vulnerable programs detected on the date). + Defaults to None. + limit (int, optional): Maximum number of items to return. + Defaults to None. + offset (int, optional): Item number to start looking from. + Defaults to None. + + Returns: + Dict[str, Any]: List of vulnerable computers. + """ + params = remove_empty_elements( + { + "group_guid[]": group_guids, + "start_time": start_time, + "end_time": end_time, + "limit": limit, + "offset": offset, + } + ) + + return self._http_request( + method="GET", + url_suffix=f"/vulnerabilities/{sha256}/computers", + params=params, + ) + + +""" COMMAND FUNCTIONS """ # pylint: disable=pointless-string-statement + + +def fetch_incidents( + client: Client, + last_run: Dict[str, Any], + first_fetch_time: str, + event_types: List[int] = None, + incident_severities: List[str] = None, + max_incidents_to_fetch: int = FETCH_LIMIT, +) -> Tuple[Dict[str, int], List[dict]]: + """ + Retrieves new alerts every interval (default is 1 minute). + Implements the logic of making sure that incidents are fetched only once. + By default it's invoked by XSOAR every minute. + It will use last_run to save the time of the last incident it processed and previous incident IDs. + If last_run is not provided, first_fetch_time will be used to determine when to start fetching the first time. + + Args: + client (Client): Cisco AMP client to run desired requests + last_run (Dict[str, Any]): + last_fetch: Time of the last processed incident. + previous_ids: List of incident IDs to that would not be repeated. + first_fetch_time (str): Determines the time of when fetching has been started. + event_types (List[int], optional): Event types to filter by. + Defaults to None. + incident_severities (List[str], optional): Incident severities to filter by. + Defaults to None. + max_incidents_to_fetch (int, optional): Max number of incidents to fetch in a single run. + Defaults to FETCH_LIMIT. + + Returns: + Tuple[Dict[str, int], List[dict]]: + next_run: Contains information that will be used in the next run. + incidents: List of incidents that will be created in XSOAR. + """ + last_fetch = last_run.get("last_fetch") + previous_ids = set(last_run.get("previous_ids", [])) + + # If a last fetch run doesn't exist, use the first fetch time. + if last_fetch is None: + last_fetch = first_fetch_time + + last_fetch_timestamp = date_to_timestamp(last_fetch, ISO_8601_FORMAT) + + response = client.event_list_request(start_date=last_fetch, event_types=event_types) + items = response["data"] + + incidents: List[Dict[str, Any]] = [] + incident_name = 'Cisco AMP Event ID:"{event_id}"' + + for item in items: + # Break once the maximum number of incidents has been achieved. + if len(incidents) >= max_incidents_to_fetch: + break + + # Continue if the incident severity isn't in the requested list (only if there is one). + severity = item.get("severity") + if severity and incident_severities and (severity not in incident_severities): + continue + + # Continue if the incident ID has been fetched already. + if (incident_id := str(item.get("id"))) in previous_ids: + continue + + previous_ids.add(incident_id) + + incident_timestamp = item["timestamp"] * 1000 + incident = remove_empty_elements( + { + "name": incident_name.format( + event_id=incident_id, + ), + "occurred": timestamp_to_datestring(incident_timestamp), + "rawJSON": json.dumps(item), + "severity": XSOAR_SEVERITY_BY_AMP_SEVERITY.get( + severity, IncidentSeverity.UNKNOWN + ), + "details": str(item.get("event_type")), + "dbotMirrorId": incident_id, + } + ) + + incidents.append(incident) + + # Update the latest incident time that was fetched. + if incident_timestamp > last_fetch_timestamp: + last_fetch_timestamp = incident_timestamp + + next_run = { + "last_fetch": timestamp_to_datestring(last_fetch_timestamp), + "previous_ids": list(previous_ids), + } + + return next_run, incidents + + +def test_module(client: Client) -> str: + """ + Tests API connectivity and authentication + Returning 'ok' indicates that the integration works like it is supposed to. + Connection to the service is successful. + Raises exceptions if something goes wrong. + + Args: + client (Client): Cisco AMP client to run desired requests + + Returns: + str: 'ok' if test passed, anything else will fail the test. + """ + try: + client.version_get_request() + + except DemistoException as exc: + if exc.res and exc.res.status_code == HTTPStatus.UNAUTHORIZED: + return "Authorization Error: Unknown API key or Client ID" + + return exc.message + + return "ok" + + +def computer_list_command(client: Client, args: Dict[str, Any]) -> List[CommandResults]: + """ + Get information about computers. + The command can get a list of filtered computers or a specific computer with connector_guid. + The command supports pagination. + If needed the response will be concatenated. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Raises: + ValueError: If there is a connector_guid other arguments must not exist. + + Returns: + List[CommandResults]: Information about a list of computers or a specific computer. + """ + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + connector_guid = args.get("connector_guid", "") + hostnames = argToList(args.get("hostname")) + internal_ip = args.get("internal_ip") + external_ip = args.get("external_ip") + group_guids = argToList(args.get("group_guid")) + last_seen_within = arg_to_number(args.get("last_seen_within")) + last_seen_over = arg_to_number(args.get("last_seen_over")) + + is_get_request = bool(connector_guid) + is_list_request = any( + ( + page, + page_size, + limit, + hostnames, + internal_ip, + external_ip, + group_guids, + last_seen_within, + last_seen_over, + ) + ) + + if is_get_request and is_list_request: + raise ValueError( + "connector_guid must be the only input, when fetching a specific computer." + ) + + if not is_get_request: + pagination = get_pagination_parameters(page, page_size, limit) + raw_response_list: List[Dict[str, Any]] = [] + + # Run multiple requests according to pagination inputs. + for request_number in pagination_range(pagination): + raw_response_list.append( + client.computer_list_request( + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + hostnames=hostnames, + internal_ip=internal_ip, + external_ip=external_ip, + group_guids=group_guids, + last_seen_within=last_seen_within, + last_seen_over=last_seen_over, + ) + ) + + if not raw_response_list[-1]["data"]: + break + + raw_response: Dict[str, Any] = combine_response_results( + raw_response_list, pagination.is_automatic + ) + + else: + raw_response = client.computer_get_request( + connector_guid=connector_guid, + ) + + context_outputs = get_context_output(raw_response, ["links"]) + + readable_output = get_results_readable_output(raw_response) + readable_output += get_computer_readable_output(raw_response) + + command_results = [] + + for context_output in context_outputs: + endpoint_indicator = Common.Endpoint( + id=context_output["connector_guid"], + ip_address=context_output["internal_ips"][0], + hostname=context_output["hostname"], + mac_address=context_output["network_addresses"][0]["mac"], + os=context_output["operating_system"], + os_version=context_output["os_version"], + status="Online" if context_output["active"] else "Offline", + vendor="CiscoAMP Response", + ) + + command_results.append( + CommandResults( + outputs_prefix="CiscoAMP.Computer", + outputs_key_field="connector_guid", + outputs=context_output, + raw_response=raw_response, + indicator=endpoint_indicator, + ) + ) + + command_results.append(CommandResults(readable_output=readable_output)) + + return command_results + + +def computer_trajectory_list_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Get information about a computer's trajectory. + The command supports pagination. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Raises: + ValueError: If the user hasn't entered one of the required query options wrong. + + Returns: + CommandResults: Information about a computer's trajectory. + """ + connector_guid = args["connector_guid"] + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + query_string = args.get("query_string") + + if not validate_query( + query=query_string, + accept_ipv4=True, + accept_sha256=True, + accept_url=True, + accept_filename=False, + ): + raise ValueError("query_string must be: SHA-256/IPv4/URL") + + pagination = get_pagination_parameters(page, page_size, limit) + + raw_response = client.computer_trajectory_list_request( + connector_guid=connector_guid, + limit=pagination.page * pagination.page_size + if pagination.is_manual + else (limit or None), + query_string=query_string, + ) + + context_output, readable_output = extract_pagination_from_response( + pagination, raw_response + ) + + return CommandResults( + outputs_prefix="CiscoAMP.ComputerTrajectory", + outputs_key_field="id", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def computer_user_activity_list_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Get information about computers with user activity on them. + The command supports pagination. + If needed the response will be concatenated. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about computers with user activity on them. + """ + username = args["username"] + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + pagination = get_pagination_parameters(page, page_size, limit) + raw_response_list: List[Dict[str, Any]] = [] + + # Run multiple requests according to pagination inputs. + for request_number in pagination_range(pagination): + raw_response_list.append( + client.computer_user_activity_get_request( + username=username, + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + ) + ) + + if not raw_response_list[-1]["data"]: + break + + raw_response: Dict[str, Any] = combine_response_results( + raw_response_list, pagination.is_automatic + ) + + context_output = get_context_output(raw_response, ["links"]) + + readable_output = get_results_readable_output(raw_response) + readable_output += get_readable_output( + response=raw_response, + header_by_keys=ACTIVITY_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=ACTIVITY_TITLE, + ) + + return CommandResults( + outputs_prefix="CiscoAMP.ComputerUserActivity", + outputs_key_field="connector_guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def computer_user_trajectory_list_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Get information about a computer's trajectory with the option filter by username. + The command supports pagination. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about a computer's trajectory. + """ + connector_guid = args["connector_guid"] + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + username = args.get("username") + + pagination = get_pagination_parameters(page, page_size, limit) + + raw_response = client.computer_user_trajectory_list_request( + connector_guid=connector_guid, + limit=pagination.page * pagination.page_size + if pagination.is_manual + else (limit or None), + username=username, + ) + + context_output, readable_output = extract_pagination_from_response( + pagination, raw_response + ) + + return CommandResults( + outputs_prefix="CiscoAMP.ComputerUserTrajectory", + outputs_key_field="id", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def computer_vulnerabilities_list_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Get information about a computer's vulnerabilities. + The command supports pagination. + If needed the response will be concatenated. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about a computer's vulnerabilities. + """ + connector_guid = args["connector_guid"] + start_time = args.get("start_time") + end_time = args.get("end_time") + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + pagination = get_pagination_parameters(page, page_size, limit) + raw_response_list: List[Dict[str, Any]] = [] + + # Run multiple requests according to pagination inputs. + for request_number in pagination_range(pagination): + raw_response_list.append( + client.computer_vulnerabilities_list_request( + connector_guid=connector_guid, + start_time=start_time, + end_time=end_time, + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + ) + ) + + if not raw_response_list[-1]["data"]: + break + + raw_response: Dict[str, Any] = combine_response_results( + raw_response_list, pagination.is_automatic + ) + + context_output = get_context_output(raw_response, ["links"]) + context_output = context_output[0]["vulnerabilities"] + add_item_to_all_dictionaries( + context_output, + "connector_guid", + dict_safe_get(raw_response, ["data", "connector_guid"]), + ) + + readable_output = get_results_readable_output(raw_response) + readable_output += get_computer_readable_output(raw_response) + readable_output += get_readable_output( + response=raw_response, + header_by_keys=VULNERABILITY_HEADERS_BY_KEYS, + keys_to_items_option_1=["data", "vulnerabilities"], + keys_to_items_option_2=["data"], + title=VULNERABILITY_TITLE, + ) + + return CommandResults( + outputs_prefix="CiscoAMP.ComputerVulnerability", + outputs_key_field="connector_guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def computer_move_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Move a computer to another group. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about the moved computer. + """ + connector_guid = args["connector_guid"] + group_guid = args["group_guid"] + + raw_response = client.computer_move_request( + connector_guid=connector_guid, + group_guid=group_guid, + ) + + context_output = get_context_output(raw_response, ["links"]) + readable_output = get_computer_readable_output(raw_response) + + return CommandResults( + outputs_prefix="CiscoAMP.Computer", + outputs_key_field="connector_guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def computer_delete_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Deletes a computer and returns a result if the deletion has succeeded. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Raises: + ValueError: Incase the deletion has failed, raise an error. + + Returns: + CommandResults: Success message of the deleted computer. + """ + connector_guid = args["connector_guid"] + + raw_response = client.computer_delete_request(connector_guid=connector_guid) + + is_deleted = dict_safe_get(raw_response, ["data", "deleted"]) + + if not is_deleted: + raise DemistoException( + message=f'Failed to delete Connector GUID: "{connector_guid}".', + res=raw_response, + ) + + readable_output = f'Connector GUID: "{connector_guid}"\nSuccessfully deleted.' + + return CommandResults( + readable_output=readable_output, + raw_response=raw_response, + ) + + +def computer_activity_list_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Get information about computers with query activity on them. + The command supports pagination. + If needed the response will be concatenated. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Raises: + ValueError: If the input query isn't an IP, URL + + Returns: + CommandResults: Information about computers with query activity on them. + """ + query_string = args["query_string"] + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + # Check if the query is empty or of one of the following formats: SHA256, IPv4, URL or Filename. + if not validate_query( + query=query_string, + accept_ipv4=True, + accept_filename=True, + accept_sha256=True, + accept_url=True, + ): + raise ValueError("query_string must be: SHA-256/IPv4/URL/Filename") + + pagination = get_pagination_parameters(page, page_size, limit) + raw_response_list: List[Dict[str, Any]] = [] + + # Run multiple requests according to pagination inputs. + for request_number in pagination_range(pagination): + raw_response_list.append( + client.computer_activity_list_request( + query_string=query_string, + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + ) + ) + + if not raw_response_list[-1]["data"]: + break + + raw_response: Dict[str, Any] = combine_response_results( + raw_response_list, pagination.is_automatic + ) + + context_output = get_context_output(raw_response, ["links"]) + + readable_output = get_results_readable_output(raw_response) + readable_output += get_readable_output( + response=raw_response, + header_by_keys=ACTIVITY_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=ACTIVITY_TITLE, + ) + + return CommandResults( + outputs_prefix="CiscoAMP.ComputerActivity", + outputs_key_field="connector_guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def computers_isolation_feature_availability_get_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Get information about available isolation options for a computer. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about a computer's isolation options. + """ + connector_guid = args["connector_guid"] + + try: + raw_response = client.computer_isolation_feature_availability_get_request( + connector_guid=connector_guid, + ) + readable_output = get_isolation_options_readable_output(raw_response) + + except DemistoException as exc: + # this is an expected behavior, when isolation is not allowed. + if exc.res and exc.res.status_code == HTTPStatus.METHOD_NOT_ALLOWED: + readable_output = "Isolation is not allowed on policy." + + else: + raise # if there's a different HTTP status code, it's not an expected behavior. + + return CommandResults(readable_output=readable_output) + + +def computer_isolation_get_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Get information about a computer's isolation. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about a computer's isolation. + """ + connector_guid = args["connector_guid"] + + raw_response = client.computer_isolation_get_request( + connector_guid=connector_guid, + ) + + readable_output = get_readable_output( + response=raw_response, + header_by_keys=ISOLATION_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=ISOLATION_TITLE, + ) + context_output = get_context_output( + response=raw_response, + contexts_to_delete=["links"], + item_to_add=("connector_guid", connector_guid), + )[0] + + return CommandResults( + outputs_prefix="CiscoAMP.ComputerIsolation", + outputs_key_field="connector_guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def computer_isolation_create_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Put a computer in isolation. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about the computer's isolation. + """ + connector_guid = args["connector_guid"] + comment = args["comment"] + unlock_code = args["unlock_code"] + + raw_response = client.computer_isolation_create_request( + connector_guid=connector_guid, + comment=comment, + unlock_code=unlock_code, + ) + + readable_output = get_readable_output( + response=raw_response, + header_by_keys=ISOLATION_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=ISOLATION_TITLE, + ) + context_output = get_context_output( + response=raw_response, + contexts_to_delete=["links"], + item_to_add=("connector_guid", connector_guid), + )[0] + + return CommandResults( + outputs_prefix="CiscoAMP.ComputerIsolation", + outputs_key_field="connector_guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +@polling_function( + name="cisco-amp-computer-isolation-create", + interval=arg_to_number(demisto.args().get("interval_in_seconds", DEFAULT_INTERVAL)), + timeout=arg_to_number(demisto.args().get("timeout_in_seconds", DEFAULT_TIMEOUT)), + requires_polling_arg=False, +) +def computer_isolation_create_polling_command( + args: Dict[str, Any], **kwargs +) -> PollResult: + """ + Polling command to display the progress of computer isolation create command. + After the first run, progress will be shown through the computer isolation get command. + Computer isolation create command will run till its status is 'isolated' or 'pending_start'. + + Args: + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request and a Client. + + Returns: + PollResult: A result to return to the user which will be set as a CommandResults. + The result itself will depend on the stage of polling. + """ + return computer_isolation_polling_command( + client=kwargs["client"], + args=args, + computer_isolation_command=computer_isolation_create_command, + result_isolation_status=("isolated", "pending_start"), + ) + + +def computer_isolation_delete_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Stop a computer's in isolation. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about the computer's isolation. + """ + connector_guid = args["connector_guid"] + comment = args.get("comment") + + raw_response = client.computer_isolation_delete_request( + connector_guid=connector_guid, + comment=comment, + ) + + readable_output = get_readable_output( + response=raw_response, + header_by_keys=ISOLATION_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=ISOLATION_TITLE, + ) + context_output = get_context_output(raw_response, ["links"]) + + return CommandResults( + outputs_prefix="CiscoAMP.ComputerIsolation", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +@polling_function( + name="cisco-amp-computer-isolation-delete", + interval=arg_to_number(demisto.args().get("interval_in_seconds", DEFAULT_INTERVAL)), + timeout=arg_to_number(demisto.args().get("timeout_in_seconds", DEFAULT_TIMEOUT)), + requires_polling_arg=False, +) +def computer_isolation_delete_polling_command( + args: Dict[str, Any], **kwargs +) -> PollResult: + """ + Polling command to display the progress of computer isolation delete command. + After the first run, progress will be shown through the computer isolation get command. + Computer isolation delete command will run till its status is 'not_isolated' or 'pending_stop'. + + Args: + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request and a Client. + + Returns: + PollResult: A result to return to the user which will be set as a CommandResults. + The result itself will depend on the stage of polling. + """ + return computer_isolation_polling_command( + client=kwargs["client"], + args=args, + computer_isolation_command=computer_isolation_delete_command, + result_isolation_status=("not_isolated", "pending_stop"), + ) + + +def computer_isolation_polling_command( + client: Client, + args: Dict[str, Any], + computer_isolation_command: Callable, + result_isolation_status: Tuple[str, str], +) -> PollResult: + """ + _summary_ + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + computer_isolation_command (Callable): can be one of the two functions: + computer_isolation_create_command + computer_isolation_delete_command + result_isolation_status (Tuple[str, str]): Result status to end polling function, can be on of the two options: + ('isolated', 'pending_start') + ('not_isolated', 'pending_stop') + + Returns: + PollResult: A result to return to the user which will be set as a CommandResults. + The result itself will depend on the stage of polling. + """ + if "status" not in args: + command_results = computer_isolation_command(client, args) + + else: + command_results = computer_isolation_get_command(client, args) + + status = dict_safe_get(command_results.raw_response, ["data", "status"]) + + if status in result_isolation_status: + return PollResult( + response=command_results, + continue_to_poll=False, + ) + + args_for_next_run = {"status": status, **args} + + return PollResult( + response=command_results, + continue_to_poll=True, + args_for_next_run=args_for_next_run, + ) + + +def event_list_command(client: Client, args: Dict[str, Any]) -> List[CommandResults]: + """ + Get information about events with the option to filter them. + The command supports pagination. + If needed the response will be concatenated. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Raises: + ValueError: If detection_sha256 isn't a SHA-256 value. + ValueError: If application_sha256 isn't a SHA-256 value. + + Returns: + List[CommandResults]: Information about events. + """ + detection_sha256 = args.get("detection_sha256") + application_sha256 = args.get("application_sha256") + connector_guid = argToList(args.get("connector_guid")) + group_guid = argToList(args.get("group_guid")) + start_date = args.get("start_date") + event_type = argToList(args.get("event_type")) + event_type = [arg_to_number(et) for et in event_type if et is not None] + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + if detection_sha256 and not sha256Regex.match(detection_sha256): + raise ValueError("detection_sha256 must be: SHA-256") + + if application_sha256 and not sha256Regex.match(application_sha256): + raise ValueError("application_sha256 must be: SHA-256") + + pagination = get_pagination_parameters(page, page_size, limit) + raw_response_list: List[Dict[str, Any]] = [] + + # Run multiple requests according to pagination inputs. + for request_number in pagination_range(pagination): + raw_response_list.append( + client.event_list_request( + detection_sha256=detection_sha256, + application_sha256=application_sha256, + connector_guids=connector_guid, + group_guids=group_guid, + start_date=start_date, + event_types=event_type, # type: ignore # List[Optional[int]] arg_to_number; expected Optional[List[int]] + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + ) + ) + + raw_response: Dict[str, Any] = combine_response_results( + raw_response_list, pagination.is_automatic + ) + + context_outputs = get_context_output(raw_response, ["links"]) + + readable_output = get_results_readable_output(raw_response) + readable_output += get_readable_output( + response=raw_response, + header_by_keys=EVENT_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=EVENT_TITLE, + ) + + command_results = [] + + for context_output in context_outputs: + file_indicator = None + + if "file" in context_output: + sha256 = dict_safe_get(context_output, ["file", "identity", "sha256"]) + disposition = dict_safe_get(context_output, ["file", "disposition"]) + + dbot_score = get_dbotscore(client.reliability, sha256, disposition) + + file_indicator = Common.File( + md5=dict_safe_get(context_output, ["file", "identity", "md5"]), + sha1=dict_safe_get(context_output, ["file", "identity", "sha1"]), + sha256=sha256, + path=dict_safe_get(context_output, ["file", "file_path"]), + name=dict_safe_get(context_output, ["file", "file_name"]), + hostname=dict_safe_get(context_output, ["computer", "hostname"]), + relationships=dict_safe_get(context_output, ["file", "parent"]), + dbot_score=dbot_score, + ) + + command_results.append( + CommandResults( + outputs_prefix="CiscoAMP.Event", + outputs_key_field="id", + outputs=context_output, + raw_response=raw_response, + indicator=file_indicator, + ) + ) + + command_results.append(CommandResults(readable_output=readable_output)) + + return command_results + + +def event_type_list_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Get information about event types. + The command supports pagination. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about event types. + """ + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + pagination = get_pagination_parameters(page, page_size, limit) + raw_response = client.event_type_list_request() + + if pagination.is_manual: + start = (pagination.page - 1) * pagination.page_size + stop = pagination.page * pagination.page_size + + raw_response["data"] = raw_response["data"][start:stop] + + else: + raw_response["data"] = raw_response["data"][: pagination.limit] + + context_output = get_context_output(raw_response, ["links"]) + + readable_output = get_results_readable_output(raw_response) + readable_output += get_readable_output( + response=raw_response, + header_by_keys=EVENT_TYPE_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=EVENT_TYPE_TITLE, + ) + + return CommandResults( + outputs_prefix="CiscoAMP.EventType", + outputs_key_field="id", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def file_list_list_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Get information about policies. + The command supports pagination. + If needed the response will be concatenated. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about policies. + """ + file_list_type = args.get("file_list_type", "Application Blocking") + names = argToList(args.get("name")) + file_list_guid = args.get("file_list_guid") + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + file_list_request_by_type = { + "Application Blocking": client.file_list_application_blocking_list_request, + "Simple Custom Detection": client.file_list_simple_custom_detections_list_request, + } + + if not file_list_guid: + pagination = get_pagination_parameters(page, page_size, limit) + raw_response_list: List[Dict[str, Any]] = [] + + # Run multiple requests according to pagination inputs. + for request_number in pagination_range(pagination): + raw_response_list.append( + file_list_request_by_type[file_list_type]( + names=names, + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + ) + ) + + if not raw_response_list[-1]["data"]: + break + + raw_response: Dict[str, Any] = combine_response_results( + raw_response_list, pagination.is_automatic + ) + + else: + raw_response = client.file_list_get_request( + file_list_guid=file_list_guid, + ) + + readable_output = get_results_readable_output(raw_response) + readable_output += get_readable_output( + response=raw_response, + header_by_keys=FILE_LIST_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=FILE_LIST_TITLE, + ) + + context_output = get_context_output(raw_response, ["links"]) + + return CommandResults( + outputs_prefix="CiscoAMP.FileList", + outputs_key_field="guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def file_list_item_list_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Get information about file list items. + The command supports pagination. + If needed the response will be concatenated. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about file list items. + """ + file_list_guid = args["file_list_guid"] + sha256 = args.get("sha256") + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + if not sha256: + pagination = get_pagination_parameters(page, page_size, limit) + raw_response_list: List[Dict[str, Any]] = [] + + # Run multiple requests according to pagination inputs. + for request_number in pagination_range(pagination): + raw_response_list.append( + client.file_list_item_list_request( + file_list_guid=file_list_guid, + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + ) + ) + + if not raw_response_list[-1]["data"]: + break + + raw_response: Dict[str, Any] = combine_response_results( + raw_response_list, pagination.is_automatic + ) + + else: + raw_response = client.file_list_item_get_request( + file_list_guid=file_list_guid, + sha256=sha256, + ) + + readable_output = get_results_readable_output(raw_response) + readable_output += get_readable_output( + response=raw_response, + header_by_keys=FILE_LIST_ITEM_HEADERS_BY_KEYS, + keys_to_items_option_1=["data", "items"], + keys_to_items_option_2=["data"], + title=FILE_LIST_ITEM_TITLE, + ) + + if dict_safe_get(raw_response, ["data", "policies"]): + readable_output += get_readable_output( + response=raw_response, + header_by_keys=POLICY_HEADERS_BY_KEYS, + keys_to_items_option_1=["data", "policies"], + title=POLICY_TITLE, + ) + + context_output = get_context_output(raw_response, ["links"]) + + return CommandResults( + outputs_prefix="CiscoAMP.FileListItem", + outputs_key_field="sha256", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def file_list_item_create_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Create a new item for a file list. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about the new file list item. + """ + file_list_guid = args["file_list_guid"] + sha256 = args["sha256"] + description = args.get("description") + + raw_response = client.file_list_item_create_request( + file_list_guid=file_list_guid, + sha256=sha256, + description=description, + ) + + readable_output = get_readable_output( + response=raw_response, + header_by_keys=FILE_LIST_ITEM_HEADERS_BY_KEYS, + keys_to_items_option_1=["data", "items"], + keys_to_items_option_2=["data"], + title=FILE_LIST_ITEM_TITLE, + ) + + if dict_safe_get(raw_response, ["data", "policies"]): + readable_output += get_readable_output( + response=raw_response, + header_by_keys=POLICY_HEADERS_BY_KEYS, + keys_to_items_option_1=["data", "policies"], + title=POLICY_TITLE, + ) + + context_output = get_context_output(raw_response, ["links"]) + + return CommandResults( + outputs_prefix="CiscoAMP.FileListItem", + outputs_key_field="sha256", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def file_list_item_delete_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Delete an item from a file list. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Success message of the deleted item. + """ + file_list_guid = args["file_list_guid"] + sha256 = args["sha256"] + + raw_response = client.file_list_item_delete_request( + file_list_guid=file_list_guid, + sha256=sha256, + ) + + if "errors" in raw_response: + raise DemistoException( + message=f'Failed to delete-\nFile List GUID: "{file_list_guid}"\nSHA-256: "{sha256}" not found.', + res=raw_response, + ) + + readable_output = f'SHA-256: "{sha256}" Successfully deleted from File List GUID: "{file_list_guid}".' + + return CommandResults( + readable_output=readable_output, + raw_response=raw_response, + ) + + +def group_list_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Get information about groups with the option to filter by name. + The command supports pagination. + If needed the response will be concatenated. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about groups. + """ + group_guid = args.get("group_guid") + name = args.get("name") + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + if not group_guid: + pagination = get_pagination_parameters(page, page_size, limit) + raw_response_list: List[Dict[str, Any]] = [] + + # Run multiple requests according to pagination inputs. + for request_number in pagination_range(pagination): + raw_response_list.append( + client.group_list_request( + name=name, + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + ) + ) + + if not raw_response_list[-1]["data"]: + break + + raw_response: Dict[str, Any] = combine_response_results( + raw_response_list, pagination.is_automatic + ) + + readable_output = get_results_readable_output(raw_response) + readable_output += get_readable_output( + response=raw_response, + header_by_keys=GROUPS_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=GROUPS_TITLE, + ) + + else: + raw_response = client.group_get_request( + group_guid=group_guid, + ) + + readable_output = get_readable_output( + response=raw_response, + header_by_keys=GROUP_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=GROUP_TITLE, + ) + + context_output = get_context_output(raw_response, ["links"]) + + return CommandResults( + outputs_prefix="CiscoAMP.Group", + outputs_key_field="guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def group_policy_update_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Update a groups Policy and get information about the group. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Raises: + ValueError: Incase the user hasn't entered at least one policy GUID. + + Returns: + CommandResults: Information about the updated group. + """ + group_guid = args["group_guid"] + windows_policy_guid = args.get("windows_policy_guid") + mac_policy_guid = args.get("mac_policy_guid") + android_policy_guid = args.get("android_policy_guid") + linux_policy_guid = args.get("linux_policy_guid") + + has_no_policy_guid = not ( + any( + ( + windows_policy_guid, + mac_policy_guid, + android_policy_guid, + linux_policy_guid, + ) + ) + ) + + if has_no_policy_guid: + raise ValueError("At least one Policy GUID must be entered.") + + raw_response = client.group_policy_update_request( + group_guid=group_guid, + windows_policy_guid=windows_policy_guid, + mac_policy_guid=mac_policy_guid, + android_policy_guid=android_policy_guid, + linux_policy_guid=linux_policy_guid, + ) + + context_output = get_context_output(raw_response, ["links"]) + readable_output = get_readable_output( + response=raw_response, + header_by_keys=GROUP_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=GROUP_TITLE, + ) + + return CommandResults( + outputs_prefix="CiscoAMP.Group", + outputs_key_field="guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def group_parent_update_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Update a groups Policy and get information about the group. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Raises: + ValueError: Incase the user hasn't entered at least one policy GUID. + + Returns: + CommandResults: Information about the updated group. + """ + child_guid = args["child_guid"] + parent_group_guid = args.get("parent_group_guid") + + raw_response = client.group_parent_update_request( + child_guid=child_guid, + parent_group_guid=parent_group_guid, + ) + + context_output = get_context_output(raw_response, ["links"]) + readable_output = get_readable_output( + response=raw_response, + header_by_keys=GROUP_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=GROUP_TITLE, + ) + + return CommandResults( + outputs_prefix="CiscoAMP.Group", + outputs_key_field="guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def group_create_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Create a new group and get information about it. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about the new group. + """ + name = args["name"] + description = args["description"] + + raw_response = client.group_create_request( + name=name, + description=description, + ) + + context_output = get_context_output(raw_response, ["links"]) + readable_output = get_readable_output( + response=raw_response, + header_by_keys=GROUP_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=GROUP_TITLE, + ) + + return CommandResults( + outputs_prefix="CiscoAMP.Group", + outputs_key_field="guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def groups_delete_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Deletes a group and returns a result if the deletion has succeeded. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Raises: + ValueError: Incase the deletion has failed, raise an error. + + Returns: + CommandResults: Success message of the deleted group. + """ + group_guid = args["group_guid"] + + raw_response = client.group_delete_request(group_guid=group_guid) + + is_deleted = dict_safe_get(raw_response, ["data", "deleted"]) + + if not is_deleted: + raise DemistoException( + message=f'Failed to delete Group GUID: "{group_guid}".', + res=raw_response, + ) + + readable_output = f'Group GUID: "{group_guid}"\nSuccessfully deleted.' + + return CommandResults( + readable_output=readable_output, + raw_response=raw_response, + ) + + +def indicator_list_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Get information about indicators. + The command supports pagination. + If needed the response will be concatenated. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about indicators. + """ + indicator_guid = args.get("indicator_guid") + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + if not indicator_guid: + pagination = get_pagination_parameters(page, page_size, limit) + raw_response_list: List[Dict[str, Any]] = [] + + # Run multiple requests according to pagination inputs. + for request_number in pagination_range(pagination): + raw_response_list.append( + client.indicator_list_request( + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + ) + ) + + if not raw_response_list[-1]["data"]: + break + + raw_response: Dict[str, Any] = combine_response_results( + raw_response_list, pagination.is_automatic + ) + + else: + raw_response = client.indicator_get_request( + indicator_guid=indicator_guid, + ) + + readable_output = get_results_readable_output(raw_response) + readable_output += get_readable_output( + response=raw_response, + header_by_keys=INDICATOR_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=INDICATOR_TITLE, + ) + + if dict_safe_get(raw_response, ["data", "mitre", "tactics"]): + readable_output += get_readable_output( + response=raw_response, + header_by_keys=MITRE_HEADERS_BY_KEYS, + keys_to_items_option_1=["data", "mitre", "tactics"], + title=MITRE_TACTIC_TITLE, + ) + + if dict_safe_get(raw_response, ["data", "mitre", "techniques"]): + readable_output += get_readable_output( + response=raw_response, + header_by_keys=MITRE_HEADERS_BY_KEYS, + keys_to_items_option_1=["data", "mitre", "techniques"], + title=MITRE_TECHNIQUE_TITLE, + ) + + context_output = get_context_output(raw_response, ["links"]) + + return CommandResults( + outputs_prefix="CiscoAMP.Indicator", + outputs_key_field="guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def policy_list_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Get information about policies. + The command supports pagination. + If needed the response will be concatenated. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about policies. + """ + policy_guid = args.get("policy_guid") + products = argToList(args.get("product")) + names = argToList(args.get("name")) + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + if not policy_guid: + pagination = get_pagination_parameters(page, page_size, limit) + raw_response_list: List[Dict[str, Any]] = [] + + # Run multiple requests according to pagination inputs. + for request_number in pagination_range(pagination): + raw_response_list.append( + client.policy_list_request( + products=products, + names=names, + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + ) + ) + + if not raw_response_list[-1]["data"]: + break + + raw_response: Dict[str, Any] = combine_response_results( + raw_response_list, pagination.is_automatic + ) + + else: + raw_response = client.policy_get_request( + policy_guid=policy_guid, + ) + + readable_output = get_results_readable_output(raw_response) + readable_output += get_readable_output( + response=raw_response, + header_by_keys=POLICY_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=POLICY_TITLE, + ) + + context_output = get_context_output(raw_response, ["links"]) + + return CommandResults( + outputs_prefix="CiscoAMP.Policy", + outputs_key_field="guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def app_trajectory_query_list_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: + """ + Get app trajectory query for a given IOS bundle ID.. + The command supports pagination. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Information about an app trajectory. + """ + ios_bid = args["ios_bid"] + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + pagination = get_pagination_parameters(page, page_size, limit) + + raw_response = client.app_trajectory_query_list_request(ios_bid=ios_bid) + + if pagination.is_manual: + start = (pagination.page - 1) * pagination.page_size + stop = pagination.page * pagination.page_size + + raw_response["data"] = raw_response["data"][start:stop] + + else: + raw_response["data"] = raw_response["data"][: pagination.limit] + + context_output = get_context_output(raw_response, ["links"]) + readable_output = get_readable_output( + response=raw_response, + header_by_keys=APP_TRAJECTORY_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=APP_TRAJECTORY_TITLE, + ) + + return CommandResults( + outputs_prefix="CiscoAMP.AppTrajectoryQuery", + outputs_key_field="connector_guid", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def version_get_command( + client: Client, args: Dict[str, Any] +) -> CommandResults: # pylint: disable=unused-argument + """ + Get the current version of the API. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Current version of the API. + """ + raw_response = client.version_get_request() + + version = raw_response.get("version") + + readable_output = f"Version: {version}" + context_output = {"version": version} + + return CommandResults( + outputs_prefix="CiscoAMP.Version", + outputs_key_field="version", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def vulnerability_list_command(client: Client, args: Dict[str, Any]) -> CommandResults: + """ + Get information about vulnerabilities within computers. + The command supports pagination. + If needed the response will be concatenated. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Returns: + CommandResults: Vulnerabilities of computers. + """ + sha256 = args.get("sha256") + group_guid = argToList(args.get("group_guid")) + start_time = args.get("start_time") + end_time = args.get("end_time") + page = arg_to_number(args.get("page", 0)) + page_size = arg_to_number(args.get("page_size", 0)) + limit = arg_to_number(args.get("limit", 0)) + + pagination = get_pagination_parameters(page, page_size, limit) + raw_response_list: List[Dict[str, Any]] = [] + + # Run multiple requests according to pagination inputs. + for request_number in pagination_range(pagination): + if not sha256: + raw_response_list.append( + client.vulnerability_list_request( + group_guids=group_guid, + start_time=start_time, + end_time=end_time, + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + ) + ) + + else: + raw_response_list.append( + client.vulnerable_computers_list_request( + sha256=sha256, + group_guids=group_guid, + start_time=start_time, + end_time=end_time, + limit=pagination.limit, + offset=None + if pagination.offset is None + else pagination.offset * request_number, + ) + ) + + if not raw_response_list[-1]["data"]: + break + + raw_response: Dict[str, Any] = combine_response_results( + raw_response_list, pagination.is_automatic + ) + + readable_output = get_results_readable_output(raw_response) + if sha256: + readable_output += get_readable_output( + response=raw_response, + header_by_keys=VULNERABLE_COMPUTER_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=VULNERABLE_COMPUTER_TITLE, + ) + else: + readable_output += get_readable_output( + response=raw_response, + header_by_keys=VULNERABILITY_HEADERS_BY_KEYS, + keys_to_items_option_1=["data"], + title=VULNERABILITY_TITLE, + ) + + context_output = get_context_output(raw_response, ["links"]) + + return CommandResults( + outputs_prefix="CiscoAMP.Vulnerability", + outputs=context_output, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def endpoint_command(client: Client, args: Dict[str, Any]) -> List[CommandResults]: + """ + Generic command that returns information about an endpoint. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Raises: + DemistoException: Incase ID, IP or an hostname wasn't inserted + + Returns: + List[CommandResults]: A list of endpoint indicators. + """ + endpoint_ids = argToList(args.get("id")) + endpoint_ips = argToList(args.get("ip")) + endpoint_hostnames = argToList(args.get("hostname")) + + if not any((endpoint_ids, endpoint_ips, endpoint_hostnames)): + raise DemistoException( + "CiscoAMP - In order to run this command, please provide a valid id, ip or hostname" + ) + + responses = [] + + if endpoint_ids: + for endpoint_id in endpoint_ids: + response = client.computer_get_request(connector_guid=endpoint_id) + + responses.append(response) + + elif endpoint_ips: + for endpoint_ip in endpoint_ips: + response = client.computer_list_request(internal_ip=endpoint_ip) + + responses.append(response) + + else: + responses.append(client.computer_list_request(hostnames=endpoint_hostnames)) + + endpoints: List = [] + + for response in responses: + data_list = response["data"] + + if endpoint_ids: + data_list = [data_list] + + for data in data_list: + endpoint = Common.Endpoint( + id=data["connector_guid"], + ip_address=data["internal_ips"][0], + hostname=data["hostname"], + mac_address=data["network_addresses"][0]["mac"], + os=data["operating_system"], + os_version=data["os_version"], + status="Online" if data["active"] else "Offline", + vendor="CiscoAMP Response", + ) + + endpoint_context = endpoint.to_context().get(Common.Endpoint.CONTEXT_PATH) + readable_output = tableToMarkdown( + f'CiscoAMP - Endpoint {data["hostname"]}', endpoint_context + ) + + endpoints.append( + CommandResults( + readable_output=readable_output, + raw_response=response, + outputs_key_field="_id", + indicator=endpoint, + ) + ) + + return endpoints + + +def file_command(client: Client, args: Dict[str, Any]) -> List[CommandResults]: + """ + Generic command that returns information about files. + + Args: + client (Client): Cisco AMP client to run desired requests + args (Dict[str, Any]): Arguments passed down by the CLI to provide in the HTTP request. + + Raises: + ValueError: In case the file_hash isn't SHA256 + + Returns: + List[CommandResults]: Indicator for every file_hash + """ + files = argToList(args["file"]) + command_results: List[CommandResults] = [] + + for file_hash in files: + hash_type = get_hash_type(file_hash) + + if hash_type != "sha256": + raise ValueError(f'Cisco AMP: Hash "{file_hash}" is not of type SHA-256') + + raw_response = client.event_list_request(detection_sha256=file_hash) + + data_list = raw_response["data"] + + disposition = dict_safe_get(data_list[0], ["file", "disposition"]) + dbot_score = get_dbotscore(client.reliability, file_hash, disposition) + + file_indicator = Common.File( + md5=dict_safe_get(data_list[0], ["file", "identity", "md5"]), + sha1=dict_safe_get(data_list[0], ["file", "identity", "sha1"]), + sha256=file_hash, + path=dict_safe_get(data_list[0], ["file", "file_path"]), + name=dict_safe_get(data_list[0], ["file", "file_name"]), + hostname=dict_safe_get(data_list[0], ["computer", "hostname"]), + dbot_score=dbot_score, + ) + + for data in data_list[1:]: + disposition = dict_safe_get(data, ["file", "disposition"]) + dbot_score = get_dbotscore(client.reliability, file_hash, disposition) + + file_indicator.md5 = file_indicator.md5 or dict_safe_get( + data, ["file", "identity", "md5"] + ) + file_indicator.sha1 = file_indicator.sha1 or dict_safe_get( + data, ["file", "identity", "sha1"] + ) + file_indicator.path = file_indicator.path or dict_safe_get( + data, ["file", "file_path"] + ) + file_indicator.name = file_indicator.name or dict_safe_get( + data, ["file", "file_name"] + ) + file_indicator.hostname = file_indicator.hostname or dict_safe_get( + data, ["computer", "hostname"] + ) + file_indicator.dbot_score = file_indicator.dbot_score or dbot_score + + is_all_filled = ( + file_indicator.md5 + and file_indicator.sha1 + and file_indicator.sha256 + and file_indicator.path + and file_indicator.name + and file_indicator.hostname + and file_indicator.dbot_score + ) + + if is_all_filled: + break + + file_context = file_indicator.to_context().get(Common.File.CONTEXT_PATH) + readable_output = tableToMarkdown( + f"Cisco AMP - Hash Reputation for: {file_hash}", file_context + ) + + command_results.append( + CommandResults( + readable_output=readable_output, + outputs_prefix="", + raw_response=raw_response, + outputs_key_field="SHA256", + indicator=file_indicator, + ) + ) + + return command_results + + +""" HELPER FUNCTIONS """ # pylint: disable=pointless-string-statement + + +def pagination_range(pagination: Pagination) -> range: + """ + Generate a range according to pagination parameters. + + Args: + pagination (Pagination): parameters to be used to calculate the start and stop index. + + Returns: + range: A range according to pagination parameters + """ + return range( + pagination.offset_multiplier, + pagination.number_of_requests + pagination.offset_multiplier, + ) + + +def get_pagination_parameters( + page: Optional[int] = 0, + page_size: Optional[int] = 0, + limit: Optional[int] = 0, +) -> Pagination: + """ + Get the limit and offset required for the http request, + number of requests required and if the pagination is automatic, manual or none of them. + + Args: + page (Optional[int]): Page number to view. Defaults to None. + page_size (Optional[int]): Number of elements in each page. Defaults to None. + limit (Optional[int]): Total number of elements to return. Defaults to None. + + Raises: + ValueError: If both manual and automatic arguments have been filled. + + Returns: + Pagination: + page (int): Page number to view. + page_size (int): Number of elements in each page. + limit (int): Total number of elements to return. + offset (int): Number of 1st element to return. + number_of_requests (int): Number of http requests to make. + offset_multiplier (int): Multiply by 1 when number of requests is 1, otherwise 0. + is_automatic (bool): Whether the pagination type is automatic. + is_manual (bool): Whether the pagination type is manual. + """ + is_automatic: bool = limit != 0 + is_manual: bool = page != 0 or page_size != 0 + + if is_manual and is_automatic: + raise ValueError("page or page_size can not be entered with limit.") + + # Automatic Pagination + if is_automatic: + if limit > MAX_PAGE_SIZE: # type: ignore[operator] + number_of_requests = math.ceil(limit / MAX_PAGE_SIZE) # type: ignore[operator] + limit = MAX_PAGE_SIZE + offset = MAX_PAGE_SIZE + offset_multiplier = 0 + + else: + number_of_requests = 1 + offset = None + offset_multiplier = 1 + + # Manual Pagination + elif is_manual: + page = page or 1 + page_size = page_size or 1 + number_of_requests = 1 + limit = page_size + offset = (page - 1) * page_size + offset_multiplier = 1 + + # No Pagination + else: + number_of_requests = 1 + limit = MAX_PAGE_SIZE + offset = None + offset_multiplier = 1 + + return Pagination( + page, + page_size, + limit, + offset, + number_of_requests, + offset_multiplier, + is_automatic, + is_manual, + ) + + +def extract_pagination_from_response( + pagination: Pagination, raw_response: Dict[str, Any] +) -> Tuple[List, str]: + """ + Extract values from the response according to pagination parameters. + + Args: + pagination (Pagination): Pagination parameters to extract values according to. + raw_response (Dict[str, Any]): Raw response to extract values from. + + Returns: + Tuple[List, str]: Context output and Readable output. + """ + if pagination.is_manual: + start = (pagination.page - 1) * pagination.page_size + stop = pagination.page * pagination.page_size + + raw_response["data"]["events"] = raw_response["data"]["events"][start:stop] + + else: + raw_response["data"]["events"] = raw_response["data"]["events"][ + : pagination.limit + ] + + context_output = get_context_output(raw_response, ["links"]) + context_output = context_output[0]["events"] + add_item_to_all_dictionaries( + context_output, + "connector_guid", + dict_safe_get(raw_response, ["data", "computer", "connector_guid"]), + ) + + readable_output = get_computer_readable_output(raw_response) + readable_output += get_readable_output( + response=raw_response, + header_by_keys=TRAJECTORY_HEADERS_BY_KEYS, + keys_to_items_option_1=["data", "events"], + title=TRAJECTORY_TITLE, + ) + + return context_output, readable_output + + +def delete_keys_from_dict( + dictionary: MutableMapping, keys_to_delete: List[str] | Set[str] +) -> Dict[str, Any]: + """ + Get a modified dictionary without the requested keys + + Args: + dictionary (Dict[str, Any]): Dictionary to modify according to. + keys_to_delete (List[str]): Keys to not include in the modified dictionary. + + Returns: + Dict[str, Any]: Modified dictionary without requested keys. + """ + keys_set = set(keys_to_delete) + modified_dict: Dict[str, Any] = {} + + for key, value in dictionary.items(): + if key not in keys_set: + if isinstance(value, MutableMapping): + modified_dict[key] = delete_keys_from_dict(value, keys_set) + + elif ( + isinstance(value, MutableSequence) + and len(value) > 0 + and isinstance(value[0], MutableMapping) + ): + modified_dict[key] = [ + delete_keys_from_dict(val, keys_set) for val in value + ] + + else: + modified_dict[key] = copy.deepcopy(value) + + return modified_dict + + +def add_item_to_all_dictionaries( + dictionaries: List[Dict[str, Any]], key: str, value: Any +) -> None: + for dictionary in dictionaries: + dictionary[key] = value + + +def validate_query( + accept_ipv4: bool, + accept_url: bool, + accept_sha256: bool, + accept_filename: bool, + query: str = None, +) -> bool: + """ + Check if the query is empty or the format is correct. + + Args: + accept_ipv4 (bool): Validate IPv4. + accept_url (bool): Validate URL. + accept_sha256 (bool): Validate SHA256. + accept_filename (bool): Validate Filename. + query (str, optional): Query string in some format. + Defaults to None. + + Returns: + bool: Whether the query is correct or not. + """ + if not query: + return True + + is_sha256 = accept_sha256 and sha256Regex.match(query) + is_ipv4 = accept_ipv4 and re.match(ipv4Regex, query) + is_url = accept_url and re.match(urlRegex, query) + is_filename = accept_filename and re.match(FILENAME_REGEX, query) + + return any( + ( + is_sha256, + is_ipv4, + is_url, + is_filename, + ) + ) + + +def get_dbotscore( + reliability: str, sha256: str = None, disposition: str = None +) -> Common.DBotScore: + """ + Get XSOAR score for the file's disposition. + + Args: + reliability (str): Reliability of the source providing the intelligence data. + sha256 (str, optional): SHA256 of the file. + Defaults to None. + disposition (str, optional): 3rd party score of the file's disposition. + Defaults to None. + + Returns: + Common.DBotScore: DBot Score according to the disposition. + """ + if disposition == "Malicious": + score = Common.DBotScore.BAD + + elif disposition == "Clean": + score = Common.DBotScore.GOOD + + else: + score = Common.DBotScore.NONE + + return Common.DBotScore( + indicator=sha256, + indicator_type=DBotScoreType.FILE, + integration_name="CiscoAMP", + malicious_description=disposition, + reliability=reliability, + score=score, + ) + + +def combine_response_results( + raw_response_list: List[Dict[str, Any]], is_automatic: bool = False +) -> Dict[str, Any]: + """ + If the pagination is automatic combine the results returned from all the http requests. + + Args: + raw_response_list (List[Dict[str, Any]]): List of responses from the server. + is_automatic (bool, optional): Whether the pagination is automatic. Defaults to False. + + Returns: + Dict[str, Any]: Concatenated response from the server. + """ + concatenated_raw_response: Dict[str, Any] = raw_response_list[0] + + if not is_automatic: + return concatenated_raw_response + + for raw_response in raw_response_list[1:]: + concatenated_raw_response["metadata"]["results"][ + "current_item_count" + ] += dict_safe_get(raw_response, ["metadata", "results", "current_item_count"]) + concatenated_raw_response["data"].extend(raw_response["data"]) + + concatenated_raw_response["metadata"]["results"][ + "items_per_page" + ] = concatenated_raw_response["metadata"]["results"]["current_item_count"] + + return concatenated_raw_response + + +def get_context_output( + response: Dict[str, Any], + contexts_to_delete: List[str], + item_to_add: Tuple[str, Any] = None, +) -> List[Dict[str, Any]]: + """ + Get context output from the response. + Loop through each value and create a modified response without the contexts_to_delete. + + Args: + response (List[Dict[str, Any]] | Dict[str, Any]): Raw response from the API. + contexts_to_delete (List[str]): Context outputs to leave out. + + Returns: + List[Dict[str, Any]]: Context output for the response. + """ + data_list = response.get("data") + + if not isinstance(data_list, List): + data_list = [data_list] + + context_outputs: List[Dict[str, Any]] = [] + + for data in data_list: + modified_data = delete_keys_from_dict(data, contexts_to_delete) + context_outputs.append(modified_data) + + if item_to_add: + for context_output in context_outputs: + context_output |= { + item_to_add[0]: item_to_add[1], + } + + return context_outputs + + +def get_results_readable_output(response: Dict[str, Any]) -> str: + """ + Get relevant information for the readable output. + + Args: + response (Dict[str, Any]): Raw response from the API. + + Returns: + str: Readable output for results in tableToMarkdown value. + """ + results = dict_safe_get(response, ["metadata", "results"]) + + if not results: + return "" + + readable_output = tableToMarkdown( + "Results", + results, + headerTransform=string_to_table_header, + removeNull=True, + ) + + return readable_output + + +def get_readable_output( + response: Dict[str, Any], + header_by_keys: Dict[str, List[str]], + keys_to_items_option_1: List[str], + keys_to_items_option_2: List[str] = [], + title: str = "", +) -> str: + """ + Get a response's readable output by formatting it through its headers. + + Args: + response (Dict[str, Any]): API response. + header_by_keys (Dict[str, List[str]]): headers by a list of keys to the response value. + keys_to_items_option_1 (List[str]): list of keys 1st option to the response value. + keys_to_items_option_2 (List[str], optional): list of keys to the response value, incase 1st failed. + Defaults to None. + title (str, optional): readable output title. + Defaults to ''. + + Returns: + str: readable output of the API response. + """ + if not (items := dict_safe_get(response, keys_to_items_option_1)): + items = dict_safe_get(response, keys_to_items_option_2) + + if not items: + return "" + + item_readable_arguments: List[Dict[str, Any]] = [] + headers = [header for header in header_by_keys] + + if not isinstance(items, List): + items = [items] + + for item in items: + dictionary: Dict[str, Any] = {} + + for key, value in header_by_keys.items(): + dictionary[key] = dict_safe_get(item, value) + + item_readable_arguments.append(dictionary) + + readable_output = tableToMarkdown( + title, + item_readable_arguments, + headers=headers, + removeNull=True, + ) + + return readable_output + + +def get_computer_readable_output(response: Dict[str, Any]) -> str: + """ + Get relevant information for the readable output. + If the raw response is of a single computer, cast it to a list. + + Args: + response (Dict[str, Any]): Raw response from the API. + + Returns: + str: Readable output for computers in tableToMarkdown value. + """ + if not (computers := dict_safe_get(response, ["data", "computer"])): + computers = response.get("data") + + if not isinstance(computers, List): + computers = [computers] + + operating_system_format = "{operating_system} (Build {os_version})" + readable_arguments: List[Dict[str, Any]] = [] + + for computer in computers: + readable_arguments.append( + { + "Host Name": computer.get("hostname"), + "Connector GUID": computer.get("connector_guid"), + "Operating System": operating_system_format.format( + operating_system=computer.get("operating_system"), + os_version=computer.get("os_version"), + ), + "External IP": computer.get("external_ip"), + "Group GUID": computer.get("group_guid"), + "Policy GUID": dict_safe_get(computer, ["policy", "guid"]), + } + ) + + headers = [ + "Host Name", + "Connector GUID", + "Operating System", + "External IP", + "Group GUID", + "Policy GUID", + ] + + readable_output = tableToMarkdown( + "Computer Information", + readable_arguments, + headers=headers, + removeNull=True, + ) + + return readable_output + + +def get_isolation_options_readable_output(response: requests.Response) -> str: + """ + Get relevant information for the readable output. + + Args: + response (requests.Response): Raw response from the API. + + Returns: + str: Readable output for isolation options. + """ + readable_output: str = "" + options_string = response.headers.get("Allow") + + if not options_string: + return readable_output + + options = options_string.split(", ") + + message_by_option = { + "GET": "Can get information about an isolation with computer-isolation-get", + "PUT": "Can request to create a new isolation with computer-isolation-create", + "DELETE": "Can request to stop the isolation with computer-isolation-delete", + } + + for option in options: + if message := message_by_option.get(option): + readable_output += f"{message}\n" + + return readable_output + + +""" MAIN FUNCTION """ # pylint: disable=pointless-string-statement + + +def main() -> None: + """ + Get the needed user's input params and initialize a Client with them. + Check the user's input command with if statements and a dictionary. + + Raises: + NotImplementedError: An error if the input command hasn't been implemented + """ + params: Dict[str, Any] = demisto.params() + args: Dict[str, Any] = demisto.args() + command = demisto.command() + + server_url = params["server_url"] + client_id = params["credentials"]["identifier"] + api_key = params["credentials"]["password"] + verify_certificate = not params.get("insecure", False) + reliability = params.get("integrationReliability", DBotScoreReliability.C) + proxy = params.get("proxy", False) + + if DBotScoreReliability.is_valid_type(reliability): + reliability = DBotScoreReliability.get_dbot_score_reliability_from_str( + reliability + ) + else: + raise Exception( + "Please provide a valid value for the Source Reliability parameter." + ) + + commands = { + "cisco-amp-computer-list": computer_list_command, + "cisco-amp-computer-trajectory-list": computer_trajectory_list_command, + "cisco-amp-computer-user-activity-list": computer_user_activity_list_command, + "cisco-amp-computer-user-trajectory-list": computer_user_trajectory_list_command, + "cisco-amp-computer-vulnerabilities-list": computer_vulnerabilities_list_command, + "cisco-amp-computer-move": computer_move_command, + "cisco-amp-computer-delete": computer_delete_command, + "cisco-amp-computer-activity-list": computer_activity_list_command, + "cisco-amp-computer-isolation-feature-availability-get": computers_isolation_feature_availability_get_command, + "cisco-amp-computer-isolation-get": computer_isolation_get_command, + "cisco-amp-computer-isolation-create": computer_isolation_create_polling_command, + "cisco-amp-computer-isolation-delete": computer_isolation_delete_polling_command, + "cisco-amp-event-list": event_list_command, + "cisco-amp-event-type-list": event_type_list_command, + "cisco-amp-file-list-list": file_list_list_command, + "cisco-amp-file-list-item-list": file_list_item_list_command, + "cisco-amp-file-list-item-create": file_list_item_create_command, + "cisco-amp-file-list-item-delete": file_list_item_delete_command, + "cisco-amp-group-list": group_list_command, + "cisco-amp-group-policy-update": group_policy_update_command, + "cisco-amp-group-parent-update": group_parent_update_command, + "cisco-amp-group-create": group_create_command, + "cisco-amp-group-delete": groups_delete_command, + "cisco-amp-indicator-list": indicator_list_command, + "cisco-amp-policy-list": policy_list_command, + "cisco-amp-app-trajectory-query-list": app_trajectory_query_list_command, + "cisco-amp-version-get": version_get_command, + "cisco-amp-vulnerability-list": vulnerability_list_command, + "endpoint": endpoint_command, + "file": file_command, + } + + demisto.debug(f"Command being called is {command}") + + try: + client = Client( + server_url=server_url, + api_key=api_key, + client_id=client_id, + verify=verify_certificate, + reliability=reliability, + proxy=proxy, + ) + + if command == "test-module": + return_results(test_module(client)) + + elif command == "fetch-incidents": + incident_severities = argToList(params.get("incident_severities")) + max_incidents_to_fetch = arg_to_number(params.get("max_fetch", FETCH_LIMIT)) + event_types = argToList(params.get("event_types")) + first_fetch_datetime = arg_to_datetime( + arg=params["first_fetch"], arg_name="First fetch time", required=True + ) + + if not isinstance(max_incidents_to_fetch, int): + raise ValueError("Failed to get max fetch.") + + if not isinstance(first_fetch_datetime, datetime): + raise ValueError("Failed to get first fetch time.") + + first_fetch_time = first_fetch_datetime.strftime(ISO_8601_FORMAT) + + next_run, incidents = fetch_incidents( + client=client, + last_run=demisto.getLastRun(), + first_fetch_time=first_fetch_time, + incident_severities=incident_severities, + max_incidents_to_fetch=max_incidents_to_fetch, + event_types=event_types, + ) + + demisto.setLastRun(next_run) + demisto.incidents(incidents) + + elif command in commands: + return_results(commands[command](args=args, client=client)) + + else: + raise NotImplementedError(f"Command doesn't exist - {command}") + + except Exception as exc: # pylint: disable=broad-except + demisto.error(traceback.format_exc()) + return_error(f"Failed to execute {command} command.\nError:\n{str(exc)}") + + +if __name__ in ("__main__", "__builtin__", "builtins"): + main() diff --git a/Packs/AMP/Integrations/AMPv2/AMPv2.yml b/Packs/AMP/Integrations/AMPv2/AMPv2.yml new file mode 100644 index 000000000000..f2e552528e6c --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/AMPv2.yml @@ -0,0 +1,2017 @@ +category: Endpoint +commonfields: + id: AMPv2 + version: -1 +configuration: +- defaultvalue: https://api.amp.cisco.com + display: Server URL + name: server_url + required: true + type: 0 +- display: Third Party API Client ID + name: credentials + required: true + displaypassword: API Key + type: 9 +- defaultvalue: 'false' + display: Trust any certificate (not secure) + name: insecure + required: false + type: 8 +- additionalinfo: Reliability of the source providing the intelligence data. + defaultvalue: C - Fairly reliable + display: Source Reliability + name: integrationReliability + options: + - A+ - 3rd party enrichment + - A - Completely reliable + - B - Usually reliable + - C - Fairly reliable + - D - Not usually reliable + - E - Unreliable + - F - Reliability cannot be judged + required: true + type: 15 +- defaultvalue: 'false' + display: Use system proxy settings + name: proxy + required: false + type: 8 +- additionalinfo: Maximum number of incidents per fetch. The maximum is 200. + defaultvalue: 50 + display: Maximum incidents to fetch. + hidden: false + name: max_fetch + required: false + type: 0 +- display: Incident severity to fetch. + name: incident_severities + options: + - Low + - Medium + - High + - Critical + required: false + type: 16 +- defaultvalue: 3 days + display: First fetch time + additionalinfo: First alert created date to fetch. e.g., "1 min ago","2 weeks ago","3 months ago" + name: first_fetch + required: false + type: 0 +- display: Event types + name: event_types + additionalinfo: Comma-separated list of event type IDs. The IDs can be retrieved from the cisco-amp-event-type-list command. + required: false + type: 0 +- display: Incident type + name: incidentType + required: false + type: 13 +- display: Fetch incidents + name: isFetch + required: false + type: 8 +description: Cisco Advanced Malware Protection software is designed to prevent, detect, and help remove threats in an efficient manner from computer systems. Threats can take the form of software viruses and other malware such as ransomware, worms, Trojans, spyware, adware, and fileless malware. +display: Cisco AMP v2 +name: AMPv2 +script: + commands: + - arguments: + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + - description: The connector GUID for a specific computer. + isArray: false + name: connector_guid + required: false + - description: Comma-separated list of host names to filter by (has auto complete capabilities). + isArray: true + name: hostname + required: false + - description: Internal IP to filter by. + isArray: false + name: internal_ip + required: false + - description: External IP to filter by. + isArray: false + name: external_ip + required: false + - description: Comma-separated list of group GUIDs to filter by. + isArray: true + name: group_guid + required: false + - description: Time range to filter by. + isArray: false + name: last_seen_within + required: false + - description: Time range to filter over by. + isArray: false + name: last_seen_over + required: false + deprecated: false + description: Fetch computers to show information about them. Can be filtered by a variety of criteria. + execution: false + name: cisco-amp-computer-list + outputs: + - type: String + contextPath: CiscoAMP.Computer.connector_guid + description: GUID of the connector. + - type: String + contextPath: CiscoAMP.Computer.hostname + description: Host's name. + - type: String + contextPath: CiscoAMP.Computer.windows_processor_id + description: Windows processor ID. + - type: Boolean + contextPath: CiscoAMP.Computer.active + description: Whether the computer is active. + - type: String + contextPath: CiscoAMP.Computer.connector_version + description: Version of the connector. + - type: String + contextPath: CiscoAMP.Computer.operating_system + description: Operating system of the computer. + - type: String + contextPath: CiscoAMP.Computer.os_version + description: Operating system version. + - type: String + contextPath: CiscoAMP.Computer.internal_ips + description: List of internal IPs. + - type: String + contextPath: CiscoAMP.Computer.external_ip + description: External IP. + - type: String + contextPath: CiscoAMP.Computer.group_guid + description: GUID of the group. + - type: Date + contextPath: CiscoAMP.Computer.install_date + description: Installation date. + - type: Boolean + contextPath: CiscoAMP.Computer.is_compromised + description: Whether the computer is compromised. + - type: Boolean + contextPath: CiscoAMP.Computer.demo + description: Whether the computer is a demo. + - type: String + contextPath: CiscoAMP.Computer.network_addresses.mac + description: List of MAC addresses. + - type: String + contextPath: CiscoAMP.Computer.network_addresses.ip + description: List of IP addresses. + - type: String + contextPath: CiscoAMP.Computer.policy.guid + description: GUID of the policy. + - type: String + contextPath: CiscoAMP.Computer.policy.name + description: Name of the policy. + - type: String + contextPath: CiscoAMP.Computer.groups.guid + description: GUID of the group. + - type: String + contextPath: CiscoAMP.Computer.groups.name + description: Name of the group. + - type: Date + contextPath: CiscoAMP.Computer.last_seen + description: Last date seen. + - type: String + contextPath: CiscoAMP.Computer.faults + description: Faults. + - type: Boolean + contextPath: CiscoAMP.Computer.isolation.available + description: Whether the isolation is available. + - type: String + contextPath: CiscoAMP.Computer.isolation.status + description: Status of the isolation. + - type: String + contextPath: CiscoAMP.Computer.orbital.status + description: Status of the orbital. + - contextPath: Endpoint.Hostname + description: The hostname of the endpoint. + type: String + - contextPath: Endpoint.ID + description: The endpoint's identifier. + type: String + - contextPath: Endpoint.IPAddress + description: The endpoint's IP address. + type: String + - contextPath: Endpoint.OS + description: The endpoint's operating system. + type: String + - contextPath: Endpoint.OSVersion + description: The endpoint's operating system's version. + type: String + - contextPath: Endpoint.Status + description: The status of the endpoint (online/offline). + type: String + - contextPath: Endpoint.MACAddress + description: The endpoint's MAC address. + type: String + - contextPath: Endpoint.Vendor + description: The integration name of the endpoint vendor. + type: String + - arguments: + - description: The connector GUID for a specific computer. + isArray: false + name: connector_guid + required: true + - description: 'Freeform query string that currently accepts an: IP address, SHA-256, or URL.' + isArray: false + name: query_string + required: false + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 5000. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + deprecated: false + description: Provides a list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP console. + execution: false + name: cisco-amp-computer-trajectory-list + outputs: + - type: String + contextPath: CiscoAMP.ComputerTrajectory.connector_guid + description: GUID of the connector. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.id + description: Event's ID. + - type: Number + contextPath: CiscoAMP.ComputerTrajectory.timestamp + description: Event's timestamp. + - type: Number + contextPath: CiscoAMP.ComputerTrajectory.timestamp_nanoseconds + description: Event's timestamp in nano seconds. + - type: Date + contextPath: CiscoAMP.ComputerTrajectory.date + description: Event's date. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.event_type + description: Event's type. + - type: Number + contextPath: CiscoAMP.ComputerTrajectory.event_type_id + description: Event's type ID. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.group_guids + description: Group GUID. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.severity + description: Event's severity. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.detection + description: Event's detection. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.detection_id + description: Event's detection ID. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.file.disposition + description: Disposition of the file. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.file.file_name + description: Name of the file. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.file.file_path + description: Path to the file. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.file.file_type + description: Type of the file. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.file.identity.sha256 + description: File's SHA-256. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.file.identity.sha1 + description: File's SHA-1. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.file.identity.md5 + description: File's MD5. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.file.parent.disposition + description: Disposition of parent. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.file.parent.identity.sha256 + description: SHA-256 of parent. + - type: String + contextPath: CiscoAMP.ComputerTrajectory.scan.description + description: Description of the scan. + - type: Boolean + contextPath: CiscoAMP.ComputerTrajectory.scan.clean + description: Whether the scan is clean. + - type: Number + contextPath: CiscoAMP.ComputerTrajectory.scan.scanned_files + description: Number of scanned files. + - type: Number + contextPath: CiscoAMP.ComputerTrajectory.scan.scanned_processes + description: Number of scanned processes. + - type: Number + contextPath: CiscoAMP.ComputerTrajectory.scan.scanned_paths + description: Number of scanned paths. + - type: Number + contextPath: CiscoAMP.ComputerTrajectory.scan.malicious_detections + description: Number of malicious detections. + - arguments: + - description: Username to filter by. + isArray: false + name: username + required: true + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + deprecated: false + description: Fetch a list of computers that have observed activity by the given username. + execution: false + name: cisco-amp-computer-user-activity-list + outputs: + - contextPath: CiscoAMP.ComputerUserActivity.connector_guid + description: GUID of the connector. + type: String + - contextPath: CiscoAMP.ComputerUserActivity.hostname + description: Host's name. + type: String + - contextPath: CiscoAMP.ComputerUserActivity.active + description: Whether the computer is active. + type: Boolean + - arguments: + - description: The connector GUID for a specific computer. + isArray: false + name: connector_guid + required: true + - description: Username to filter by. + isArray: false + name: username + required: false + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 5000. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + deprecated: false + description: Fetch a specific computer's trajectory with a given connector GUID and filter for events with user name activity. + execution: false + name: cisco-amp-computer-user-trajectory-list + outputs: + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.connector_guid + description: GUID of the connector. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.id + description: Event's ID. + - type: Number + contextPath: CiscoAMP.ComputerUserTrajectory.timestamp + description: Event's timestamp. + - type: Number + contextPath: CiscoAMP.ComputerUserTrajectory.timestamp_nanoseconds + description: Event's timestamp in nano seconds. + - type: Date + contextPath: CiscoAMP.ComputerUserTrajectory.date + description: Event's date. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.event_type + description: Event's type. + - type: Number + contextPath: CiscoAMP.ComputerUserTrajectory.event_type_id + description: Event's type ID. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.group_guids + description: Group GUID. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.severity + description: Event's severity. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.detection + description: Event's detection. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.detection_id + description: Event's detection ID. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.file.disposition + description: Disposition of the file. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.file.file_name + description: Name of the file. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.file.file_path + description: Path to the file. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.file.file_type + description: Type of the file. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.file.identity.sha256 + description: File's SHA-256. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.file.identity.sha1 + description: File's SHA-1. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.file.identity.md5 + description: File's MD5. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.file.parent.disposition + description: Disposition of parent. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.file.parent.identity.sha256 + description: SHA-256 of parent. + - type: String + contextPath: CiscoAMP.ComputerUserTrajectory.scan.description + description: Description of the scan. + - type: Boolean + contextPath: CiscoAMP.ComputerUserTrajectory.scan.clean + description: Whether the scan is clean. + - type: Number + contextPath: CiscoAMP.ComputerUserTrajectory.scan.scanned_files + description: Number of scanned files. + - type: Number + contextPath: CiscoAMP.ComputerUserTrajectory.scan.scanned_processes + description: Number of scanned processes. + - type: Number + contextPath: CiscoAMP.ComputerUserTrajectory.scan.scanned_paths + description: Number of scanned paths. + - type: Number + contextPath: CiscoAMP.ComputerUserTrajectory.scan.malicious_detections + description: Number of malicious detections. + - arguments: + - description: The connector GUID for a specific computer. + isArray: false + name: connector_guid + required: true + - description: The start date and time expressed according to ISO 8601. The retrieved list will include vulnerable programs detected at start_time. + isArray: false + name: start_time + required: false + - description: The end date and/or time expressed according to ISO 8601. Exclusive - if end_time is a time, the list will only include vulnerable programs detected before end_time). Inclusive - if end_time is a date, the list will include vulnerable programs detected on the date. + isArray: false + name: end_time + required: false + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + deprecated: false + description: Provides a list of vulnerabilities observed on a specific computer. The vulnerabilities can be filtered to show only vulnerable applications observed for a specific time range. + execution: false + name: cisco-amp-computer-vulnerabilities-list + outputs: + - type: String + contextPath: CiscoAMP.ComputerVulnerability.connector_guid + description: GUID of the connector. + - type: String + contextPath: CiscoAMP.ComputerVulnerability.application + description: Name of the application. + - type: String + contextPath: CiscoAMP.ComputerVulnerability.version + description: Version of the application. + - type: String + contextPath: CiscoAMP.ComputerVulnerability.file.filename + description: Name of the file. + - type: String + contextPath: CiscoAMP.ComputerVulnerability.file.identity.sha256 + description: File's SHA-256. + - type: String + contextPath: CiscoAMP.ComputerVulnerability.file.identity.sha1 + description: File's SHA-1. + - type: String + contextPath: CiscoAMP.ComputerVulnerability.file.identity.md5 + description: File's MD5. + - type: String + contextPath: CiscoAMP.ComputerVulnerability.cves.id + description: Common vulnerability exposure ID. + - type: String + contextPath: CiscoAMP.ComputerVulnerability.cves.link + description: Common vulnerability exposure link. + - type: Number + contextPath: CiscoAMP.ComputerVulnerability.cves.cvss + description: Common vulnerability scoring system. + - type: Number + contextPath: CiscoAMP.ComputerVulnerability.latest_timestamp + description: Vulnerability latest timestamp. + - type: Date + contextPath: CiscoAMP.ComputerVulnerability.latest_date + description: Vulnerability latest date. + - arguments: + - description: The connector GUID for a specific computer. + isArray: false + name: connector_guid + required: true + - description: Group GUID to move the computer to. + isArray: false + name: group_guid + required: true + deprecated: false + description: Moves a computer to a group with the given connector_guid and group_guid. + execution: false + name: cisco-amp-computer-move + outputs: + - type: String + contextPath: CiscoAMP.Computer.connector_guid + description: GUID of the connector. + - type: String + contextPath: CiscoAMP.Computer.hostname + description: Host's name. + - type: String + contextPath: CiscoAMP.Computer.windows_processor_id + description: Windows processor ID. + - type: Boolean + contextPath: CiscoAMP.Computer.active + description: Whether the computer is active. + - type: String + contextPath: CiscoAMP.Computer.connector_version + description: Version of the connector. + - type: String + contextPath: CiscoAMP.Computer.operating_system + description: Operating system of the computer. + - type: String + contextPath: CiscoAMP.Computer.os_version + description: Operating system version. + - type: String + contextPath: CiscoAMP.Computer.internal_ips + description: List of internal IPs. + - type: String + contextPath: CiscoAMP.Computer.external_ip + description: External IP. + - type: String + contextPath: CiscoAMP.Computer.group_guid + description: GUID of the group. + - type: Date + contextPath: CiscoAMP.Computer.install_date + description: Installation date. + - type: Boolean + contextPath: CiscoAMP.Computer.is_compromised + description: Whether the computer is compromised. + - type: Boolean + contextPath: CiscoAMP.Computer.demo + description: Whether the computer is a demo. + - type: String + contextPath: CiscoAMP.Computer.network_addresses.mac + description: List of MAC addresses. + - type: String + contextPath: CiscoAMP.Computer.network_addresses.ip + description: List of IP addresses. + - type: String + contextPath: CiscoAMP.Computer.policy.guid + description: GUID of the policy. + - type: String + contextPath: CiscoAMP.Computer.policy.name + description: Name of the policy. + - type: String + contextPath: CiscoAMP.Computer.groups.guid + description: GUID of the group. + - type: String + contextPath: CiscoAMP.Computer.groups.name + description: Name of the group. + - type: Date + contextPath: CiscoAMP.Computer.last_seen + description: Last date seen. + - type: String + contextPath: CiscoAMP.Computer.faults + description: Faults. + - type: Boolean + contextPath: CiscoAMP.Computer.isolation.available + description: Whether the isolation is available. + - type: String + contextPath: CiscoAMP.Computer.isolation.status + description: Status of the isolation. + - type: String + contextPath: CiscoAMP.Computer.orbital.status + description: Status of the orbital. + - arguments: + - description: The connector GUID for a specific computer. + isArray: false + name: connector_guid + required: true + deprecated: false + description: Deletes a specific computer with given connector_guid. + execution: false + name: cisco-amp-computer-delete + - arguments: + - description: 'Freeform query string which currently accepts: IPv4 address (CIDR not supported), SHA-256, file name, and a URL fragment.' + isArray: false + name: query_string + required: true + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + deprecated: false + description: Fetch a list of computers that have observed files with a given file name. Provides the ability to search all computers across an organization for any events or activities associated with a file or network operation, and returns computers matching those criteria. There is a hard limit of 5000 historical entries searched. + execution: false + name: cisco-amp-computer-activity-list + outputs: + - contextPath: CiscoAMP.ComputerActivity.connector_guid + description: GUID of the connector. + type: String + - contextPath: CiscoAMP.ComputerActivity.hostname + description: Host's name. + type: String + - contextPath: CiscoAMP.ComputerActivity.windows_processor_id + description: Windows processor ID. + type: String + - contextPath: CiscoAMP.ComputerActivity.active + description: Whether the computer is active. + type: Boolean + - arguments: + - description: The connector GUID for a specific computer. + isArray: false + name: connector_guid + required: true + deprecated: false + description: Performs a feature availability request on a computer. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation. + execution: false + name: cisco-amp-computer-isolation-feature-availability-get + - arguments: + - description: The connector GUID for a specific computer. + isArray: false + name: connector_guid + required: true + deprecated: false + description: Returns a fine-grained isolation status for a computer. The available flag is set to true if isolation can be performed on the computer. Status will be set to one of - not_isolated, pending_start, isolated and pending_stop. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation. + execution: false + name: cisco-amp-computer-isolation-get + outputs: + - contextPath: CiscoAMP.ComputerIsolation.connector_guid + description: ID of the connector. + type: String + - contextPath: CiscoAMP.ComputerIsolation.available + description: Set to true if isolation can be performed on the computer. + type: Boolean + - contextPath: CiscoAMP.ComputerIsolation.status + description: "Status of the computer isolation. Will be set to one of: not_isolated, pending_start, isolated and pending_stop." + type: String + - contextPath: CiscoAMP.ComputerIsolation.unlock_code + description: Isolation unlock code. + type: String + - contextPath: CiscoAMP.ComputerIsolation.comment + description: Isolation comment. + type: String + - contextPath: CiscoAMP.ComputerIsolation.ccms_message_guid + description: Cisco Cluster Management Suite message GUID. + type: String + - contextPath: CiscoAMP.ComputerIsolation.ccms_job_guid + description: Cisco Cluster Management Suite job GUID. + type: String + - arguments: + - description: The interval in seconds between each poll. + isArray: false + name: interval_in_seconds + required: false + defaultValue: '30' + - description: The timeout in seconds until polling ends. + isArray: false + name: timeout_in_seconds + required: false + defaultValue: '600' + - description: The connector GUID for a specific computer. + isArray: false + name: connector_guid + required: true + - description: Comment for isolation. + isArray: false + name: comment + required: true + - description: Isolation unlock code. + isArray: false + name: unlock_code + required: true + - description: Status of the current run. + isArray: false + name: status + required: false + deprecated: false + description: Request isolation for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation. + execution: false + name: cisco-amp-computer-isolation-create + polling: true + outputs: + - contextPath: CiscoAMP.ComputerIsolation.connector_guid + description: ID of the connector. + type: String + - contextPath: CiscoAMP.ComputerIsolation.available + description: Set to true if isolation can be performed on the computer. + type: Boolean + - contextPath: CiscoAMP.ComputerIsolation.status + description: "Status of the computer isolation. Will be set to one of: not_isolated, pending_start, isolated and pending_stop." + type: String + - contextPath: CiscoAMP.ComputerIsolation.unlock_code + description: Isolation unlock code. + type: String + - contextPath: CiscoAMP.ComputerIsolation.comment + description: Isolation comment. + type: String + - contextPath: CiscoAMP.ComputerIsolation.isolated_by + description: Isolation initiator. + type: String + - arguments: + - description: The interval in seconds between each poll. + isArray: false + name: interval_in_seconds + required: false + defaultValue: '30' + - description: The timeout in seconds until polling ends. + isArray: false + name: timeout_in_seconds + required: false + defaultValue: '600' + - description: The connector GUID for a specific computer. + isArray: false + name: connector_guid + required: true + - description: Comment for isolation deletion. + isArray: false + name: comment + required: false + - description: Status of the current run. + isArray: false + name: status + required: false + deprecated: false + description: Request isolation stop for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation. + execution: false + name: cisco-amp-computer-isolation-delete + polling: true + outputs: + - contextPath: CiscoAMP.ComputerIsolation.available + description: Set to true if isolation can be performed on the computer. + type: Boolean + - contextPath: CiscoAMP.ComputerIsolation.status + description: "Status of the computer isolation. Will be set to one of: not_isolated, pending_start, isolated and pending_stop." + type: String + - contextPath: CiscoAMP.ComputerIsolation.unlock_code + description: Isolation unlock code. + type: String + - contextPath: CiscoAMP.ComputerIsolation.comment + description: Isolation comment. + type: String + - contextPath: CiscoAMP.ComputerIsolation.isolated_by + description: Isolation initiator. + type: String + - arguments: + - description: Detection SHA-256 to filter by. + isArray: false + name: detection_sha256 + required: false + - description: Application SHA-256 to filter by. + isArray: false + name: application_sha256 + required: false + - description: Comma-separated list for connector GUIDs to filter by. + isArray: true + name: connector_guid + required: false + - description: Comma-separated list for group GUIDs to filter by. + isArray: true + name: group_guid + required: false + - description: Fetch events that are newer than the given time. + isArray: false + name: start_date + required: false + - description: Comma-separated list for event types to filter by. + isArray: true + name: event_type + required: false + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + deprecated: false + description: Fetch a list of events that can be filtered by a variety of criteria. Each criteria type is logically ANDed with the other criteria, and each selection of a criteria is logically ORed. This is analogous to the Events view on the FireAMP Console. + execution: false + name: cisco-amp-event-list + outputs: + - type: Number + contextPath: CiscoAMP.Event.id + description: Event's ID. + - type: Number + contextPath: CiscoAMP.Event.timestamp + description: Event's timestamp. + - type: Number + contextPath: CiscoAMP.Event.timestamp_nanoseconds + description: Event's timestamp in nano seconds. + - type: Date + contextPath: CiscoAMP.Event.date + description: Event's date. + - type: String + contextPath: CiscoAMP.Event.event_type + description: Event's type. + - type: Number + contextPath: CiscoAMP.Event.event_type_id + description: Event's type ID. + - type: String + contextPath: CiscoAMP.Event.detection + description: Event's detection. + - type: String + contextPath: CiscoAMP.Event.detection_id + description: Event's detection ID. + - type: String + contextPath: CiscoAMP.Event.connector_guid + description: GUID of the connector. + - type: String + contextPath: CiscoAMP.Event.group_guids + description: Event's group GUID. + - type: String + contextPath: CiscoAMP.Event.severity + description: Event's severity. + - type: String + contextPath: CiscoAMP.Event.computer.connector_guid + description: GUID of the connector. + - type: String + contextPath: CiscoAMP.Event.computer.hostname + description: Host's name. + - type: String + contextPath: CiscoAMP.Event.computer.external_ip + description: External IP. + - type: Boolean + contextPath: CiscoAMP.Event.computer.active + description: Whether the computer is active. + - type: String + contextPath: CiscoAMP.Event.computer.user + description: Computer user. + - type: String + contextPath: CiscoAMP.Event.computer.network_addresses.ip + description: List of IP addresses. + - type: String + contextPath: CiscoAMP.Event.computer.network_addresses.mac + description: List of MAC addresses. + - type: String + contextPath: CiscoAMP.Event.file.disposition + description: Disposition of the file. + - type: String + contextPath: CiscoAMP.Event.file.file_name + description: Name of the file. + - type: String + contextPath: CiscoAMP.Event.file.file_path + description: Path to the file. + - type: String + contextPath: CiscoAMP.Event.file.identity.sha256 + description: File's SHA-256. + - type: String + contextPath: CiscoAMP.Event.file.identity.sha1 + description: File's SHA-1. + - type: String + contextPath: CiscoAMP.Event.file.identity.md5 + description: File's MD5 + - type: Number + contextPath: CiscoAMP.Event.file.parent.process_id + description: Parent's process ID. + - type: String + contextPath: CiscoAMP.Event.file.parent.file_name + description: Parent's file name. + - type: String + contextPath: CiscoAMP.Event.file.parent.disposition + description: Parent's disposition. + - type: String + contextPath: CiscoAMP.Event.file.parent.identity.sha256 + description: Parent's SHA-256. + - type: String + contextPath: CiscoAMP.Event.file.parent.identity.sha1 + description: Parent's SHA-1. + - type: String + contextPath: CiscoAMP.Event.file.parent.identity.md5 + description: Parent's MD5. + - type: String + contextPath: CiscoAMP.Event.scan.description + description: Description of the scan. + - type: Boolean + contextPath: CiscoAMP.Event.scan.clean + description: Whether the scan is clean. + - type: Number + contextPath: CiscoAMP.Event.scan.scanned_files + description: Number of scanned files. + - type: Number + contextPath: CiscoAMP.Event.scan.scanned_processes + description: Number of scanned processes. + - type: Number + contextPath: CiscoAMP.Event.scan.scanned_paths + description: Number of scanned paths. + - type: Number + contextPath: CiscoAMP.Event.scan.malicious_detections + description: Number of malicious detections. + - contextPath: File.MD5 + description: The MD5 hash of the file. + type: String + - contextPath: File.SHA1 + description: The SHA1 hash of the file. + type: String + - contextPath: File.SHA256 + description: The SHA256 hash of the file. + type: String + - contextPath: File.Name + description: The full file name (including file extension). + type: String + - contextPath: File.Path + description: The path where the file is located. + type: String + - contextPath: File.Hostname + description: The name of the host where the file was found. + type: String + - contextPath: File.Malicious.Vendor + description: The vendor that reported the file as malicious. + type: String + - contextPath: File.Malicious.Description + description: A description explaining why the file was determined to be malicious. + type: String + - contextPath: DBotScore.Indicator + description: The indicator that was tested. + type: String + - contextPath: DBotScore.Type + description: The indicator type. + type: String + - contextPath: DBotScore.Vendor + description: The vendor used to calculate the score. + type: String + - contextPath: DBotScore.Reliability + description: Reliability of the source providing the intelligence data. + type: String + - contextPath: DBotScore.Score + description: The actual score. + type: Number + - arguments: + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + deprecated: false + description: Fetches a list of event types. Events are identified and filtered by a unique ID. + execution: false + name: cisco-amp-event-type-list + outputs: + - contextPath: CiscoAMP.EventType.id + description: Event type ID. + type: Number + - contextPath: CiscoAMP.EventType.name + description: Event type name. + type: String + - contextPath: CiscoAMP.EventType.description + description: Event type description. + type: String + - arguments: + - description: Fetch a list type to return. + isArray: false + name: file_list_type + required: false + defaultValue: Application Blocking + auto: PREDEFINED + predefined: + - Application Blocking + - Simple Custom Detection + - description: Comma-separated list of name to filter by (has auto complete capabilities). + isArray: true + name: name + required: false + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + - description: GUID of the file list to return. + isArray: false + name: file_list_guid + required: false + deprecated: false + description: Returns a particular file list for application blocking or simple custom detection. file_list_guid must be provided to retrieve information about a particular file_list. Can fetch an application_blocking or simple_custom_detection file list. Defaults to application_blocking. + execution: false + name: cisco-amp-file-list-list + outputs: + - contextPath: CiscoAMP.FileList.name + description: Name of blocking. + type: String + - contextPath: CiscoAMP.FileList.guid + description: File list GUID. + type: String + - contextPath: CiscoAMP.FileList.type + description: Type of blocking. + type: String + - arguments: + - description: File list to return. + isArray: false + name: file_list_guid + required: true + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + - description: File list item SHA-256 to search. + isArray: false + name: sha256 + required: false + deprecated: false + description: Returns a list of items for a particular file_list. file_list_guid must be provided to retrieve these items. A particular item can be returned by providing a SHA-256. + execution: false + name: cisco-amp-file-list-item-list + outputs: + - contextPath: CiscoAMP.FileListItem.name + description: Name of file list. + type: String + - contextPath: CiscoAMP.FileListItem.guid + description: File list GUID. + type: String + - contextPath: CiscoAMP.FileListItem.policies.name + description: Name of the policy. + type: String + - contextPath: CiscoAMP.FileListItem.policies.guid + description: Policy GUID. + type: String + - contextPath: CiscoAMP.FileListItem.items.sha256 + description: Item SHA-256. + type: String + - contextPath: CiscoAMP.FileListItem.items.source + description: Item source. + type: String + - arguments: + - description: File list to add to. + isArray: false + name: file_list_guid + required: true + - description: File list item's SHA-256 to add. + isArray: false + name: sha256 + required: true + - description: Description for the created item. + isArray: false + name: description + required: false + deprecated: false + description: Creates a file list item with a given SHA-256 for a specific file list with a given file_list_guid. + execution: false + name: cisco-amp-file-list-item-create + outputs: + - contextPath: CiscoAMP.FileListItem.sha256 + description: Item SHA-256. + type: String + - contextPath: CiscoAMP.FileListItem.description + description: File's description. + type: String + - contextPath: CiscoAMP.FileListItem.source + description: Item source. + type: String + - arguments: + - description: File list to delete from. + isArray: false + name: file_list_guid + required: true + - description: File list item SHA-256 to delete. + isArray: false + name: sha256 + required: true + deprecated: false + description: Deletes a file list item with a given SHA-256 and associated to a file list with a given file_list_guid. + execution: false + name: cisco-amp-file-list-item-delete + - arguments: + - description: Name to filter by (has auto complete capabilities). + isArray: false + name: name + required: false + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + - description: Group's GUID. + isArray: false + name: group_guid + required: false + deprecated: false + description: Provides information about groups in an organization. + execution: false + name: cisco-amp-group-list + outputs: + - type: String + contextPath: CiscoAMP.Group.name + description: Name of the group. + - type: String + contextPath: CiscoAMP.Group.description + description: Group's description. + - type: String + contextPath: CiscoAMP.Group.guid + description: Group GUID. + - type: String + contextPath: CiscoAMP.Group.source + description: Creation source. + - type: String + contextPath: CiscoAMP.Group.creator + description: Creator of the group. + - type: Date + contextPath: CiscoAMP.Group.created_at + description: Date of creation. + - type: Number + contextPath: CiscoAMP.Group.computers_count + description: Number of computers in the group. + - type: Number + contextPath: CiscoAMP.Group.descendant_computers_count + description: Number of computers from descendant groups. + - type: String + contextPath: CiscoAMP.Group.ancestry.name + description: Parent group name. + - type: String + contextPath: CiscoAMP.Group.ancestry.guid + description: Parent group GUID. + - type: String + contextPath: CiscoAMP.Group.child_groups.name + description: Child group name. + - type: String + contextPath: CiscoAMP.Group.child_groups.guid + description: Child group GUID. + - type: String + contextPath: CiscoAMP.Group.policies.name + description: Policy name. + - type: String + contextPath: CiscoAMP.Group.policies.description + description: Policy description. + - type: String + contextPath: CiscoAMP.Group.policies.guid + description: Policy GUID. + - type: String + contextPath: CiscoAMP.Group.policies.product + description: Policy operating system product. + - type: Boolean + contextPath: CiscoAMP.Group.policies.default + description: Whether the policy is the default policy. + - type: Number + contextPath: CiscoAMP.Group.policies.serial_number + description: Policy serial number. + - type: Boolean + contextPath: CiscoAMP.Group.policies.inherited + description: Whether the policy is inherited. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.name + description: File list name. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.guid + description: File list GUID. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.type + description: File list type. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.name + description: IP list name. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.guid + description: IP list GUID. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.type + description: IP list type. + - type: String + contextPath: CiscoAMP.Group.policies.exclusion_sets.name + description: Exclusion set name. + - type: String + contextPath: CiscoAMP.Group.policies.exclusion_sets.guid + description: Exclusion set GUID. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.name + description: Name of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.description + description: Description of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.guid + description: GUID of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.source + description: Creation source of the group the policy is used in. + - arguments: + - description: Group's GUID. + isArray: false + name: group_guid + required: true + - description: Policy GUID for Windows. + isArray: false + name: windows_policy_guid + required: false + - description: Policy GUID for MAC. + isArray: false + name: mac_policy_guid + required: false + - description: Policy GUID for Android. + isArray: false + name: android_policy_guid + required: false + - description: Policy GUID for Linux. + isArray: false + name: linux_policy_guid + required: false + deprecated: false + description: Updates a group to a given policy and returns all the policies in that group. + execution: false + name: cisco-amp-group-policy-update + outputs: + - type: String + contextPath: CiscoAMP.Group.name + description: Name of the group. + - type: String + contextPath: CiscoAMP.Group.description + description: Group's description. + - type: String + contextPath: CiscoAMP.Group.guid + description: Group GUID. + - type: String + contextPath: CiscoAMP.Group.source + description: Creation source. + - type: String + contextPath: CiscoAMP.Group.creator + description: Creator of the group. + - type: Date + contextPath: CiscoAMP.Group.created_at + description: Date of creation. + - type: Number + contextPath: CiscoAMP.Group.computers_count + description: Number of computers in the group. + - type: Number + contextPath: CiscoAMP.Group.descendant_computers_count + description: Number of computers from descendant groups. + - type: String + contextPath: CiscoAMP.Group.ancestry.name + description: Parent group name. + - type: String + contextPath: CiscoAMP.Group.ancestry.guid + description: Parent group GUID. + - type: String + contextPath: CiscoAMP.Group.child_groups.name + description: Child group name. + - type: String + contextPath: CiscoAMP.Group.child_groups.guid + description: Child group GUID. + - type: String + contextPath: CiscoAMP.Group.policies.name + description: Policy name. + - type: String + contextPath: CiscoAMP.Group.policies.description + description: Policy description. + - type: String + contextPath: CiscoAMP.Group.policies.guid + description: Policy GUID. + - type: String + contextPath: CiscoAMP.Group.policies.product + description: Policy operating system product. + - type: Boolean + contextPath: CiscoAMP.Group.policies.default + description: Whether the policy is the default policy. + - type: Number + contextPath: CiscoAMP.Group.policies.serial_number + description: Policy serial number. + - type: Boolean + contextPath: CiscoAMP.Group.policies.inherited + description: Whether the policy is inherited. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.name + description: File list name. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.guid + description: File list GUID. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.type + description: File list type. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.name + description: IP list name. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.guid + description: IP list GUID. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.type + description: IP list type. + - type: String + contextPath: CiscoAMP.Group.policies.exclusion_sets.name + description: Exclusion set name. + - type: String + contextPath: CiscoAMP.Group.policies.exclusion_sets.guid + description: Exclusion set GUID. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.name + description: Name of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.description + description: Description of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.guid + description: GUID of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.source + description: Creation source of the group the policy is used in. + - arguments: + - description: Group's GUID. + isArray: false + name: child_guid + required: true + - description: Group parent to set to child group. + isArray: false + name: parent_group_guid + required: false + deprecated: false + description: Converts an existing group to a child of another group or an existing child group to a root group (that is, one with no parent groups). + execution: false + name: cisco-amp-group-parent-update + outputs: + - type: String + contextPath: CiscoAMP.Group.name + description: Name of the group. + - type: String + contextPath: CiscoAMP.Group.description + description: Group's description. + - type: String + contextPath: CiscoAMP.Group.guid + description: Group GUID. + - type: String + contextPath: CiscoAMP.Group.source + description: Creation source. + - type: String + contextPath: CiscoAMP.Group.creator + description: Creator of the group. + - type: Date + contextPath: CiscoAMP.Group.created_at + description: Date of creation. + - type: Number + contextPath: CiscoAMP.Group.computers_count + description: Number of computers in the group. + - type: Number + contextPath: CiscoAMP.Group.descendant_computers_count + description: Number of computers from descendant groups. + - type: String + contextPath: CiscoAMP.Group.ancestry.name + description: Parent group name. + - type: String + contextPath: CiscoAMP.Group.ancestry.guid + description: Parent group GUID. + - type: String + contextPath: CiscoAMP.Group.child_groups.name + description: Child group name. + - type: String + contextPath: CiscoAMP.Group.child_groups.guid + description: Child group GUID. + - type: String + contextPath: CiscoAMP.Group.policies.name + description: Policy name. + - type: String + contextPath: CiscoAMP.Group.policies.description + description: Policy description. + - type: String + contextPath: CiscoAMP.Group.policies.guid + description: Policy GUID. + - type: String + contextPath: CiscoAMP.Group.policies.product + description: Policy operating system product. + - type: Boolean + contextPath: CiscoAMP.Group.policies.default + description: Whether the policy is the default policy. + - type: Number + contextPath: CiscoAMP.Group.policies.serial_number + description: Policy serial number. + - type: Boolean + contextPath: CiscoAMP.Group.policies.inherited + description: Whether the policy is inherited. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.name + description: File list name. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.guid + description: File list GUID. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.type + description: File list type. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.name + description: IP list name. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.guid + description: IP list GUID. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.type + description: IP list type. + - type: String + contextPath: CiscoAMP.Group.policies.exclusion_sets.name + description: Exclusion set name. + - type: String + contextPath: CiscoAMP.Group.policies.exclusion_sets.guid + description: Exclusion set GUID. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.name + description: Name of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.description + description: Description of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.guid + description: GUID of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.source + description: Creation source of the group the policy is used in. + - arguments: + - description: Group name. + isArray: false + name: name + required: true + - description: Group description. + isArray: false + name: description + required: true + deprecated: false + description: Creates a new group along with a group name or description. + execution: false + name: cisco-amp-group-create + outputs: + - type: String + contextPath: CiscoAMP.Group.name + description: Name of the group. + - type: String + contextPath: CiscoAMP.Group.description + description: Group's description. + - type: String + contextPath: CiscoAMP.Group.guid + description: Group GUID. + - type: String + contextPath: CiscoAMP.Group.source + description: Creation source. + - type: String + contextPath: CiscoAMP.Group.creator + description: Creator of the group. + - type: Date + contextPath: CiscoAMP.Group.created_at + description: Date of creation. + - type: Number + contextPath: CiscoAMP.Group.computers_count + description: Number of computers in the group. + - type: Number + contextPath: CiscoAMP.Group.descendant_computers_count + description: Number of computers from descendant groups. + - type: String + contextPath: CiscoAMP.Group.policies.name + description: Policy name. + - type: String + contextPath: CiscoAMP.Group.policies.description + description: Policy description. + - type: String + contextPath: CiscoAMP.Group.policies.guid + description: Policy GUID. + - type: String + contextPath: CiscoAMP.Group.policies.product + description: Policy operating system product. + - type: Boolean + contextPath: CiscoAMP.Group.policies.default + description: Whether the policy is the default policy. + - type: Number + contextPath: CiscoAMP.Group.policies.serial_number + description: Policy serial number. + - type: Boolean + contextPath: CiscoAMP.Group.policies.inherited + description: Whether the policy is inherited. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.name + description: File list name. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.guid + description: File list GUID. + - type: String + contextPath: CiscoAMP.Group.policies.file_lists.type + description: File list type. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.name + description: IP list name. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.guid + description: IP list GUID. + - type: String + contextPath: CiscoAMP.Group.policies.ip_lists.type + description: IP list type. + - type: String + contextPath: CiscoAMP.Group.policies.exclusion_sets.name + description: Exclusion set name. + - type: String + contextPath: CiscoAMP.Group.policies.exclusion_sets.guid + description: Exclusion set GUID. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.name + description: Name of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.description + description: Description of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.guid + description: GUID of the group the policy is used in. + - type: String + contextPath: CiscoAMP.Group.policies.used_in_groups.source + description: Creation source of the group the policy is used in. + - arguments: + - description: Group's GUID. + isArray: false + name: group_guid + required: true + deprecated: false + description: Destroys a group with a given GUID. + execution: false + name: cisco-amp-group-delete + - arguments: + - description: Indicator GUID. + isArray: false + name: indicator_guid + required: false + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + deprecated: false + description: Show information about indicators. + execution: false + name: cisco-amp-indicator-list + outputs: + - type: String + contextPath: CiscoAMP.Indicator.name + description: Indicator name. + - type: String + contextPath: CiscoAMP.Indicator.description + description: Indicator description. + - type: String + contextPath: CiscoAMP.Indicator.guid + description: Indicator GUID. + - type: String + contextPath: CiscoAMP.Indicator.severity + description: Indicator severity. + - type: String + contextPath: CiscoAMP.Indicator.mitre.tactics.external_id + description: Mitre tactic ID. + - type: String + contextPath: CiscoAMP.Indicator.mitre.tactics.name + description: Mitre tactic name. + - type: String + contextPath: CiscoAMP.Indicator.mitre.tactics.mitre_url + description: Mitre tactic URL. + - type: String + contextPath: CiscoAMP.Indicator.mitre.techniques.external_id + description: Mitre technique ID. + - type: String + contextPath: CiscoAMP.Indicator.mitre.techniques.name + description: Mitre technique name. + - type: String + contextPath: CiscoAMP.Indicator.mitre.techniques.mitre_url + description: Mitre technique URL. + - type: Number + contextPath: CiscoAMP.Indicator.observed_compromises + description: Total number of observed compromises. + - type: Number + contextPath: CiscoAMP.Indicator.observed_compromises.unresolved + description: Number of unresolved compromises. + - type: Number + contextPath: CiscoAMP.Indicator.observed_compromises.in_progress + description: Number of compromises in progress. + - type: Number + contextPath: CiscoAMP.Indicator.observed_compromises.resolved + description: Number of resolved compromises. + - arguments: + - description: Policy GUID. + isArray: false + name: policy_guid + required: false + - description: Comma-separated list for products to filter by. + isArray: true + name: product + required: false + - description: Comma-separated list for names to filter by (has auto complete capabilities). + isArray: true + name: name + required: false + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + deprecated: false + description: Gets information about policies by filtering with a product and name of a specific policy with a policy_guid. + execution: false + name: cisco-amp-policy-list + outputs: + - type: String + contextPath: CiscoAMP.Policy.name + description: Policy name. + - type: String + contextPath: CiscoAMP.Policy.description + description: Policy description. + - type: String + contextPath: CiscoAMP.Policy.guid + description: Policy GUID. + - type: String + contextPath: CiscoAMP.Policy.product + description: Product used. + - type: Boolean + contextPath: CiscoAMP.Policy.default + description: Whether the policy is the default policy. + - type: Number + contextPath: CiscoAMP.Policy.serial_number + description: Policy serial number. + - type: String + contextPath: CiscoAMP.Policy.file_lists.name + description: File list name. + - type: String + contextPath: CiscoAMP.Policy.file_lists.guid + description: File list GUID. + - type: String + contextPath: CiscoAMP.Policy.file_lists.type + description: File list type. + - type: String + contextPath: CiscoAMP.Policy.ip_lists.name + description: IP list name. + - type: String + contextPath: CiscoAMP.Policy.ip_lists.guid + description: IP list GUID. + - type: String + contextPath: CiscoAMP.Policy.ip_lists.type + description: IP list type. + - type: String + contextPath: CiscoAMP.Policy.exclusion_sets.name + description: Exclusion set name. + - type: String + contextPath: CiscoAMP.Policy.exclusion_sets.guid + description: Exclusion set GUID. + - type: String + contextPath: CiscoAMP.Policy.used_in_groups.name + description: Group name. + - type: String + contextPath: CiscoAMP.Policy.used_in_groups.description + description: Group description. + - type: String + contextPath: CiscoAMP.Policy.used_in_groups.guid + description: Group GUID. + - arguments: + - description: IOS bundle ID for app trajectory. + isArray: false + name: ios_bid + required: true + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + deprecated: false + description: Retrieve app_trajectory queries for a given IOS bundle ID. + execution: false + name: cisco-amp-app-trajectory-query-list + outputs: + - type: String + contextPath: CiscoAMP.AppTrajectoryQuery.connector_guid + description: GUID of the connector. + - type: String + contextPath: CiscoAMP.AppTrajectoryQuery.bundle_id + description: Bundle ID. + - type: String + contextPath: CiscoAMP.AppTrajectoryQuery.group_guids + description: List of group's GUIDs. + - type: String + contextPath: CiscoAMP.AppTrajectoryQuery.cdhash + description: CD hHash. + - type: Number + contextPath: CiscoAMP.AppTrajectoryQuery.timestamp + description: Observed timestamp. + - type: Number + contextPath: CiscoAMP.AppTrajectoryQuery.timestamp_nanoseconds + description: Observed timestamp in nano seconds. + - type: Date + contextPath: CiscoAMP.AppTrajectoryQuery.date + description: Observed date. + - type: String + contextPath: CiscoAMP.AppTrajectoryQuery.query_type + description: The type of the query. + - type: String + contextPath: CiscoAMP.AppTrajectoryQuery.network_info.dirty_url + description: Link to the observed URL. + - type: String + contextPath: CiscoAMP.AppTrajectoryQuery.network_info.remote_ip + description: Remote IP. + - type: Number + contextPath: CiscoAMP.AppTrajectoryQuery.network_info.remote_port + description: Remote port. + - type: String + contextPath: CiscoAMP.AppTrajectoryQuery.network_info.local_ip + description: Local IP. + - type: Number + contextPath: CiscoAMP.AppTrajectoryQuery.network_info.local_port + description: Local Port. + - type: String + contextPath: CiscoAMP.AppTrajectoryQuery.network_info.direction + description: Outgoing or incoming connection. + - type: String + contextPath: CiscoAMP.AppTrajectoryQuery.network_info.protocol + description: Communication protocol used. + - type: String + contextPath: CiscoAMP.AppTrajectoryQuery.ver + description: Version. + - deprecated: false + description: Get API version. + execution: false + name: cisco-amp-version-get + outputs: + - type: String + contextPath: CiscoAMP.Version.version + description: API version. + - arguments: + - description: SHA-256 that has been observed as a vulnerability. + isArray: false + name: sha256 + required: false + - description: Comma-separated list for group GUIDs to filter by. + isArray: true + name: group_guid + required: false + - description: The start date and time expressed according to ISO 8601. The retrieved list will include vulnerable programs detected at start_time. + isArray: false + name: start_time + required: false + - description: The end date and/or time expressed according to ISO 8601. Exclusive - if end_time is a time, the list will only include vulnerable programs detected before end_time). Inclusive - if end_time is a date, the list will include vulnerable programs detected on the date. + isArray: false + name: end_time + required: false + - description: Page number to return. + isArray: false + name: page + required: false + - description: Number of results in a page. Maximum is 500. + isArray: false + name: page_size + required: false + - description: Number of total results to return. + isArray: false + name: limit + required: false + deprecated: false + description: 'Fetch a list of vulnerabilities. This is analogous to the Vulnerable Software view on the AMP for Endpoints Console. The list can be filtered to show only the vulnerable programs detected for a specific time range. Provide a list of computers on which the vulnerability has been observed with given SHA-256. The list item contains a summary of information on the vulnerability, including: application name and version, SHA-256 value for the executable file, connectors on which the vulnerable application was observed and the most recent CVSS score. IMPORTANT: computers key returns information about the last 1000 Connectors on which the vulnerable application was observed.' + execution: false + name: cisco-amp-vulnerability-list + outputs: + - type: String + contextPath: CiscoAMP.Vulnerability.application + description: Name of the application. + - type: String + contextPath: CiscoAMP.Vulnerability.version + description: Version of the application. + - type: String + contextPath: CiscoAMP.Vulnerability.file.filename + description: Name of the file. + - type: String + contextPath: CiscoAMP.Vulnerability.file.identity.sha256 + description: File's SHA-256. + - type: Number + contextPath: CiscoAMP.Vulnerability.latest_timestamp + description: Vulnerability latest timestamp. + - type: Date + contextPath: CiscoAMP.Vulnerability.latest_date + description: Vulnerability latest date. + - type: Number + contextPath: CiscoAMP.Vulnerability.computers_total_count + description: Number of computers. + - type: String + contextPath: CiscoAMP.Vulnerability.connector_guid + description: GUID of the connector. + - type: String + contextPath: CiscoAMP.Vulnerability.hostname + description: Host's name. + - type: String + contextPath: CiscoAMP.Vulnerability.windows_processor_id + description: Windows processor ID. + - type: Boolean + contextPath: CiscoAMP.Vulnerability.active + description: Whether the computer is active. + - type: String + contextPath: CiscoAMP.Vulnerability.group_guid + description: Group's GUID. + - type: String + contextPath: CiscoAMP.Vulnerability.cves.id + description: Common vulnerability exposure ID. + - type: String + contextPath: CiscoAMP.Vulnerability.cves.link + description: Common vulnerability exposure link. + - type: Number + contextPath: CiscoAMP.Vulnerability.cves.cvss + description: Common vulnerability scoring system. + - type: String + contextPath: CiscoAMP.Vulnerability.groups.name + description: Group's name. + - type: String + contextPath: CiscoAMP.Vulnerability.groups.description + description: Group's description. + - type: String + contextPath: CiscoAMP.Vulnerability.groups.guid + description: Group's GUID. + - type: String + contextPath: CiscoAMP.Vulnerability.groups.source + description: Group's source of creation. + - type: String + contextPath: CiscoAMP.Vulnerability.computers.connector_guid + description: GUID of the connector. + - type: String + contextPath: CiscoAMP.Vulnerability.computers.hostname + description: Host's name. + - type: String + contextPath: CiscoAMP.Vulnerability.computers.windows_processor_id + description: Windows processor ID. + - type: Boolean + contextPath: CiscoAMP.Vulnerability.computers.active + description: Whether the computer is active. + - arguments: + - default: false + description: The endpoint ID. Takes priority over the IP and hostname arguments. + isArray: true + name: id + required: false + secret: false + - default: true + description: The endpoint IP address. The IP argument has priority over the hostname argument. + isArray: true + name: ip + required: false + secret: false + - default: false + description: The endpoint hostname. + isArray: true + name: hostname + required: false + secret: false + deprecated: false + description: Returns information about an endpoint. + execution: false + name: endpoint + outputs: + - contextPath: Endpoint.Hostname + description: The hostname of the endpoint. + type: String + - contextPath: Endpoint.ID + description: The endpoint's identifier. + type: String + - contextPath: Endpoint.IPAddress + description: The endpoint's IP address. + type: String + - contextPath: Endpoint.OS + description: The endpoint's operating system. + type: String + - contextPath: Endpoint.OSVersion + description: The endpoint's operating system's version. + type: String + - contextPath: Endpoint.Status + description: The status of the endpoint (online/offline). + type: String + - contextPath: Endpoint.MACAddress + description: The endpoint's MAC address. + type: String + - contextPath: Endpoint.Vendor + description: The integration name of the endpoint vendor. + type: String + - name: file + description: Runs reputation on files. + arguments: + - name: file + required: true + default: true + description: Hash of the file to query. Supports MD5, SHA1, and SHA256. + isArray: true + outputs: + - contextPath: File.MD5 + description: The MD5 hash of the file. + type: String + - contextPath: File.SHA1 + description: The SHA1 hash of the file. + type: String + - contextPath: File.SHA256 + description: The SHA256 hash of the file. + type: String + - contextPath: File.Name + description: The full file name (including file extension). + type: String + - contextPath: File.Path + description: The path where the file is located. + type: String + - contextPath: File.Hostname + description: The name of the host where the file was found. + type: String + - contextPath: File.Malicious.Vendor + description: The vendor that reported the file as malicious. + type: String + - contextPath: File.Malicious.Description + description: A description of why the file was determined to be malicious. + type: String + - contextPath: DBotScore.Indicator + description: The indicator that was tested. + type: String + - contextPath: DBotScore.Type + description: The indicator type. + type: String + - contextPath: DBotScore.Vendor + description: The vendor used to calculate the score. + type: String + - contextPath: DBotScore.Reliability + description: Reliability of the source providing the intelligence data. + type: String + - contextPath: DBotScore.Score + description: The actual score. + type: Number + dockerimage: demisto/python3:3.10.10.48392 + feed: false + isfetch: true + longRunning: false + longRunningPort: false + runonce: false + script: '-' + subtype: python3 + type: python +fromversion: 6.5.0 +tests: +- No tests (auto formatted) diff --git a/Packs/AMP/Integrations/AMPv2/AMPv2_description.md b/Packs/AMP/Integrations/AMPv2/AMPv2_description.md new file mode 100644 index 000000000000..beefd3a3c35e --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/AMPv2_description.md @@ -0,0 +1,18 @@ +# Cisco AMP Secure Endpoint +Cisco Advanced Malware Protection software is designed to prevent, detect, and help remove threats in an efficient manner from computer systems. +Threats can take the form of software viruses and other malware such as ransomware, worms, Trojans, spyware, adware, and fileless malware. + +# See the API Documentation +The API documentation can be found in: [Cisco AMP API](https://api-docs.amp.cisco.com/). +Choose the relevant API and then select version: `v1`. + +# Fetch Incidents +Incidents are fetched through the command: `cisco-amp-event-list`. +The fetched event types can be controlled through `event_id` that can be received from the command: `cisco-amp-event-type-list`. + +# Polling Command +The following commands support polling: +- `cisco-amp-computer-isolation-create` +- `cisco-amp-computer-isolation-delete` + +The polling is done when the status of an endpoint has changed. diff --git a/Packs/AMP/Integrations/AMPv2/AMPv2_image.png b/Packs/AMP/Integrations/AMPv2/AMPv2_image.png new file mode 100644 index 000000000000..bfc6471ecd5f Binary files /dev/null and b/Packs/AMP/Integrations/AMPv2/AMPv2_image.png differ diff --git a/Packs/AMP/Integrations/AMPv2/AMPv2_test.py b/Packs/AMP/Integrations/AMPv2/AMPv2_test.py new file mode 100644 index 000000000000..9a3cadaf4413 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/AMPv2_test.py @@ -0,0 +1,1544 @@ +""" +Unit testing for CiscoAMP (Advanced Malware Protection) +""" +import json +import io +import os +from typing import Dict, List, Any +import pytest +from AMPv2 import Client +from CommonServerPython import DemistoException + +API_KEY = "API_Key" +CLIENT_ID = "Client_ID" +SERVER_URL = "https://api.eu.amp.cisco.com" +BASE_URL = f"{SERVER_URL}/{Client.API_VERSION}" + + +def assert_output_has_no_links(outputs: List[Dict]): + """ + Check that there are no 'links' keys in the outputs. + + Args: + outputs (List[Dict, str]): output to loop through. + """ + for output in outputs: + assert "links" not in output + + +def load_mock_response(file_name: str) -> str | io.TextIOWrapper: + """ + Load mock file that simulates an API response. + Args: + file_name (str): Name of the mock response JSON file to return. + Returns: + str: Mock file content. + """ + path = os.path.join("test_data", file_name) + + with io.open(path, mode="r", encoding="utf-8") as mock_file: + if os.path.splitext(file_name)[1] == ".json": + return json.loads(mock_file.read()) + + return mock_file + + +@pytest.fixture(autouse=True) +def mock_client() -> Client: + """ + Establish a connection to the client with a URL and API key. + + Returns: + Client: Connection to client. + """ + from CommonServerPython import DBotScoreReliability + + return Client( + server_url=SERVER_URL, + api_key=API_KEY, + client_id=CLIENT_ID, + reliability=DBotScoreReliability.C, + ) + + +@pytest.mark.parametrize( + "args, suffix, file, expected_readable_output, expected_output", + [ + ( + {"limit": "34"}, + "", + "computer_list_response.json", + "### Results\n" + "|Current Item Count|Index|Items Per Page|Total|\n" + "|---|---|---|---|\n" + "| metadata_results_current_item_count | metadata_results_index | metadata_results_current_item_count " + "| metadata_results_total |\n" + "### Computer Information\n" + "|Host Name|Connector GUID|Operating System|External IP|Group GUID|Policy GUID|\n" + "|---|---|---|---|---|---|\n" + "| data[0]_hostname | data[0]_connector_guid | data[0]_operating_system (Build data[0]_os_version) " + "| data[0]_external_ip | data[0]_group_guid | data[0]_policy_guid |\n" + "| data[1]_hostname | data[1]_connector_guid | data[1]_operating_system (Build data[1]_os_version) " + "| data[1]_external_ip | data[1]_group_guid | data[1]_policy_guid |\n" + "| data[2]_hostname | data[2]_connector_guid | data[2]_operating_system (Build data[2]_os_version) " + "| data[2]_external_ip | data[2]_group_guid | data[2]_policy_guid |\n" + "| data[3]_hostname | data[3]_connector_guid | data[3]_operating_system (Build data[3]_os_version) " + "| data[3]_external_ip | data[3]_group_guid | data[3]_policy_guid |\n" + "| data[4]_hostname | data[4]_connector_guid | data[4]_operating_system (Build data[4]_os_version) " + "| data[4]_external_ip | data[4]_group_guid | data[4]_policy_guid |\n" + "| data[5]_hostname | data[5]_connector_guid | data[5]_operating_system (Build data[5]_os_version) " + "| data[5]_external_ip | data[5]_group_guid | data[5]_policy_guid |\n" + "| data[6]_hostname | data[6]_connector_guid | data[6]_operating_system (Build data[6]_os_version) " + "| data[6]_external_ip | data[6]_group_guid | data[6]_policy_guid |\n" + "| data[7]_hostname | data[7]_connector_guid | data[7]_operating_system (Build data[7]_os_version) " + "| data[7]_external_ip | data[7]_group_guid | data[7]_policy_guid |\n" + "| data[8]_hostname | data[8]_connector_guid | data[8]_operating_system (Build data[8]_os_version) " + "| data[8]_external_ip | data[8]_group_guid | data[8]_policy_guid |\n" + "| data[9]_hostname | data[9]_connector_guid | data[9]_operating_system (Build data[9]_os_version) " + "| data[9]_external_ip | data[9]_group_guid | data[9]_policy_guid |\n" + "| data[10]_hostname | data[10]_connector_guid | data[10]_operating_system (Build data[10]_os_version) " + "| data[10]_external_ip | data[10]_group_guid | data[10]_policy_guid |\n" + "| data[11]_hostname | data[11]_connector_guid | data[11]_operating_system (Build data[11]_os_version) " + "| data[11]_external_ip | data[11]_group_guid | data[11]_policy_guid |\n" + "| data[12]_hostname | data[12]_connector_guid | data[12]_operating_system (Build data[12]_os_version) " + "| data[12]_external_ip | data[12]_group_guid | data[12]_policy_guid |\n" + "| data[13]_hostname | data[13]_connector_guid | data[13]_operating_system (Build data[13]_os_version) " + "| data[13]_external_ip | data[13]_group_guid | data[13]_policy_guid |\n" + "| data[14]_hostname | data[14]_connector_guid | data[14]_operating_system (Build data[14]_os_version) " + "| data[14]_external_ip | data[14]_group_guid | data[14]_policy_guid |\n" + "| data[15]_hostname | data[15]_connector_guid | data[15]_operating_system (Build data[15]_os_version) " + "| data[15]_external_ip | data[15]_group_guid | data[15]_policy_guid |\n" + "| data[16]_hostname | data[16]_connector_guid | data[16]_operating_system (Build data[16]_os_version) " + "| data[16]_external_ip | data[16]_group_guid | data[16]_policy_guid |\n" + "| data[17]_hostname | data[17]_connector_guid | data[17]_operating_system (Build data[17]_os_version) " + "| data[17]_external_ip | data[17]_group_guid | data[17]_policy_guid |\n" + "| data[18]_hostname | data[18]_connector_guid | data[18]_operating_system (Build data[18]_os_version) " + "| data[18]_external_ip | data[18]_group_guid | data[18]_policy_guid |\n" + "| data[19]_hostname | data[19]_connector_guid | data[19]_operating_system (Build data[19]_os_version) " + "| data[19]_external_ip | data[19]_group_guid | data[19]_policy_guid |\n" + "| data[20]_hostname | data[20]_connector_guid | data[20]_operating_system (Build data[20]_os_version) " + "| data[20]_external_ip | data[20]_group_guid | data[20]_policy_guid |\n" + "| data[21]_hostname | data[21]_connector_guid | data[21]_operating_system (Build data[21]_os_version) " + "| data[21]_external_ip | data[21]_group_guid | data[21]_policy_guid |\n" + "| data[22]_hostname | data[22]_connector_guid | data[22]_operating_system (Build data[22]_os_version) " + "| data[22]_external_ip | data[22]_group_guid | data[22]_policy_guid |\n" + "| data[23]_hostname | data[23]_connector_guid | data[23]_operating_system (Build data[23]_os_version) " + "| data[23]_external_ip | data[23]_group_guid | data[23]_policy_guid |\n" + "| data[24]_hostname | data[24]_connector_guid | data[24]_operating_system (Build data[24]_os_version) " + "| data[24]_external_ip | data[24]_group_guid | data[24]_policy_guid |\n" + "| data[25]_hostname | data[25]_connector_guid | data[25]_operating_system (Build data[25]_os_version) " + "| data[25]_external_ip | data[25]_group_guid | data[25]_policy_guid |\n" + "| data[26]_hostname | data[26]_connector_guid | data[26]_operating_system (Build data[26]_os_version) " + "| data[26]_external_ip | data[26]_group_guid | data[26]_policy_guid |\n" + "| data[27]_hostname | data[27]_connector_guid | data[27]_operating_system (Build data[27]_os_version) " + "| data[27]_external_ip | data[27]_group_guid | data[27]_policy_guid |\n" + "| data[28]_hostname | data[28]_connector_guid | data[28]_operating_system (Build data[28]_os_version) " + "| data[28]_external_ip | data[28]_group_guid | data[28]_policy_guid |\n" + "| data[29]_hostname | data[29]_connector_guid | data[29]_operating_system (Build data[29]_os_version) " + "| data[29]_external_ip | data[29]_group_guid | data[29]_policy_guid |\n" + "| data[30]_hostname | data[30]_connector_guid | data[30]_operating_system (Build data[30]_os_version) " + "| data[30]_external_ip | data[30]_group_guid | data[30]_policy_guid |\n" + "| data[31]_hostname | data[31]_connector_guid | data[31]_operating_system (Build data[31]_os_version) " + "| data[31]_external_ip | data[31]_group_guid | data[31]_policy_guid |\n" + "| data[32]_hostname | data[32]_connector_guid | data[32]_operating_system (Build data[32]_os_version) " + "| data[32]_external_ip | data[32]_group_guid | data[32]_policy_guid |\n" + "| data[33]_hostname | data[33]_connector_guid | data[33]_operating_system (Build data[33]_os_version) " + "| data[33]_external_ip | data[33]_group_guid | data[33]_policy_guid |\n", + { + "connector_guid": "data[33]_connector_guid", + "hostname": "data[33]_hostname", + "windows_processor_id": "data[33]_windows_processor_id", + "active": "data[33]_active", + "connector_version": "data[33]_connector_version", + "operating_system": "data[33]_operating_system", + "os_version": "data[33]_os_version", + "internal_ips": ["data[33]_internal_ips_0"], + "external_ip": "data[33]_external_ip", + "group_guid": "data[33]_group_guid", + "install_date": "data[33]_install_date", + "is_compromised": "data[33]_is_compromised", + "demo": "data[33]_demo", + "windows_machine_guid": "data[33]_windows_machine_guid", + "network_addresses": [ + { + "mac": "data[33]_network_addresses[0]_mac", + "ip": "data[33]_network_addresses[0]_ip", + } + ], + "policy": { + "guid": "data[33]_policy_guid", + "name": "data[33]_policy_name", + }, + "groups": [ + { + "guid": "data[33]_groups[0]_guid", + "name": "data[33]_groups[0]_name", + } + ], + "last_seen": "data[33]_last_seen", + "av_update_definitions": { + "status": "data[33]_av_update_definitions_status", + "detection_engine": "data[33]_av_update_definitions_detection_engine", + "version": "data[33]_av_update_definitions_version", + "updated_at": "data[33]_av_update_definitions_updated_at", + }, + "faults": [], + "isolation": { + "available": "data[33]_isolation_available", + "status": "data[33]_isolation_status", + }, + "orbital": {"status": "data[33]_orbital_status"}, + }, + ), + ( + {"connector_guid": "1"}, + "/1", + "computer_get_response.json", + "### Computer Information\n" + "|Host Name|Connector GUID|Operating System|External IP|Group GUID|Policy GUID|\n" + "|---|---|---|---|---|---|\n" + "| data_hostname | data_connector_guid | data_operating_system (Build data_os_version) |" + " data_external_ip | data_group_guid | data_policy_guid |\n", + { + "connector_guid": "data_connector_guid", + "hostname": "data_hostname", + "windows_processor_id": "data_windows_processor_id", + "active": "data_active", + "connector_version": "data_connector_version", + "operating_system": "data_operating_system", + "os_version": "data_os_version", + "internal_ips": ["data_internal_ips_0"], + "external_ip": "data_external_ip", + "group_guid": "data_group_guid", + "install_date": "data_install_date", + "is_compromised": "data_is_compromised", + "demo": "data_demo", + "network_addresses": [ + { + "mac": "data_network_addresses[0]_mac", + "ip": "data_network_addresses[0]_ip", + } + ], + "policy": {"guid": "data_policy_guid", "name": "data_policy_name"}, + "groups": [ + {"guid": "data_groups[0]_guid", "name": "data_groups[0]_name"} + ], + "last_seen": "data_last_seen", + "faults": [], + "isolation": { + "available": "data_isolation_available", + "status": "data_isolation_status", + }, + "orbital": {"status": "data_orbital_status"}, + }, + ), + ], +) +def test_computer_list_command( + requests_mock, + mock_client, + args, + suffix, + file, + expected_readable_output, + expected_output, +): + """ + Scenario: + - Get a list of 34 computers. + - Get a single computer. + Given: + - The user has entered a limit. + - The user has entered a connector_guid. + When: + - cisco-amp-computer-list is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure links don't exist. + """ + mock_response = load_mock_response(file) + requests_mock.get(f"{BASE_URL}/computers{suffix}", json=mock_response) + + from AMPv2 import computer_list_command + + responses = computer_list_command(mock_client, args) + + for response in responses[:-1]: + assert response.outputs_prefix == "CiscoAMP.Computer" + assert "links" not in response.outputs + assert response.indicator.id == response.outputs["connector_guid"] + assert ( + response.indicator.mac_address + == response.outputs["network_addresses"][0]["mac"] + ) + assert ( + response.indicator.status == "Online" + if response.outputs["active"] + else "Offline" + ) + assert response.indicator.vendor == "CiscoAMP Response" + + assert response.outputs == expected_output + assert responses[-1].readable_output == expected_readable_output + + +def test_computer_list_error_command(requests_mock, mock_client): + """ + Scenario: + - Search for a specific computer and get a list of computers in a group. + Given: + - The user has entered a connector_guid and a group_guid. + When: + - cisco-amp-computer-list is called. + Then: + - Ensure an exception has been raised. + """ + args = {"connector_guid": "1", "group_guid": "2"} + + requests_mock.get(f'{BASE_URL}/computers/{args["connector_guid"]}') + + from AMPv2 import computer_list_command + + with pytest.raises(ValueError) as ve: + computer_list_command(mock_client, args) + + assert ( + str(ve) + == "connector_guid must be the only input, when fetching a specific computer." + ) + + +def test_computer_trajectory_list_command(requests_mock, mock_client): + """ + Scenario: + - Get a computer's trajectory with pagination. + Given: + - The user has entered a connector_guid, page and page_size. + When: + - cisco-amp-computer-trajectory-get is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure length of the events in context output is correct. + - Ensure connector_guid is in the events. + - Ensure pagination worked. + """ + args = {"connector_guid": "1", "page": 2, "page_size": 2} + + mock_response = load_mock_response("computer_trajectory_response.json") + requests_mock.get( + f'{BASE_URL}/computers/{args["connector_guid"]}/trajectory', json=mock_response + ) + + from AMPv2 import computer_trajectory_list_command + + response = computer_trajectory_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.ComputerTrajectory" + assert len(response.outputs) == args["page_size"] + assert response.outputs == [ + { + "timestamp": "data_events[2]_timestamp", + "timestamp_nanoseconds": "data_events[2]_timestamp_nanoseconds", + "date": "data_events[2]_date", + "event_type": "data_events[2]_event_type", + "group_guids": ["data_events[2]_group_guids_0"], + "file": { + "disposition": "data_events[2]_file_disposition", + "file_name": "data_events[2]_file_file_name", + "file_path": "data_events[2]_file_file_path", + "file_type": "data_events[2]_file_file_type", + "identity": {"sha256": "data_events[2]_file_identity_sha256"}, + "parent": { + "disposition": "data_events[2]_file_parent_disposition", + "identity": { + "sha256": "data_events[2]_file_parent_identity_sha256" + }, + }, + }, + "connector_guid": "data_computer_connector_guid", + }, + { + "timestamp": "data_events[3]_timestamp", + "timestamp_nanoseconds": "data_events[3]_timestamp_nanoseconds", + "date": "data_events[3]_date", + "event_type": "data_events[3]_event_type", + "group_guids": ["data_events[3]_group_guids_0"], + "file": { + "disposition": "data_events[3]_file_disposition", + "file_name": "data_events[3]_file_file_name", + "file_path": "data_events[3]_file_file_path", + "file_type": "data_events[3]_file_file_type", + "identity": {"sha256": "data_events[3]_file_identity_sha256"}, + "parent": { + "disposition": "data_events[3]_file_parent_disposition", + "identity": { + "sha256": "data_events[3]_file_parent_identity_sha256" + }, + }, + }, + "connector_guid": "data_computer_connector_guid", + }, + ] + assert_output_has_no_links(response.outputs) + + +def test_computer_trajectory_list_error_command(requests_mock, mock_client): + """ + Scenario: + - Get a computer's trajectory and filter it by a false query. + Given: + - The user has entered a connector_guid and a query_string. + When: + - cisco-amp-computer-trajectory-get is called. + Then: + - Ensure an exception has been raised. + """ + args = {"connector_guid": "1", "query_string": '"'} + + with pytest.raises(ValueError) as ve: + from AMPv2 import computer_trajectory_list_command + + computer_trajectory_list_command(mock_client, args) + + assert str(ve) == "query_string must be: SHA-256/IPv4/URL" + + +def test_computer_user_activity_list_command(requests_mock, mock_client): + """ + Scenario: + - Get user activity on computers. + Given: + - The user has entered a username. + When: + - cisco-amp-computer-user-activity-get is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure isn't in the outputs. + """ + mock_response = load_mock_response("computer_user_activity_response.json") + requests_mock.get(f"{BASE_URL}/computers/user_activity", json=mock_response) + + args = {"username": "johndoe"} + + from AMPv2 import computer_user_activity_list_command + + response = computer_user_activity_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.ComputerUserActivity" + assert_output_has_no_links(response.outputs) + + for output, mock_output in zip(response.outputs, mock_response["data"]): + mock_output.pop("links", None) + assert output == mock_output + + +def test_computer_user_trajectory_list_command(requests_mock, mock_client): + """ + Scenario: + - Get a computer's trajectory with pagination. + Given: + - The user has entered a connector_guid, page and page_size. + When: + - cisco-amp-computer-user-trajectory-get is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure length of the outputs is correct. + - Ensure connector_guid is in the outputs. + """ + args = {"connector_guid": "1", "page": "1", "page_size": "1"} + + mock_response = load_mock_response("computer_user_trajectory_response.json") + requests_mock.get( + f'{BASE_URL}/computers/{args["connector_guid"]}/user_trajectory', + json=mock_response, + ) + + from AMPv2 import computer_user_trajectory_list_command + + response = computer_user_trajectory_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.ComputerUserTrajectory" + assert len(response.outputs) == 1 + assert response.outputs == [ + { + "id": "data_events[0]_id", + "timestamp": "data_events[0]_timestamp", + "timestamp_nanoseconds": "data_events[0]_timestamp_nanoseconds", + "date": "data_events[0]_date", + "event_type": "data_events[0]_event_type", + "event_type_id": "data_events[0]_event_type_id", + "detection_id": "data_events[0]_detection_id", + "group_guids": ["data_events[0]_group_guids_0"], + "severity": "data_events[0]_severity", + "file": { + "disposition": "data_events[0]_file_disposition", + "file_name": "data_events[0]_file_file_name", + "file_path": "data_events[0]_file_file_path", + "identity": { + "sha256": "data_events[0]_file_identity_sha256", + "sha1": "data_events[0]_file_identity_sha1", + "md5": "data_events[0]_file_identity_md5", + }, + "attack_details": { + "application": "data_events[0]_file_attack_details_application", + "attacked_module": "data_events[0]_file_attack_details_attacked_module", + "base_address": "data_events[0]_file_attack_details_base_address", + "suspicious_files": [ + "data_events[0]_file_attack_details_suspicious_files_0" + ], + "indicators": [ + { + "tactics": [ + "data_events[0]_file_attack_details_indicators[0]_tactics_0" + ], + "severity": "data_events[0]_file_attack_details_indicators[0]_severity", + "description": "data_events[0]_file_attack_details_indicators[0]_description", + "short_description": "data_events[0]_file_attack_details_indicators[0]_short_description", + "id": "data_events[0]_file_attack_details_indicators[0]_id", + "techniques": [ + "data_events[0]_file_attack_details_indicators[0]_techniques_0" + ], + } + ], + }, + }, + "user_name": "data_events[0]_user_name", + "tactics": ["data_events[0]_tactics_0"], + "techniques": ["data_events[0]_techniques_0"], + "connector_guid": "data_computer_connector_guid", + } + ] + + +def test_computer_vulnerabilities_list_command(requests_mock, mock_client): + """ + Scenario: + - Get vulnerabilities of a computer. + Given: + - The user has entered a connector_guid. + When: + - cisco-amp-computer-vulnerabilities-get is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure length of the outputs is correct. + - Ensure connector_guid is in the outputs. + """ + args = {"connector_guid": "12345"} + + mock_response = load_mock_response("computer_vulnerabilities_response.json") + requests_mock.get( + f'{BASE_URL}/computers/{args["connector_guid"]}/vulnerabilities', + json=mock_response, + ) + + from AMPv2 import computer_vulnerabilities_list_command + + response = computer_vulnerabilities_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.ComputerVulnerability" + assert len(response.outputs) == 1 + assert_output_has_no_links(response.outputs) + + for output, mock_output in zip( + response.outputs, mock_response["data"]["vulnerabilities"] + ): + assert output["connector_guid"] == mock_response["data"]["connector_guid"] + + output.pop("connector_guid", None) + mock_output.pop("links", None) + assert output == mock_output + + +def test_computer_move_command(requests_mock, mock_client): + """ + Scenario: + - Move a computer to another group. + Given: + - The user has entered a connector_guid and a group_guid. + When: + - cisco-amp-computer-move is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure a links doesn't exist in outputs. + """ + args: Dict[str, Any] = {"connector_guid": 1, "group_guid": 2} + + mock_response = load_mock_response("computer_move_response.json") + requests_mock.patch( + f'{BASE_URL}/computers/{args["connector_guid"]}', json=mock_response + ) + + from AMPv2 import computer_move_command + + response = computer_move_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.Computer" + assert "links" not in response.outputs + mock_response["data"].pop("links", None) + assert response.outputs[0] == mock_response["data"] + + +def test_computer_delete_command(requests_mock, mock_client): + """ + Scenario: + - Delete a computer. + Given: + - The user has entered a connector_guid. + When: + - cisco-amp-computer-delete is called. + Then: + - Ensure the computer has been deleted. + """ + args: Dict[str, Any] = {"connector_guid": 1} + + mock_response = load_mock_response("computer_delete_response.json") + requests_mock.delete( + f'{BASE_URL}/computers/{args["connector_guid"]}', json=mock_response + ) + + from AMPv2 import computer_delete_command + + response = computer_delete_command(mock_client, args) + + assert response.raw_response["data"]["deleted"] is True + + +def test_computer_delete_error_command(requests_mock, mock_client): + """ + Scenario: + - Delete a computer. + Given: + - The user has entered a connector_guid. + When: + - cisco-amp-computer-delete is called. + Then: + - Ensure a value error has been raised. + """ + args: Dict[str, Any] = {"connector_guid": 1} + + mock_response = load_mock_response("computer_delete_fail_response.json") + requests_mock.delete( + f'{BASE_URL}/computers/{args["connector_guid"]}', json=mock_response + ) + + with pytest.raises(DemistoException) as de: + from AMPv2 import computer_delete_command + + computer_delete_command(mock_client, args) + + assert de.message.startswith("Failed to delete Connector GUID:") + + +def test_computer_activity_list_command(requests_mock, mock_client): + """ + Scenario: + - Get activity on computers by query. + Given: + - The user has entered a url to query. + When: + - cisco-amp-computer-activity-list is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure a links doesn't exist in outputs. + """ + args = {"query_string": "8.8.8.8"} + + mock_response = load_mock_response("computer_activity_response.json") + requests_mock.get(f"{BASE_URL}/computers/activity", json=mock_response) + + from AMPv2 import computer_activity_list_command + + response = computer_activity_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.ComputerActivity" + assert_output_has_no_links(response.outputs) + + for output, mock_output in zip(response.outputs, mock_response["data"]): + mock_output.pop("links", None) + assert output == mock_output + + +def test_computer_activity_list_error_command(requests_mock, mock_client): + """ + Scenario: + - Get activity on computers by query. + Given: + - The user has entered a false query. + When: + - cisco-amp-computer-activity-list is called. + Then: + - Ensure a value has been raised. + """ + args = {"query_string": '"'} + + requests_mock.get(f"{BASE_URL}/computers/activity") + + with pytest.raises(ValueError) as ve: + from AMPv2 import computer_activity_list_command + + computer_activity_list_command(mock_client, args) + + assert str(ve) == "query_string must be: SHA-256/IPv4/URL/Filename" + + +def test_computer_isolation_feature_availability_get_command( + requests_mock, mock_client +): + """ + Scenario: + - Get available features on a computer. + When: + - cisco-amp-computer_isolation_feature_availability_get is called. + Then: + - Ensure readable_output is correct. + """ + args: Dict[str, Any] = {"connector_guid": 1} + + requests_mock.options( + f'{BASE_URL}/computers/{args["connector_guid"]}/isolation', + headers={"Allow": "GET, PUT, DELETE"}, + ) + + from AMPv2 import computers_isolation_feature_availability_get_command + + response = computers_isolation_feature_availability_get_command(mock_client, args) + + assert ( + response.readable_output + == "Can get information about an isolation with computer-isolation-get\n" + + "Can request to create a new isolation with computer-isolation-create\n" + + "Can request to stop the isolation with computer-isolation-delete\n" + ) + + +def test_computer_isolation_get_command(requests_mock, mock_client): + """ + Scenario: + - Get isolation status on a computer. + Given: + - The user has entered a connector_guid. + When: + - cisco-amp-computer-isolation-get is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure comment is set in readable_output. + """ + args: Dict[str, Any] = {"connector_guid": 1} + mock_response = load_mock_response("isolation_response.json") + + requests_mock.get( + f'{BASE_URL}/computers/{args["connector_guid"]}/isolation', json=mock_response + ) + + from AMPv2 import computer_isolation_get_command + + response = computer_isolation_get_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.ComputerIsolation" + assert response.outputs["connector_guid"] == args["connector_guid"] + response.outputs.pop("connector_guid", None) + assert response.outputs == mock_response["data"] + + +def test_computer_isolation_create_command(requests_mock, mock_client): + """ + Scenario: + - Put a computer in isolation. + Given: + - The user has entered a connector_guid, comment adn unlock_code. + When: + - cisco-amp-computer-isolation-create is called. + Then: + - Ensure outputs_prefix is correct. + """ + args: Dict[str, Any] = { + "connector_guid": "1", + "comment": "Hello", + "unlock_code": "Goodbye", + } + + mock_response = load_mock_response("isolation_response.json") + requests_mock.put( + f'{BASE_URL}/computers/{args["connector_guid"]}/isolation', json=mock_response + ) + + from AMPv2 import computer_isolation_create_command + + response = computer_isolation_create_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.ComputerIsolation" + assert response.outputs["connector_guid"] == args["connector_guid"] + response.outputs.pop("connector_guid", None) + assert response.outputs == mock_response["data"] + + +def test_computer_isolation_delete_command(requests_mock, mock_client): + """ + Scenario: + - Delete a computer in isolation. + Given: + - The user has entered a connector_guid. + When: + - cisco-amp-computer-isolation-delete is called. + Then: + - Ensure outputs_prefix is correct. + """ + args: Dict[str, Any] = { + "connector_guid": "1", + } + + mock_response = load_mock_response("isolation_response.json") + requests_mock.delete( + f'{BASE_URL}/computers/{args["connector_guid"]}/isolation', json=mock_response + ) + + from AMPv2 import computer_isolation_delete_command + + response = computer_isolation_delete_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.ComputerIsolation" + assert response.outputs[0]["available"] == mock_response["data"]["available"] + assert response.outputs[0]["status"] == mock_response["data"]["status"] + assert response.outputs[0]["unlock_code"] == mock_response["data"]["unlock_code"] + + +def test_event_list_command(requests_mock, mock_client): + """ + Scenario: + - Get list of events. + Given: + - The user has entered no arguments. + When: + - cisco-amp-event-list is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure there are no links in the outputs. + """ + mock_response = load_mock_response("event_list_response.json") + requests_mock.get(f"{BASE_URL}/events", json=mock_response) + + args: Dict[str, Any] = {} + + from AMPv2 import event_list_command + + responses = event_list_command(mock_client, args) + + for response in responses[:-1]: + assert response.outputs_prefix == "CiscoAMP.Event" + + if "file" in response.outputs: + assert ( + response.indicator.sha256 + == response.outputs["file"]["identity"]["sha256"] + ) + assert response.indicator.path == response.outputs["file"]["file_path"] + assert response.indicator.name == response.outputs["file"]["file_name"] + + if computer := response.outputs.get("computer"): + assert "links" not in computer + + assert ( + responses[-1].readable_output + == "### Results\n" + + "|Current Item Count|Index|Items Per Page|Total|\n" + + "|---|---|---|---|\n" + + "| metadata_results_current_item_count | metadata_results_index | " + + "metadata_results_items_per_page | metadata_results_total |\n" + + "### Event Information\n" + + "|ID|Date|Event Type|Detection|Connector GUID|Severity|\n" + + "|---|---|---|---|---|---|\n" + + "| data[0]_id | data[0]_date | data[0]_event_type | | data[0]_connector_guid | |\n" + + "| data[1]_id | data[1]_date | data[1]_event_type | | data[1]_connector_guid | |\n" + + "| data[2]_id | data[2]_date | data[2]_event_type | | data[2]_connector_guid | |\n" + + "| data[3]_id | data[3]_date | data[3]_event_type | | data[3]_connector_guid | |\n" + + "| data[4]_id | data[4]_date | data[4]_event_type | | data[4]_connector_guid | |\n" + + "| data[5]_id | data[5]_date | data[5]_event_type | | data[5]_connector_guid | |\n" + + "| data[6]_id | data[6]_date | data[6]_event_type | | data[6]_connector_guid | |\n" + + "| data[7]_id | data[7]_date | data[7]_event_type | | data[7]_connector_guid | |\n" + + "| data[8]_id | data[8]_date | data[8]_event_type | | data[8]_connector_guid | |\n" + + "| data[9]_id | data[9]_date | data[9]_event_type | | data[9]_connector_guid | |\n" + + "| data[10]_id | data[10]_date | data[10]_event_type | | data[10]_connector_guid | |\n" + + "| data[11]_id | data[11]_date | data[11]_event_type | | data[11]_connector_guid | |\n" + + "| data[12]_id | data[12]_date | data[12]_event_type | | data[12]_connector_guid | |\n" + + "| data[13]_id | data[13]_date | data[13]_event_type | | | |\n" + + "| data[14]_id | data[14]_date | data[14]_event_type | " + + "data[14]_detection | data[14]_connector_guid | data[14]_severity |\n" + ) + + +@pytest.mark.parametrize( + "args, expected_number_of_results, start, end", + [ + ({}, 100, 0, 100), + ({"limit": "50"}, 50, 0, 50), + ({"page": "7", "page_size": "5"}, 5, 30, 35), + ], +) +def test_event_types_list_command( + requests_mock, mock_client, args, expected_number_of_results, start, end +): + """ + Scenario: + - Get list of event types. + Given: + - The user has entered no arguments. + - The user has entered automatic pagination. + - The user has entered manual pagination. + When: + - cisco-amp-event-type-list is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure pagination has worked. + """ + mock_response = load_mock_response("event_type_list_response.json") + requests_mock.get(f"{BASE_URL}/event_types", json=mock_response) + + from AMPv2 import event_type_list_command + + response = event_type_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.EventType" + assert len(response.outputs) == expected_number_of_results + + for output, mock_output in zip(response.outputs, mock_response["data"][start:end]): + mock_output.pop("links", None) + assert output == mock_output + + +@pytest.mark.parametrize( + "file, suffix, args, expected_file_list_type", + [ + ( + "file_list_list_response.json", + "file_lists/1", + {"file_list_guid": "1"}, + "application_blocking", + ), + ( + "file_list_application_blocking_response.json", + "file_lists/application_blocking", + {}, + "application_blocking", + ), + ( + "file_list_simple_custom_detections_response.json", + "file_lists/simple_custom_detections", + {"file_list_type": "Simple Custom Detection"}, + "simple_custom_detections", + ), + ], +) +def test_file_list_list_command( + requests_mock, mock_client, file, suffix, args, expected_file_list_type +): + """ + Scenario: + - Get a specific file list. + - Get an application_blocking list. + - Get a simple_custom_detections list. + Given: + - The user has entered a file_list_guid. + - The user has entered no arguments. + - The user has entered a file_list_type. + When: + - cisco-amp-file-list-list is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure there are no links in the outputs. + - Ensure the correct file list type has been returned. + """ + mock_response = load_mock_response(file) + requests_mock.get(f"{BASE_URL}/{suffix}", json=mock_response) + + from AMPv2 import file_list_list_command + + response = file_list_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.FileList" + + if not isinstance(response.outputs, List): + response.outputs = [response.outputs] + + if isinstance(mock_response["data"], dict): + mock_response["data"] = [mock_response["data"]] + + for output in response.outputs: + assert "links" not in output + assert output["type"] == expected_file_list_type + + for output, mock_output in zip(response.outputs, mock_response["data"]): + mock_output.pop("links", None) + assert output == mock_output + + +@pytest.mark.parametrize( + "file, suffix, args", + [ + ( + "file_list_item_list_response.json", + "file_lists/1/files", + {"file_list_guid": "1"}, + ), + ( + "file_list_item_get_response.json", + "file_lists/1/files/1", + {"file_list_guid": "1", "sha256": "1"}, + ), + ], +) +def test_file_list_item_list_command(requests_mock, mock_client, file, suffix, args): + """ + Scenario: + - Get a file item list. + - Get a specific file item list item. + Given: + - The user has entered a file_list_guid. + - The user has entered a file_list_guid and a sha256. + When: + - cisco-amp-file-list-item-list is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure there are no links in the outputs. + """ + mock_response = load_mock_response(file) + requests_mock.get(f"{BASE_URL}/{suffix}", json=mock_response) + + from AMPv2 import file_list_item_list_command + + response = file_list_item_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.FileListItem" + assert "links" not in response.outputs + + if policies := response.outputs[0].get("policies"): + assert_output_has_no_links(policies) + + for policy, mock_policy in zip(policies, mock_response["data"]["policies"]): + mock_policy.pop("links", None) + assert policy == mock_policy + + if items := response.outputs[0].get("items"): + assert_output_has_no_links(items) + + for item, mock_item in zip(items, mock_response["data"]["items"]): + mock_item.pop("links", None) + assert item == mock_item + + +def test_file_list_item_create_command(requests_mock, mock_client): + """ + Scenario: + - Create an item for a file item list + Given: + - The user has entered a file_list_guid and a sha256. + When: + - cisco-amp-file-list-item-create is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure there are no links in the outputs. + """ + args: Dict[str, Any] = {"file_list_guid": "1", "sha256": "1"} + + mock_response = load_mock_response("file_list_item_create_response.json") + requests_mock.post( + f'{BASE_URL}/file_lists/{args["file_list_guid"]}/files/{args["sha256"]}', + json=mock_response, + ) + + from AMPv2 import file_list_item_create_command + + response = file_list_item_create_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.FileListItem" + assert "links" not in response.outputs + mock_response["data"].pop("links", None) + assert response.outputs[0] == mock_response["data"] + + +def test_file_list_item_delete_command(requests_mock, mock_client): + """ + Scenario: + - Delete a file item from a file item list. + Given: + - The user has entered a file_list_guid and a sha256. + When: + - cisco-amp-file-list-item-delete is called. + Then: + - Ensure the deletion succeeded. + """ + args = {"file_list_guid": "1", "sha256": "1"} + + mock_response = load_mock_response("file_list_item_delete_response.json") + requests_mock.delete( + f'{BASE_URL}/file_lists/{args["file_list_guid"]}/files/{args["sha256"]}', + json=mock_response, + ) + + from AMPv2 import file_list_item_delete_command + + response = file_list_item_delete_command(mock_client, args) + + assert ( + response.readable_output + == f'SHA-256: "{args["sha256"]}" Successfully deleted from File List GUID: "{args["file_list_guid"]}".' + ) + + +def test_file_list_item_delete_error_command(requests_mock, mock_client): + """ + Scenario: + - Delete a file item from a file item list. + Given: + - The user has entered a file_list_guid and a sha256. + When: + - cisco-amp-file-list-item-delete is called. + Then: + - Ensure the deletion failed. + """ + args = {"file_list_guid": "1", "sha256": "1"} + + mock_response = load_mock_response("file_list_item_delete_fail_response.json") + requests_mock.delete( + f'{BASE_URL}/file_lists/{args["file_list_guid"]}/files/{args["sha256"]}', + json=mock_response, + ) + + with pytest.raises(DemistoException) as de: + from AMPv2 import file_list_item_delete_command + + file_list_item_delete_command(mock_client, args) + + assert ( + de.message + == f'Failed to delete-\nFile List GUID: "{args["file_list_guid"]}"\nSHA-256: "{args["sha256"]}" not found.' + ) + + +@pytest.mark.parametrize( + "file, args, suffix", + [ + ("group_list_response.json", {}, ""), + ("group_response.json", {"group_guid": "1"}, "/1"), + ], +) +def test_group_list_command(requests_mock, mock_client, file, args, suffix): + """ + Scenario: + - Get a group list. + - Get a specific group. + Given: + - The user hasn't entered any arguments. + - The user has entered a group_guid. + When: + - cisco-amp-group-list is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure there are no links in the outputs. + """ + mock_response = load_mock_response(file) + requests_mock.get(f"{BASE_URL}/groups{suffix}", json=mock_response) + + from AMPv2 import group_list_command + + response = group_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.Group" + + assert_output_has_no_links(response.outputs) + + if policies := response.outputs[0].get("policies"): + assert_output_has_no_links(policies) + + if isinstance(mock_response["data"], dict): + mock_response["data"] = [mock_response["data"]] + + for output, mock_output in zip(response.outputs, mock_response["data"]): + mock_output.pop("links", None) + + for policy in mock_output.get("policies", []): + policy.pop("links", None) + + assert output == mock_output + + +def test_group_policy_update_command(requests_mock, mock_client): + """ + Scenario: + - Update a group policy. + Given: + - The user hasn't entered any policy arguments. + - The user has entered a group_guid and a policy argument. + When: + - cisco-amp-group-policy-update is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure there are no links in the outputs. + """ + args = {"group_guid": "1", "windows_policy_guid": "1"} + + mock_response = load_mock_response("group_response.json") + requests_mock.patch(f'{BASE_URL}/groups/{args["group_guid"]}', json=mock_response) + + from AMPv2 import group_policy_update_command + + response = group_policy_update_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.Group" + + if policies := response.outputs[0].get("policies"): + assert_output_has_no_links(policies) + + if isinstance(mock_response["data"], dict): + mock_response["data"] = [mock_response["data"]] + + for output, mock_output in zip(response.outputs, mock_response["data"]): + mock_output.pop("links", None) + + for policy in mock_output.get("policies", []): + policy.pop("links", None) + + assert output == mock_output + + +def test_group_policy_update_error_command(requests_mock, mock_client): + """ + Scenario: + - Update a group policy. + Given: + - The user hasn't entered any policy arguments. + When: + - cisco-amp-group-policy-update is called. + Then: + - Ensure an error has been raised + """ + args = {"group_guid": "1"} + + requests_mock.patch(f'{BASE_URL}/groups/{args["group_guid"]}') + + with pytest.raises(ValueError) as ve: + from AMPv2 import group_policy_update_command + + group_policy_update_command(mock_client, args) + + assert str(ve) == "At least one Policy GUID must be entered." + + +@pytest.mark.parametrize("file", [("group_response.json"), ("group_response.json")]) +def test_group_parent_update_command(requests_mock, mock_client, file): + """ + Scenario: + - Update a group policy. + Given: + - The user has entered a child_guid. + When: + - cisco-amp-group-parent-update is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure there are no links in the outputs. + """ + args: Dict[str, Any] = {"child_guid": "1"} + + mock_response = load_mock_response(file) + requests_mock.patch( + f'{BASE_URL}/groups/{args["child_guid"]}/parent', json=mock_response + ) + + from AMPv2 import group_parent_update_command + + response = group_parent_update_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.Group" + + if policies := response.outputs[0].get("policies"): + assert_output_has_no_links(policies) + + if isinstance(mock_response["data"], dict): + mock_response["data"] = [mock_response["data"]] + + for output, mock_output in zip(response.outputs, mock_response["data"]): + mock_output.pop("links", None) + + for policy in mock_output.get("policies", []): + policy.pop("links", None) + + assert output == mock_output + + +def test_group_create_command(requests_mock, mock_client): + """ + Scenario: + - Create a new group. + Given: + - The user has entered a name and description. + When: + - cisco-amp-group-create is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure there are no links in the outputs. + """ + args: Dict[str, Any] = { + "name": "Til", + "description": "Tamar", + } + + mock_response = load_mock_response("group_response.json") + requests_mock.post(f"{BASE_URL}/groups", json=mock_response) + + from AMPv2 import group_create_command + + response = group_create_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.Group" + + if policies := response.outputs[0].get("policies"): + assert_output_has_no_links(policies) + + if isinstance(mock_response["data"], dict): + mock_response["data"] = [mock_response["data"]] + + for output, mock_output in zip(response.outputs, mock_response["data"]): + mock_output.pop("links", None) + + for policy in mock_output.get("policies", []): + policy.pop("links", None) + + assert output == mock_output + + +def test_group_delete_command(requests_mock, mock_client): + """ + Scenario: + - Delete a group. + Given: + - The user has entered a group_guid. + When: + - cisco-amp-groups-delete is called. + Then: + - Ensure the deletion succeeded. + """ + args: Dict[str, Any] = { + "group_guid": "1", + } + + mock_response = load_mock_response("group_delete_response.json") + requests_mock.delete(f'{BASE_URL}/groups/{args["group_guid"]}', json=mock_response) + + from AMPv2 import groups_delete_command + + response = groups_delete_command(mock_client, args) + + assert ( + response.readable_output + == f'Group GUID: "{args["group_guid"]}"\nSuccessfully deleted.' + ) + + +def test_group_delete_error_command(requests_mock, mock_client): + """ + Scenario: + - Delete a group. + Given: + - The user has entered a group_guid. + When: + - cisco-amp-groups-delete is called. + Then: + - Ensure the deletion failed. + """ + args: Dict[str, Any] = { + "group_guid": "1", + } + + mock_response = load_mock_response("group_delete_fail_response.json") + requests_mock.delete(f'{BASE_URL}/groups/{args["group_guid"]}', json=mock_response) + + with pytest.raises(DemistoException) as de: + from AMPv2 import groups_delete_command + + groups_delete_command(mock_client, args) + + assert de.message == f'Failed to delete Group GUID: "{args["group_guid"]}".' + + +@pytest.mark.parametrize( + "file, args, suffix", + [ + ("indicator_list_response.json", {}, ""), + ("indicator_get_response.json", {"indicator_guid": "1"}, "/1"), + ], +) +def test_indicator_list_command(requests_mock, mock_client, file, args, suffix): + """ + Scenario: + - Get an indicator list. + - Get a specific indicator. + Given: + - The user hasn't entered any arguments. + - The user has entered an indicator_guid. + When: + - cisco-amp-indicator-list is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure there are no links in the outputs. + """ + mock_response = load_mock_response(file) + requests_mock.get(f"{BASE_URL}/indicators{suffix}", json=mock_response) + + from AMPv2 import indicator_list_command + + response = indicator_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.Indicator" + assert_output_has_no_links(response.outputs) + + if isinstance(mock_response["data"], dict): + mock_response["data"] = [mock_response["data"]] + + for output, mock_output in zip(response.outputs, mock_response["data"]): + mock_output.pop("links", None) + assert output == mock_output + + +@pytest.mark.parametrize( + "file, args, suffix", + [ + ("policy_list_response.json", {}, ""), + ("policy_get_response.json", {"policy_guid": "1"}, "/1"), + ], +) +def test_policy_list_command(requests_mock, mock_client, file, args, suffix): + """ + Scenario: + - Get a policy list. + - Get a specific policy. + Given: + - The user hasn't entered any arguments. + - The user has entered an policy_guid. + When: + - cisco-amp-policy-list is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure there are no links in the outputs. + """ + mock_response = load_mock_response(file) + requests_mock.get(f"{BASE_URL}/policies{suffix}", json=mock_response) + + from AMPv2 import policy_list_command + + response = policy_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.Policy" + assert_output_has_no_links(response.outputs) + + if isinstance(mock_response["data"], dict): + mock_response["data"] = [mock_response["data"]] + + for output, mock_output in zip(response.outputs, mock_response["data"]): + mock_output.pop("links", None) + assert output == mock_output + + +@pytest.mark.parametrize( + "args, expected_number_of_results, start, end", + [ + ({"ios_bid": "Gotta"}, 100, 0, 100), + ({"ios_bid": "Catch-em", "limit": "50"}, 50, 0, 50), + ({"ios_bid": "All", "page": "7", "page_size": "5"}, 5, 30, 35), + ], +) +def test_app_trajectory_query_list_command( + requests_mock, + mock_client, + args, + expected_number_of_results, + start, + end, +): + """ + Scenario: + - Get an app trajectory. + Given: + - The user has entered an ios_bid. + - The user has entered an ios_bid and automatic pagination. + - The user has entered an ios_bid and manual pagination. + When: + - cisco-amp-app-trajectory-query-list is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure pagination has worked. + """ + mock_response = load_mock_response("app_trajectory_query_response.json") + requests_mock.get(f"{BASE_URL}/app_trajectory/queries", json=mock_response) + + from AMPv2 import app_trajectory_query_list_command + + response = app_trajectory_query_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.AppTrajectoryQuery" + assert len(response.outputs) == expected_number_of_results + + for output, mock_output in zip(response.outputs, mock_response["data"][start:end]): + mock_output.pop("links", None) + assert output == mock_output + + +def test_version_get_command(requests_mock, mock_client): + """ + Scenario: + - Get current version of API. + When: + - cisco-amp-version-get is called. + Then: + - Ensure outputs_prefix is correct. + """ + arg: Dict[str, Any] = {} + + mock_response = load_mock_response("version_get_response.json") + requests_mock.get(f"{BASE_URL}/version", json=mock_response) + + from AMPv2 import version_get_command + + response = version_get_command(mock_client, arg) + + assert response.outputs_prefix == "CiscoAMP.Version" + + +@pytest.mark.parametrize( + "file, args, suffix, is_list", + [ + ("vulnerability_list_response.json", {}, "", True), + ("vulnerability_get_response.json", {"sha256": "1"}, "/1/computers", False), + ], +) +def test_vulnerability_list_command( + requests_mock, mock_client, file, args, suffix, is_list +): + """ + Scenario: + - Get a vulnerability list. + - Get a vulnerable item trajectory. + Given: + - The user hasn't entered any arguments. + - The user has entered a sha256. + When: + - cisco-amp-vulnerability-list is called. + Then: + - Ensure outputs_prefix is correct. + - Ensure there are no links in the outputs. + """ + mock_response = load_mock_response(file) + requests_mock.get(f"{BASE_URL}/vulnerabilities{suffix}", json=mock_response) + + from AMPv2 import vulnerability_list_command + + response = vulnerability_list_command(mock_client, args) + + assert response.outputs_prefix == "CiscoAMP.Vulnerability" + assert_output_has_no_links(response.outputs) + + for output, mock_output in zip(response.outputs, mock_response["data"]): + mock_output.pop("links", None) + + for computer in mock_output.get("computers", []): + computer.pop("links", None) + + assert output == mock_output diff --git a/Packs/AMP/Integrations/AMPv2/README.md b/Packs/AMP/Integrations/AMPv2/README.md new file mode 100644 index 000000000000..a08c74e95a07 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/README.md @@ -0,0 +1,5060 @@ +Cisco Advanced Malware Protection software is designed to prevent, detect, and help remove threats in an efficient manner from computer systems. Threats can take the form of software viruses and other malware such as ransomware, worms, Trojans, spyware, adware, and fileless malware. +This integration was integrated and tested with version 1 of CiscoAMP. + +## Configure Cisco AMP Secure Endpoint on Cortex XSOAR + +1. Navigate to **Settings** > **Integrations** > **Servers & Services**. +2. Search for Cisco AMP Secure Endpoint. +3. Click **Add instance** to create and configure a new integration instance. + + | **Parameter** | **Description** | **Required** | + | --- | --- | --- | + | Server URL | | True | + | 3rd Party API Client ID | | True | + | API Key | | True | + | Trust any certificate (unsecure) | | False | + | Use system proxy | | False | + | Maximum incidents to fetch. | Maximum number of incidents per fetch. The maximum is 200. | False | + | Incident severity to fetch. | | False | + | First fetch time | First alert created date to fetch. e.g., "1 min ago","2 weeks ago","3 months ago" | False | + | Event types | Comma-separated list of Event Type IDs. | False | + +4. Click **Test** to validate the URLs, token, and connection. +## Commands +You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. +After you successfully execute a command, a DBot message appears in the War Room with the command details. +### cisco-amp-computer-list +*** +Fetch computers to shows information about them. Can be filtered by a variety of criteria. + + +#### Base Command + +`cisco-amp-computer-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | +| connector_guid | The connector GUID for a specific computer. | Optional | +| hostname | Comma-separated list of host names to filter by (has auto complete capabilities). | Optional | +| internal_ip | Internal IP to filter by. | Optional | +| external_ip | External IP to filter by. | Optional | +| group_guid | Comma-separated list of group GUIDs to filter by. | Optional | +| last_seen_within | Time range to filter by. | Optional | +| last_seen_over | Time range to filter over by. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.Computer.connector_guid | String | GUID of the connector. | +| CiscoAMP.Computer.hostname | String | Host's name. | +| CiscoAMP.Computer.windows_processor_id | String | Windows processor ID. | +| CiscoAMP.Computer.active | Boolean | Whether the computer is active. | +| CiscoAMP.Computer.connector_version | String | Version of the connector. | +| CiscoAMP.Computer.operating_system | String | Operating system of the computer. | +| CiscoAMP.Computer.os_version | String | Operating system version. | +| CiscoAMP.Computer.internal_ips | String | List of internal IPs. | +| CiscoAMP.Computer.external_ip | String | External IP. | +| CiscoAMP.Computer.group_guid | String | GUID of the group. | +| CiscoAMP.Computer.install_date | Date | Installation date. | +| CiscoAMP.Computer.is_compromised | Boolean | Whether the computer is compromised. | +| CiscoAMP.Computer.demo | Boolean | Whether the computer is a demo. | +| CiscoAMP.Computer.network_addresses.mac | String | List of MAC addresses. | +| CiscoAMP.Computer.network_addresses.ip | String | List of IP addresses. | +| CiscoAMP.Computer.policy.guid | String | GUID of the policy. | +| CiscoAMP.Computer.policy.name | String | Name of the policy. | +| CiscoAMP.Computer.groups.guid | String | GUID of the group. | +| CiscoAMP.Computer.groups.name | String | Name of the group. | +| CiscoAMP.Computer.last_seen | Date | Last date seen. | +| CiscoAMP.Computer.faults | String | Faults. | +| CiscoAMP.Computer.isolation.available | Boolean | Whether the isolation is available. | +| CiscoAMP.Computer.isolation.status | String | Status of the isolation. | +| CiscoAMP.Computer.orbital.status | String | Status of the orbital. | +| Endpoint.Hostname | String | The hostname of the endpoint. | +| Endpoint.ID | String | The endpoint's identifier. | +| Endpoint.IPAddress | String | The endpoint's IP address. | +| Endpoint.OS | String | The endpoint's operating system. | +| Endpoint.OSVersion | String | The endpoint's operating system's version. | +| Endpoint.Status | String | The status of the endpoint \(online/offline\). | +| Endpoint.MACAddress | String | The endpoint's MAC address. | +| Endpoint.Vendor | String | The integration name of the endpoint vendor. | + +#### Command example +```!cisco-amp-computer-list limit=5``` +#### Context Example +```json +{ + "CiscoAMP": { + "Computer": [ + { + "active": "CiscoAMP_Computer[0]_active", + "connector_guid": "CiscoAMP_Computer[0]_connector_guid", + "connector_version": "CiscoAMP_Computer[0]_connector_version", + "demo": "CiscoAMP_Computer[0]_demo", + "external_ip": "CiscoAMP_Computer[0]_external_ip", + "faults": [], + "group_guid": "CiscoAMP_Computer[0]_group_guid", + "groups": [ + { + "guid": "CiscoAMP_Computer[0]_groups[0]_guid", + "name": "CiscoAMP_Computer[0]_groups[0]_name" + } + ], + "hostname": "CiscoAMP_Computer[0]_hostname", + "install_date": "CiscoAMP_Computer[0]_install_date", + "internal_ips": [ + "CiscoAMP_Computer[0]_internal_ips_0" + ], + "is_compromised": "CiscoAMP_Computer[0]_is_compromised", + "isolation": { + "available": "CiscoAMP_Computer[0]_isolation_available", + "status": "CiscoAMP_Computer[0]_isolation_status" + }, + "last_seen": "CiscoAMP_Computer[0]_last_seen", + "network_addresses": [ + { + "ip": "CiscoAMP_Computer[0]_network_addresses[0]_ip", + "mac": "CiscoAMP_Computer[0]_network_addresses[0]_mac" + } + ], + "operating_system": "CiscoAMP_Computer[0]_operating_system", + "os_version": "CiscoAMP_Computer[0]_os_version", + "policy": { + "guid": "CiscoAMP_Computer[0]_policy_guid", + "name": "CiscoAMP_Computer[0]_policy_name" + }, + "windows_processor_id": "CiscoAMP_Computer[0]_windows_processor_id" + }, + { + "active": "CiscoAMP_Computer[1]_active", + "connector_guid": "CiscoAMP_Computer[1]_connector_guid", + "connector_version": "CiscoAMP_Computer[1]_connector_version", + "demo": "CiscoAMP_Computer[1]_demo", + "external_ip": "CiscoAMP_Computer[1]_external_ip", + "faults": [], + "group_guid": "CiscoAMP_Computer[1]_group_guid", + "groups": [ + { + "guid": "CiscoAMP_Computer[1]_groups[0]_guid", + "name": "CiscoAMP_Computer[1]_groups[0]_name" + } + ], + "hostname": "CiscoAMP_Computer[1]_hostname", + "install_date": "CiscoAMP_Computer[1]_install_date", + "internal_ips": [ + "CiscoAMP_Computer[1]_internal_ips_0" + ], + "is_compromised": "CiscoAMP_Computer[1]_is_compromised", + "isolation": { + "available": "CiscoAMP_Computer[1]_isolation_available", + "status": "CiscoAMP_Computer[1]_isolation_status" + }, + "last_seen": "CiscoAMP_Computer[1]_last_seen", + "network_addresses": [ + { + "ip": "CiscoAMP_Computer[1]_network_addresses[0]_ip", + "mac": "CiscoAMP_Computer[1]_network_addresses[0]_mac" + } + ], + "operating_system": "CiscoAMP_Computer[1]_operating_system", + "os_version": "CiscoAMP_Computer[1]_os_version", + "policy": { + "guid": "CiscoAMP_Computer[1]_policy_guid", + "name": "CiscoAMP_Computer[1]_policy_name" + }, + "windows_processor_id": "CiscoAMP_Computer[1]_windows_processor_id" + }, + { + "active": "CiscoAMP_Computer[2]_active", + "connector_guid": "CiscoAMP_Computer[2]_connector_guid", + "connector_version": "CiscoAMP_Computer[2]_connector_version", + "demo": "CiscoAMP_Computer[2]_demo", + "external_ip": "CiscoAMP_Computer[2]_external_ip", + "faults": [], + "group_guid": "CiscoAMP_Computer[2]_group_guid", + "groups": [ + { + "guid": "CiscoAMP_Computer[2]_groups[0]_guid", + "name": "CiscoAMP_Computer[2]_groups[0]_name" + } + ], + "hostname": "CiscoAMP_Computer[2]_hostname", + "install_date": "CiscoAMP_Computer[2]_install_date", + "internal_ips": [ + "CiscoAMP_Computer[2]_internal_ips_0" + ], + "is_compromised": "CiscoAMP_Computer[2]_is_compromised", + "isolation": { + "available": "CiscoAMP_Computer[2]_isolation_available", + "status": "CiscoAMP_Computer[2]_isolation_status" + }, + "last_seen": "CiscoAMP_Computer[2]_last_seen", + "network_addresses": [ + { + "ip": "CiscoAMP_Computer[2]_network_addresses[0]_ip", + "mac": "CiscoAMP_Computer[2]_network_addresses[0]_mac" + } + ], + "operating_system": "CiscoAMP_Computer[2]_operating_system", + "os_version": "CiscoAMP_Computer[2]_os_version", + "policy": { + "guid": "CiscoAMP_Computer[2]_policy_guid", + "name": "CiscoAMP_Computer[2]_policy_name" + }, + "windows_processor_id": "CiscoAMP_Computer[2]_windows_processor_id" + }, + { + "active": "CiscoAMP_Computer[3]_active", + "connector_guid": "CiscoAMP_Computer[3]_connector_guid", + "connector_version": "CiscoAMP_Computer[3]_connector_version", + "demo": "CiscoAMP_Computer[3]_demo", + "external_ip": "CiscoAMP_Computer[3]_external_ip", + "faults": [], + "group_guid": "CiscoAMP_Computer[3]_group_guid", + "groups": [ + { + "guid": "CiscoAMP_Computer[3]_groups[0]_guid", + "name": "CiscoAMP_Computer[3]_groups[0]_name" + } + ], + "hostname": "CiscoAMP_Computer[3]_hostname", + "install_date": "CiscoAMP_Computer[3]_install_date", + "internal_ips": [ + "CiscoAMP_Computer[3]_internal_ips_0" + ], + "is_compromised": "CiscoAMP_Computer[3]_is_compromised", + "isolation": { + "available": "CiscoAMP_Computer[3]_isolation_available", + "status": "CiscoAMP_Computer[3]_isolation_status" + }, + "last_seen": "CiscoAMP_Computer[3]_last_seen", + "network_addresses": [ + { + "ip": "CiscoAMP_Computer[3]_network_addresses[0]_ip", + "mac": "CiscoAMP_Computer[3]_network_addresses[0]_mac" + } + ], + "operating_system": "CiscoAMP_Computer[3]_operating_system", + "os_version": "CiscoAMP_Computer[3]_os_version", + "policy": { + "guid": "CiscoAMP_Computer[3]_policy_guid", + "name": "CiscoAMP_Computer[3]_policy_name" + }, + "windows_processor_id": "CiscoAMP_Computer[3]_windows_processor_id" + }, + { + "active": "CiscoAMP_Computer[4]_active", + "connector_guid": "CiscoAMP_Computer[4]_connector_guid", + "connector_version": "CiscoAMP_Computer[4]_connector_version", + "demo": "CiscoAMP_Computer[4]_demo", + "external_ip": "CiscoAMP_Computer[4]_external_ip", + "faults": [], + "group_guid": "CiscoAMP_Computer[4]_group_guid", + "groups": [ + { + "guid": "CiscoAMP_Computer[4]_groups[0]_guid", + "name": "CiscoAMP_Computer[4]_groups[0]_name" + } + ], + "hostname": "CiscoAMP_Computer[4]_hostname", + "install_date": "CiscoAMP_Computer[4]_install_date", + "internal_ips": [ + "CiscoAMP_Computer[4]_internal_ips_0" + ], + "is_compromised": "CiscoAMP_Computer[4]_is_compromised", + "isolation": { + "available": "CiscoAMP_Computer[4]_isolation_available", + "status": "CiscoAMP_Computer[4]_isolation_status" + }, + "last_seen": "CiscoAMP_Computer[4]_last_seen", + "network_addresses": [ + { + "ip": "CiscoAMP_Computer[4]_network_addresses[0]_ip", + "mac": "CiscoAMP_Computer[4]_network_addresses[0]_mac" + } + ], + "operating_system": "CiscoAMP_Computer[4]_operating_system", + "os_version": "CiscoAMP_Computer[4]_os_version", + "policy": { + "guid": "CiscoAMP_Computer[4]_policy_guid", + "name": "CiscoAMP_Computer[4]_policy_name" + }, + "windows_processor_id": "CiscoAMP_Computer[4]_windows_processor_id" + } + ] + }, + "Endpoint": [ + { + "Hostname": "Endpoint[0]_Hostname", + "ID": "Endpoint[0]_ID", + "IPAddress": "Endpoint[0]_IPAddress", + "MACAddress": "Endpoint[0]_MACAddress", + "OS": "Endpoint[0]_OS", + "OSVersion": "Endpoint[0]_OSVersion", + "Status": "Endpoint[0]_Status", + "Vendor": "Endpoint[0]_Vendor" + }, + { + "Hostname": "Endpoint[1]_Hostname", + "ID": "Endpoint[1]_ID", + "IPAddress": "Endpoint[1]_IPAddress", + "MACAddress": "Endpoint[1]_MACAddress", + "OS": "Endpoint[1]_OS", + "OSVersion": "Endpoint[1]_OSVersion", + "Status": "Endpoint[1]_Status", + "Vendor": "Endpoint[1]_Vendor" + }, + { + "Hostname": "Endpoint[2]_Hostname", + "ID": "Endpoint[2]_ID", + "IPAddress": "Endpoint[2]_IPAddress", + "MACAddress": "Endpoint[2]_MACAddress", + "OS": "Endpoint[2]_OS", + "OSVersion": "Endpoint[2]_OSVersion", + "Status": "Endpoint[2]_Status", + "Vendor": "Endpoint[2]_Vendor" + }, + { + "Hostname": "Endpoint[3]_Hostname", + "ID": "Endpoint[3]_ID", + "IPAddress": "Endpoint[3]_IPAddress", + "MACAddress": "Endpoint[3]_MACAddress", + "OS": "Endpoint[3]_OS", + "OSVersion": "Endpoint[3]_OSVersion", + "Status": "Endpoint[3]_Status", + "Vendor": "Endpoint[3]_Vendor" + }, + { + "Hostname": "Endpoint[4]_Hostname", + "ID": "Endpoint[4]_ID", + "IPAddress": "Endpoint[4]_IPAddress", + "MACAddress": "Endpoint[4]_MACAddress", + "OS": "Endpoint[4]_OS", + "OSVersion": "Endpoint[4]_OSVersion", + "Status": "Endpoint[4]_Status", + "Vendor": "Endpoint[4]_Vendor" + } + ] +} +``` + +#### Human Readable Output + +>### Results +>|Current Item Count|Index|Items Per Page|Total| +>|---|---|---|---| +>| 5 | 0 | 5 | 32 | +>### Computer Information +>|Host Name|Connector GUID|Operating System|External IP|Group GUID|Policy GUID| +>|---|---|---|---|---|---| +>| Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | Windows 10 (Build 10.0.19044.1466) | IP | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | 91c7894d-dd69-4a21-8cf6-5ebfc57ef4df | +>| Demo_AMP_Exploit_Prevention | 113c1a8e-8e66-409e-92a8-41b7d586be5d | Windows 10 (Build 10.0.19044.1466) | IP | 6ed80412-0739-42c1-8f6d-32fb51b3f894 | 1a352c59-793b-44f3-b8f9-0ddd354057bc | +>| Demo_AMP_Exploit_Prevention_Audit | 93f395a2-e31f-4022-b1dd-afb16e093b8d | Windows 10 (Build 10.0.19044.1466) | IP | 5b1857e3-ba49-46cf-9bf1-0cad6b5ecd18 | a599bf5b-2cb7-4a5b-90bd-d0199e2ccd67 | +>| Demo_AMP_Intel | d6f49c17-9721-4c5b-a04f-32ba30be36a0 | Windows 10 (Build 10.0.19043.1202) | IP | fedd82f8-c74f-49f4-a463-e576d3beee92 | be84e169-0830-4b95-915b-1e203a82ed58 | +>| Demo_AMP_MAP_FriedEx | 9a2abee8-b988-473b-9e99-a7abe6d068a5 | Windows 10 (Build 10.0.19044.1466) | IP | 6ed80412-0739-42c1-8f6d-32fb51b3f894 | 1a352c59-793b-44f3-b8f9-0ddd354057bc | + + +### cisco-amp-computer-trajectory-list +*** +Provides a list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP console. + + +#### Base Command + +`cisco-amp-computer-trajectory-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| connector_guid | The connector GUID for a specific computer. | Required | +| query_string | Freeform query string which currently accepts an: IP address, SHA-256, or URL. | Optional | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 5000. | Optional | +| limit | Number of total results to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.ComputerTrajectory.connector_guid | String | GUID of the connector. | +| CiscoAMP.ComputerTrajectory.id | String | Event's ID. | +| CiscoAMP.ComputerTrajectory.timestamp | Number | Event's timestamp. | +| CiscoAMP.ComputerTrajectory.timestamp_nanoseconds | Number | Event's timestamp in nano seconds. | +| CiscoAMP.ComputerTrajectory.date | Date | Event's date. | +| CiscoAMP.ComputerTrajectory.event_type | String | Event's type. | +| CiscoAMP.ComputerTrajectory.event_type_id | Number | Event's type ID. | +| CiscoAMP.ComputerTrajectory.group_guids | String | Group GUID. | +| CiscoAMP.ComputerTrajectory.severity | String | Event's severity. | +| CiscoAMP.ComputerTrajectory.detection | String | Event's detection. | +| CiscoAMP.ComputerTrajectory.detection_id | String | Event's detection ID. | +| CiscoAMP.ComputerTrajectory.file.disposition | String | Disposition of the file. | +| CiscoAMP.ComputerTrajectory.file.file_name | String | Name of the file. | +| CiscoAMP.ComputerTrajectory.file.file_path | String | Path to the file. | +| CiscoAMP.ComputerTrajectory.file.file_type | String | Type of the file. | +| CiscoAMP.ComputerTrajectory.file.identity.sha256 | String | File's SHA-256. | +| CiscoAMP.ComputerTrajectory.file.identity.sha1 | String | File's SHA-1. | +| CiscoAMP.ComputerTrajectory.file.identity.md5 | String | File's MD5. | +| CiscoAMP.ComputerTrajectory.file.parent.disposition | String | Disposition of parent. | +| CiscoAMP.ComputerTrajectory.file.parent.identity.sha256 | String | SHA-256 of parent. | +| CiscoAMP.ComputerTrajectory.scan.description | String | Description of the scan. | +| CiscoAMP.ComputerTrajectory.scan.clean | Boolean | Whether the scan is clean. | +| CiscoAMP.ComputerTrajectory.scan.scanned_files | Number | Number of scanned files. | +| CiscoAMP.ComputerTrajectory.scan.scanned_processes | Number | Number of scanned processes. | +| CiscoAMP.ComputerTrajectory.scan.scanned_paths | Number | Number of scanned paths. | +| CiscoAMP.ComputerTrajectory.scan.malicious_detections | Number | Number of malicious detections. | + +#### Command example +```!cisco-amp-computer-trajectory-list connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 limit=5``` +#### Context Example +```json +{ + "CiscoAMP": { + "ComputerTrajectory": [ + { + "connector_guid": "CiscoAMP_ComputerTrajectory[0]_connector_guid", + "date": "CiscoAMP_ComputerTrajectory[0]_date", + "event_type": "CiscoAMP_ComputerTrajectory[0]_event_type", + "event_type_id": "CiscoAMP_ComputerTrajectory[0]_event_type_id", + "group_guids": [ + "CiscoAMP_ComputerTrajectory[0]_group_guids_0" + ], + "id": "CiscoAMP_ComputerTrajectory[0]_id", + "isolation": { + "duration": "CiscoAMP_ComputerTrajectory[0]_isolation_duration" + }, + "timestamp": "CiscoAMP_ComputerTrajectory[0]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_ComputerTrajectory[0]_timestamp_nanoseconds" + }, + { + "connector_guid": "CiscoAMP_ComputerTrajectory[1]_connector_guid", + "date": "CiscoAMP_ComputerTrajectory[1]_date", + "event_type": "CiscoAMP_ComputerTrajectory[1]_event_type", + "event_type_id": "CiscoAMP_ComputerTrajectory[1]_event_type_id", + "group_guids": [ + "CiscoAMP_ComputerTrajectory[1]_group_guids_0" + ], + "id": "CiscoAMP_ComputerTrajectory[1]_id", + "timestamp": "CiscoAMP_ComputerTrajectory[1]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_ComputerTrajectory[1]_timestamp_nanoseconds" + }, + { + "connector_guid": "CiscoAMP_ComputerTrajectory[2]_connector_guid", + "date": "CiscoAMP_ComputerTrajectory[2]_date", + "event_type": "CiscoAMP_ComputerTrajectory[2]_event_type", + "event_type_id": "CiscoAMP_ComputerTrajectory[2]_event_type_id", + "group_guids": [ + "CiscoAMP_ComputerTrajectory[2]_group_guids_0" + ], + "id": "CiscoAMP_ComputerTrajectory[2]_id", + "isolation": { + "duration": "CiscoAMP_ComputerTrajectory[2]_isolation_duration" + }, + "timestamp": "CiscoAMP_ComputerTrajectory[2]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_ComputerTrajectory[2]_timestamp_nanoseconds" + }, + { + "connector_guid": "CiscoAMP_ComputerTrajectory[3]_connector_guid", + "date": "CiscoAMP_ComputerTrajectory[3]_date", + "event_type": "CiscoAMP_ComputerTrajectory[3]_event_type", + "event_type_id": "CiscoAMP_ComputerTrajectory[3]_event_type_id", + "group_guids": [ + "CiscoAMP_ComputerTrajectory[3]_group_guids_0" + ], + "id": "CiscoAMP_ComputerTrajectory[3]_id", + "timestamp": "CiscoAMP_ComputerTrajectory[3]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_ComputerTrajectory[3]_timestamp_nanoseconds" + }, + { + "connector_guid": "CiscoAMP_ComputerTrajectory[4]_connector_guid", + "date": "CiscoAMP_ComputerTrajectory[4]_date", + "event_type": "CiscoAMP_ComputerTrajectory[4]_event_type", + "event_type_id": "CiscoAMP_ComputerTrajectory[4]_event_type_id", + "group_guids": [ + "CiscoAMP_ComputerTrajectory[4]_group_guids_0" + ], + "id": "CiscoAMP_ComputerTrajectory[4]_id", + "isolation": { + "duration": "CiscoAMP_ComputerTrajectory[4]_isolation_duration" + }, + "timestamp": "CiscoAMP_ComputerTrajectory[4]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_ComputerTrajectory[4]_timestamp_nanoseconds" + } + ] + } +} +``` + +#### Human Readable Output + +>### Computer Information +>|Host Name|Connector GUID|Operating System|External IP|Group GUID|Policy GUID| +>|---|---|---|---|---|---| +>| Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | Windows 10 (Build 10.0.19044.1466) | IP | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | 91c7894d-dd69-4a21-8cf6-5ebfc57ef4df | +>### Event Information +>|ID|Date|Event Type|Group GUIDs| +>|---|---|---|---| +>| 1667217305855411965 | 2022-10-31T11:55:05+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | +>| 1667217298837175263 | 2022-10-31T11:54:58+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | +>| 1667216545769121964 | 2022-10-31T11:42:25+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | +>| 1667216538974189121 | 2022-10-31T11:42:18+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | +>| 1667214907330813011 | 2022-10-31T11:15:07+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | + + +### cisco-amp-computer-user-activity-list +*** +Fetch a list of computers that have observed activity by given username. + + +#### Base Command + +`cisco-amp-computer-user-activity-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| username | Username to filter by. | Required | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.ComputerUserActivity.connector_guid | String | GUID of the connector. | +| CiscoAMP.ComputerUserActivity.hostname | String | Host's name. | +| CiscoAMP.ComputerUserActivity.active | Boolean | Whether the computer is active. | + +#### Command example +```!cisco-amp-computer-user-activity-list username=johndoe``` +#### Context Example +```json +{ + "CiscoAMP": { + "ComputerUserActivity": [ + { + "active": "CiscoAMP_ComputerUserActivity[0]_active", + "connector_guid": "CiscoAMP_ComputerUserActivity[0]_connector_guid", + "hostname": "CiscoAMP_ComputerUserActivity[0]_hostname" + }, + { + "active": "CiscoAMP_ComputerUserActivity[1]_active", + "connector_guid": "CiscoAMP_ComputerUserActivity[1]_connector_guid", + "hostname": "CiscoAMP_ComputerUserActivity[1]_hostname" + }, + { + "active": "CiscoAMP_ComputerUserActivity[2]_active", + "connector_guid": "CiscoAMP_ComputerUserActivity[2]_connector_guid", + "hostname": "CiscoAMP_ComputerUserActivity[2]_hostname" + }, + { + "active": "CiscoAMP_ComputerUserActivity[3]_active", + "connector_guid": "CiscoAMP_ComputerUserActivity[3]_connector_guid", + "hostname": "CiscoAMP_ComputerUserActivity[3]_hostname" + }, + { + "active": "CiscoAMP_ComputerUserActivity[4]_active", + "connector_guid": "CiscoAMP_ComputerUserActivity[4]_connector_guid", + "hostname": "CiscoAMP_ComputerUserActivity[4]_hostname" + }, + { + "active": "CiscoAMP_ComputerUserActivity[5]_active", + "connector_guid": "CiscoAMP_ComputerUserActivity[5]_connector_guid", + "hostname": "CiscoAMP_ComputerUserActivity[5]_hostname" + }, + { + "active": "CiscoAMP_ComputerUserActivity[6]_active", + "connector_guid": "CiscoAMP_ComputerUserActivity[6]_connector_guid", + "hostname": "CiscoAMP_ComputerUserActivity[6]_hostname" + }, + { + "active": "CiscoAMP_ComputerUserActivity[7]_active", + "connector_guid": "CiscoAMP_ComputerUserActivity[7]_connector_guid", + "hostname": "CiscoAMP_ComputerUserActivity[7]_hostname" + } + ] + } +} +``` + +#### Human Readable Output + +>### Results +>|Current Item Count|Index|Items Per Page|Total| +>|---|---|---|---| +>| 8 | 0 | 100 | 8 | +>### Activity Information +>|Connector GUID|Host Name|Active| +>|---|---|---| +>| 113c1a8e-8e66-409e-92a8-41b7d586be5d | Demo_AMP_Exploit_Prevention | true | +>| 307ada77-5776-4de6-ab3b-9c42fe723c9c | Demo_WannaCry_Ransomware | true | +>| 32ac3d60-4038-4cac-8df8-7588cd959926 | Demo_AMP_Threat_Audit | true | +>| 7704bf95-5343-4825-8d68-2ecea81feda4 | Demo_Qakbot_3 | true | +>| 790e9bd4-99b5-433c-b027-9a9a5b9d426f | Demo_Qakbot_2 | true | +>| cd9ae0b3-b566-47f4-811b-980dcb7988d6 | Demo_Qakbot_1 | true | +>| d42cab73-c142-4c25-85d3-4bdefacb6b5b | Demo_AMP_Threat_Quarantined | true | +>| d6f49c17-9721-4c5b-a04f-32ba30be36a0 | Demo_AMP_Intel | true | + + +### cisco-amp-computer-user-trajectory-list +*** +Fetch a specific computer's trajectory with a given connector_guid and filter for events with user name activity. + + +#### Base Command + +`cisco-amp-computer-user-trajectory-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| connector_guid | The connector GUID for a specific computer. | Required | +| username | Username to filter by. | Optional | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 5000. | Optional | +| limit | Number of total results to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.ComputerUserTrajectory.connector_guid | String | GUID of the connector. | +| CiscoAMP.ComputerUserTrajectory.id | String | Event's ID. | +| CiscoAMP.ComputerUserTrajectory.timestamp | Number | Event's timestamp. | +| CiscoAMP.ComputerUserTrajectory.timestamp_nanoseconds | Number | Event's timestamp in nano seconds. | +| CiscoAMP.ComputerUserTrajectory.date | Date | Event's date. | +| CiscoAMP.ComputerUserTrajectory.event_type | String | Event's type. | +| CiscoAMP.ComputerUserTrajectory.event_type_id | Number | Event's type ID. | +| CiscoAMP.ComputerUserTrajectory.group_guids | String | Group GUID. | +| CiscoAMP.ComputerUserTrajectory.severity | String | Event's severity. | +| CiscoAMP.ComputerUserTrajectory.detection | String | Event's detection. | +| CiscoAMP.ComputerUserTrajectory.detection_id | String | Event's detection ID. | +| CiscoAMP.ComputerUserTrajectory.file.disposition | String | Disposition of the file. | +| CiscoAMP.ComputerUserTrajectory.file.file_name | String | Name of the file. | +| CiscoAMP.ComputerUserTrajectory.file.file_path | String | Path to the file. | +| CiscoAMP.ComputerUserTrajectory.file.file_type | String | Type of the file. | +| CiscoAMP.ComputerUserTrajectory.file.identity.sha256 | String | File's SHA-256. | +| CiscoAMP.ComputerUserTrajectory.file.identity.sha1 | String | File's SHA-1. | +| CiscoAMP.ComputerUserTrajectory.file.identity.md5 | String | File's MD5. | +| CiscoAMP.ComputerUserTrajectory.file.parent.disposition | String | Disposition of parent. | +| CiscoAMP.ComputerUserTrajectory.file.parent.identity.sha256 | String | SHA-256 of parent. | +| CiscoAMP.ComputerUserTrajectory.scan.description | String | Description. | +| CiscoAMP.ComputerUserTrajectory.scan.clean | Boolean | Whether the scan is clean. | +| CiscoAMP.ComputerUserTrajectory.scan.scanned_files | Number | Number of scanned files. | +| CiscoAMP.ComputerUserTrajectory.scan.scanned_processes | Number | Number of scanned processes. | +| CiscoAMP.ComputerUserTrajectory.scan.scanned_paths | Number | Number of scanned paths. | +| CiscoAMP.ComputerUserTrajectory.scan.malicious_detections | Number | Number of malicious detections. | + +#### Command example +```!cisco-amp-computer-user-trajectory-list connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 limit=5``` +#### Context Example +```json +{ + "CiscoAMP": { + "ComputerUserTrajectory": [ + { + "connector_guid": "CiscoAMP_ComputerUserTrajectory[0]_connector_guid", + "date": "CiscoAMP_ComputerUserTrajectory[0]_date", + "event_type": "CiscoAMP_ComputerUserTrajectory[0]_event_type", + "event_type_id": "CiscoAMP_ComputerUserTrajectory[0]_event_type_id", + "group_guids": [ + "CiscoAMP_ComputerUserTrajectory[0]_group_guids_0" + ], + "id": "CiscoAMP_ComputerUserTrajectory[0]_id", + "isolation": { + "duration": "CiscoAMP_ComputerUserTrajectory[0]_isolation_duration" + }, + "timestamp": "CiscoAMP_ComputerUserTrajectory[0]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_ComputerUserTrajectory[0]_timestamp_nanoseconds" + }, + { + "connector_guid": "CiscoAMP_ComputerUserTrajectory[1]_connector_guid", + "date": "CiscoAMP_ComputerUserTrajectory[1]_date", + "event_type": "CiscoAMP_ComputerUserTrajectory[1]_event_type", + "event_type_id": "CiscoAMP_ComputerUserTrajectory[1]_event_type_id", + "group_guids": [ + "CiscoAMP_ComputerUserTrajectory[1]_group_guids_0" + ], + "id": "CiscoAMP_ComputerUserTrajectory[1]_id", + "timestamp": "CiscoAMP_ComputerUserTrajectory[1]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_ComputerUserTrajectory[1]_timestamp_nanoseconds" + }, + { + "connector_guid": "CiscoAMP_ComputerUserTrajectory[2]_connector_guid", + "date": "CiscoAMP_ComputerUserTrajectory[2]_date", + "event_type": "CiscoAMP_ComputerUserTrajectory[2]_event_type", + "event_type_id": "CiscoAMP_ComputerUserTrajectory[2]_event_type_id", + "group_guids": [ + "CiscoAMP_ComputerUserTrajectory[2]_group_guids_0" + ], + "id": "CiscoAMP_ComputerUserTrajectory[2]_id", + "isolation": { + "duration": "CiscoAMP_ComputerUserTrajectory[2]_isolation_duration" + }, + "timestamp": "CiscoAMP_ComputerUserTrajectory[2]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_ComputerUserTrajectory[2]_timestamp_nanoseconds" + }, + { + "connector_guid": "CiscoAMP_ComputerUserTrajectory[3]_connector_guid", + "date": "CiscoAMP_ComputerUserTrajectory[3]_date", + "event_type": "CiscoAMP_ComputerUserTrajectory[3]_event_type", + "event_type_id": "CiscoAMP_ComputerUserTrajectory[3]_event_type_id", + "group_guids": [ + "CiscoAMP_ComputerUserTrajectory[3]_group_guids_0" + ], + "id": "CiscoAMP_ComputerUserTrajectory[3]_id", + "timestamp": "CiscoAMP_ComputerUserTrajectory[3]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_ComputerUserTrajectory[3]_timestamp_nanoseconds" + }, + { + "connector_guid": "CiscoAMP_ComputerUserTrajectory[4]_connector_guid", + "date": "CiscoAMP_ComputerUserTrajectory[4]_date", + "event_type": "CiscoAMP_ComputerUserTrajectory[4]_event_type", + "event_type_id": "CiscoAMP_ComputerUserTrajectory[4]_event_type_id", + "group_guids": [ + "CiscoAMP_ComputerUserTrajectory[4]_group_guids_0" + ], + "id": "CiscoAMP_ComputerUserTrajectory[4]_id", + "isolation": { + "duration": "CiscoAMP_ComputerUserTrajectory[4]_isolation_duration" + }, + "timestamp": "CiscoAMP_ComputerUserTrajectory[4]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_ComputerUserTrajectory[4]_timestamp_nanoseconds" + } + ] + } +} +``` + +#### Human Readable Output + +>### Computer Information +>|Host Name|Connector GUID|Operating System| +>|---|---|---| +>| Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | None (Build None) | +>### Event Information +>|ID|Date|Event Type|Group GUIDs| +>|---|---|---|---| +>| 1667217305855411965 | 2022-10-31T11:55:05+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | +>| 1667217298837175263 | 2022-10-31T11:54:58+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | +>| 1667216545769121964 | 2022-10-31T11:42:25+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | +>| 1667216538974189121 | 2022-10-31T11:42:18+00:00 | Endpoint Isolation Start Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | +>| 1667214907330813011 | 2022-10-31T11:15:07+00:00 | Endpoint Isolation Stop Success | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | + + +### cisco-amp-computer-vulnerabilities-list +*** +Provides a list of vulnerabilities observed on a specific computer. The vulnerabilities can be filtered to show only vulnerable applications observed for a specific time range. + + +#### Base Command + +`cisco-amp-computer-vulnerabilities-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| connector_guid | The connector GUID for a specific computer. | Required | +| start_time | The start date and time expressed according to ISO 8601. The retrieved list will include vulnerable programs detected at start_time. | Optional | +| end_time | The end date and/or time expressed according to ISO 8601. Exclusive - if end_time is a time, the list will only include vulnerable programs detected before end_time). Inclusive - if end_time is a date, the list will include vulnerable programs detected on the date. | Optional | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.ComputerVulnerability.connector_guid | String | GUID of the connector. | +| CiscoAMP.ComputerVulnerability.application | String | Name of the application. | +| CiscoAMP.ComputerVulnerability.version | String | Version of the application. | +| CiscoAMP.ComputerVulnerability.file.filename | String | Name of the file. | +| CiscoAMP.ComputerVulnerability.file.identity.sha256 | String | File's SHA-256. | +| CiscoAMP.ComputerVulnerability.file.identity.sha1 | String | File's SHA-1. | +| CiscoAMP.ComputerVulnerability.file.identity.md5 | String | File's MD5. | +| CiscoAMP.ComputerVulnerability.cves.id | String | Common vulnerability exposure ID. | +| CiscoAMP.ComputerVulnerability.cves.link | String | Common vulnerability exposure link. | +| CiscoAMP.ComputerVulnerability.cves.cvss | Number | Common vulnerability scoring system. | +| CiscoAMP.ComputerVulnerability.latest_timestamp | Number | Vulnerability latest timestamp. | +| CiscoAMP.ComputerVulnerability.latest_date | Date | Vulnerability latest date. | + +#### Command example +```!cisco-amp-computer-vulnerabilities-list connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0``` +#### Context Example +```json +{ + "CiscoAMP": { + "ComputerVulnerability": { + "application": "CiscoAMP_ComputerVulnerability_application", + "connector_guid": "CiscoAMP_ComputerVulnerability_connector_guid", + "cves": [ + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[0]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[0]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[0]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[1]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[1]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[1]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[2]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[2]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[2]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[3]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[3]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[3]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[4]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[4]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[4]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[5]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[5]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[5]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[6]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[6]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[6]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[7]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[7]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[7]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[8]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[8]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[8]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[9]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[9]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[9]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[10]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[10]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[10]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[11]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[11]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[11]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[12]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[12]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[12]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[13]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[13]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[13]_link" + }, + { + "cvss": "CiscoAMP_ComputerVulnerability_cves[14]_cvss", + "id": "CiscoAMP_ComputerVulnerability_cves[14]_id", + "link": "CiscoAMP_ComputerVulnerability_cves[14]_link" + } + ], + "file": { + "filename": "CiscoAMP_ComputerVulnerability_file_filename", + "identity": { + "sha256": "CiscoAMP_ComputerVulnerability_file_identity_sha256" + } + }, + "latest_date": "CiscoAMP_ComputerVulnerability_latest_date", + "latest_timestamp": "CiscoAMP_ComputerVulnerability_latest_timestamp", + "version": "CiscoAMP_ComputerVulnerability_version" + } + } +} +``` + +#### Human Readable Output + +>### Results +>|Current Item Count|Index|Items Per Page|Total| +>|---|---|---|---| +>| 1 | 0 | 100 | 1 | +>### Computer Information +>|Host Name|Connector GUID|Operating System|Group GUID| +>|---|---|---|---| +>| Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | None (Build None) | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | +>### Vulnerabilities Information +>|Application|Version|Latest Date|File Name|SHA-256| +>|---|---|---|---|---| +>| Microsoft Office | 2013 | 2022-10-23T12:37:33+00:00 | WINWORD.EXE | 3D46E95284F93BBB76B3B7E1BF0E1B2D51E8A9411C2B6E649112F22F92DE63C2 | + + +### cisco-amp-computer-move +*** +Moves a computer to a group with a given connector_guid and group_guid. + + +#### Base Command + +`cisco-amp-computer-move` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| connector_guid | The connector GUID for a specific computer. | Required | +| group_guid | Group GUID to move the computer to. | Required | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.Computer.connector_guid | String | GUID of the connector. | +| CiscoAMP.Computer.hostname | String | Host's name. | +| CiscoAMP.Computer.windows_processor_id | String | Windows processor ID. | +| CiscoAMP.Computer.active | Boolean | Whether the computer is active. | +| CiscoAMP.Computer.connector_version | String | Version of the connector. | +| CiscoAMP.Computer.operating_system | String | Operating system of the computer. | +| CiscoAMP.Computer.os_version | String | Operating system version. | +| CiscoAMP.Computer.internal_ips | String | List of internal IPs. | +| CiscoAMP.Computer.external_ip | String | External IP. | +| CiscoAMP.Computer.group_guid | String | GUID of the group. | +| CiscoAMP.Computer.install_date | Date | Installation date. | +| CiscoAMP.Computer.is_compromised | Boolean | Whether the computer is compromised. | +| CiscoAMP.Computer.demo | Boolean | Whether the computer is a demo. | +| CiscoAMP.Computer.network_addresses.mac | String | List of MAC addresses. | +| CiscoAMP.Computer.network_addresses.ip | String | List of IP addresses. | +| CiscoAMP.Computer.policy.guid | String | GUID of the policy. | +| CiscoAMP.Computer.policy.name | String | Name of the policy. | +| CiscoAMP.Computer.groups.guid | String | GUID of the group. | +| CiscoAMP.Computer.groups.name | String | Name of the group. | +| CiscoAMP.Computer.last_seen | Date | Last date seen. | +| CiscoAMP.Computer.faults | String | Faults. | +| CiscoAMP.Computer.isolation.available | Boolean | Whether the isolation is available. | +| CiscoAMP.Computer.isolation.status | String | Status of the isolation. | +| CiscoAMP.Computer.orbital.status | String | Status of the orbital. | + +#### Command example +```!cisco-amp-computer-move connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 group_guid=bb5a9f90-d6fa-4fe7-99c8-e91060b49a98``` +#### Context Example +```json +{ + "CiscoAMP": { + "Computer": { + "active": "CiscoAMP_Computer_active", + "connector_guid": "CiscoAMP_Computer_connector_guid", + "connector_version": "CiscoAMP_Computer_connector_version", + "demo": "CiscoAMP_Computer_demo", + "external_ip": "CiscoAMP_Computer_external_ip", + "faults": [], + "group_guid": "CiscoAMP_Computer_group_guid", + "groups": [ + { + "guid": "CiscoAMP_Computer_groups[0]_guid", + "name": "CiscoAMP_Computer_groups[0]_name" + } + ], + "hostname": "CiscoAMP_Computer_hostname", + "install_date": "CiscoAMP_Computer_install_date", + "internal_ips": [ + "CiscoAMP_Computer_internal_ips_0" + ], + "is_compromised": "CiscoAMP_Computer_is_compromised", + "isolation": { + "available": "CiscoAMP_Computer_isolation_available", + "status": "CiscoAMP_Computer_isolation_status" + }, + "network_addresses": [ + { + "ip": "CiscoAMP_Computer_network_addresses[0]_ip", + "mac": "CiscoAMP_Computer_network_addresses[0]_mac" + } + ], + "operating_system": "CiscoAMP_Computer_operating_system", + "os_version": "CiscoAMP_Computer_os_version", + "policy": { + "guid": "CiscoAMP_Computer_policy_guid", + "name": "CiscoAMP_Computer_policy_name" + }, + "windows_processor_id": "CiscoAMP_Computer_windows_processor_id" + } + } +} +``` + +#### Human Readable Output + +>### Computer Information +>|Host Name|Connector GUID|Operating System|External IP|Group GUID|Policy GUID| +>|---|---|---|---|---|---| +>| Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | Windows 10 (Build 10.0.19044.1466) | IP | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | 91c7894d-dd69-4a21-8cf6-5ebfc57ef4df | + + +### cisco-amp-computer-delete +*** +Deletes a specific computer with given connector GUID. + + +#### Base Command + +`cisco-amp-computer-delete` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| connector_guid | The connector GUID for a specific computer. | Required | + + +#### Context Output + +There is no context output for this command. +#### Command example +```!cisco-amp-computer-delete connector_guid=dddd4ceb-4ce1-4f81-a7a7-04d13cc1df43``` +#### Human Readable Output + +>Connector GUID: "dddd4ceb-4ce1-4f81-a7a7-04d13cc1df43" +>Successfully deleted. + +### cisco-amp-computer-activity-list +*** +Fetch a list of computers that have observed files with a given file name. Provides the ability to search all computers across an organization for any events or activities associated with a file or network operation, and returns computers matching those criteria. There is a hard limit of 5000 historical entries searched. + + +#### Base Command + +`cisco-amp-computer-activity-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| query_string | Freeform query string which currently accepts: IPv4 address (CIDR not supported), SHA-256, file name, and a URL Fragment. | Required | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.ComputerActivity.connector_guid | String | GUID of the connector. | +| CiscoAMP.ComputerActivity.hostname | String | Host's name. | +| CiscoAMP.ComputerActivity.windows_processor_id | String | Windows processor ID. | +| CiscoAMP.ComputerActivity.active | Boolean | Whether the computer is active. | + +#### Command example +```!cisco-amp-computer-activity-list query_string=8.8.8.8``` +#### Context Example +```json +{ + "CiscoAMP": { + "ComputerActivity": [ + { + "active": "CiscoAMP_ComputerActivity[0]_active", + "connector_guid": "CiscoAMP_ComputerActivity[0]_connector_guid", + "hostname": "CiscoAMP_ComputerActivity[0]_hostname", + "windows_processor_id": "CiscoAMP_ComputerActivity[0]_windows_processor_id" + }, + { + "active": "CiscoAMP_ComputerActivity[1]_active", + "connector_guid": "CiscoAMP_ComputerActivity[1]_connector_guid", + "hostname": "CiscoAMP_ComputerActivity[1]_hostname", + "windows_processor_id": "CiscoAMP_ComputerActivity[1]_windows_processor_id" + }, + { + "active": "CiscoAMP_ComputerActivity[2]_active", + "connector_guid": "CiscoAMP_ComputerActivity[2]_connector_guid", + "hostname": "CiscoAMP_ComputerActivity[2]_hostname", + "windows_processor_id": "CiscoAMP_ComputerActivity[2]_windows_processor_id" + }, + { + "active": "CiscoAMP_ComputerActivity[3]_active", + "connector_guid": "CiscoAMP_ComputerActivity[3]_connector_guid", + "hostname": "CiscoAMP_ComputerActivity[3]_hostname", + "windows_processor_id": "CiscoAMP_ComputerActivity[3]_windows_processor_id" + }, + { + "active": "CiscoAMP_ComputerActivity[4]_active", + "connector_guid": "CiscoAMP_ComputerActivity[4]_connector_guid", + "hostname": "CiscoAMP_ComputerActivity[4]_hostname", + "windows_processor_id": "CiscoAMP_ComputerActivity[4]_windows_processor_id" + } + ] + } +} +``` + +#### Human Readable Output + +>### Results +>|Current Item Count|Index|Items Per Page|Total| +>|---|---|---|---| +>| 5 | 0 | 100 | 5 | +>### Activity Information +>|Connector GUID|Host Name|Windows Processor ID|Active| +>|---|---|---|---| +>| 1e104704-0b8f-4703-a49f-ec3d13e1e079 | Demo_Dyre | 346b8f2ad9e5107 | true | +>| 22b1d33c-b875-445f-8a98-d7fd05616ff0 | Demo_Upatre | b2a9e0f43861d75 | true | +>| 33c101dd-4f50-4fd3-bce5-d3bd9d94e1a2 | Demo_ZAccess | b047d5268e9a13f | true | +>| 4d91c4ea-4f4d-4b87-b5d7-d34cc2c678a5 | Demo_Global_Threat_Alerts | 9af0463d1852be7 | true | +>| ab22d66b-3443-4653-99ec-1fdeb680f30b | Demo_TDSS | 0ad79f21856e34b | true | + + +### cisco-amp-computer-isolation-feature-availability-get +*** +Performs a feature availability request on a computer. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation. + + +#### Base Command + +`cisco-amp-computer-isolation-feature-availability-get` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| connector_guid | The connector GUID for a specific computer. | Required | + + +#### Context Output + +There is no context output for this command. +#### Command example +```!cisco-amp-computer-isolation-feature-availability-get connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0``` +#### Human Readable Output + +>Can get information about an isolation with computer-isolation-get +>Can request to create a new isolation with computer-isolation-create + + +### cisco-amp-computer-isolation-get +*** +Returns a fine-grained isolation status for a computer. The available flag is set to true if isolation can be performed on the computer. Status will be set to one of - not_isolated, pending_start, isolated and pending_stop. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation. + + +#### Base Command + +`cisco-amp-computer-isolation-get` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| connector_guid | The connector GUID for a specific computer. | Required | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.ComputerIsolation.connector_guid | String | ID of the connector. | +| CiscoAMP.ComputerIsolation.available | Boolean | Set to true if isolation can be performed on the computer. | +| CiscoAMP.ComputerIsolation.status | String | Will be set to one of: not_isolated, pending_start, isolated and pending_stop. | +| CiscoAMP.ComputerIsolation.unlock_code | String | Isolation unlock code. | +| CiscoAMP.ComputerIsolation.comment | String | Isolation comment. | +| CiscoAMP.ComputerIsolation.ccms_message_guid | String | Cisco Cluster Management Suite message GUID. | +| CiscoAMP.ComputerIsolation.ccms_job_guid | String | Cisco Cluster Management Suite job GUID. | + +#### Command example +```!cisco-amp-computer-isolation-get connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0``` +#### Context Example +```json +{ + "CiscoAMP": { + "ComputerIsolation": { + "available": "CiscoAMP_ComputerIsolation_available", + "comment": "CiscoAMP_ComputerIsolation_comment", + "connector_guid": "CiscoAMP_ComputerIsolation_connector_guid", + "status": "CiscoAMP_ComputerIsolation_status", + "unlock_code": "CiscoAMP_ComputerIsolation_unlock_code" + } + } +} +``` + +#### Human Readable Output + +>### Isolation Information +>|Available|Status|Unlock Code|Comment| +>|---|---|---|---| +>| true | not_isolated | unlockme | End readme test | + + +### cisco-amp-computer-isolation-create +*** +Request isolation for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation. + + +#### Base Command + +`cisco-amp-computer-isolation-create` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| interval_in_seconds | The interval in seconds between each poll. Default is 30. | Optional | +| timeout_in_seconds | The timeout in seconds until polling ends. Default is 600. | Optional | +| connector_guid | The connector GUID for a specific computer. | Required | +| comment | Comment for isolation. | Required | +| unlock_code | Isolation unlock code. | Required | +| status | Status of the current run. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.ComputerIsolation.connector_guid | String | ID of the connector. | +| CiscoAMP.ComputerIsolation.available | Boolean | Set to true if isolation can be performed on the computer. | +| CiscoAMP.ComputerIsolation.status | String | Will be set to one of: not_isolated, pending_start, isolated and pending_stop. | +| CiscoAMP.ComputerIsolation.unlock_code | String | Isolation unlock code. | +| CiscoAMP.ComputerIsolation.comment | String | Isolation comment. | +| CiscoAMP.ComputerIsolation.isolated_by | String | Isolation initiator. | + +#### Command example +```!cisco-amp-computer-isolation-create connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 comment="readme generate test" unlock_code=unlockme interval_in_seconds=5 timeout_in_seconds=20``` +#### Context Example +```json +{ + "CiscoAMP": { + "ComputerIsolation": { + "available": "CiscoAMP_ComputerIsolation_available", + "comment": "CiscoAMP_ComputerIsolation_comment", + "connector_guid": "CiscoAMP_ComputerIsolation_connector_guid", + "isolated_by": "CiscoAMP_ComputerIsolation_isolated_by", + "status": "CiscoAMP_ComputerIsolation_status", + "unlock_code": "CiscoAMP_ComputerIsolation_unlock_code" + } + } +} +``` + +#### Human Readable Output + +>### Isolation Information +>|Available|Status|Unlock Code|Comment|Isolated By| +>|---|---|---|---|---| +>| true | isolated | unlockme | readme generate test | Lior Sabri | + + +### cisco-amp-computer-isolation-delete +*** +Request isolation stop for a computer. Supports polling. Isolation must be enabled within the computer's policy. This can be done through the instance. Log in to your account -> Management -> Policies -> Choose the relevant policy -> Edit -> Advanced Settings -> Endpoint Isolation -> Allow Endpoint Isolation. + + +#### Base Command + +`cisco-amp-computer-isolation-delete` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| interval_in_seconds | The interval in seconds between each poll. Default is 30. | Optional | +| timeout_in_seconds | The timeout in seconds until polling ends. Default is 600. | Optional | +| connector_guid | The connector GUID for a specific computer. | Required | +| comment | Comment for isolation deletion. | Optional | +| status | Status of the current run. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.ComputerIsolation.available | Boolean | Set to true if isolation can be performed on the computer. | +| CiscoAMP.ComputerIsolation.status | String | Will be set to one of: not_isolated, pending_start, isolated and pending_stop. | +| CiscoAMP.ComputerIsolation.unlock_code | String | Isolation unlock code. | +| CiscoAMP.ComputerIsolation.comment | String | Isolation comment. | +| CiscoAMP.ComputerIsolation.isolated_by | String | Isolation initiator. | + +#### Command example +```!cisco-amp-computer-isolation-delete connector_guid=22d4a486-1732-4f8b-9a6f-18f172fe7af0 comment="End readme test" interval_in_seconds=5 timeout_in_seconds=20``` +#### Human Readable Output + +>Fetching Results: + +### cisco-amp-event-list +*** +Fetch a list of events that can be filtered by a variety of criteria. Each criteria type is logically ANDed with the other criteria, each selection of a criteria is logically ORed. This is analogous to the Events view on the FireAMP Console. + + +#### Base Command + +`cisco-amp-event-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| detection_sha256 | Detection SHA-256 to filter by. | Optional | +| application_sha256 | Application SHA-256 to filter by. | Optional | +| connector_guid | Comma-separated list for connector GUIDs to filter by. | Optional | +| group_guid | Comma-separated list for group GUIDs to filter by. | Optional | +| start_date | Fetch events that are newer than the given time. | Optional | +| event_type | Comma-separated list for event types to filter by. | Optional | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.Event.id | Number | Event's ID. | +| CiscoAMP.Event.timestamp | Number | Event's timestamp. | +| CiscoAMP.Event.timestamp_nanoseconds | Number | Event's timestamp in nano seconds. | +| CiscoAMP.Event.date | Date | Event's date. | +| CiscoAMP.Event.event_type | String | Event's type. | +| CiscoAMP.Event.event_type_id | Number | Event's type ID. | +| CiscoAMP.Event.detection | String | Event's detection. | +| CiscoAMP.Event.detection_id | String | Event's detection ID. | +| CiscoAMP.Event.connector_guid | String | GUID of the connector. | +| CiscoAMP.Event.group_guids | String | Event's group GUID. | +| CiscoAMP.Event.severity | String | Event's severity. | +| CiscoAMP.Event.computer.connector_guid | String | GUID of the connector. | +| CiscoAMP.Event.computer.hostname | String | Host's name. | +| CiscoAMP.Event.computer.external_ip | String | External IP. | +| CiscoAMP.Event.computer.active | Boolean | Whether the computer is active. | +| CiscoAMP.Event.computer.user | String | Computer user. | +| CiscoAMP.Event.computer.network_addresses.ip | String | List of IP addresses. | +| CiscoAMP.Event.computer.network_addresses.mac | String | List of MAC addresses. | +| CiscoAMP.Event.file.disposition | String | Disposition of the file. | +| CiscoAMP.Event.file.file_name | String | Name of the file. | +| CiscoAMP.Event.file.file_path | String | Path to the file. | +| CiscoAMP.Event.file.identity.sha256 | String | File's SHA-256. | +| CiscoAMP.Event.file.identity.sha1 | String | File's SHA-1. | +| CiscoAMP.Event.file.identity.md5 | String | File's MD5 | +| CiscoAMP.Event.file.parent.process_id | Number | Parent's process ID. | +| CiscoAMP.Event.file.parent.file_name | String | Parent's file name. | +| CiscoAMP.Event.file.parent.disposition | String | Parent's disposition. | +| CiscoAMP.Event.file.parent.identity.sha256 | String | Parent's SHA-256. | +| CiscoAMP.Event.file.parent.identity.sha1 | String | Parent's SHA-1. | +| CiscoAMP.Event.file.parent.identity.md5 | String | Parent's MD5. | +| CiscoAMP.Event.scan.description | String | Description of the scan. | +| CiscoAMP.Event.scan.clean | Boolean | Whether the scam is clean. | +| CiscoAMP.Event.scan.scanned_files | Number | Number of scanned files. | +| CiscoAMP.Event.scan.scanned_processes | Number | Number of scanned processes. | +| CiscoAMP.Event.scan.scanned_paths | Number | Number of scanned paths. | +| CiscoAMP.Event.scan.malicious_detections | Number | Number of malicious detections. | +| File.MD5 | String | The MD5 hash of the file. | +| File.SHA1 | String | The SHA1 hash of the file. | +| File.SHA256 | String | The SHA256 hash of the file. | +| File.Name | String | The full file name \(including file extension\). | +| File.Path | String | The path where the file is located. | +| File.Hostname | String | The name of the host where the file was found. | +| File.Malicious.Vendor | String | The vendor that reported the file as malicious. | +| File.Malicious.Description | String | A description of why the file was determined to be malicious. | +| DBotScore.Indicator | String | The indicator that was tested. | +| DBotScore.Type | String | The indicator type. | +| DBotScore.Vendor | String | The vendor used to calculate the score. | +| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. | +| DBotScore.Score | Number | The actual score. | + +#### Command example +```!cisco-amp-event-list limit=5``` +#### Context Example +```json +{ + "CiscoAMP": { + "Event": [ + { + "computer": { + "active": "CiscoAMP_Event[0]_computer_active", + "connector_guid": "CiscoAMP_Event[0]_computer_connector_guid", + "external_ip": "CiscoAMP_Event[0]_computer_external_ip", + "hostname": "CiscoAMP_Event[0]_computer_hostname", + "network_addresses": [ + { + "ip": "CiscoAMP_Event[0]_computer_network_addresses[0]_ip", + "mac": "CiscoAMP_Event[0]_computer_network_addresses[0]_mac" + } + ] + }, + "connector_guid": "CiscoAMP_Event[0]_connector_guid", + "date": "CiscoAMP_Event[0]_date", + "event_type": "CiscoAMP_Event[0]_event_type", + "event_type_id": "CiscoAMP_Event[0]_event_type_id", + "group_guids": [ + "CiscoAMP_Event[0]_group_guids_0" + ], + "id": "CiscoAMP_Event[0]_id", + "isolation": { + "duration": "CiscoAMP_Event[0]_isolation_duration" + }, + "timestamp": "CiscoAMP_Event[0]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_Event[0]_timestamp_nanoseconds" + }, + { + "computer": { + "active": "CiscoAMP_Event[1]_computer_active", + "connector_guid": "CiscoAMP_Event[1]_computer_connector_guid", + "external_ip": "CiscoAMP_Event[1]_computer_external_ip", + "hostname": "CiscoAMP_Event[1]_computer_hostname", + "network_addresses": [ + { + "ip": "CiscoAMP_Event[1]_computer_network_addresses[0]_ip", + "mac": "CiscoAMP_Event[1]_computer_network_addresses[0]_mac" + } + ] + }, + "connector_guid": "CiscoAMP_Event[1]_connector_guid", + "date": "CiscoAMP_Event[1]_date", + "event_type": "CiscoAMP_Event[1]_event_type", + "event_type_id": "CiscoAMP_Event[1]_event_type_id", + "group_guids": [ + "CiscoAMP_Event[1]_group_guids_0" + ], + "id": "CiscoAMP_Event[1]_id", + "timestamp": "CiscoAMP_Event[1]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_Event[1]_timestamp_nanoseconds" + }, + { + "computer": { + "active": "CiscoAMP_Event[2]_computer_active", + "connector_guid": "CiscoAMP_Event[2]_computer_connector_guid", + "external_ip": "CiscoAMP_Event[2]_computer_external_ip", + "hostname": "CiscoAMP_Event[2]_computer_hostname", + "network_addresses": [ + { + "ip": "CiscoAMP_Event[2]_computer_network_addresses[0]_ip", + "mac": "CiscoAMP_Event[2]_computer_network_addresses[0]_mac" + } + ] + }, + "connector_guid": "CiscoAMP_Event[2]_connector_guid", + "date": "CiscoAMP_Event[2]_date", + "event_type": "CiscoAMP_Event[2]_event_type", + "event_type_id": "CiscoAMP_Event[2]_event_type_id", + "group_guids": [ + "CiscoAMP_Event[2]_group_guids_0" + ], + "id": "CiscoAMP_Event[2]_id", + "isolation": { + "duration": "CiscoAMP_Event[2]_isolation_duration" + }, + "timestamp": "CiscoAMP_Event[2]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_Event[2]_timestamp_nanoseconds" + }, + { + "computer": { + "active": "CiscoAMP_Event[3]_computer_active", + "connector_guid": "CiscoAMP_Event[3]_computer_connector_guid", + "external_ip": "CiscoAMP_Event[3]_computer_external_ip", + "hostname": "CiscoAMP_Event[3]_computer_hostname", + "network_addresses": [ + { + "ip": "CiscoAMP_Event[3]_computer_network_addresses[0]_ip", + "mac": "CiscoAMP_Event[3]_computer_network_addresses[0]_mac" + } + ] + }, + "connector_guid": "CiscoAMP_Event[3]_connector_guid", + "date": "CiscoAMP_Event[3]_date", + "event_type": "CiscoAMP_Event[3]_event_type", + "event_type_id": "CiscoAMP_Event[3]_event_type_id", + "group_guids": [ + "CiscoAMP_Event[3]_group_guids_0" + ], + "id": "CiscoAMP_Event[3]_id", + "timestamp": "CiscoAMP_Event[3]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_Event[3]_timestamp_nanoseconds" + }, + { + "computer": { + "active": "CiscoAMP_Event[4]_computer_active", + "connector_guid": "CiscoAMP_Event[4]_computer_connector_guid", + "external_ip": "CiscoAMP_Event[4]_computer_external_ip", + "hostname": "CiscoAMP_Event[4]_computer_hostname", + "network_addresses": [ + { + "ip": "CiscoAMP_Event[4]_computer_network_addresses[0]_ip", + "mac": "CiscoAMP_Event[4]_computer_network_addresses[0]_mac" + } + ] + }, + "connector_guid": "CiscoAMP_Event[4]_connector_guid", + "date": "CiscoAMP_Event[4]_date", + "event_type": "CiscoAMP_Event[4]_event_type", + "event_type_id": "CiscoAMP_Event[4]_event_type_id", + "group_guids": [ + "CiscoAMP_Event[4]_group_guids_0" + ], + "id": "CiscoAMP_Event[4]_id", + "isolation": { + "duration": "CiscoAMP_Event[4]_isolation_duration" + }, + "timestamp": "CiscoAMP_Event[4]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_Event[4]_timestamp_nanoseconds" + } + ] + } +} +``` + +#### Human Readable Output + +>### Results +>|Current Item Count|Index|Items Per Page|Total| +>|---|---|---|---| +>| 5 | 0 | 5 | 1228 | +>### Event Information +>|ID|Date|Event Type|Connector GUID| +>|---|---|---|---| +>| 1667218513509436397 | 2022-10-31T12:15:13+00:00 | Endpoint Isolation Stop Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | +>| 1667218506680244597 | 2022-10-31T12:15:06+00:00 | Endpoint Isolation Start Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | +>| 1667217305855411965 | 2022-10-31T11:55:05+00:00 | Endpoint Isolation Stop Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | +>| 1667217298837175263 | 2022-10-31T11:54:58+00:00 | Endpoint Isolation Start Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | +>| 1667216545769121964 | 2022-10-31T11:42:25+00:00 | Endpoint Isolation Stop Success | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | + + +### cisco-amp-event-type-list +*** +Fetches a list of event types. Events are identified and filtered by a unique ID. + + +#### Base Command + +`cisco-amp-event-type-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.EventType.id | Number | Event type ID. | +| CiscoAMP.EventType.name | String | Event type name. | +| CiscoAMP.EventType.description | String | Event type description. | + +#### Command example +```!cisco-amp-event-type-list limit=5``` +#### Context Example +```json +{ + "CiscoAMP": { + "EventType": [ + { + "description": "CiscoAMP_EventType[0]_description", + "id": "CiscoAMP_EventType[0]_id", + "name": "CiscoAMP_EventType[0]_name" + }, + { + "description": "CiscoAMP_EventType[1]_description", + "id": "CiscoAMP_EventType[1]_id", + "name": "CiscoAMP_EventType[1]_name" + }, + { + "description": "CiscoAMP_EventType[2]_description", + "id": "CiscoAMP_EventType[2]_id", + "name": "CiscoAMP_EventType[2]_name" + }, + { + "description": "CiscoAMP_EventType[3]_description", + "id": "CiscoAMP_EventType[3]_id", + "name": "CiscoAMP_EventType[3]_name" + }, + { + "description": "CiscoAMP_EventType[4]_description", + "id": "CiscoAMP_EventType[4]_id", + "name": "CiscoAMP_EventType[4]_name" + } + ] + } +} +``` + +#### Human Readable Output + +>### Results +>|Total| +>|---| +>| 106 | +>### Event Type Information +>|ID|Name|Description| +>|---|---|---| +>| 50331649 | Initial Agent Registration | A new agent has registered with the system. | +>| 553648130 | Policy Update | An agent has been told to fetch policy. | +>| 554696714 | Scan Started | An agent has started scanning. | +>| 554696715 | Scan Completed, No Detections | A scan has completed without detecting anything malicious. | +>| 1091567628 | Scan Completed With Detections | A scan has completed and detected malicious items. | + + +### cisco-amp-file-list-list +*** +Returns a particular file list for application blocking or simple custom detection. file_list_guid must be provided to retrieve information about a particular file_list. Can fetch an application_blocking or simple_custom_detection file list. Defaults to application_blocking. + + +#### Base Command + +`cisco-amp-file-list-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| file_list_type | Fetch a list type to return. Possible values are: Application Blocking, Simple Custom Detection. Default is Application Blocking. | Optional | +| name | Comma-separated list for name to filter by (has auto complete capabilities). | Optional | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | +| file_list_guid | GUID of the file list to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.FileList.name | String | Name of blocking. | +| CiscoAMP.FileList.guid | String | File list GUID. | +| CiscoAMP.FileList.type | String | Type of blocking. | + +#### Command example +```!cisco-amp-file-list-list``` +#### Context Example +```json +{ + "CiscoAMP": { + "FileList": { + "guid": "CiscoAMP_FileList_guid", + "name": "CiscoAMP_FileList_name", + "type": "CiscoAMP_FileList_type" + } + } +} +``` + +#### Human Readable Output + +>### Results +>|Current Item Count|Index|Items Per Page|Total| +>|---|---|---|---| +>| 1 | 0 | 100 | 1 | +>### File List Information +>|GUID|Name|Type| +>|---|---|---| +>| 1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12 | Blocked Application List | application_blocking | + + +### cisco-amp-file-list-item-list +*** +Returns a list of items for a particular file_list. file_list_guid must be provided to retrieve these items. A particular item can be returned by providing a SHA-256. + + +#### Base Command + +`cisco-amp-file-list-item-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| file_list_guid | File list to return. | Required | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | +| sha256 | File list item SHA-256 to search. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.FileListItem.name | String | Name of file list. | +| CiscoAMP.FileListItem.guid | String | File list GUID. | +| CiscoAMP.FileListItem.policies.name | String | Name of the policy. | +| CiscoAMP.FileListItem.policies.guid | String | Policy GUID. | +| CiscoAMP.FileListItem.items.sha256 | String | Item SHA-256. | +| CiscoAMP.FileListItem.items.source | String | Item source. | + +#### Command example +```!cisco-amp-file-list-item-list file_list_guid=1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12``` +#### Context Example +```json +{ + "CiscoAMP": { + "FileListItem": { + "guid": "CiscoAMP_FileListItem_guid", + "items": [], + "name": "CiscoAMP_FileListItem_name", + "policies": [ + { + "guid": "CiscoAMP_FileListItem_policies[0]_guid", + "name": "CiscoAMP_FileListItem_policies[0]_name" + }, + { + "guid": "CiscoAMP_FileListItem_policies[1]_guid", + "name": "CiscoAMP_FileListItem_policies[1]_name" + }, + { + "guid": "CiscoAMP_FileListItem_policies[2]_guid", + "name": "CiscoAMP_FileListItem_policies[2]_name" + }, + { + "guid": "CiscoAMP_FileListItem_policies[3]_guid", + "name": "CiscoAMP_FileListItem_policies[3]_name" + }, + { + "guid": "CiscoAMP_FileListItem_policies[4]_guid", + "name": "CiscoAMP_FileListItem_policies[4]_name" + }, + { + "guid": "CiscoAMP_FileListItem_policies[5]_guid", + "name": "CiscoAMP_FileListItem_policies[5]_name" + }, + { + "guid": "CiscoAMP_FileListItem_policies[6]_guid", + "name": "CiscoAMP_FileListItem_policies[6]_name" + }, + { + "guid": "CiscoAMP_FileListItem_policies[7]_guid", + "name": "CiscoAMP_FileListItem_policies[7]_name" + }, + { + "guid": "CiscoAMP_FileListItem_policies[8]_guid", + "name": "CiscoAMP_FileListItem_policies[8]_name" + }, + { + "guid": "CiscoAMP_FileListItem_policies[9]_guid", + "name": "CiscoAMP_FileListItem_policies[9]_name" + } + ] + } + } +} +``` + +#### Human Readable Output + +>### Results +>|Current Item Count|Index|Items Per Page|Total| +>|---|---|---|---| +>| 0 | 0 | 100 | 0 | +>### File List Item Information +>**No entries.** +>### Related Policy Information +>|Name|Guid| +>|---|---| +>| Audit | be84e169-0830-4b95-915b-1e203a82ed58 | +>| Protect | a599bf5b-2cb7-4a5b-90bd-d0199e2ccd67 | +>| Triage | 1a352c59-793b-44f3-b8f9-0ddd354057bc | +>| Server | dd1da971-926c-42ab-9e5a-154f2695d995 | +>| Domain Controller | fa0c377e-8f0a-40ab-885a-afc8c08d3732 | +>| Audit | 9f2fa537-df5d-4c6c-abf3-edc25a893a7a | +>| Protect | 30fba653-eb4e-4c3d-b1bb-1cef9f0e31e4 | +>| Triage | cfcf4841-bf00-4030-8ac3-4a607ecf245e | +>| Audit | b4e266c8-ebd1-4e94-80b6-b04a966cb0d5 | +>| Protect | 653508ed-28d4-465a-80c4-7ed9c0232b55 | + + +### cisco-amp-file-list-item-create +*** +Creates a file list item with a given SHA-256 for a specific file list with a given file_list_guid. + + +#### Base Command + +`cisco-amp-file-list-item-create` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| file_list_guid | File list to add to. | Required | +| sha256 | File list item's SHA-256 to add. | Required | +| description | Description for the created item. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.FileListItem.sha256 | String | Item SHA-256. | +| CiscoAMP.FileListItem.description | String | File's description. | +| CiscoAMP.FileListItem.source | String | Item source. | + +#### Command example +```!cisco-amp-file-list-item-create file_list_guid=1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12 sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad``` +#### Context Example +```json +{ + "CiscoAMP": { + "FileListItem": { + "sha256": "CiscoAMP_FileListItem_sha256", + "source": "CiscoAMP_FileListItem_source" + } + } +} +``` + +#### Human Readable Output + +>### File List Item Information +>|SHA-256|Source| +>|---|---| +>| ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad | Created by entering SHA-256 via Public api. | + + +### cisco-amp-file-list-item-delete +*** +Deletes a file list item with a given SHA-256 and associated to a file list with a given file_list_guid. + + +#### Base Command + +`cisco-amp-file-list-item-delete` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| file_list_guid | File list to delete from. | Required | +| sha256 | File list item SHA-256 to delete. | Required | + + +#### Context Output + +There is no context output for this command. +#### Command example +```!cisco-amp-file-list-item-delete file_list_guid=1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12 sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad``` +#### Human Readable Output + +>SHA-256: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" Successfully deleted from File List GUID: "1bb5a8e3-fb59-4b3d-a106-d90b2a02ac12". + +### cisco-amp-group-list +*** +Provides information about groups in an organization. + + +#### Base Command + +`cisco-amp-group-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| name | Name to filter by (has auto complete capabilities). | Optional | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | +| group_guid | Group's GUID. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.Group.name | String | Name of the group. | +| CiscoAMP.Group.description | String | Group's description. | +| CiscoAMP.Group.guid | String | Group GUID. | +| CiscoAMP.Group.source | String | Creation source. | +| CiscoAMP.Group.creator | String | Creator of the group. | +| CiscoAMP.Group.created_at | Date | Date of creation. | +| CiscoAMP.Group.computers_count | Number | Number of computers in the group. | +| CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. | +| CiscoAMP.Group.ancestry.name | String | Parent group name. | +| CiscoAMP.Group.ancestry.guid | String | Parent group GUID. | +| CiscoAMP.Group.child_groups.name | String | Child group name. | +| CiscoAMP.Group.child_groups.guid | String | Child group GUID. | +| CiscoAMP.Group.policies.name | String | Policy name. | +| CiscoAMP.Group.policies.description | String | Policy description. | +| CiscoAMP.Group.policies.guid | String | Policy GUID. | +| CiscoAMP.Group.policies.product | String | Policy operating system product. | +| CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. | +| CiscoAMP.Group.policies.serial_number | Number | Policy serial number. | +| CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. | +| CiscoAMP.Group.policies.file_lists.name | String | File list name. | +| CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. | +| CiscoAMP.Group.policies.file_lists.type | String | File list type. | +| CiscoAMP.Group.policies.ip_lists.name | String | IP list name. | +| CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. | +| CiscoAMP.Group.policies.ip_lists.type | String | IP list type. | +| CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. | +| CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. | +| CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group it is used in. | +| CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group it is used in. | +| CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group it is used in. | +| CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group it is used in. | + +#### Command example +```!cisco-amp-group-list``` +#### Context Example +```json +{ + "CiscoAMP": { + "Group": [ + { + "description": "CiscoAMP_Group[0]_description", + "guid": "CiscoAMP_Group[0]_guid", + "name": "CiscoAMP_Group[0]_name", + "source": "CiscoAMP_Group[0]_source" + }, + { + "description": "CiscoAMP_Group[1]_description", + "guid": "CiscoAMP_Group[1]_guid", + "name": "CiscoAMP_Group[1]_name", + "source": "CiscoAMP_Group[1]_source" + }, + { + "description": "CiscoAMP_Group[2]_description", + "guid": "CiscoAMP_Group[2]_guid", + "name": "CiscoAMP_Group[2]_name", + "source": "CiscoAMP_Group[2]_source" + }, + { + "description": "CiscoAMP_Group[3]_description", + "guid": "CiscoAMP_Group[3]_guid", + "name": "CiscoAMP_Group[3]_name", + "source": "CiscoAMP_Group[3]_source" + }, + { + "ancestry": [ + { + "guid": "CiscoAMP_Group[4]_ancestry[0]_guid", + "name": "CiscoAMP_Group[4]_ancestry[0]_name" + } + ], + "description": "CiscoAMP_Group[4]_description", + "guid": "CiscoAMP_Group[4]_guid", + "name": "CiscoAMP_Group[4]_name", + "source": "CiscoAMP_Group[4]_source" + }, + { + "description": "CiscoAMP_Group[5]_description", + "guid": "CiscoAMP_Group[5]_guid", + "name": "CiscoAMP_Group[5]_name", + "source": "CiscoAMP_Group[5]_source" + }, + { + "description": "CiscoAMP_Group[6]_description", + "guid": "CiscoAMP_Group[6]_guid", + "name": "CiscoAMP_Group[6]_name", + "source": "CiscoAMP_Group[6]_source" + }, + { + "description": "CiscoAMP_Group[7]_description", + "guid": "CiscoAMP_Group[7]_guid", + "name": "CiscoAMP_Group[7]_name", + "source": "CiscoAMP_Group[7]_source" + }, + { + "description": "CiscoAMP_Group[8]_description", + "guid": "CiscoAMP_Group[8]_guid", + "name": "CiscoAMP_Group[8]_name", + "source": "CiscoAMP_Group[8]_source" + } + ] + } +} +``` + +#### Human Readable Output + +>### Results +>|Current Item Count|Index|Items Per Page|Total| +>|---|---|---|---| +>| 9 | 0 | 100 | 9 | +>### Group Information +>|Name|Description|GUID|Source| +>|---|---|---|---| +>| Audit | Audit Group for QMASTERS SECURITY SERVICES LTD | fedd82f8-c74f-49f4-a463-e576d3beee92 | | +>| Domain Controller | Domain Controller Group for QMASTERS SECURITY SERVICES LTD | 92615a6b-631f-4436-b2da-47e94b349737 | | +>| group todelete | playbook delete | e66a0f8a-47f6-4da5-bf95-2834f668d71b | Created via API | +>| Lior-Group | Test group | bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 | | +>| Lior-Group-child | Test child group | 8b5245b5-993b-4ba9-9fe0-fb0454e815e5 | | +>| Protect | Protect Group for QMASTERS SECURITY SERVICES LTD | 5b1857e3-ba49-46cf-9bf1-0cad6b5ecd18 | | +>| readme group to delete | readme test group to be deleted | d088adeb-7cb4-48e4-807b-edcb828f4d29 | Created via API | +>| Server | Server Group for QMASTERS SECURITY SERVICES LTD | 9b54e512-b5ac-4865-ba1f-8cf2fbfbe052 | | +>| Triage | Triage Group for QMASTERS SECURITY SERVICES LTD | 6ed80412-0739-42c1-8f6d-32fb51b3f894 | | + + +### cisco-amp-group-policy-update +*** +Updates a group to a given policy and returns all the policies in that group. + + +#### Base Command + +`cisco-amp-group-policy-update` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| group_guid | Group's GUID. | Required | +| windows_policy_guid | Policy GUID for Windows. | Optional | +| mac_policy_guid | Policy GUID for MAC. | Optional | +| android_policy_guid | Policy GUID for Android. | Optional | +| linux_policy_guid | Policy GUID for Linux. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.Group.name | String | Name of the group. | +| CiscoAMP.Group.description | String | Group's description. | +| CiscoAMP.Group.guid | String | Group GUID. | +| CiscoAMP.Group.source | String | Creation source. | +| CiscoAMP.Group.creator | String | Creator of the group. | +| CiscoAMP.Group.created_at | Date | Date of creation. | +| CiscoAMP.Group.computers_count | Number | Number of computers in the group. | +| CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. | +| CiscoAMP.Group.ancestry.name | String | Parent group name. | +| CiscoAMP.Group.ancestry.guid | String | Parent group GUID. | +| CiscoAMP.Group.child_groups.name | String | Child group name. | +| CiscoAMP.Group.child_groups.guid | String | Child group GUID. | +| CiscoAMP.Group.policies.name | String | Policy name. | +| CiscoAMP.Group.policies.description | String | Policy description. | +| CiscoAMP.Group.policies.guid | String | Policy GUID. | +| CiscoAMP.Group.policies.product | String | Policy operating system product. | +| CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. | +| CiscoAMP.Group.policies.serial_number | Number | Policy serial number. | +| CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. | +| CiscoAMP.Group.policies.file_lists.name | String | File list name. | +| CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. | +| CiscoAMP.Group.policies.file_lists.type | String | File list type. | +| CiscoAMP.Group.policies.ip_lists.name | String | IP list name. | +| CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. | +| CiscoAMP.Group.policies.ip_lists.type | String | IP list type. | +| CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. | +| CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. | +| CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group the policy is used in. | +| CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group the policy is used in. | +| CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group the policy is used in. | +| CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group the policy is used in. | + +#### Command example +```!cisco-amp-group-policy-update group_guid=bb5a9f90-d6fa-4fe7-99c8-e91060b49a98 windows_policy_guid=91c7894d-dd69-4a21-8cf6-5ebfc57ef4df``` +#### Context Example +```json +{ + "CiscoAMP": { + "Group": { + "child_groups": [ + { + "guid": "CiscoAMP_Group_child_groups[0]_guid", + "name": "CiscoAMP_Group_child_groups[0]_name" + } + ], + "computers_count": "CiscoAMP_Group_computers_count", + "created_at": "CiscoAMP_Group_created_at", + "creator": "CiscoAMP_Group_creator", + "descendant_computers_count": "CiscoAMP_Group_descendant_computers_count", + "description": "CiscoAMP_Group_description", + "guid": "CiscoAMP_Group_guid", + "name": "CiscoAMP_Group_name", + "policies": [ + { + "default": "CiscoAMP_Group_policies[0]_default", + "description": "CiscoAMP_Group_policies[0]_description", + "exclusion_sets": [ + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_name" + } + ], + "file_lists": [], + "guid": "CiscoAMP_Group_policies[0]_guid", + "inherited": "CiscoAMP_Group_policies[0]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[0]_name", + "product": "CiscoAMP_Group_policies[0]_product", + "serial_number": "CiscoAMP_Group_policies[0]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[0]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[0]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[0]_used_in_groups[0]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[1]_default", + "description": "CiscoAMP_Group_policies[1]_description", + "file_lists": [], + "guid": "CiscoAMP_Group_policies[1]_guid", + "inherited": "CiscoAMP_Group_policies[1]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[1]_name", + "product": "CiscoAMP_Group_policies[1]_product", + "serial_number": "CiscoAMP_Group_policies[1]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[1]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[1]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[1]_used_in_groups[0]_name" + }, + { + "description": "CiscoAMP_Group_policies[1]_used_in_groups[1]_description", + "guid": "CiscoAMP_Group_policies[1]_used_in_groups[1]_guid", + "name": "CiscoAMP_Group_policies[1]_used_in_groups[1]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[2]_default", + "description": "CiscoAMP_Group_policies[2]_description", + "exclusion_sets": [ + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_name" + } + ], + "file_lists": [ + { + "guid": "CiscoAMP_Group_policies[2]_file_lists[0]_guid", + "name": "CiscoAMP_Group_policies[2]_file_lists[0]_name", + "type": "CiscoAMP_Group_policies[2]_file_lists[0]_type" + }, + { + "guid": "CiscoAMP_Group_policies[2]_file_lists[1]_guid", + "name": "CiscoAMP_Group_policies[2]_file_lists[1]_name", + "type": "CiscoAMP_Group_policies[2]_file_lists[1]_type" + }, + { + "guid": "CiscoAMP_Group_policies[2]_file_lists[2]_guid", + "name": "CiscoAMP_Group_policies[2]_file_lists[2]_name", + "type": "CiscoAMP_Group_policies[2]_file_lists[2]_type" + } + ], + "guid": "CiscoAMP_Group_policies[2]_guid", + "inherited": "CiscoAMP_Group_policies[2]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[2]_name", + "product": "CiscoAMP_Group_policies[2]_product", + "serial_number": "CiscoAMP_Group_policies[2]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[2]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[2]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[2]_used_in_groups[0]_name" + }, + { + "description": "CiscoAMP_Group_policies[2]_used_in_groups[1]_description", + "guid": "CiscoAMP_Group_policies[2]_used_in_groups[1]_guid", + "name": "CiscoAMP_Group_policies[2]_used_in_groups[1]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[3]_default", + "description": "CiscoAMP_Group_policies[3]_description", + "file_lists": [ + { + "guid": "CiscoAMP_Group_policies[3]_file_lists[0]_guid", + "name": "CiscoAMP_Group_policies[3]_file_lists[0]_name", + "type": "CiscoAMP_Group_policies[3]_file_lists[0]_type" + }, + { + "guid": "CiscoAMP_Group_policies[3]_file_lists[1]_guid", + "name": "CiscoAMP_Group_policies[3]_file_lists[1]_name", + "type": "CiscoAMP_Group_policies[3]_file_lists[1]_type" + }, + { + "guid": "CiscoAMP_Group_policies[3]_file_lists[2]_guid", + "name": "CiscoAMP_Group_policies[3]_file_lists[2]_name", + "type": "CiscoAMP_Group_policies[3]_file_lists[2]_type" + } + ], + "guid": "CiscoAMP_Group_policies[3]_guid", + "inherited": "CiscoAMP_Group_policies[3]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[3]_name", + "product": "CiscoAMP_Group_policies[3]_product", + "serial_number": "CiscoAMP_Group_policies[3]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[3]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[3]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[3]_used_in_groups[0]_name" + }, + { + "description": "CiscoAMP_Group_policies[3]_used_in_groups[1]_description", + "guid": "CiscoAMP_Group_policies[3]_used_in_groups[1]_guid", + "name": "CiscoAMP_Group_policies[3]_used_in_groups[1]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[4]_default", + "description": "CiscoAMP_Group_policies[4]_description", + "file_lists": [], + "guid": "CiscoAMP_Group_policies[4]_guid", + "inherited": "CiscoAMP_Group_policies[4]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[4]_name", + "product": "CiscoAMP_Group_policies[4]_product", + "serial_number": "CiscoAMP_Group_policies[4]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[4]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[4]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[4]_used_in_groups[0]_name" + }, + { + "description": "CiscoAMP_Group_policies[4]_used_in_groups[1]_description", + "guid": "CiscoAMP_Group_policies[4]_used_in_groups[1]_guid", + "name": "CiscoAMP_Group_policies[4]_used_in_groups[1]_name" + } + ] + } + ], + "source": "CiscoAMP_Group_source" + } + } +} +``` + +#### Human Readable Output + +>### Group Information +>|Name|Description|Creator|Created At|Computers Count|Descendant Computers Count| +>|---|---|---|---|---|---| +>| Lior-Group | Test group | Email | 2022-10-25 13:42:36 | 1 | 0 | + + +### cisco-amp-group-parent-update +*** +Converts an existing group to a child of another group or an existing child group to a root group (that is, one with no parent groups). + + +#### Base Command + +`cisco-amp-group-parent-update` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| child_guid | Group's GUID. | Required | +| parent_group_guid | Group parent to set to child group. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.Group.name | String | Name of the group. | +| CiscoAMP.Group.description | String | Group's description. | +| CiscoAMP.Group.guid | String | Group GUID. | +| CiscoAMP.Group.source | String | Creation source. | +| CiscoAMP.Group.creator | String | Creator of the group. | +| CiscoAMP.Group.created_at | Date | Date of creation. | +| CiscoAMP.Group.computers_count | Number | Number of computers in the group. | +| CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. | +| CiscoAMP.Group.ancestry.name | String | Parent group name. | +| CiscoAMP.Group.ancestry.guid | String | Parent group GUID. | +| CiscoAMP.Group.child_groups.name | String | Child group name. | +| CiscoAMP.Group.child_groups.guid | String | Child group GUID. | +| CiscoAMP.Group.policies.name | String | Policy name. | +| CiscoAMP.Group.policies.description | String | Policy description. | +| CiscoAMP.Group.policies.guid | String | Policy GUID. | +| CiscoAMP.Group.policies.product | String | Policy operating system product. | +| CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. | +| CiscoAMP.Group.policies.serial_number | Number | Policy serial number. | +| CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. | +| CiscoAMP.Group.policies.file_lists.name | String | File list name. | +| CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. | +| CiscoAMP.Group.policies.file_lists.type | String | File list type. | +| CiscoAMP.Group.policies.ip_lists.name | String | IP list name. | +| CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. | +| CiscoAMP.Group.policies.ip_lists.type | String | IP list type. | +| CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. | +| CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. | +| CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group it is used in. | +| CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group it is used in. | +| CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group it is used in. | +| CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group it is used in. | + +#### Command example +```!cisco-amp-group-parent-update child_guid=bb5a9f90-d6fa-4fe7-99c8-e91060b49a98``` +#### Context Example +```json +{ + "CiscoAMP": { + "Group": { + "child_groups": [ + { + "guid": "CiscoAMP_Group_child_groups[0]_guid", + "name": "CiscoAMP_Group_child_groups[0]_name" + } + ], + "computers_count": "CiscoAMP_Group_computers_count", + "created_at": "CiscoAMP_Group_created_at", + "creator": "CiscoAMP_Group_creator", + "descendant_computers_count": "CiscoAMP_Group_descendant_computers_count", + "description": "CiscoAMP_Group_description", + "guid": "CiscoAMP_Group_guid", + "name": "CiscoAMP_Group_name", + "policies": [ + { + "default": "CiscoAMP_Group_policies[0]_default", + "description": "CiscoAMP_Group_policies[0]_description", + "exclusion_sets": [ + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_name" + } + ], + "file_lists": [], + "guid": "CiscoAMP_Group_policies[0]_guid", + "inherited": "CiscoAMP_Group_policies[0]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[0]_name", + "product": "CiscoAMP_Group_policies[0]_product", + "serial_number": "CiscoAMP_Group_policies[0]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[0]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[0]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[0]_used_in_groups[0]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[1]_default", + "description": "CiscoAMP_Group_policies[1]_description", + "file_lists": [], + "guid": "CiscoAMP_Group_policies[1]_guid", + "inherited": "CiscoAMP_Group_policies[1]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[1]_name", + "product": "CiscoAMP_Group_policies[1]_product", + "serial_number": "CiscoAMP_Group_policies[1]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[1]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[1]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[1]_used_in_groups[0]_name" + }, + { + "description": "CiscoAMP_Group_policies[1]_used_in_groups[1]_description", + "guid": "CiscoAMP_Group_policies[1]_used_in_groups[1]_guid", + "name": "CiscoAMP_Group_policies[1]_used_in_groups[1]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[2]_default", + "description": "CiscoAMP_Group_policies[2]_description", + "exclusion_sets": [ + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_name" + } + ], + "file_lists": [ + { + "guid": "CiscoAMP_Group_policies[2]_file_lists[0]_guid", + "name": "CiscoAMP_Group_policies[2]_file_lists[0]_name", + "type": "CiscoAMP_Group_policies[2]_file_lists[0]_type" + }, + { + "guid": "CiscoAMP_Group_policies[2]_file_lists[1]_guid", + "name": "CiscoAMP_Group_policies[2]_file_lists[1]_name", + "type": "CiscoAMP_Group_policies[2]_file_lists[1]_type" + }, + { + "guid": "CiscoAMP_Group_policies[2]_file_lists[2]_guid", + "name": "CiscoAMP_Group_policies[2]_file_lists[2]_name", + "type": "CiscoAMP_Group_policies[2]_file_lists[2]_type" + } + ], + "guid": "CiscoAMP_Group_policies[2]_guid", + "inherited": "CiscoAMP_Group_policies[2]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[2]_name", + "product": "CiscoAMP_Group_policies[2]_product", + "serial_number": "CiscoAMP_Group_policies[2]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[2]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[2]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[2]_used_in_groups[0]_name" + }, + { + "description": "CiscoAMP_Group_policies[2]_used_in_groups[1]_description", + "guid": "CiscoAMP_Group_policies[2]_used_in_groups[1]_guid", + "name": "CiscoAMP_Group_policies[2]_used_in_groups[1]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[3]_default", + "description": "CiscoAMP_Group_policies[3]_description", + "file_lists": [ + { + "guid": "CiscoAMP_Group_policies[3]_file_lists[0]_guid", + "name": "CiscoAMP_Group_policies[3]_file_lists[0]_name", + "type": "CiscoAMP_Group_policies[3]_file_lists[0]_type" + }, + { + "guid": "CiscoAMP_Group_policies[3]_file_lists[1]_guid", + "name": "CiscoAMP_Group_policies[3]_file_lists[1]_name", + "type": "CiscoAMP_Group_policies[3]_file_lists[1]_type" + }, + { + "guid": "CiscoAMP_Group_policies[3]_file_lists[2]_guid", + "name": "CiscoAMP_Group_policies[3]_file_lists[2]_name", + "type": "CiscoAMP_Group_policies[3]_file_lists[2]_type" + } + ], + "guid": "CiscoAMP_Group_policies[3]_guid", + "inherited": "CiscoAMP_Group_policies[3]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[3]_name", + "product": "CiscoAMP_Group_policies[3]_product", + "serial_number": "CiscoAMP_Group_policies[3]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[3]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[3]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[3]_used_in_groups[0]_name" + }, + { + "description": "CiscoAMP_Group_policies[3]_used_in_groups[1]_description", + "guid": "CiscoAMP_Group_policies[3]_used_in_groups[1]_guid", + "name": "CiscoAMP_Group_policies[3]_used_in_groups[1]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[4]_default", + "description": "CiscoAMP_Group_policies[4]_description", + "file_lists": [], + "guid": "CiscoAMP_Group_policies[4]_guid", + "inherited": "CiscoAMP_Group_policies[4]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[4]_name", + "product": "CiscoAMP_Group_policies[4]_product", + "serial_number": "CiscoAMP_Group_policies[4]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[4]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[4]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[4]_used_in_groups[0]_name" + }, + { + "description": "CiscoAMP_Group_policies[4]_used_in_groups[1]_description", + "guid": "CiscoAMP_Group_policies[4]_used_in_groups[1]_guid", + "name": "CiscoAMP_Group_policies[4]_used_in_groups[1]_name" + } + ] + } + ], + "source": "CiscoAMP_Group_source" + } + } +} +``` + +#### Human Readable Output + +>### Group Information +>|Name|Description|Creator|Created At|Computers Count|Descendant Computers Count| +>|---|---|---|---|---|---| +>| Lior-Group | Test group | Email | 2022-10-25 13:42:36 | 1 | 0 | + + +### cisco-amp-group-create +*** +Creates a new group along with a group name or description. + + +#### Base Command + +`cisco-amp-group-create` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| name | Group name. | Required | +| description | Group description. | Required | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.Group.name | String | Name of the group. | +| CiscoAMP.Group.description | String | Group's description. | +| CiscoAMP.Group.guid | String | Group GUID. | +| CiscoAMP.Group.source | String | Creation source. | +| CiscoAMP.Group.creator | String | Creator of the group. | +| CiscoAMP.Group.created_at | Date | Date of creation. | +| CiscoAMP.Group.computers_count | Number | Number of computers in the group. | +| CiscoAMP.Group.descendant_computers_count | Number | Number of computers from descendant groups. | +| CiscoAMP.Group.policies.name | String | Policy name. | +| CiscoAMP.Group.policies.description | String | Policy description. | +| CiscoAMP.Group.policies.guid | String | Policy GUID. | +| CiscoAMP.Group.policies.product | String | Policy operating system product. | +| CiscoAMP.Group.policies.default | Boolean | Whether the policy is the default policy. | +| CiscoAMP.Group.policies.serial_number | Number | Policy serial number. | +| CiscoAMP.Group.policies.inherited | Boolean | Whether the policy is inherited. | +| CiscoAMP.Group.policies.file_lists.name | String | File list name. | +| CiscoAMP.Group.policies.file_lists.guid | String | File list GUID. | +| CiscoAMP.Group.policies.file_lists.type | String | File list type. | +| CiscoAMP.Group.policies.ip_lists.name | String | IP list name. | +| CiscoAMP.Group.policies.ip_lists.guid | String | IP list GUID. | +| CiscoAMP.Group.policies.ip_lists.type | String | IP list type. | +| CiscoAMP.Group.policies.exclusion_sets.name | String | Exclusion set name. | +| CiscoAMP.Group.policies.exclusion_sets.guid | String | Exclusion set GUID. | +| CiscoAMP.Group.policies.used_in_groups.name | String | Name of the group it is used in. | +| CiscoAMP.Group.policies.used_in_groups.description | String | Description of the group it is used in. | +| CiscoAMP.Group.policies.used_in_groups.guid | String | GUID of the group it is used in. | +| CiscoAMP.Group.policies.used_in_groups.source | String | Creation source of the group it is used in. | + +#### Command example +```!cisco-amp-group-create description="readme test group to be deleted" name="readme group"``` +#### Context Example +```json +{ + "CiscoAMP": { + "Group": { + "computers_count": "CiscoAMP_Group_computers_count", + "created_at": "CiscoAMP_Group_created_at", + "creator": "CiscoAMP_Group_creator", + "descendant_computers_count": "CiscoAMP_Group_descendant_computers_count", + "description": "CiscoAMP_Group_description", + "guid": "CiscoAMP_Group_guid", + "name": "CiscoAMP_Group_name", + "policies": [ + { + "default": "CiscoAMP_Group_policies[0]_default", + "description": "CiscoAMP_Group_policies[0]_description", + "exclusion_sets": [ + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[0]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[1]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[1]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[2]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[2]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[3]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[3]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[4]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[4]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[5]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[5]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[6]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[6]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[7]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[7]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[8]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[8]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[9]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[9]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[10]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[10]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[11]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[11]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[12]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[12]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[13]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[13]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[14]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[14]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[15]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[15]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[16]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[16]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[17]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[17]_name" + }, + { + "guid": "CiscoAMP_Group_policies[0]_exclusion_sets[18]_guid", + "name": "CiscoAMP_Group_policies[0]_exclusion_sets[18]_name" + } + ], + "file_lists": [ + { + "guid": "CiscoAMP_Group_policies[0]_file_lists[0]_guid", + "name": "CiscoAMP_Group_policies[0]_file_lists[0]_name", + "type": "CiscoAMP_Group_policies[0]_file_lists[0]_type" + }, + { + "guid": "CiscoAMP_Group_policies[0]_file_lists[1]_guid", + "name": "CiscoAMP_Group_policies[0]_file_lists[1]_name", + "type": "CiscoAMP_Group_policies[0]_file_lists[1]_type" + }, + { + "guid": "CiscoAMP_Group_policies[0]_file_lists[2]_guid", + "name": "CiscoAMP_Group_policies[0]_file_lists[2]_name", + "type": "CiscoAMP_Group_policies[0]_file_lists[2]_type" + } + ], + "guid": "CiscoAMP_Group_policies[0]_guid", + "inherited": "CiscoAMP_Group_policies[0]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[0]_name", + "product": "CiscoAMP_Group_policies[0]_product", + "serial_number": "CiscoAMP_Group_policies[0]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[0]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[0]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[0]_used_in_groups[0]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[1]_default", + "description": "CiscoAMP_Group_policies[1]_description", + "file_lists": [], + "guid": "CiscoAMP_Group_policies[1]_guid", + "inherited": "CiscoAMP_Group_policies[1]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[1]_name", + "product": "CiscoAMP_Group_policies[1]_product", + "serial_number": "CiscoAMP_Group_policies[1]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[1]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[1]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[1]_used_in_groups[0]_name" + }, + { + "description": "CiscoAMP_Group_policies[1]_used_in_groups[1]_description", + "guid": "CiscoAMP_Group_policies[1]_used_in_groups[1]_guid", + "name": "CiscoAMP_Group_policies[1]_used_in_groups[1]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[2]_default", + "description": "CiscoAMP_Group_policies[2]_description", + "exclusion_sets": [ + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[0]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[1]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[2]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[3]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[4]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[5]_name" + }, + { + "guid": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_guid", + "name": "CiscoAMP_Group_policies[2]_exclusion_sets[6]_name" + } + ], + "file_lists": [ + { + "guid": "CiscoAMP_Group_policies[2]_file_lists[0]_guid", + "name": "CiscoAMP_Group_policies[2]_file_lists[0]_name", + "type": "CiscoAMP_Group_policies[2]_file_lists[0]_type" + }, + { + "guid": "CiscoAMP_Group_policies[2]_file_lists[1]_guid", + "name": "CiscoAMP_Group_policies[2]_file_lists[1]_name", + "type": "CiscoAMP_Group_policies[2]_file_lists[1]_type" + }, + { + "guid": "CiscoAMP_Group_policies[2]_file_lists[2]_guid", + "name": "CiscoAMP_Group_policies[2]_file_lists[2]_name", + "type": "CiscoAMP_Group_policies[2]_file_lists[2]_type" + } + ], + "guid": "CiscoAMP_Group_policies[2]_guid", + "inherited": "CiscoAMP_Group_policies[2]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[2]_name", + "product": "CiscoAMP_Group_policies[2]_product", + "serial_number": "CiscoAMP_Group_policies[2]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[2]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[2]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[2]_used_in_groups[0]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[3]_default", + "description": "CiscoAMP_Group_policies[3]_description", + "file_lists": [ + { + "guid": "CiscoAMP_Group_policies[3]_file_lists[0]_guid", + "name": "CiscoAMP_Group_policies[3]_file_lists[0]_name", + "type": "CiscoAMP_Group_policies[3]_file_lists[0]_type" + }, + { + "guid": "CiscoAMP_Group_policies[3]_file_lists[1]_guid", + "name": "CiscoAMP_Group_policies[3]_file_lists[1]_name", + "type": "CiscoAMP_Group_policies[3]_file_lists[1]_type" + }, + { + "guid": "CiscoAMP_Group_policies[3]_file_lists[2]_guid", + "name": "CiscoAMP_Group_policies[3]_file_lists[2]_name", + "type": "CiscoAMP_Group_policies[3]_file_lists[2]_type" + } + ], + "guid": "CiscoAMP_Group_policies[3]_guid", + "inherited": "CiscoAMP_Group_policies[3]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[3]_name", + "product": "CiscoAMP_Group_policies[3]_product", + "serial_number": "CiscoAMP_Group_policies[3]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[3]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[3]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[3]_used_in_groups[0]_name" + } + ] + }, + { + "default": "CiscoAMP_Group_policies[4]_default", + "description": "CiscoAMP_Group_policies[4]_description", + "file_lists": [], + "guid": "CiscoAMP_Group_policies[4]_guid", + "inherited": "CiscoAMP_Group_policies[4]_inherited", + "ip_lists": [], + "isolation_ip_lists": [], + "name": "CiscoAMP_Group_policies[4]_name", + "product": "CiscoAMP_Group_policies[4]_product", + "serial_number": "CiscoAMP_Group_policies[4]_serial_number", + "used_in_groups": [ + { + "description": "CiscoAMP_Group_policies[4]_used_in_groups[0]_description", + "guid": "CiscoAMP_Group_policies[4]_used_in_groups[0]_guid", + "name": "CiscoAMP_Group_policies[4]_used_in_groups[0]_name" + } + ] + } + ], + "source": "CiscoAMP_Group_source" + } + } +} +``` + +#### Human Readable Output + +>### Group Information +>|Name|Description|Created At|Computers Count|Descendant Computers Count| +>|---|---|---|---|---| +>| readme group | readme test group to be deleted | 2022-10-31 12:16:25 | 0 | 0 | + + +### cisco-amp-group-delete +*** +Destroys a group with a given GUID. + + +#### Base Command + +`cisco-amp-group-delete` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| group_guid | Group's GUID. | Required | + + +#### Context Output + +There is no context output for this command. +#### Command example +```!cisco-amp-group-delete group_guid=d088adeb-7cb4-48e4-807b-edcb828f4d29``` +#### Human Readable Output + +>Group GUID: "d088adeb-7cb4-48e4-807b-edcb828f4d29" +>Successfully deleted. + +### cisco-amp-indicator-list +*** +Show information about indicators. + + +#### Base Command + +`cisco-amp-indicator-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| indicator_guid | Indicator GUID. | Optional | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.Indicator.name | String | Indicator name. | +| CiscoAMP.Indicator.description | String | Indicator description. | +| CiscoAMP.Indicator.guid | String | Indicator GUID. | +| CiscoAMP.Indicator.severity | String | Indicator severity. | +| CiscoAMP.Indicator.mitre.tactics.external_id | String | Mitre tactic ID. | +| CiscoAMP.Indicator.mitre.tactics.name | String | Mitre tactic name. | +| CiscoAMP.Indicator.mitre.tactics.mitre_url | String | Mitre tactic URL. | +| CiscoAMP.Indicator.mitre.techniques.external_id | String | Mitre technique ID. | +| CiscoAMP.Indicator.mitre.techniques.name | String | Mitre technique name. | +| CiscoAMP.Indicator.mitre.techniques.mitre_url | String | Mitre technique URL. | +| CiscoAMP.Indicator.observed_compromises | Number | Total number of observed compromises. | +| CiscoAMP.Indicator.observed_compromises.unresolved | Number | Number of unresolved compromises. | +| CiscoAMP.Indicator.observed_compromises.in_progress | Number | Number of compromises in progress. | +| CiscoAMP.Indicator.observed_compromises.resolved | Number | Number of resolved compromises. | + +#### Command example +```!cisco-amp-indicator-list limit=5``` +#### Context Example +```json +{ + "CiscoAMP": { + "Indicator": [ + { + "description": "CiscoAMP_Indicator[0]_description", + "guid": "CiscoAMP_Indicator[0]_guid", + "name": "CiscoAMP_Indicator[0]_name", + "observed_compromises": "CiscoAMP_Indicator[0]_observed_compromises", + "severity": "CiscoAMP_Indicator[0]_severity" + }, + { + "description": "CiscoAMP_Indicator[1]_description", + "guid": "CiscoAMP_Indicator[1]_guid", + "name": "CiscoAMP_Indicator[1]_name", + "observed_compromises": "CiscoAMP_Indicator[1]_observed_compromises", + "severity": "CiscoAMP_Indicator[1]_severity" + }, + { + "description": "CiscoAMP_Indicator[2]_description", + "guid": "CiscoAMP_Indicator[2]_guid", + "name": "CiscoAMP_Indicator[2]_name", + "observed_compromises": "CiscoAMP_Indicator[2]_observed_compromises", + "severity": "CiscoAMP_Indicator[2]_severity" + }, + { + "description": "CiscoAMP_Indicator[3]_description", + "guid": "CiscoAMP_Indicator[3]_guid", + "name": "CiscoAMP_Indicator[3]_name", + "observed_compromises": "CiscoAMP_Indicator[3]_observed_compromises", + "severity": "CiscoAMP_Indicator[3]_severity" + }, + { + "description": "CiscoAMP_Indicator[4]_description", + "guid": "CiscoAMP_Indicator[4]_guid", + "name": "CiscoAMP_Indicator[4]_name", + "observed_compromises": "CiscoAMP_Indicator[4]_observed_compromises", + "severity": "CiscoAMP_Indicator[4]_severity" + } + ] + } +} +``` + +#### Human Readable Output + +>### Results +>|Current Item Count|Index|Items Per Page|Total| +>|---|---|---|---| +>| 5 | 0 | 5 | 910 | +>### Indicator Information +>|GUID|Name|Description|Severity|Observed Compromises| +>|---|---|---|---|---| +>| 5593ab7e-1db5-4759-9785-96c55824b675 | Crossrider.ioc | Crossrider is a an Adware variant that targets Mac with the intent of displaying ads. It also changes the default home page of Safari and Chrome browsers. | Medium | 0 | +>| fef2d8b2-95f6-4392-abec-fc1f6a670251 | Dummy.ioc | OSX.Dummy is a poorly executed Trojan variant. It requires users to input their password in order to complete it's install. However, once this is done the malware will have complete access to the whole system, and it will persist itself via a LaunchDaemon. | Medium | 0 | +>| dcc66a98-5658-41d4-a1ca-887933a8b24f | GateDotPhp.ioc | Accessed URL matches characteristics of several malware families. | High | 1 | +>| 940bdaf4-4c89-4423-a55e-410ed56143a8 | JS.Trojan.Generic_48153.ioc | JS.Trojan.Generic_48153 is malware that contacts a remote server over HTTP. This IOC is based on Snort Intrusion Prevention System (IPS) rule id:48153 from the malware detection rulesets. This IOC fires when a URI pattern similar to this malware has been detected. The components of the URI this IOC inspects for are: "/01/Carontex". | Critical | 0 | +>| 318d030d-7fdc-48f4-afcd-66c7c75cade7 | Linux.AutostartPersistence.ioc | Most Linux distributions support creation of auto-start files. This consists of placing a configuration file with a .desktop extension in the .config/autostart location. In this case, a suspicious auto-start entry was created. Linux malware such as x-agent also known as sofacy/sednit are known to do that. | High | 0 | + + +### cisco-amp-policy-list +*** +Gets information about policies by filtering with a product and name of a specific policy with a policy_guid. + + +#### Base Command + +`cisco-amp-policy-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| policy_guid | Policy GUID. | Optional | +| product | Comma-separated list for products to filter by. | Optional | +| name | Comma-separated list for names to filter by (has auto complete capabilities). | Optional | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.Policy.name | String | Policy name. | +| CiscoAMP.Policy.description | String | Policy description. | +| CiscoAMP.Policy.guid | String | Policy GUID. | +| CiscoAMP.Policy.product | String | Product used. | +| CiscoAMP.Policy.default | Boolean | Whether the policy is the default policy. | +| CiscoAMP.Policy.serial_number | Number | Policy serial number. | +| CiscoAMP.Policy.file_lists.name | String | File list name. | +| CiscoAMP.Policy.file_lists.guid | String | File list GUID. | +| CiscoAMP.Policy.file_lists.type | String | File list type. | +| CiscoAMP.Policy.ip_lists.name | String | IP list name. | +| CiscoAMP.Policy.ip_lists.guid | String | IP list GUID. | +| CiscoAMP.Policy.ip_lists.type | String | IP list type. | +| CiscoAMP.Policy.exclusion_sets.name | String | Exclusion set name. | +| CiscoAMP.Policy.exclusion_sets.guid | String | Exclusion set GUID. | +| CiscoAMP.Policy.used_in_groups.name | String | Group name. | +| CiscoAMP.Policy.used_in_groups.description | String | Group description. | +| CiscoAMP.Policy.used_in_groups.guid | String | Group GUID. | + +#### Command example +```!cisco-amp-policy-list``` +#### Context Example +```json +{ + "CiscoAMP": { + "Policy": [ + { + "default": "CiscoAMP_Policy[0]_default", + "description": "CiscoAMP_Policy[0]_description", + "guid": "CiscoAMP_Policy[0]_guid", + "name": "CiscoAMP_Policy[0]_name", + "product": "CiscoAMP_Policy[0]_product", + "serial_number": "CiscoAMP_Policy[0]_serial_number" + }, + { + "default": "CiscoAMP_Policy[1]_default", + "description": "CiscoAMP_Policy[1]_description", + "guid": "CiscoAMP_Policy[1]_guid", + "name": "CiscoAMP_Policy[1]_name", + "product": "CiscoAMP_Policy[1]_product", + "serial_number": "CiscoAMP_Policy[1]_serial_number" + }, + { + "default": "CiscoAMP_Policy[2]_default", + "description": "CiscoAMP_Policy[2]_description", + "guid": "CiscoAMP_Policy[2]_guid", + "name": "CiscoAMP_Policy[2]_name", + "product": "CiscoAMP_Policy[2]_product", + "serial_number": "CiscoAMP_Policy[2]_serial_number" + }, + { + "default": "CiscoAMP_Policy[3]_default", + "description": "CiscoAMP_Policy[3]_description", + "guid": "CiscoAMP_Policy[3]_guid", + "name": "CiscoAMP_Policy[3]_name", + "product": "CiscoAMP_Policy[3]_product", + "serial_number": "CiscoAMP_Policy[3]_serial_number" + }, + { + "default": "CiscoAMP_Policy[4]_default", + "description": "CiscoAMP_Policy[4]_description", + "guid": "CiscoAMP_Policy[4]_guid", + "name": "CiscoAMP_Policy[4]_name", + "product": "CiscoAMP_Policy[4]_product", + "serial_number": "CiscoAMP_Policy[4]_serial_number" + }, + { + "default": "CiscoAMP_Policy[5]_default", + "description": "CiscoAMP_Policy[5]_description", + "guid": "CiscoAMP_Policy[5]_guid", + "name": "CiscoAMP_Policy[5]_name", + "product": "CiscoAMP_Policy[5]_product", + "serial_number": "CiscoAMP_Policy[5]_serial_number" + }, + { + "default": "CiscoAMP_Policy[6]_default", + "description": "CiscoAMP_Policy[6]_description", + "guid": "CiscoAMP_Policy[6]_guid", + "name": "CiscoAMP_Policy[6]_name", + "product": "CiscoAMP_Policy[6]_product", + "serial_number": "CiscoAMP_Policy[6]_serial_number" + }, + { + "default": "CiscoAMP_Policy[7]_default", + "description": "CiscoAMP_Policy[7]_description", + "guid": "CiscoAMP_Policy[7]_guid", + "name": "CiscoAMP_Policy[7]_name", + "product": "CiscoAMP_Policy[7]_product", + "serial_number": "CiscoAMP_Policy[7]_serial_number" + }, + { + "default": "CiscoAMP_Policy[8]_default", + "description": "CiscoAMP_Policy[8]_description", + "guid": "CiscoAMP_Policy[8]_guid", + "name": "CiscoAMP_Policy[8]_name", + "product": "CiscoAMP_Policy[8]_product", + "serial_number": "CiscoAMP_Policy[8]_serial_number" + }, + { + "default": "CiscoAMP_Policy[9]_default", + "description": "CiscoAMP_Policy[9]_description", + "guid": "CiscoAMP_Policy[9]_guid", + "name": "CiscoAMP_Policy[9]_name", + "product": "CiscoAMP_Policy[9]_product", + "serial_number": "CiscoAMP_Policy[9]_serial_number" + }, + { + "default": "CiscoAMP_Policy[10]_default", + "description": "CiscoAMP_Policy[10]_description", + "guid": "CiscoAMP_Policy[10]_guid", + "name": "CiscoAMP_Policy[10]_name", + "product": "CiscoAMP_Policy[10]_product", + "serial_number": "CiscoAMP_Policy[10]_serial_number" + }, + { + "default": "CiscoAMP_Policy[11]_default", + "description": "CiscoAMP_Policy[11]_description", + "guid": "CiscoAMP_Policy[11]_guid", + "name": "CiscoAMP_Policy[11]_name", + "product": "CiscoAMP_Policy[11]_product", + "serial_number": "CiscoAMP_Policy[11]_serial_number" + }, + { + "default": "CiscoAMP_Policy[12]_default", + "description": "CiscoAMP_Policy[12]_description", + "guid": "CiscoAMP_Policy[12]_guid", + "name": "CiscoAMP_Policy[12]_name", + "product": "CiscoAMP_Policy[12]_product", + "serial_number": "CiscoAMP_Policy[12]_serial_number" + }, + { + "default": "CiscoAMP_Policy[13]_default", + "description": "CiscoAMP_Policy[13]_description", + "guid": "CiscoAMP_Policy[13]_guid", + "name": "CiscoAMP_Policy[13]_name", + "product": "CiscoAMP_Policy[13]_product", + "serial_number": "CiscoAMP_Policy[13]_serial_number" + } + ] + } +} +``` + +#### Human Readable Output + +>### Results +>|Current Item Count|Index|Items Per Page|Total| +>|---|---|---|---| +>| 14 | 0 | 100 | 14 | +>### Policy Information +>|GUID|Name|Description|Product|Serial Number| +>|---|---|---|---|---| +>| 082bc9a3-b73a-4f42-8cc5-de1cd3748700 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | android | 11 | +>| 5102948a-db78-4a94-849a-b9f12b04e526 | Audit | This policy puts Clarity in a mode that will log and alert on convictions but not block traffic. | ios | 23 | +>| c90936b3-2ad7-458c-90a3-a806d50ed16e | Protect | This is the standard policy for Clarity that will log and alert on convictions and block any potentially malicious traffic. | ios | 25 | +>| b4e266c8-ebd1-4e94-80b6-b04a966cb0d5 | Audit | This policy puts the Secure Endpoint Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked. | linux | 19 | +>| 653508ed-28d4-465a-80c4-7ed9c0232b55 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | linux | 21 | +>| 9f2fa537-df5d-4c6c-abf3-edc25a893a7a | Audit | This policy puts the Secure Endpoint Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked. | mac | 13 | +>| 30fba653-eb4e-4c3d-b1bb-1cef9f0e31e4 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | mac | 15 | +>| cfcf4841-bf00-4030-8ac3-4a607ecf245e | Triage | This is an aggressive policy that enables the offline engine to scan computers that are suspected or known to be infected with malware. | mac | 17 | +>| be84e169-0830-4b95-915b-1e203a82ed58 | Audit | This policy puts the Secure Endpoint Connector in a mode that will only detect malicious files but not quarantine them. Malicious network traffic is also detected but not blocked. | windows | 29 | +>| fa0c377e-8f0a-40ab-885a-afc8c08d3732 | Domain Controller | This is a lightweight policy for use on Active Directory Domain Controllers. | windows | 10 | +>| 91c7894d-dd69-4a21-8cf6-5ebfc57ef4df | Lior-test | Test policy | windows | 27 | +>| a599bf5b-2cb7-4a5b-90bd-d0199e2ccd67 | Protect | This is the standard policy for the Secure Endpoint Connector that will quarantine malicious files and block malicious network connections. | windows | 28 | +>| dd1da971-926c-42ab-9e5a-154f2695d995 | Server | This is a lightweight policy for high availability computers and servers that require maximum performance and uptime. | windows | 8 | +>| 1a352c59-793b-44f3-b8f9-0ddd354057bc | Triage | This is an aggressive policy that enables the offline engine to scan computers that are suspected or known to be infected with malware. | windows | 6 | + + +### cisco-amp-app-trajectory-query-list +*** +Retrieve app_trajectory queries for a given ios bundle id. + + +#### Base Command + +`cisco-amp-app-trajectory-query-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| ios_bid | IOS bundle ID for app trajectory. | Required | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.AppTrajectoryQuery.connector_guid | String | GUID of the connector. | +| CiscoAMP.AppTrajectoryQuery.bundle_id | String | Bundle ID. | +| CiscoAMP.AppTrajectoryQuery.group_guids | String | List of group's GUIDs. | +| CiscoAMP.AppTrajectoryQuery.cdhash | String | CD hash. | +| CiscoAMP.AppTrajectoryQuery.timestamp | Number | Observed timestamp. | +| CiscoAMP.AppTrajectoryQuery.timestamp_nanoseconds | Number | Observed timestamp in nano seconds. | +| CiscoAMP.AppTrajectoryQuery.date | Date | Observed date. | +| CiscoAMP.AppTrajectoryQuery.query_type | String | The type of the query. | +| CiscoAMP.AppTrajectoryQuery.network_info.dirty_url | String | Link to the observed URL. | +| CiscoAMP.AppTrajectoryQuery.network_info.remote_ip | String | Remote IP. | +| CiscoAMP.AppTrajectoryQuery.network_info.remote_port | Number | Remote port. | +| CiscoAMP.AppTrajectoryQuery.network_info.local_ip | String | Local IP. | +| CiscoAMP.AppTrajectoryQuery.network_info.local_port | Number | Local Port. | +| CiscoAMP.AppTrajectoryQuery.network_info.direction | String | Outgoing or incoming connection. | +| CiscoAMP.AppTrajectoryQuery.network_info.protocol | String | Communication protocol used. | +| CiscoAMP.AppTrajectoryQuery.ver | String | Version. | + +#### Command example +```!cisco-amp-app-trajectory-query-list ios_bid=com.apple.Safari.SafeBrowsing limit=5``` +#### Context Example +```json +{ + "CiscoAMP": { + "AppTrajectoryQuery": [ + { + "bundle_id": "CiscoAMP_AppTrajectoryQuery[0]_bundle_id", + "cdhash": "CiscoAMP_AppTrajectoryQuery[0]_cdhash", + "connector_guid": "CiscoAMP_AppTrajectoryQuery[0]_connector_guid", + "date": "CiscoAMP_AppTrajectoryQuery[0]_date", + "group_guids": [ + "CiscoAMP_AppTrajectoryQuery[0]_group_guids_0" + ], + "network_info": { + "direction": "CiscoAMP_AppTrajectoryQuery[0]_network_info_direction", + "dirty_url": "CiscoAMP_AppTrajectoryQuery[0]_network_info_dirty_url", + "local_ip": "CiscoAMP_AppTrajectoryQuery[0]_network_info_local_ip", + "local_port": "CiscoAMP_AppTrajectoryQuery[0]_network_info_local_port", + "protocol": "CiscoAMP_AppTrajectoryQuery[0]_network_info_protocol", + "remote_ip": "CiscoAMP_AppTrajectoryQuery[0]_network_info_remote_ip", + "remote_port": "CiscoAMP_AppTrajectoryQuery[0]_network_info_remote_port" + }, + "query_type": "CiscoAMP_AppTrajectoryQuery[0]_query_type", + "timestamp": "CiscoAMP_AppTrajectoryQuery[0]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_AppTrajectoryQuery[0]_timestamp_nanoseconds", + "ver": "CiscoAMP_AppTrajectoryQuery[0]_ver" + }, + { + "bundle_id": "CiscoAMP_AppTrajectoryQuery[1]_bundle_id", + "cdhash": "CiscoAMP_AppTrajectoryQuery[1]_cdhash", + "connector_guid": "CiscoAMP_AppTrajectoryQuery[1]_connector_guid", + "date": "CiscoAMP_AppTrajectoryQuery[1]_date", + "group_guids": [ + "CiscoAMP_AppTrajectoryQuery[1]_group_guids_0" + ], + "network_info": { + "direction": "CiscoAMP_AppTrajectoryQuery[1]_network_info_direction", + "dirty_url": "CiscoAMP_AppTrajectoryQuery[1]_network_info_dirty_url", + "local_ip": "CiscoAMP_AppTrajectoryQuery[1]_network_info_local_ip", + "local_port": "CiscoAMP_AppTrajectoryQuery[1]_network_info_local_port", + "protocol": "CiscoAMP_AppTrajectoryQuery[1]_network_info_protocol", + "remote_ip": "CiscoAMP_AppTrajectoryQuery[1]_network_info_remote_ip", + "remote_port": "CiscoAMP_AppTrajectoryQuery[1]_network_info_remote_port" + }, + "query_type": "CiscoAMP_AppTrajectoryQuery[1]_query_type", + "timestamp": "CiscoAMP_AppTrajectoryQuery[1]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_AppTrajectoryQuery[1]_timestamp_nanoseconds", + "ver": "CiscoAMP_AppTrajectoryQuery[1]_ver" + }, + { + "bundle_id": "CiscoAMP_AppTrajectoryQuery[2]_bundle_id", + "cdhash": "CiscoAMP_AppTrajectoryQuery[2]_cdhash", + "connector_guid": "CiscoAMP_AppTrajectoryQuery[2]_connector_guid", + "date": "CiscoAMP_AppTrajectoryQuery[2]_date", + "group_guids": [ + "CiscoAMP_AppTrajectoryQuery[2]_group_guids_0" + ], + "network_info": { + "direction": "CiscoAMP_AppTrajectoryQuery[2]_network_info_direction", + "dirty_url": "CiscoAMP_AppTrajectoryQuery[2]_network_info_dirty_url", + "local_ip": "CiscoAMP_AppTrajectoryQuery[2]_network_info_local_ip", + "local_port": "CiscoAMP_AppTrajectoryQuery[2]_network_info_local_port", + "protocol": "CiscoAMP_AppTrajectoryQuery[2]_network_info_protocol", + "remote_ip": "CiscoAMP_AppTrajectoryQuery[2]_network_info_remote_ip", + "remote_port": "CiscoAMP_AppTrajectoryQuery[2]_network_info_remote_port" + }, + "query_type": "CiscoAMP_AppTrajectoryQuery[2]_query_type", + "timestamp": "CiscoAMP_AppTrajectoryQuery[2]_timestamp", + "timestamp_nanoseconds": "CiscoAMP_AppTrajectoryQuery[2]_timestamp_nanoseconds", + "ver": "CiscoAMP_AppTrajectoryQuery[2]_ver" + } + ] + } +} +``` + +#### Human Readable Output + +>### App Trajectory Information +>|Connector GUID|Date|Query Type|Dirty URL| +>|---|---|---|---| +>| dddd4ceb-4ce1-4f81-a7a7-04d13cc1df43 | 2022-10-24T12:01:59+00:00 | Network Query | https://configuration.apple.com/configurations/internetservices/safari/SafeBrowsingRemoteConfiguration-0.plist | +>| 0f6ee17f-a31b-4b76-902f-7cf68a79089d | 2022-10-23T13:48:38+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch | +>| 0f6ee17f-a31b-4b76-902f-7cf68a79089d | 2022-10-23T13:18:16+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch | +>| 8aa97bc7-3cc1-47aa-ad0a-0e23d5493aff | 2022-10-23T12:30:46+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch | +>| 8aa97bc7-3cc1-47aa-ad0a-0e23d5493aff | 2022-10-23T12:00:54+00:00 | Network Query | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch | + + +### cisco-amp-version-get +*** +Get API version. + + +#### Base Command + +`cisco-amp-version-get` +#### Input + +There are no input arguments for this command. + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.Version.version | String | API version. | + +#### Command example +```!cisco-amp-version-get``` +#### Context Example +```json +{ + "CiscoAMP": { + "Version": { + "version": "CiscoAMP_Version_version" + } + } +} +``` + +#### Human Readable Output + +>Version: v1.2.0 + +### cisco-amp-vulnerability-list +*** +Fetch a list of vulnerabilities. This is analogous to the Vulnerable Software view on the AMP for Endpoints Console. The list can be filtered to show only the vulnerable programs detected for a specific time range. Provide a list of computers on which the vulnerability has been observed with a given SHA-256. The list item contains a summary of information on the vulnerability, including: application name and version, SHA-256 value for the executable file, connectors on which the vulnerable application was observed and the most recent CVSS score. IMPORTANT: The computer's key returns information about the last 1000 connectors on which the vulnerable application was observed. + + +#### Base Command + +`cisco-amp-vulnerability-list` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| sha256 | SHA-256 that has been observed as a vulnerability. | Optional | +| group_guid | Comma-separated list for group GUIDs to filter by. | Optional | +| start_time | The start date and time expressed according to ISO 8601. The retrieved list will include vulnerable programs detected at start_time. | Optional | +| end_time | The end date and/or time expressed according to ISO 8601. Exclusive - if end_time is a time, the list will only include vulnerable programs detected before end_time). Inclusive - if end_time is a date, the list will include vulnerable programs detected on the date. | Optional | +| page | Page number to return. | Optional | +| page_size | Number of results in a page. Maximum is 500. | Optional | +| limit | Number of total results to return. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CiscoAMP.Vulnerability.application | String | Name of the application. | +| CiscoAMP.Vulnerability.version | String | Version of the application. | +| CiscoAMP.Vulnerability.file.filename | String | Name of the file. | +| CiscoAMP.Vulnerability.file.identity.sha256 | String | File's SHA-256. | +| CiscoAMP.Vulnerability.latest_timestamp | Number | Vulnerability latest timestamp. | +| CiscoAMP.Vulnerability.latest_date | Date | Vulnerability latest date. | +| CiscoAMP.Vulnerability.computers_total_count | Number | Number of computers. | +| CiscoAMP.Vulnerability.connector_guid | String | GUID of the connector. | +| CiscoAMP.Vulnerability.hostname | String | Host's name. | +| CiscoAMP.Vulnerability.windows_processor_id | String | Windows processor ID. | +| CiscoAMP.Vulnerability.active | Boolean | Whether the computer is active. | +| CiscoAMP.Vulnerability.group_guid | String | Group's GUID. | +| CiscoAMP.Vulnerability.cves.id | String | Common vulnerability exposure ID. | +| CiscoAMP.Vulnerability.cves.link | String | Common vulnerability exposure link. | +| CiscoAMP.Vulnerability.cves.cvss | Number | Common vulnerability scoring system. | +| CiscoAMP.Vulnerability.groups.name | String | Group's name. | +| CiscoAMP.Vulnerability.groups.description | String | Group's description. | +| CiscoAMP.Vulnerability.groups.guid | String | Group's GUID. | +| CiscoAMP.Vulnerability.groups.source | String | Group's source of creation. | +| CiscoAMP.Vulnerability.computers.connector_guid | String | GUID of the connector. | +| CiscoAMP.Vulnerability.computers.hostname | String | Host's name. | +| CiscoAMP.Vulnerability.computers.windows_processor_id | String | Windows processor ID. | +| CiscoAMP.Vulnerability.computers.active | Boolean | Whether the computer is active. | + +#### Command example +```!cisco-amp-vulnerability-list``` +#### Context Example +```json +{ + "CiscoAMP": { + "Vulnerability": [ + { + "application": "CiscoAMP_Vulnerability[0]_application", + "computers": [ + { + "active": "CiscoAMP_Vulnerability[0]_computers[0]_active", + "connector_guid": "CiscoAMP_Vulnerability[0]_computers[0]_connector_guid", + "hostname": "CiscoAMP_Vulnerability[0]_computers[0]_hostname", + "windows_processor_id": "CiscoAMP_Vulnerability[0]_computers[0]_windows_processor_id" + } + ], + "computers_total_count": "CiscoAMP_Vulnerability[0]_computers_total_count", + "cves": [ + { + "cvss": "CiscoAMP_Vulnerability[0]_cves[0]_cvss", + "id": "CiscoAMP_Vulnerability[0]_cves[0]_id", + "link": "CiscoAMP_Vulnerability[0]_cves[0]_link" + } + ], + "file": { + "filename": "CiscoAMP_Vulnerability[0]_file_filename", + "identity": { + "sha256": "CiscoAMP_Vulnerability[0]_file_identity_sha256" + } + }, + "groups": [ + { + "description": "CiscoAMP_Vulnerability[0]_groups[0]_description", + "guid": "CiscoAMP_Vulnerability[0]_groups[0]_guid", + "name": "CiscoAMP_Vulnerability[0]_groups[0]_name" + } + ], + "latest_date": "CiscoAMP_Vulnerability[0]_latest_date", + "latest_timestamp": "CiscoAMP_Vulnerability[0]_latest_timestamp", + "version": "CiscoAMP_Vulnerability[0]_version" + }, + { + "application": "CiscoAMP_Vulnerability[1]_application", + "computers": [ + { + "active": "CiscoAMP_Vulnerability[1]_computers[0]_active", + "connector_guid": "CiscoAMP_Vulnerability[1]_computers[0]_connector_guid", + "hostname": "CiscoAMP_Vulnerability[1]_computers[0]_hostname", + "windows_processor_id": "CiscoAMP_Vulnerability[1]_computers[0]_windows_processor_id" + } + ], + "computers_total_count": "CiscoAMP_Vulnerability[1]_computers_total_count", + "cves": [ + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[0]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[0]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[0]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[1]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[1]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[1]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[2]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[2]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[2]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[3]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[3]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[3]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[4]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[4]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[4]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[5]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[5]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[5]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[6]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[6]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[6]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[7]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[7]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[7]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[8]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[8]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[8]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[9]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[9]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[9]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[10]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[10]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[10]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[11]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[11]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[11]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[12]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[12]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[12]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[13]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[13]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[13]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[14]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[14]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[14]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[15]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[15]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[15]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[16]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[16]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[16]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[17]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[17]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[17]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[18]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[18]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[18]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[19]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[19]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[19]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[20]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[20]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[20]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[21]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[21]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[21]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[22]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[22]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[22]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[23]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[23]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[23]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[24]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[24]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[24]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[25]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[25]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[25]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[26]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[26]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[26]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[27]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[27]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[27]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[28]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[28]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[28]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[29]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[29]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[29]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[30]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[30]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[30]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[31]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[31]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[31]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[32]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[32]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[32]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[33]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[33]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[33]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[34]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[34]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[34]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[35]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[35]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[35]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[36]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[36]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[36]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[37]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[37]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[37]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[38]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[38]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[38]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[39]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[39]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[39]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[40]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[40]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[40]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[41]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[41]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[41]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[42]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[42]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[42]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[43]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[43]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[43]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[44]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[44]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[44]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[45]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[45]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[45]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[46]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[46]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[46]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[47]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[47]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[47]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[48]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[48]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[48]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[49]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[49]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[49]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[50]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[50]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[50]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[51]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[51]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[51]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[52]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[52]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[52]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[53]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[53]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[53]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[54]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[54]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[54]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[55]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[55]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[55]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[56]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[56]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[56]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[57]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[57]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[57]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[58]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[58]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[58]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[59]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[59]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[59]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[60]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[60]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[60]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[1]_cves[61]_cvss", + "id": "CiscoAMP_Vulnerability[1]_cves[61]_id", + "link": "CiscoAMP_Vulnerability[1]_cves[61]_link" + } + ], + "file": { + "filename": "CiscoAMP_Vulnerability[1]_file_filename", + "identity": { + "sha256": "CiscoAMP_Vulnerability[1]_file_identity_sha256" + } + }, + "groups": [ + { + "description": "CiscoAMP_Vulnerability[1]_groups[0]_description", + "guid": "CiscoAMP_Vulnerability[1]_groups[0]_guid", + "name": "CiscoAMP_Vulnerability[1]_groups[0]_name" + } + ], + "latest_date": "CiscoAMP_Vulnerability[1]_latest_date", + "latest_timestamp": "CiscoAMP_Vulnerability[1]_latest_timestamp", + "version": "CiscoAMP_Vulnerability[1]_version" + }, + { + "application": "CiscoAMP_Vulnerability[2]_application", + "computers": [ + { + "active": "CiscoAMP_Vulnerability[2]_computers[0]_active", + "connector_guid": "CiscoAMP_Vulnerability[2]_computers[0]_connector_guid", + "hostname": "CiscoAMP_Vulnerability[2]_computers[0]_hostname", + "windows_processor_id": "CiscoAMP_Vulnerability[2]_computers[0]_windows_processor_id" + } + ], + "computers_total_count": "CiscoAMP_Vulnerability[2]_computers_total_count", + "cves": [ + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[0]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[0]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[0]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[1]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[1]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[1]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[2]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[2]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[2]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[3]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[3]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[3]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[4]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[4]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[4]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[5]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[5]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[5]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[6]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[6]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[6]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[7]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[7]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[7]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[8]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[8]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[8]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[9]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[9]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[9]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[10]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[10]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[10]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[11]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[11]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[11]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[12]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[12]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[12]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[13]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[13]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[13]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[14]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[14]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[14]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[15]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[15]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[15]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[16]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[16]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[16]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[17]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[17]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[17]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[18]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[18]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[18]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[19]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[19]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[19]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[20]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[20]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[20]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[21]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[21]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[21]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[22]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[22]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[22]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[23]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[23]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[23]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[24]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[24]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[24]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[25]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[25]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[25]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[26]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[26]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[26]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[27]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[27]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[27]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[28]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[28]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[28]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[29]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[29]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[29]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[30]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[30]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[30]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[31]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[31]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[31]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[32]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[32]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[32]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[33]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[33]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[33]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[34]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[34]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[34]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[35]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[35]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[35]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[36]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[36]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[36]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[37]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[37]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[37]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[38]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[38]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[38]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[39]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[39]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[39]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[40]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[40]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[40]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[41]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[41]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[41]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[42]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[42]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[42]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[43]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[43]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[43]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[44]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[44]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[44]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[45]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[45]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[45]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[46]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[46]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[46]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[47]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[47]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[47]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[48]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[48]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[48]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[49]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[49]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[49]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[50]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[50]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[50]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[51]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[51]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[51]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[52]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[52]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[52]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[53]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[53]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[53]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[54]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[54]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[54]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[55]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[55]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[55]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[56]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[56]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[56]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[57]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[57]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[57]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[58]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[58]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[58]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[59]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[59]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[59]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[60]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[60]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[60]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[61]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[61]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[61]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[62]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[62]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[62]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[63]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[63]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[63]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[64]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[64]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[64]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[65]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[65]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[65]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[66]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[66]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[66]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[67]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[67]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[67]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[68]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[68]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[68]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[69]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[69]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[69]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[70]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[70]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[70]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[71]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[71]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[71]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[72]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[72]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[72]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[73]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[73]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[73]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[74]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[74]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[74]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[75]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[75]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[75]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[76]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[76]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[76]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[77]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[77]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[77]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[78]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[78]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[78]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[79]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[79]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[79]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[80]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[80]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[80]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[81]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[81]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[81]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[82]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[82]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[82]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[83]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[83]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[83]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[84]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[84]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[84]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[85]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[85]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[85]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[86]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[86]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[86]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[87]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[87]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[87]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[88]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[88]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[88]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[89]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[89]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[89]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[90]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[90]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[90]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[91]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[91]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[91]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[92]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[92]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[92]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[93]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[93]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[93]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[94]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[94]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[94]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[95]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[95]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[95]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[96]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[96]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[96]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[97]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[97]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[97]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[2]_cves[98]_cvss", + "id": "CiscoAMP_Vulnerability[2]_cves[98]_id", + "link": "CiscoAMP_Vulnerability[2]_cves[98]_link" + } + ], + "file": { + "filename": "CiscoAMP_Vulnerability[2]_file_filename", + "identity": { + "sha256": "CiscoAMP_Vulnerability[2]_file_identity_sha256" + } + }, + "groups": [ + { + "description": "CiscoAMP_Vulnerability[2]_groups[0]_description", + "guid": "CiscoAMP_Vulnerability[2]_groups[0]_guid", + "name": "CiscoAMP_Vulnerability[2]_groups[0]_name" + } + ], + "latest_date": "CiscoAMP_Vulnerability[2]_latest_date", + "latest_timestamp": "CiscoAMP_Vulnerability[2]_latest_timestamp", + "version": "CiscoAMP_Vulnerability[2]_version" + }, + { + "application": "CiscoAMP_Vulnerability[3]_application", + "computers": [ + { + "active": "CiscoAMP_Vulnerability[3]_computers[0]_active", + "connector_guid": "CiscoAMP_Vulnerability[3]_computers[0]_connector_guid", + "hostname": "CiscoAMP_Vulnerability[3]_computers[0]_hostname", + "windows_processor_id": "CiscoAMP_Vulnerability[3]_computers[0]_windows_processor_id" + }, + { + "active": "CiscoAMP_Vulnerability[3]_computers[1]_active", + "connector_guid": "CiscoAMP_Vulnerability[3]_computers[1]_connector_guid", + "hostname": "CiscoAMP_Vulnerability[3]_computers[1]_hostname", + "windows_processor_id": "CiscoAMP_Vulnerability[3]_computers[1]_windows_processor_id" + } + ], + "computers_total_count": "CiscoAMP_Vulnerability[3]_computers_total_count", + "cves": [ + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[0]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[0]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[0]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[1]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[1]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[1]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[2]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[2]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[2]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[3]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[3]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[3]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[4]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[4]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[4]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[5]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[5]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[5]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[6]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[6]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[6]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[7]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[7]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[7]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[8]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[8]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[8]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[9]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[9]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[9]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[10]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[10]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[10]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[11]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[11]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[11]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[12]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[12]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[12]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[13]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[13]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[13]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[14]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[14]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[14]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[15]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[15]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[15]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[16]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[16]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[16]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[17]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[17]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[17]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[18]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[18]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[18]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[19]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[19]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[19]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[20]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[20]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[20]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[21]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[21]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[21]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[22]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[22]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[22]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[23]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[23]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[23]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[24]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[24]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[24]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[25]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[25]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[25]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[26]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[26]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[26]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[27]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[27]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[27]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[28]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[28]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[28]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[29]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[29]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[29]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[30]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[30]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[30]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[31]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[31]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[31]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[32]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[32]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[32]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[33]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[33]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[33]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[34]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[34]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[34]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[35]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[35]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[35]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[36]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[36]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[36]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[37]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[37]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[37]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[38]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[38]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[38]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[39]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[39]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[39]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[40]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[40]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[40]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[41]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[41]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[41]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[42]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[42]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[42]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[43]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[43]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[43]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[44]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[44]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[44]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[45]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[45]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[45]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[46]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[46]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[46]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[47]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[47]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[47]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[48]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[48]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[48]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[49]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[49]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[49]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[50]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[50]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[50]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[51]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[51]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[51]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[52]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[52]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[52]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[3]_cves[53]_cvss", + "id": "CiscoAMP_Vulnerability[3]_cves[53]_id", + "link": "CiscoAMP_Vulnerability[3]_cves[53]_link" + } + ], + "file": { + "filename": "CiscoAMP_Vulnerability[3]_file_filename", + "identity": { + "sha256": "CiscoAMP_Vulnerability[3]_file_identity_sha256" + } + }, + "groups": [ + { + "description": "CiscoAMP_Vulnerability[3]_groups[0]_description", + "guid": "CiscoAMP_Vulnerability[3]_groups[0]_guid", + "name": "CiscoAMP_Vulnerability[3]_groups[0]_name" + }, + { + "description": "CiscoAMP_Vulnerability[3]_groups[1]_description", + "guid": "CiscoAMP_Vulnerability[3]_groups[1]_guid", + "name": "CiscoAMP_Vulnerability[3]_groups[1]_name" + } + ], + "latest_date": "CiscoAMP_Vulnerability[3]_latest_date", + "latest_timestamp": "CiscoAMP_Vulnerability[3]_latest_timestamp", + "version": "CiscoAMP_Vulnerability[3]_version" + }, + { + "application": "CiscoAMP_Vulnerability[4]_application", + "computers": [ + { + "active": "CiscoAMP_Vulnerability[4]_computers[0]_active", + "connector_guid": "CiscoAMP_Vulnerability[4]_computers[0]_connector_guid", + "hostname": "CiscoAMP_Vulnerability[4]_computers[0]_hostname", + "windows_processor_id": "CiscoAMP_Vulnerability[4]_computers[0]_windows_processor_id" + } + ], + "computers_total_count": "CiscoAMP_Vulnerability[4]_computers_total_count", + "cves": [ + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[0]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[0]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[0]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[1]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[1]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[1]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[2]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[2]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[2]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[3]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[3]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[3]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[4]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[4]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[4]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[5]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[5]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[5]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[6]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[6]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[6]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[7]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[7]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[7]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[8]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[8]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[8]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[9]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[9]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[9]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[10]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[10]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[10]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[11]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[11]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[11]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[12]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[12]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[12]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[13]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[13]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[13]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[4]_cves[14]_cvss", + "id": "CiscoAMP_Vulnerability[4]_cves[14]_id", + "link": "CiscoAMP_Vulnerability[4]_cves[14]_link" + } + ], + "file": { + "filename": "CiscoAMP_Vulnerability[4]_file_filename", + "identity": { + "sha256": "CiscoAMP_Vulnerability[4]_file_identity_sha256" + } + }, + "groups": [ + { + "description": "CiscoAMP_Vulnerability[4]_groups[0]_description", + "guid": "CiscoAMP_Vulnerability[4]_groups[0]_guid", + "name": "CiscoAMP_Vulnerability[4]_groups[0]_name" + } + ], + "latest_date": "CiscoAMP_Vulnerability[4]_latest_date", + "latest_timestamp": "CiscoAMP_Vulnerability[4]_latest_timestamp", + "version": "CiscoAMP_Vulnerability[4]_version" + }, + { + "application": "CiscoAMP_Vulnerability[5]_application", + "computers": [ + { + "active": "CiscoAMP_Vulnerability[5]_computers[0]_active", + "connector_guid": "CiscoAMP_Vulnerability[5]_computers[0]_connector_guid", + "hostname": "CiscoAMP_Vulnerability[5]_computers[0]_hostname", + "windows_processor_id": "CiscoAMP_Vulnerability[5]_computers[0]_windows_processor_id" + } + ], + "computers_total_count": "CiscoAMP_Vulnerability[5]_computers_total_count", + "cves": [ + { + "cvss": "CiscoAMP_Vulnerability[5]_cves[0]_cvss", + "id": "CiscoAMP_Vulnerability[5]_cves[0]_id", + "link": "CiscoAMP_Vulnerability[5]_cves[0]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[5]_cves[1]_cvss", + "id": "CiscoAMP_Vulnerability[5]_cves[1]_id", + "link": "CiscoAMP_Vulnerability[5]_cves[1]_link" + } + ], + "file": { + "filename": "CiscoAMP_Vulnerability[5]_file_filename", + "identity": { + "sha256": "CiscoAMP_Vulnerability[5]_file_identity_sha256" + } + }, + "groups": [ + { + "description": "CiscoAMP_Vulnerability[5]_groups[0]_description", + "guid": "CiscoAMP_Vulnerability[5]_groups[0]_guid", + "name": "CiscoAMP_Vulnerability[5]_groups[0]_name" + } + ], + "latest_date": "CiscoAMP_Vulnerability[5]_latest_date", + "latest_timestamp": "CiscoAMP_Vulnerability[5]_latest_timestamp", + "version": "CiscoAMP_Vulnerability[5]_version" + }, + { + "application": "CiscoAMP_Vulnerability[6]_application", + "computers": [ + { + "active": "CiscoAMP_Vulnerability[6]_computers[0]_active", + "connector_guid": "CiscoAMP_Vulnerability[6]_computers[0]_connector_guid", + "hostname": "CiscoAMP_Vulnerability[6]_computers[0]_hostname", + "windows_processor_id": "CiscoAMP_Vulnerability[6]_computers[0]_windows_processor_id" + } + ], + "computers_total_count": "CiscoAMP_Vulnerability[6]_computers_total_count", + "cves": [ + { + "cvss": "CiscoAMP_Vulnerability[6]_cves[0]_cvss", + "id": "CiscoAMP_Vulnerability[6]_cves[0]_id", + "link": "CiscoAMP_Vulnerability[6]_cves[0]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[6]_cves[1]_cvss", + "id": "CiscoAMP_Vulnerability[6]_cves[1]_id", + "link": "CiscoAMP_Vulnerability[6]_cves[1]_link" + } + ], + "file": { + "filename": "CiscoAMP_Vulnerability[6]_file_filename", + "identity": { + "sha256": "CiscoAMP_Vulnerability[6]_file_identity_sha256" + } + }, + "groups": [ + { + "description": "CiscoAMP_Vulnerability[6]_groups[0]_description", + "guid": "CiscoAMP_Vulnerability[6]_groups[0]_guid", + "name": "CiscoAMP_Vulnerability[6]_groups[0]_name" + } + ], + "latest_date": "CiscoAMP_Vulnerability[6]_latest_date", + "latest_timestamp": "CiscoAMP_Vulnerability[6]_latest_timestamp", + "version": "CiscoAMP_Vulnerability[6]_version" + }, + { + "application": "CiscoAMP_Vulnerability[7]_application", + "computers": [ + { + "active": "CiscoAMP_Vulnerability[7]_computers[0]_active", + "connector_guid": "CiscoAMP_Vulnerability[7]_computers[0]_connector_guid", + "hostname": "CiscoAMP_Vulnerability[7]_computers[0]_hostname", + "windows_processor_id": "CiscoAMP_Vulnerability[7]_computers[0]_windows_processor_id" + } + ], + "computers_total_count": "CiscoAMP_Vulnerability[7]_computers_total_count", + "cves": [ + { + "cvss": "CiscoAMP_Vulnerability[7]_cves[0]_cvss", + "id": "CiscoAMP_Vulnerability[7]_cves[0]_id", + "link": "CiscoAMP_Vulnerability[7]_cves[0]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[7]_cves[1]_cvss", + "id": "CiscoAMP_Vulnerability[7]_cves[1]_id", + "link": "CiscoAMP_Vulnerability[7]_cves[1]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[7]_cves[2]_cvss", + "id": "CiscoAMP_Vulnerability[7]_cves[2]_id", + "link": "CiscoAMP_Vulnerability[7]_cves[2]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[7]_cves[3]_cvss", + "id": "CiscoAMP_Vulnerability[7]_cves[3]_id", + "link": "CiscoAMP_Vulnerability[7]_cves[3]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[7]_cves[4]_cvss", + "id": "CiscoAMP_Vulnerability[7]_cves[4]_id", + "link": "CiscoAMP_Vulnerability[7]_cves[4]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[7]_cves[5]_cvss", + "id": "CiscoAMP_Vulnerability[7]_cves[5]_id", + "link": "CiscoAMP_Vulnerability[7]_cves[5]_link" + }, + { + "cvss": "CiscoAMP_Vulnerability[7]_cves[6]_cvss", + "id": "CiscoAMP_Vulnerability[7]_cves[6]_id", + "link": "CiscoAMP_Vulnerability[7]_cves[6]_link" + } + ], + "file": { + "filename": "CiscoAMP_Vulnerability[7]_file_filename", + "identity": { + "sha256": "CiscoAMP_Vulnerability[7]_file_identity_sha256" + } + }, + "groups": [ + { + "description": "CiscoAMP_Vulnerability[7]_groups[0]_description", + "guid": "CiscoAMP_Vulnerability[7]_groups[0]_guid", + "name": "CiscoAMP_Vulnerability[7]_groups[0]_name" + } + ], + "latest_date": "CiscoAMP_Vulnerability[7]_latest_date", + "latest_timestamp": "CiscoAMP_Vulnerability[7]_latest_timestamp", + "version": "CiscoAMP_Vulnerability[7]_version" + } + ] + } +} +``` + +#### Human Readable Output + +>### Results +>|Current Item Count|Index|Items Per Page|Total| +>|---|---|---|---| +>| 8 | 0 | 100 | 8 | +>### Vulnerabilities Information +>|Application|Version|Latest Date|File Name|SHA-256| +>|---|---|---|---|---| +>| Mozilla Firefox | 41.0 | 2022-10-25T12:20:00+00:00 | firefox.exe | 4312CDB2EAD8FD8D2DD6D8D716F3B6E9717B3D7167A2A0495E4391312102170F | +>| Adobe Flash Player | 11.5.502.146 | 2022-10-25T12:05:49+00:00 | FlashPlayerApp.exe | c1219f0799e60ff48a9705b63c14168684aed911610fec68548ea08f605cc42b | +>| Oracle Java(TM) Platform SE | 1.7.0:update_10 | 2022-10-25T12:05:05+00:00 | java.exe | 0b4eefc0d815ac0fdc20f22add8fd2d8113be99578a4e5189122b28b201ccbd9 | +>| Adobe Acrobat Reader | IP | 2022-10-25T12:02:34+00:00 | AcroRd32.exe | 825b7b20a913f26641c012f1cb61b81d29033f142ba6c6734425de06432e4f82 | +>| Microsoft Office | 2013 | 2022-10-23T12:37:33+00:00 | WINWORD.EXE | 3D46E95284F93BBB76B3B7E1BF0E1B2D51E8A9411C2B6E649112F22F92DE63C2 | +>| Microsoft Internet Explorer | 11 | 2022-10-04T07:02:27+00:00 | mshtml.dll | D1BEA74AC9D85B3DCD4ABC1AF42AF6C37B9349DEFC8E6577993611B773F56CA0 | +>| Microsoft Internet Explorer | 11 | 2022-10-04T07:02:26+00:00 | mshtml.dll | 1DC5D15A26A79BB46519952A60B15AA4ACB36F6CE3247EBF50DF9C157BC4FCF4 | +>| Microsoft Office | 2016 | 2022-10-04T06:32:53+00:00 | OUTLOOK.EXE | 465F398AE8E3C32395EB7C04BC8CD24595068E6A127E243BED3E9B4931556BFC | + + +### endpoint +*** +Returns information about an endpoint. + + +#### Base Command + +`endpoint` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| id | The endpoint ID. Takes priority over the IP and hostname arguments. | Optional | +| ip | The endpoint IP address. The IP argument has priority over the hostname argument. | Optional | +| hostname | The endpoint hostname. | Optional | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| Endpoint.Hostname | String | The hostname of the endpoint. | +| Endpoint.ID | String | The endpoint's identifier. | +| Endpoint.IPAddress | String | The endpoint's IP address. | +| Endpoint.OS | String | The endpoint's operating system. | +| Endpoint.OSVersion | String | The endpoint's operating system's version. | +| Endpoint.Status | String | The status of the endpoint \(online/offline\). | +| Endpoint.MACAddress | String | The endpoint's MAC address. | +| Endpoint.Vendor | String | The integration name of the endpoint vendor. | + +#### Command example +```!endpoint id=22d4a486-1732-4f8b-9a6f-18f172fe7af0``` +#### Context Example +```json +{ + "Endpoint": { + "Hostname": "Endpoint_Hostname", + "ID": "Endpoint_ID", + "IPAddress": "Endpoint_IPAddress", + "MACAddress": "Endpoint_MACAddress", + "OS": "Endpoint_OS", + "OSVersion": "Endpoint_OSVersion", + "Status": "Endpoint_Status", + "Vendor": "Endpoint_Vendor" + } +} +``` + +#### Human Readable Output + +>### CiscoAMP - Endpoint Demo_AMP +>|Hostname|ID|IPAddress|MACAddress|OS|OSVersion|Status|Vendor| +>|---|---|---|---|---|---|---|---| +>| Demo_AMP | 22d4a486-1732-4f8b-9a6f-18f172fe7af0 | IP | e6:80:50:1e:e5:20 | Windows 10 | 10.0.19044.1466 | Online | CiscoAMP Response | + + +### file +*** +Runs reputation on files. + + +#### Base Command + +`file` +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| file | Hash of the file to query. Supports MD5, SHA1, and SHA256. | Required | + + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| File.MD5 | String | The MD5 hash of the file. | +| File.SHA1 | String | The SHA1 hash of the file. | +| File.SHA256 | String | The SHA256 hash of the file. | +| File.Name | String | The full file name \(including file extension\). | +| File.Path | String | The path where the file is located. | +| File.Hostname | String | The name of the host where the file was found. | +| File.Malicious.Vendor | String | The vendor that reported the file as malicious. | +| File.Malicious.Description | String | A description of why the file was determined to be malicious. | +| DBotScore.Indicator | String | The indicator that was tested. | +| DBotScore.Type | String | The indicator type. | +| DBotScore.Vendor | String | The vendor used to calculate the score. | +| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. | +| DBotScore.Score | Number | The actual score. | + +#### Command example +```!file file=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad``` +#### Context Example +```json +{ + "DBotScore": [ + { + "Indicator": "DBotScore[0]_Indicator", + "Reliability": "DBotScore[0]_Reliability", + "Score": "DBotScore[0]_Score", + "Type": "DBotScore[0]_Type", + "Vendor": "DBotScore[0]_Vendor" + }, + { + "Indicator": "DBotScore[1]_Indicator", + "Reliability": "DBotScore[1]_Reliability", + "Score": "DBotScore[1]_Score", + "Type": "DBotScore[1]_Type", + "Vendor": "DBotScore[1]_Vendor" + }, + { + "Indicator": "DBotScore[2]_Indicator", + "Reliability": "DBotScore[2]_Reliability", + "Score": "DBotScore[2]_Score", + "Type": "DBotScore[2]_Type", + "Vendor": "DBotScore[2]_Vendor" + }, + { + "Indicator": "DBotScore[3]_Indicator", + "Reliability": "DBotScore[3]_Reliability", + "Score": "DBotScore[3]_Score", + "Type": "DBotScore[3]_Type", + "Vendor": "DBotScore[3]_Vendor" + }, + { + "Indicator": "DBotScore[4]_Indicator", + "Reliability": "DBotScore[4]_Reliability", + "Score": "DBotScore[4]_Score", + "Type": "DBotScore[4]_Type", + "Vendor": "DBotScore[4]_Vendor" + }, + { + "Indicator": "DBotScore[5]_Indicator", + "Reliability": "DBotScore[5]_Reliability", + "Score": "DBotScore[5]_Score", + "Type": "DBotScore[5]_Type", + "Vendor": "DBotScore[5]_Vendor" + }, + { + "Indicator": "DBotScore[6]_Indicator", + "Reliability": "DBotScore[6]_Reliability", + "Score": "DBotScore[6]_Score", + "Type": "DBotScore[6]_Type", + "Vendor": "DBotScore[6]_Vendor" + } + ], + "File": [ + { + "DetectionEngines": "File[0]_DetectionEngines", + "MD5": "File[0]_MD5", + "PositiveDetections": "File[0]_PositiveDetections", + "SHA1": "File[0]_SHA1", + "SHA256": "File[0]_SHA256", + "VirusTotal": { + "ScanID": "File[0]_VirusTotal_ScanID", + "vtLink": "File[0]_VirusTotal_vtLink" + } + }, + { + "Hashes": [ + { + "type": "File[1]_Hashes[0]_type", + "value": "File[1]_Hashes[0]_value" + } + ], + "Hostname": "File[1]_Hostname", + "Name": "File[1]_Name", + "SHA256": "File[1]_SHA256" + } + ] +} +``` + +#### Human Readable Output + +### Cisco AMP - Hash Reputation for: 4312CDB2EAD8FD8D2DD6D8D716F3B6E9717B3D7167A2A0495E4391312102170F +>|Hashes|Hostname|Name|SHA256| +>|---|---|---|---| +>| {'type': 'SHA256', 'value': '4312CDB2EAD8FD8D2DD6D8D716F3B6E9717B3D7167A2A0495E4391312102170F'} | Demo_AMP_Exploit_Prevention | firefox.exe | 4312CDB2EAD8FD8D2DD6D8D716F3B6E9717B3D7167A2A0495E4391312102170F | diff --git a/Packs/AMP/Integrations/AMPv2/test_data/app_trajectory_query_response.json b/Packs/AMP/Integrations/AMPv2/test_data/app_trajectory_query_response.json new file mode 100644 index 000000000000..86bcfcb5b20b --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/app_trajectory_query_response.json @@ -0,0 +1,2791 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": [ + { + "connector_guid": "data[0]_connector_guid", + "bundle_id": "data[0]_bundle_id", + "group_guids": [ + "data[0]_group_guids_0" + ], + "links": { + "computer": "data[0]_links_computer", + "trajectory": "data[0]_links_trajectory", + "group": "data[0]_links_group" + }, + "cdhash": "data[0]_cdhash", + "timestamp": "data[0]_timestamp", + "timestamp_nanoseconds": "data[0]_timestamp_nanoseconds", + "date": "data[0]_date", + "query_type": "data[0]_query_type", + "network_info": { + "dirty_url": "data[0]_network_info_dirty_url", + "remote_ip": "data[0]_network_info_remote_ip", + "remote_port": "data[0]_network_info_remote_port", + "local_ip": "data[0]_network_info_local_ip", + "local_port": "data[0]_network_info_local_port", + "direction": "data[0]_network_info_direction", + "protocol": "data[0]_network_info_protocol" + }, + "ver": "data[0]_ver" + }, + { + "connector_guid": "data[1]_connector_guid", + "bundle_id": "data[1]_bundle_id", + "group_guids": [ + "data[1]_group_guids_0" + ], + "links": { + "computer": "data[1]_links_computer", + "trajectory": "data[1]_links_trajectory", + "group": "data[1]_links_group" + }, + "cdhash": "data[1]_cdhash", + "timestamp": "data[1]_timestamp", + "timestamp_nanoseconds": "data[1]_timestamp_nanoseconds", + "date": "data[1]_date", + "query_type": "data[1]_query_type", + "network_info": { + "dirty_url": "data[1]_network_info_dirty_url", + "remote_ip": "data[1]_network_info_remote_ip", + "remote_port": "data[1]_network_info_remote_port", + "local_ip": "data[1]_network_info_local_ip", + "local_port": "data[1]_network_info_local_port", + "direction": "data[1]_network_info_direction", + "protocol": "data[1]_network_info_protocol" + }, + "ver": "data[1]_ver" + }, + { + "connector_guid": "data[2]_connector_guid", + "bundle_id": "data[2]_bundle_id", + "group_guids": [ + "data[2]_group_guids_0" + ], + "links": { + "computer": "data[2]_links_computer", + "trajectory": "data[2]_links_trajectory", + "group": "data[2]_links_group" + }, + "cdhash": "data[2]_cdhash", + "timestamp": "data[2]_timestamp", + "timestamp_nanoseconds": "data[2]_timestamp_nanoseconds", + "date": "data[2]_date", + "query_type": "data[2]_query_type", + "network_info": { + "dirty_url": "data[2]_network_info_dirty_url", + "remote_ip": "data[2]_network_info_remote_ip", + "remote_port": "data[2]_network_info_remote_port", + "local_ip": "data[2]_network_info_local_ip", + "local_port": "data[2]_network_info_local_port", + "direction": "data[2]_network_info_direction", + "protocol": "data[2]_network_info_protocol" + }, + "ver": "data[2]_ver" + }, + { + "connector_guid": "data[3]_connector_guid", + "bundle_id": "data[3]_bundle_id", + "group_guids": [ + "data[3]_group_guids_0" + ], + "links": { + "computer": "data[3]_links_computer", + "trajectory": "data[3]_links_trajectory", + "group": "data[3]_links_group" + }, + "cdhash": "data[3]_cdhash", + "timestamp": "data[3]_timestamp", + "timestamp_nanoseconds": "data[3]_timestamp_nanoseconds", + "date": "data[3]_date", + "query_type": "data[3]_query_type", + "network_info": { + "dirty_url": "data[3]_network_info_dirty_url", + "remote_ip": "data[3]_network_info_remote_ip", + "remote_port": "data[3]_network_info_remote_port", + "local_ip": "data[3]_network_info_local_ip", + "local_port": "data[3]_network_info_local_port", + "direction": "data[3]_network_info_direction", + "protocol": "data[3]_network_info_protocol" + }, + "ver": "data[3]_ver" + }, + { + "connector_guid": "data[4]_connector_guid", + "bundle_id": "data[4]_bundle_id", + "group_guids": [ + "data[4]_group_guids_0" + ], + "links": { + "computer": "data[4]_links_computer", + "trajectory": "data[4]_links_trajectory", + "group": "data[4]_links_group" + }, + "cdhash": "data[4]_cdhash", + "timestamp": "data[4]_timestamp", + "timestamp_nanoseconds": "data[4]_timestamp_nanoseconds", + "date": "data[4]_date", + "query_type": "data[4]_query_type", + "network_info": { + "dirty_url": "data[4]_network_info_dirty_url", + "remote_ip": "data[4]_network_info_remote_ip", + "remote_port": "data[4]_network_info_remote_port", + "local_ip": "data[4]_network_info_local_ip", + "local_port": "data[4]_network_info_local_port", + "direction": "data[4]_network_info_direction", + "protocol": "data[4]_network_info_protocol" + }, + "ver": "data[4]_ver" + }, + { + "connector_guid": "data[5]_connector_guid", + "bundle_id": "data[5]_bundle_id", + "group_guids": [ + "data[5]_group_guids_0" + ], + "links": { + "computer": "data[5]_links_computer", + "trajectory": "data[5]_links_trajectory", + "group": "data[5]_links_group" + }, + "cdhash": "data[5]_cdhash", + "timestamp": "data[5]_timestamp", + "timestamp_nanoseconds": "data[5]_timestamp_nanoseconds", + "date": "data[5]_date", + "query_type": "data[5]_query_type", + "network_info": { + "dirty_url": "data[5]_network_info_dirty_url", + "remote_ip": "data[5]_network_info_remote_ip", + "remote_port": "data[5]_network_info_remote_port", + "local_ip": "data[5]_network_info_local_ip", + "local_port": "data[5]_network_info_local_port", + "direction": "data[5]_network_info_direction", + "protocol": "data[5]_network_info_protocol" + }, + "ver": "data[5]_ver" + }, + { + "connector_guid": "data[6]_connector_guid", + "bundle_id": "data[6]_bundle_id", + "group_guids": [ + "data[6]_group_guids_0" + ], + "links": { + "computer": "data[6]_links_computer", + "trajectory": "data[6]_links_trajectory", + "group": "data[6]_links_group" + }, + "cdhash": "data[6]_cdhash", + "timestamp": "data[6]_timestamp", + "timestamp_nanoseconds": "data[6]_timestamp_nanoseconds", + "date": "data[6]_date", + "query_type": "data[6]_query_type", + "network_info": { + "dirty_url": "data[6]_network_info_dirty_url", + "remote_ip": "data[6]_network_info_remote_ip", + "remote_port": "data[6]_network_info_remote_port", + "local_ip": "data[6]_network_info_local_ip", + "local_port": "data[6]_network_info_local_port", + "direction": "data[6]_network_info_direction", + "protocol": "data[6]_network_info_protocol" + }, + "ver": "data[6]_ver" + }, + { + "connector_guid": "data[7]_connector_guid", + "bundle_id": "data[7]_bundle_id", + "group_guids": [ + "data[7]_group_guids_0" + ], + "links": { + "computer": "data[7]_links_computer", + "trajectory": "data[7]_links_trajectory", + "group": "data[7]_links_group" + }, + "cdhash": "data[7]_cdhash", + "timestamp": "data[7]_timestamp", + "timestamp_nanoseconds": "data[7]_timestamp_nanoseconds", + "date": "data[7]_date", + "query_type": "data[7]_query_type", + "network_info": { + "dirty_url": "data[7]_network_info_dirty_url", + "remote_ip": "data[7]_network_info_remote_ip", + "remote_port": "data[7]_network_info_remote_port", + "local_ip": "data[7]_network_info_local_ip", + "local_port": "data[7]_network_info_local_port", + "direction": "data[7]_network_info_direction", + "protocol": "data[7]_network_info_protocol" + }, + "ver": "data[7]_ver" + }, + { + "connector_guid": "data[8]_connector_guid", + "bundle_id": "data[8]_bundle_id", + "group_guids": [ + "data[8]_group_guids_0" + ], + "links": { + "computer": "data[8]_links_computer", + "trajectory": "data[8]_links_trajectory", + "group": "data[8]_links_group" + }, + "cdhash": "data[8]_cdhash", + "timestamp": "data[8]_timestamp", + "timestamp_nanoseconds": "data[8]_timestamp_nanoseconds", + "date": "data[8]_date", + "query_type": "data[8]_query_type", + "network_info": { + "dirty_url": "data[8]_network_info_dirty_url", + "remote_ip": "data[8]_network_info_remote_ip", + "remote_port": "data[8]_network_info_remote_port", + "local_ip": "data[8]_network_info_local_ip", + "local_port": "data[8]_network_info_local_port", + "direction": "data[8]_network_info_direction", + "protocol": "data[8]_network_info_protocol" + }, + "ver": "data[8]_ver" + }, + { + "connector_guid": "data[9]_connector_guid", + "bundle_id": "data[9]_bundle_id", + "group_guids": [ + "data[9]_group_guids_0" + ], + "links": { + "computer": "data[9]_links_computer", + "trajectory": "data[9]_links_trajectory", + "group": "data[9]_links_group" + }, + "cdhash": "data[9]_cdhash", + "timestamp": "data[9]_timestamp", + "timestamp_nanoseconds": "data[9]_timestamp_nanoseconds", + "date": "data[9]_date", + "query_type": "data[9]_query_type", + "network_info": { + "dirty_url": "data[9]_network_info_dirty_url", + "remote_ip": "data[9]_network_info_remote_ip", + "remote_port": "data[9]_network_info_remote_port", + "local_ip": "data[9]_network_info_local_ip", + "local_port": "data[9]_network_info_local_port", + "direction": "data[9]_network_info_direction", + "protocol": "data[9]_network_info_protocol" + }, + "ver": "data[9]_ver" + }, + { + "connector_guid": "data[10]_connector_guid", + "bundle_id": "data[10]_bundle_id", + "group_guids": [ + "data[10]_group_guids_0" + ], + "links": { + "computer": "data[10]_links_computer", + "trajectory": "data[10]_links_trajectory", + "group": "data[10]_links_group" + }, + "cdhash": "data[10]_cdhash", + "timestamp": "data[10]_timestamp", + "timestamp_nanoseconds": "data[10]_timestamp_nanoseconds", + "date": "data[10]_date", + "query_type": "data[10]_query_type", + "network_info": { + "dirty_url": "data[10]_network_info_dirty_url", + "remote_ip": "data[10]_network_info_remote_ip", + "remote_port": "data[10]_network_info_remote_port", + "local_ip": "data[10]_network_info_local_ip", + "local_port": "data[10]_network_info_local_port", + "direction": "data[10]_network_info_direction", + "protocol": "data[10]_network_info_protocol" + }, + "ver": "data[10]_ver" + }, + { + "connector_guid": "data[11]_connector_guid", + "bundle_id": "data[11]_bundle_id", + "group_guids": [ + "data[11]_group_guids_0" + ], + "links": { + "computer": "data[11]_links_computer", + "trajectory": "data[11]_links_trajectory", + "group": "data[11]_links_group" + }, + "cdhash": "data[11]_cdhash", + "timestamp": "data[11]_timestamp", + "timestamp_nanoseconds": "data[11]_timestamp_nanoseconds", + "date": "data[11]_date", + "query_type": "data[11]_query_type", + "network_info": { + "dirty_url": "data[11]_network_info_dirty_url", + "remote_ip": "data[11]_network_info_remote_ip", + "remote_port": "data[11]_network_info_remote_port", + "local_ip": "data[11]_network_info_local_ip", + "local_port": "data[11]_network_info_local_port", + "direction": "data[11]_network_info_direction", + "protocol": "data[11]_network_info_protocol" + }, + "ver": "data[11]_ver" + }, + { + "connector_guid": "data[12]_connector_guid", + "bundle_id": "data[12]_bundle_id", + "group_guids": [ + "data[12]_group_guids_0" + ], + "links": { + "computer": "data[12]_links_computer", + "trajectory": "data[12]_links_trajectory", + "group": "data[12]_links_group" + }, + "cdhash": "data[12]_cdhash", + "timestamp": "data[12]_timestamp", + "timestamp_nanoseconds": "data[12]_timestamp_nanoseconds", + "date": "data[12]_date", + "query_type": "data[12]_query_type", + "network_info": { + "dirty_url": "data[12]_network_info_dirty_url", + "remote_ip": "data[12]_network_info_remote_ip", + "remote_port": "data[12]_network_info_remote_port", + "local_ip": "data[12]_network_info_local_ip", + "local_port": "data[12]_network_info_local_port", + "direction": "data[12]_network_info_direction", + "protocol": "data[12]_network_info_protocol" + }, + "ver": "data[12]_ver" + }, + { + "connector_guid": "data[13]_connector_guid", + "bundle_id": "data[13]_bundle_id", + "group_guids": [ + "data[13]_group_guids_0" + ], + "links": { + "computer": "data[13]_links_computer", + "trajectory": "data[13]_links_trajectory", + "group": "data[13]_links_group" + }, + "cdhash": "data[13]_cdhash", + "timestamp": "data[13]_timestamp", + "timestamp_nanoseconds": "data[13]_timestamp_nanoseconds", + "date": "data[13]_date", + "query_type": "data[13]_query_type", + "network_info": { + "dirty_url": "data[13]_network_info_dirty_url", + "remote_ip": "data[13]_network_info_remote_ip", + "remote_port": "data[13]_network_info_remote_port", + "local_ip": "data[13]_network_info_local_ip", + "local_port": "data[13]_network_info_local_port", + "direction": "data[13]_network_info_direction", + "protocol": "data[13]_network_info_protocol" + }, + "ver": "data[13]_ver" + }, + { + "connector_guid": "data[14]_connector_guid", + "bundle_id": "data[14]_bundle_id", + "group_guids": [ + "data[14]_group_guids_0" + ], + "links": { + "computer": "data[14]_links_computer", + "trajectory": "data[14]_links_trajectory", + "group": "data[14]_links_group" + }, + "cdhash": "data[14]_cdhash", + "timestamp": "data[14]_timestamp", + "timestamp_nanoseconds": "data[14]_timestamp_nanoseconds", + "date": "data[14]_date", + "query_type": "data[14]_query_type", + "network_info": { + "dirty_url": "data[14]_network_info_dirty_url", + "remote_ip": "data[14]_network_info_remote_ip", + "remote_port": "data[14]_network_info_remote_port", + "local_ip": "data[14]_network_info_local_ip", + "local_port": "data[14]_network_info_local_port", + "direction": "data[14]_network_info_direction", + "protocol": "data[14]_network_info_protocol" + }, + "ver": "data[14]_ver" + }, + { + "connector_guid": "data[15]_connector_guid", + "bundle_id": "data[15]_bundle_id", + "group_guids": [ + "data[15]_group_guids_0" + ], + "links": { + "computer": "data[15]_links_computer", + "trajectory": "data[15]_links_trajectory", + "group": "data[15]_links_group" + }, + "cdhash": "data[15]_cdhash", + "timestamp": "data[15]_timestamp", + "timestamp_nanoseconds": "data[15]_timestamp_nanoseconds", + "date": "data[15]_date", + "query_type": "data[15]_query_type", + "network_info": { + "dirty_url": "data[15]_network_info_dirty_url", + "remote_ip": "data[15]_network_info_remote_ip", + "remote_port": "data[15]_network_info_remote_port", + "local_ip": "data[15]_network_info_local_ip", + "local_port": "data[15]_network_info_local_port", + "direction": "data[15]_network_info_direction", + "protocol": "data[15]_network_info_protocol" + }, + "ver": "data[15]_ver" + }, + { + "connector_guid": "data[16]_connector_guid", + "bundle_id": "data[16]_bundle_id", + "group_guids": [ + "data[16]_group_guids_0" + ], + "links": { + "computer": "data[16]_links_computer", + "trajectory": "data[16]_links_trajectory", + "group": "data[16]_links_group" + }, + "cdhash": "data[16]_cdhash", + "timestamp": "data[16]_timestamp", + "timestamp_nanoseconds": "data[16]_timestamp_nanoseconds", + "date": "data[16]_date", + "query_type": "data[16]_query_type", + "network_info": { + "dirty_url": "data[16]_network_info_dirty_url", + "remote_ip": "data[16]_network_info_remote_ip", + "remote_port": "data[16]_network_info_remote_port", + "local_ip": "data[16]_network_info_local_ip", + "local_port": "data[16]_network_info_local_port", + "direction": "data[16]_network_info_direction", + "protocol": "data[16]_network_info_protocol" + }, + "ver": "data[16]_ver" + }, + { + "connector_guid": "data[17]_connector_guid", + "bundle_id": "data[17]_bundle_id", + "group_guids": [ + "data[17]_group_guids_0" + ], + "links": { + "computer": "data[17]_links_computer", + "trajectory": "data[17]_links_trajectory", + "group": "data[17]_links_group" + }, + "cdhash": "data[17]_cdhash", + "timestamp": "data[17]_timestamp", + "timestamp_nanoseconds": "data[17]_timestamp_nanoseconds", + "date": "data[17]_date", + "query_type": "data[17]_query_type", + "network_info": { + "dirty_url": "data[17]_network_info_dirty_url", + "remote_ip": "data[17]_network_info_remote_ip", + "remote_port": "data[17]_network_info_remote_port", + "local_ip": "data[17]_network_info_local_ip", + "local_port": "data[17]_network_info_local_port", + "direction": "data[17]_network_info_direction", + "protocol": "data[17]_network_info_protocol" + }, + "ver": "data[17]_ver" + }, + { + "connector_guid": "data[18]_connector_guid", + "bundle_id": "data[18]_bundle_id", + "group_guids": [ + "data[18]_group_guids_0" + ], + "links": { + "computer": "data[18]_links_computer", + "trajectory": "data[18]_links_trajectory", + "group": "data[18]_links_group" + }, + "cdhash": "data[18]_cdhash", + "timestamp": "data[18]_timestamp", + "timestamp_nanoseconds": "data[18]_timestamp_nanoseconds", + "date": "data[18]_date", + "query_type": "data[18]_query_type", + "network_info": { + "dirty_url": "data[18]_network_info_dirty_url", + "remote_ip": "data[18]_network_info_remote_ip", + "remote_port": "data[18]_network_info_remote_port", + "local_ip": "data[18]_network_info_local_ip", + "local_port": "data[18]_network_info_local_port", + "direction": "data[18]_network_info_direction", + "protocol": "data[18]_network_info_protocol" + }, + "ver": "data[18]_ver" + }, + { + "connector_guid": "data[19]_connector_guid", + "bundle_id": "data[19]_bundle_id", + "group_guids": [ + "data[19]_group_guids_0" + ], + "links": { + "computer": "data[19]_links_computer", + "trajectory": "data[19]_links_trajectory", + "group": "data[19]_links_group" + }, + "cdhash": "data[19]_cdhash", + "timestamp": "data[19]_timestamp", + "timestamp_nanoseconds": "data[19]_timestamp_nanoseconds", + "date": "data[19]_date", + "query_type": "data[19]_query_type", + "network_info": { + "dirty_url": "data[19]_network_info_dirty_url", + "remote_ip": "data[19]_network_info_remote_ip", + "remote_port": "data[19]_network_info_remote_port", + "local_ip": "data[19]_network_info_local_ip", + "local_port": "data[19]_network_info_local_port", + "direction": "data[19]_network_info_direction", + "protocol": "data[19]_network_info_protocol" + }, + "ver": "data[19]_ver" + }, + { + "connector_guid": "data[20]_connector_guid", + "bundle_id": "data[20]_bundle_id", + "group_guids": [ + "data[20]_group_guids_0" + ], + "links": { + "computer": "data[20]_links_computer", + "trajectory": "data[20]_links_trajectory", + "group": "data[20]_links_group" + }, + "cdhash": "data[20]_cdhash", + "timestamp": "data[20]_timestamp", + "timestamp_nanoseconds": "data[20]_timestamp_nanoseconds", + "date": "data[20]_date", + "query_type": "data[20]_query_type", + "network_info": { + "dirty_url": "data[20]_network_info_dirty_url", + "remote_ip": "data[20]_network_info_remote_ip", + "remote_port": "data[20]_network_info_remote_port", + "local_ip": "data[20]_network_info_local_ip", + "local_port": "data[20]_network_info_local_port", + "direction": "data[20]_network_info_direction", + "protocol": "data[20]_network_info_protocol" + }, + "ver": "data[20]_ver" + }, + { + "connector_guid": "data[21]_connector_guid", + "bundle_id": "data[21]_bundle_id", + "group_guids": [ + "data[21]_group_guids_0" + ], + "links": { + "computer": "data[21]_links_computer", + "trajectory": "data[21]_links_trajectory", + "group": "data[21]_links_group" + }, + "cdhash": "data[21]_cdhash", + "timestamp": "data[21]_timestamp", + "timestamp_nanoseconds": "data[21]_timestamp_nanoseconds", + "date": "data[21]_date", + "query_type": "data[21]_query_type", + "network_info": { + "dirty_url": "data[21]_network_info_dirty_url", + "remote_ip": "data[21]_network_info_remote_ip", + "remote_port": "data[21]_network_info_remote_port", + "local_ip": "data[21]_network_info_local_ip", + "local_port": "data[21]_network_info_local_port", + "direction": "data[21]_network_info_direction", + "protocol": "data[21]_network_info_protocol" + }, + "ver": "data[21]_ver" + }, + { + "connector_guid": "data[22]_connector_guid", + "bundle_id": "data[22]_bundle_id", + "group_guids": [ + "data[22]_group_guids_0" + ], + "links": { + "computer": "data[22]_links_computer", + "trajectory": "data[22]_links_trajectory", + "group": "data[22]_links_group" + }, + "cdhash": "data[22]_cdhash", + "timestamp": "data[22]_timestamp", + "timestamp_nanoseconds": "data[22]_timestamp_nanoseconds", + "date": "data[22]_date", + "query_type": "data[22]_query_type", + "network_info": { + "dirty_url": "data[22]_network_info_dirty_url", + "remote_ip": "data[22]_network_info_remote_ip", + "remote_port": "data[22]_network_info_remote_port", + "local_ip": "data[22]_network_info_local_ip", + "local_port": "data[22]_network_info_local_port", + "direction": "data[22]_network_info_direction", + "protocol": "data[22]_network_info_protocol" + }, + "ver": "data[22]_ver" + }, + { + "connector_guid": "data[23]_connector_guid", + "bundle_id": "data[23]_bundle_id", + "group_guids": [ + "data[23]_group_guids_0" + ], + "links": { + "computer": "data[23]_links_computer", + "trajectory": "data[23]_links_trajectory", + "group": "data[23]_links_group" + }, + "cdhash": "data[23]_cdhash", + "timestamp": "data[23]_timestamp", + "timestamp_nanoseconds": "data[23]_timestamp_nanoseconds", + "date": "data[23]_date", + "query_type": "data[23]_query_type", + "network_info": { + "dirty_url": "data[23]_network_info_dirty_url", + "remote_ip": "data[23]_network_info_remote_ip", + "remote_port": "data[23]_network_info_remote_port", + "local_ip": "data[23]_network_info_local_ip", + "local_port": "data[23]_network_info_local_port", + "direction": "data[23]_network_info_direction", + "protocol": "data[23]_network_info_protocol" + }, + "ver": "data[23]_ver" + }, + { + "connector_guid": "data[24]_connector_guid", + "bundle_id": "data[24]_bundle_id", + "group_guids": [ + "data[24]_group_guids_0" + ], + "links": { + "computer": "data[24]_links_computer", + "trajectory": "data[24]_links_trajectory", + "group": "data[24]_links_group" + }, + "cdhash": "data[24]_cdhash", + "timestamp": "data[24]_timestamp", + "timestamp_nanoseconds": "data[24]_timestamp_nanoseconds", + "date": "data[24]_date", + "query_type": "data[24]_query_type", + "network_info": { + "dirty_url": "data[24]_network_info_dirty_url", + "remote_ip": "data[24]_network_info_remote_ip", + "remote_port": "data[24]_network_info_remote_port", + "local_ip": "data[24]_network_info_local_ip", + "local_port": "data[24]_network_info_local_port", + "direction": "data[24]_network_info_direction", + "protocol": "data[24]_network_info_protocol" + }, + "ver": "data[24]_ver" + }, + { + "connector_guid": "data[25]_connector_guid", + "bundle_id": "data[25]_bundle_id", + "group_guids": [ + "data[25]_group_guids_0" + ], + "links": { + "computer": "data[25]_links_computer", + "trajectory": "data[25]_links_trajectory", + "group": "data[25]_links_group" + }, + "cdhash": "data[25]_cdhash", + "timestamp": "data[25]_timestamp", + "timestamp_nanoseconds": "data[25]_timestamp_nanoseconds", + "date": "data[25]_date", + "query_type": "data[25]_query_type", + "network_info": { + "dirty_url": "data[25]_network_info_dirty_url", + "remote_ip": "data[25]_network_info_remote_ip", + "remote_port": "data[25]_network_info_remote_port", + "local_ip": "data[25]_network_info_local_ip", + "local_port": "data[25]_network_info_local_port", + "direction": "data[25]_network_info_direction", + "protocol": "data[25]_network_info_protocol" + }, + "ver": "data[25]_ver" + }, + { + "connector_guid": "data[26]_connector_guid", + "bundle_id": "data[26]_bundle_id", + "group_guids": [ + "data[26]_group_guids_0" + ], + "links": { + "computer": "data[26]_links_computer", + "trajectory": "data[26]_links_trajectory", + "group": "data[26]_links_group" + }, + "cdhash": "data[26]_cdhash", + "timestamp": "data[26]_timestamp", + "timestamp_nanoseconds": "data[26]_timestamp_nanoseconds", + "date": "data[26]_date", + "query_type": "data[26]_query_type", + "network_info": { + "dirty_url": "data[26]_network_info_dirty_url", + "remote_ip": "data[26]_network_info_remote_ip", + "remote_port": "data[26]_network_info_remote_port", + "local_ip": "data[26]_network_info_local_ip", + "local_port": "data[26]_network_info_local_port", + "direction": "data[26]_network_info_direction", + "protocol": "data[26]_network_info_protocol" + }, + "ver": "data[26]_ver" + }, + { + "connector_guid": "data[27]_connector_guid", + "bundle_id": "data[27]_bundle_id", + "group_guids": [ + "data[27]_group_guids_0" + ], + "links": { + "computer": "data[27]_links_computer", + "trajectory": "data[27]_links_trajectory", + "group": "data[27]_links_group" + }, + "cdhash": "data[27]_cdhash", + "timestamp": "data[27]_timestamp", + "timestamp_nanoseconds": "data[27]_timestamp_nanoseconds", + "date": "data[27]_date", + "query_type": "data[27]_query_type", + "network_info": { + "dirty_url": "data[27]_network_info_dirty_url", + "remote_ip": "data[27]_network_info_remote_ip", + "remote_port": "data[27]_network_info_remote_port", + "local_ip": "data[27]_network_info_local_ip", + "local_port": "data[27]_network_info_local_port", + "direction": "data[27]_network_info_direction", + "protocol": "data[27]_network_info_protocol" + }, + "ver": "data[27]_ver" + }, + { + "connector_guid": "data[28]_connector_guid", + "bundle_id": "data[28]_bundle_id", + "group_guids": [ + "data[28]_group_guids_0" + ], + "links": { + "computer": "data[28]_links_computer", + "trajectory": "data[28]_links_trajectory", + "group": "data[28]_links_group" + }, + "cdhash": "data[28]_cdhash", + "timestamp": "data[28]_timestamp", + "timestamp_nanoseconds": "data[28]_timestamp_nanoseconds", + "date": "data[28]_date", + "query_type": "data[28]_query_type", + "network_info": { + "dirty_url": "data[28]_network_info_dirty_url", + "remote_ip": "data[28]_network_info_remote_ip", + "remote_port": "data[28]_network_info_remote_port", + "local_ip": "data[28]_network_info_local_ip", + "local_port": "data[28]_network_info_local_port", + "direction": "data[28]_network_info_direction", + "protocol": "data[28]_network_info_protocol" + }, + "ver": "data[28]_ver" + }, + { + "connector_guid": "data[29]_connector_guid", + "bundle_id": "data[29]_bundle_id", + "group_guids": [ + "data[29]_group_guids_0" + ], + "links": { + "computer": "data[29]_links_computer", + "trajectory": "data[29]_links_trajectory", + "group": "data[29]_links_group" + }, + "cdhash": "data[29]_cdhash", + "timestamp": "data[29]_timestamp", + "timestamp_nanoseconds": "data[29]_timestamp_nanoseconds", + "date": "data[29]_date", + "query_type": "data[29]_query_type", + "network_info": { + "dirty_url": "data[29]_network_info_dirty_url", + "remote_ip": "data[29]_network_info_remote_ip", + "remote_port": "data[29]_network_info_remote_port", + "local_ip": "data[29]_network_info_local_ip", + "local_port": "data[29]_network_info_local_port", + "direction": "data[29]_network_info_direction", + "protocol": "data[29]_network_info_protocol" + }, + "ver": "data[29]_ver" + }, + { + "connector_guid": "data[30]_connector_guid", + "bundle_id": "data[30]_bundle_id", + "group_guids": [ + "data[30]_group_guids_0" + ], + "links": { + "computer": "data[30]_links_computer", + "trajectory": "data[30]_links_trajectory", + "group": "data[30]_links_group" + }, + "cdhash": "data[30]_cdhash", + "timestamp": "data[30]_timestamp", + "timestamp_nanoseconds": "data[30]_timestamp_nanoseconds", + "date": "data[30]_date", + "query_type": "data[30]_query_type", + "network_info": { + "dirty_url": "data[30]_network_info_dirty_url", + "remote_ip": "data[30]_network_info_remote_ip", + "remote_port": "data[30]_network_info_remote_port", + "local_ip": "data[30]_network_info_local_ip", + "local_port": "data[30]_network_info_local_port", + "direction": "data[30]_network_info_direction", + "protocol": "data[30]_network_info_protocol" + }, + "ver": "data[30]_ver" + }, + { + "connector_guid": "data[31]_connector_guid", + "bundle_id": "data[31]_bundle_id", + "group_guids": [ + "data[31]_group_guids_0" + ], + "links": { + "computer": "data[31]_links_computer", + "trajectory": "data[31]_links_trajectory", + "group": "data[31]_links_group" + }, + "cdhash": "data[31]_cdhash", + "timestamp": "data[31]_timestamp", + "timestamp_nanoseconds": "data[31]_timestamp_nanoseconds", + "date": "data[31]_date", + "query_type": "data[31]_query_type", + "network_info": { + "dirty_url": "data[31]_network_info_dirty_url", + "remote_ip": "data[31]_network_info_remote_ip", + "remote_port": "data[31]_network_info_remote_port", + "local_ip": "data[31]_network_info_local_ip", + "local_port": "data[31]_network_info_local_port", + "direction": "data[31]_network_info_direction", + "protocol": "data[31]_network_info_protocol" + }, + "ver": "data[31]_ver" + }, + { + "connector_guid": "data[32]_connector_guid", + "bundle_id": "data[32]_bundle_id", + "group_guids": [ + "data[32]_group_guids_0" + ], + "links": { + "computer": "data[32]_links_computer", + "trajectory": "data[32]_links_trajectory", + "group": "data[32]_links_group" + }, + "cdhash": "data[32]_cdhash", + "timestamp": "data[32]_timestamp", + "timestamp_nanoseconds": "data[32]_timestamp_nanoseconds", + "date": "data[32]_date", + "query_type": "data[32]_query_type", + "network_info": { + "dirty_url": "data[32]_network_info_dirty_url", + "remote_ip": "data[32]_network_info_remote_ip", + "remote_port": "data[32]_network_info_remote_port", + "local_ip": "data[32]_network_info_local_ip", + "local_port": "data[32]_network_info_local_port", + "direction": "data[32]_network_info_direction", + "protocol": "data[32]_network_info_protocol" + }, + "ver": "data[32]_ver" + }, + { + "connector_guid": "data[33]_connector_guid", + "bundle_id": "data[33]_bundle_id", + "group_guids": [ + "data[33]_group_guids_0" + ], + "links": { + "computer": "data[33]_links_computer", + "trajectory": "data[33]_links_trajectory", + "group": "data[33]_links_group" + }, + "cdhash": "data[33]_cdhash", + "timestamp": "data[33]_timestamp", + "timestamp_nanoseconds": "data[33]_timestamp_nanoseconds", + "date": "data[33]_date", + "query_type": "data[33]_query_type", + "network_info": { + "dirty_url": "data[33]_network_info_dirty_url", + "remote_ip": "data[33]_network_info_remote_ip", + "remote_port": "data[33]_network_info_remote_port", + "local_ip": "data[33]_network_info_local_ip", + "local_port": "data[33]_network_info_local_port", + "direction": "data[33]_network_info_direction", + "protocol": "data[33]_network_info_protocol" + }, + "ver": "data[33]_ver" + }, + { + "connector_guid": "data[34]_connector_guid", + "bundle_id": "data[34]_bundle_id", + "group_guids": [ + "data[34]_group_guids_0" + ], + "links": { + "computer": "data[34]_links_computer", + "trajectory": "data[34]_links_trajectory", + "group": "data[34]_links_group" + }, + "cdhash": "data[34]_cdhash", + "timestamp": "data[34]_timestamp", + "timestamp_nanoseconds": "data[34]_timestamp_nanoseconds", + "date": "data[34]_date", + "query_type": "data[34]_query_type", + "network_info": { + "dirty_url": "data[34]_network_info_dirty_url", + "remote_ip": "data[34]_network_info_remote_ip", + "remote_port": "data[34]_network_info_remote_port", + "local_ip": "data[34]_network_info_local_ip", + "local_port": "data[34]_network_info_local_port", + "direction": "data[34]_network_info_direction", + "protocol": "data[34]_network_info_protocol" + }, + "ver": "data[34]_ver" + }, + { + "connector_guid": "data[35]_connector_guid", + "bundle_id": "data[35]_bundle_id", + "group_guids": [ + "data[35]_group_guids_0" + ], + "links": { + "computer": "data[35]_links_computer", + "trajectory": "data[35]_links_trajectory", + "group": "data[35]_links_group" + }, + "cdhash": "data[35]_cdhash", + "timestamp": "data[35]_timestamp", + "timestamp_nanoseconds": "data[35]_timestamp_nanoseconds", + "date": "data[35]_date", + "query_type": "data[35]_query_type", + "network_info": { + "dirty_url": "data[35]_network_info_dirty_url", + "remote_ip": "data[35]_network_info_remote_ip", + "remote_port": "data[35]_network_info_remote_port", + "local_ip": "data[35]_network_info_local_ip", + "local_port": "data[35]_network_info_local_port", + "direction": "data[35]_network_info_direction", + "protocol": "data[35]_network_info_protocol" + }, + "ver": "data[35]_ver" + }, + { + "connector_guid": "data[36]_connector_guid", + "bundle_id": "data[36]_bundle_id", + "group_guids": [ + "data[36]_group_guids_0" + ], + "links": { + "computer": "data[36]_links_computer", + "trajectory": "data[36]_links_trajectory", + "group": "data[36]_links_group" + }, + "cdhash": "data[36]_cdhash", + "timestamp": "data[36]_timestamp", + "timestamp_nanoseconds": "data[36]_timestamp_nanoseconds", + "date": "data[36]_date", + "query_type": "data[36]_query_type", + "network_info": { + "dirty_url": "data[36]_network_info_dirty_url", + "remote_ip": "data[36]_network_info_remote_ip", + "remote_port": "data[36]_network_info_remote_port", + "local_ip": "data[36]_network_info_local_ip", + "local_port": "data[36]_network_info_local_port", + "direction": "data[36]_network_info_direction", + "protocol": "data[36]_network_info_protocol" + }, + "ver": "data[36]_ver" + }, + { + "connector_guid": "data[37]_connector_guid", + "bundle_id": "data[37]_bundle_id", + "group_guids": [ + "data[37]_group_guids_0" + ], + "links": { + "computer": "data[37]_links_computer", + "trajectory": "data[37]_links_trajectory", + "group": "data[37]_links_group" + }, + "cdhash": "data[37]_cdhash", + "timestamp": "data[37]_timestamp", + "timestamp_nanoseconds": "data[37]_timestamp_nanoseconds", + "date": "data[37]_date", + "query_type": "data[37]_query_type", + "network_info": { + "dirty_url": "data[37]_network_info_dirty_url", + "remote_ip": "data[37]_network_info_remote_ip", + "remote_port": "data[37]_network_info_remote_port", + "local_ip": "data[37]_network_info_local_ip", + "local_port": "data[37]_network_info_local_port", + "direction": "data[37]_network_info_direction", + "protocol": "data[37]_network_info_protocol" + }, + "ver": "data[37]_ver" + }, + { + "connector_guid": "data[38]_connector_guid", + "bundle_id": "data[38]_bundle_id", + "group_guids": [ + "data[38]_group_guids_0" + ], + "links": { + "computer": "data[38]_links_computer", + "trajectory": "data[38]_links_trajectory", + "group": "data[38]_links_group" + }, + "cdhash": "data[38]_cdhash", + "timestamp": "data[38]_timestamp", + "timestamp_nanoseconds": "data[38]_timestamp_nanoseconds", + "date": "data[38]_date", + "query_type": "data[38]_query_type", + "network_info": { + "dirty_url": "data[38]_network_info_dirty_url", + "remote_ip": "data[38]_network_info_remote_ip", + "remote_port": "data[38]_network_info_remote_port", + "local_ip": "data[38]_network_info_local_ip", + "local_port": "data[38]_network_info_local_port", + "direction": "data[38]_network_info_direction", + "protocol": "data[38]_network_info_protocol" + }, + "ver": "data[38]_ver" + }, + { + "connector_guid": "data[39]_connector_guid", + "bundle_id": "data[39]_bundle_id", + "group_guids": [ + "data[39]_group_guids_0" + ], + "links": { + "computer": "data[39]_links_computer", + "trajectory": "data[39]_links_trajectory", + "group": "data[39]_links_group" + }, + "cdhash": "data[39]_cdhash", + "timestamp": "data[39]_timestamp", + "timestamp_nanoseconds": "data[39]_timestamp_nanoseconds", + "date": "data[39]_date", + "query_type": "data[39]_query_type", + "network_info": { + "dirty_url": "data[39]_network_info_dirty_url", + "remote_ip": "data[39]_network_info_remote_ip", + "remote_port": "data[39]_network_info_remote_port", + "local_ip": "data[39]_network_info_local_ip", + "local_port": "data[39]_network_info_local_port", + "direction": "data[39]_network_info_direction", + "protocol": "data[39]_network_info_protocol" + }, + "ver": "data[39]_ver" + }, + { + "connector_guid": "data[40]_connector_guid", + "bundle_id": "data[40]_bundle_id", + "group_guids": [ + "data[40]_group_guids_0" + ], + "links": { + "computer": "data[40]_links_computer", + "trajectory": "data[40]_links_trajectory", + "group": "data[40]_links_group" + }, + "cdhash": "data[40]_cdhash", + "timestamp": "data[40]_timestamp", + "timestamp_nanoseconds": "data[40]_timestamp_nanoseconds", + "date": "data[40]_date", + "query_type": "data[40]_query_type", + "network_info": { + "dirty_url": "data[40]_network_info_dirty_url", + "remote_ip": "data[40]_network_info_remote_ip", + "remote_port": "data[40]_network_info_remote_port", + "local_ip": "data[40]_network_info_local_ip", + "local_port": "data[40]_network_info_local_port", + "direction": "data[40]_network_info_direction", + "protocol": "data[40]_network_info_protocol" + }, + "ver": "data[40]_ver" + }, + { + "connector_guid": "data[41]_connector_guid", + "bundle_id": "data[41]_bundle_id", + "group_guids": [ + "data[41]_group_guids_0" + ], + "links": { + "computer": "data[41]_links_computer", + "trajectory": "data[41]_links_trajectory", + "group": "data[41]_links_group" + }, + "cdhash": "data[41]_cdhash", + "timestamp": "data[41]_timestamp", + "timestamp_nanoseconds": "data[41]_timestamp_nanoseconds", + "date": "data[41]_date", + "query_type": "data[41]_query_type", + "network_info": { + "dirty_url": "data[41]_network_info_dirty_url", + "remote_ip": "data[41]_network_info_remote_ip", + "remote_port": "data[41]_network_info_remote_port", + "local_ip": "data[41]_network_info_local_ip", + "local_port": "data[41]_network_info_local_port", + "direction": "data[41]_network_info_direction", + "protocol": "data[41]_network_info_protocol" + }, + "ver": "data[41]_ver" + }, + { + "connector_guid": "data[42]_connector_guid", + "bundle_id": "data[42]_bundle_id", + "group_guids": [ + "data[42]_group_guids_0" + ], + "links": { + "computer": "data[42]_links_computer", + "trajectory": "data[42]_links_trajectory", + "group": "data[42]_links_group" + }, + "cdhash": "data[42]_cdhash", + "timestamp": "data[42]_timestamp", + "timestamp_nanoseconds": "data[42]_timestamp_nanoseconds", + "date": "data[42]_date", + "query_type": "data[42]_query_type", + "network_info": { + "dirty_url": "data[42]_network_info_dirty_url", + "remote_ip": "data[42]_network_info_remote_ip", + "remote_port": "data[42]_network_info_remote_port", + "local_ip": "data[42]_network_info_local_ip", + "local_port": "data[42]_network_info_local_port", + "direction": "data[42]_network_info_direction", + "protocol": "data[42]_network_info_protocol" + }, + "ver": "data[42]_ver" + }, + { + "connector_guid": "data[43]_connector_guid", + "bundle_id": "data[43]_bundle_id", + "group_guids": [ + "data[43]_group_guids_0" + ], + "links": { + "computer": "data[43]_links_computer", + "trajectory": "data[43]_links_trajectory", + "group": "data[43]_links_group" + }, + "cdhash": "data[43]_cdhash", + "timestamp": "data[43]_timestamp", + "timestamp_nanoseconds": "data[43]_timestamp_nanoseconds", + "date": "data[43]_date", + "query_type": "data[43]_query_type", + "network_info": { + "dirty_url": "data[43]_network_info_dirty_url", + "remote_ip": "data[43]_network_info_remote_ip", + "remote_port": "data[43]_network_info_remote_port", + "local_ip": "data[43]_network_info_local_ip", + "local_port": "data[43]_network_info_local_port", + "direction": "data[43]_network_info_direction", + "protocol": "data[43]_network_info_protocol" + }, + "ver": "data[43]_ver" + }, + { + "connector_guid": "data[44]_connector_guid", + "bundle_id": "data[44]_bundle_id", + "group_guids": [ + "data[44]_group_guids_0" + ], + "links": { + "computer": "data[44]_links_computer", + "trajectory": "data[44]_links_trajectory", + "group": "data[44]_links_group" + }, + "cdhash": "data[44]_cdhash", + "timestamp": "data[44]_timestamp", + "timestamp_nanoseconds": "data[44]_timestamp_nanoseconds", + "date": "data[44]_date", + "query_type": "data[44]_query_type", + "network_info": { + "dirty_url": "data[44]_network_info_dirty_url", + "remote_ip": "data[44]_network_info_remote_ip", + "remote_port": "data[44]_network_info_remote_port", + "local_ip": "data[44]_network_info_local_ip", + "local_port": "data[44]_network_info_local_port", + "direction": "data[44]_network_info_direction", + "protocol": "data[44]_network_info_protocol" + }, + "ver": "data[44]_ver" + }, + { + "connector_guid": "data[45]_connector_guid", + "bundle_id": "data[45]_bundle_id", + "group_guids": [ + "data[45]_group_guids_0" + ], + "links": { + "computer": "data[45]_links_computer", + "trajectory": "data[45]_links_trajectory", + "group": "data[45]_links_group" + }, + "cdhash": "data[45]_cdhash", + "timestamp": "data[45]_timestamp", + "timestamp_nanoseconds": "data[45]_timestamp_nanoseconds", + "date": "data[45]_date", + "query_type": "data[45]_query_type", + "network_info": { + "dirty_url": "data[45]_network_info_dirty_url", + "remote_ip": "data[45]_network_info_remote_ip", + "remote_port": "data[45]_network_info_remote_port", + "local_ip": "data[45]_network_info_local_ip", + "local_port": "data[45]_network_info_local_port", + "direction": "data[45]_network_info_direction", + "protocol": "data[45]_network_info_protocol" + }, + "ver": "data[45]_ver" + }, + { + "connector_guid": "data[46]_connector_guid", + "bundle_id": "data[46]_bundle_id", + "group_guids": [ + "data[46]_group_guids_0" + ], + "links": { + "computer": "data[46]_links_computer", + "trajectory": "data[46]_links_trajectory", + "group": "data[46]_links_group" + }, + "cdhash": "data[46]_cdhash", + "timestamp": "data[46]_timestamp", + "timestamp_nanoseconds": "data[46]_timestamp_nanoseconds", + "date": "data[46]_date", + "query_type": "data[46]_query_type", + "network_info": { + "dirty_url": "data[46]_network_info_dirty_url", + "remote_ip": "data[46]_network_info_remote_ip", + "remote_port": "data[46]_network_info_remote_port", + "local_ip": "data[46]_network_info_local_ip", + "local_port": "data[46]_network_info_local_port", + "direction": "data[46]_network_info_direction", + "protocol": "data[46]_network_info_protocol" + }, + "ver": "data[46]_ver" + }, + { + "connector_guid": "data[47]_connector_guid", + "bundle_id": "data[47]_bundle_id", + "group_guids": [ + "data[47]_group_guids_0" + ], + "links": { + "computer": "data[47]_links_computer", + "trajectory": "data[47]_links_trajectory", + "group": "data[47]_links_group" + }, + "cdhash": "data[47]_cdhash", + "timestamp": "data[47]_timestamp", + "timestamp_nanoseconds": "data[47]_timestamp_nanoseconds", + "date": "data[47]_date", + "query_type": "data[47]_query_type", + "network_info": { + "dirty_url": "data[47]_network_info_dirty_url", + "remote_ip": "data[47]_network_info_remote_ip", + "remote_port": "data[47]_network_info_remote_port", + "local_ip": "data[47]_network_info_local_ip", + "local_port": "data[47]_network_info_local_port", + "direction": "data[47]_network_info_direction", + "protocol": "data[47]_network_info_protocol" + }, + "ver": "data[47]_ver" + }, + { + "connector_guid": "data[48]_connector_guid", + "bundle_id": "data[48]_bundle_id", + "group_guids": [ + "data[48]_group_guids_0" + ], + "links": { + "computer": "data[48]_links_computer", + "trajectory": "data[48]_links_trajectory", + "group": "data[48]_links_group" + }, + "cdhash": "data[48]_cdhash", + "timestamp": "data[48]_timestamp", + "timestamp_nanoseconds": "data[48]_timestamp_nanoseconds", + "date": "data[48]_date", + "query_type": "data[48]_query_type", + "network_info": { + "dirty_url": "data[48]_network_info_dirty_url", + "remote_ip": "data[48]_network_info_remote_ip", + "remote_port": "data[48]_network_info_remote_port", + "local_ip": "data[48]_network_info_local_ip", + "local_port": "data[48]_network_info_local_port", + "direction": "data[48]_network_info_direction", + "protocol": "data[48]_network_info_protocol" + }, + "ver": "data[48]_ver" + }, + { + "connector_guid": "data[49]_connector_guid", + "bundle_id": "data[49]_bundle_id", + "group_guids": [ + "data[49]_group_guids_0" + ], + "links": { + "computer": "data[49]_links_computer", + "trajectory": "data[49]_links_trajectory", + "group": "data[49]_links_group" + }, + "cdhash": "data[49]_cdhash", + "timestamp": "data[49]_timestamp", + "timestamp_nanoseconds": "data[49]_timestamp_nanoseconds", + "date": "data[49]_date", + "query_type": "data[49]_query_type", + "network_info": { + "dirty_url": "data[49]_network_info_dirty_url", + "remote_ip": "data[49]_network_info_remote_ip", + "remote_port": "data[49]_network_info_remote_port", + "local_ip": "data[49]_network_info_local_ip", + "local_port": "data[49]_network_info_local_port", + "direction": "data[49]_network_info_direction", + "protocol": "data[49]_network_info_protocol" + }, + "ver": "data[49]_ver" + }, + { + "connector_guid": "data[50]_connector_guid", + "bundle_id": "data[50]_bundle_id", + "group_guids": [ + "data[50]_group_guids_0" + ], + "links": { + "computer": "data[50]_links_computer", + "trajectory": "data[50]_links_trajectory", + "group": "data[50]_links_group" + }, + "cdhash": "data[50]_cdhash", + "timestamp": "data[50]_timestamp", + "timestamp_nanoseconds": "data[50]_timestamp_nanoseconds", + "date": "data[50]_date", + "query_type": "data[50]_query_type", + "network_info": { + "dirty_url": "data[50]_network_info_dirty_url", + "remote_ip": "data[50]_network_info_remote_ip", + "remote_port": "data[50]_network_info_remote_port", + "local_ip": "data[50]_network_info_local_ip", + "local_port": "data[50]_network_info_local_port", + "direction": "data[50]_network_info_direction", + "protocol": "data[50]_network_info_protocol" + }, + "ver": "data[50]_ver" + }, + { + "connector_guid": "data[51]_connector_guid", + "bundle_id": "data[51]_bundle_id", + "group_guids": [ + "data[51]_group_guids_0" + ], + "links": { + "computer": "data[51]_links_computer", + "trajectory": "data[51]_links_trajectory", + "group": "data[51]_links_group" + }, + "cdhash": "data[51]_cdhash", + "timestamp": "data[51]_timestamp", + "timestamp_nanoseconds": "data[51]_timestamp_nanoseconds", + "date": "data[51]_date", + "query_type": "data[51]_query_type", + "network_info": { + "dirty_url": "data[51]_network_info_dirty_url", + "remote_ip": "data[51]_network_info_remote_ip", + "remote_port": "data[51]_network_info_remote_port", + "local_ip": "data[51]_network_info_local_ip", + "local_port": "data[51]_network_info_local_port", + "direction": "data[51]_network_info_direction", + "protocol": "data[51]_network_info_protocol" + }, + "ver": "data[51]_ver" + }, + { + "connector_guid": "data[52]_connector_guid", + "bundle_id": "data[52]_bundle_id", + "group_guids": [ + "data[52]_group_guids_0" + ], + "links": { + "computer": "data[52]_links_computer", + "trajectory": "data[52]_links_trajectory", + "group": "data[52]_links_group" + }, + "cdhash": "data[52]_cdhash", + "timestamp": "data[52]_timestamp", + "timestamp_nanoseconds": "data[52]_timestamp_nanoseconds", + "date": "data[52]_date", + "query_type": "data[52]_query_type", + "network_info": { + "dirty_url": "data[52]_network_info_dirty_url", + "remote_ip": "data[52]_network_info_remote_ip", + "remote_port": "data[52]_network_info_remote_port", + "local_ip": "data[52]_network_info_local_ip", + "local_port": "data[52]_network_info_local_port", + "direction": "data[52]_network_info_direction", + "protocol": "data[52]_network_info_protocol" + }, + "ver": "data[52]_ver" + }, + { + "connector_guid": "data[53]_connector_guid", + "bundle_id": "data[53]_bundle_id", + "group_guids": [ + "data[53]_group_guids_0" + ], + "links": { + "computer": "data[53]_links_computer", + "trajectory": "data[53]_links_trajectory", + "group": "data[53]_links_group" + }, + "cdhash": "data[53]_cdhash", + "timestamp": "data[53]_timestamp", + "timestamp_nanoseconds": "data[53]_timestamp_nanoseconds", + "date": "data[53]_date", + "query_type": "data[53]_query_type", + "network_info": { + "dirty_url": "data[53]_network_info_dirty_url", + "remote_ip": "data[53]_network_info_remote_ip", + "remote_port": "data[53]_network_info_remote_port", + "local_ip": "data[53]_network_info_local_ip", + "local_port": "data[53]_network_info_local_port", + "direction": "data[53]_network_info_direction", + "protocol": "data[53]_network_info_protocol" + }, + "ver": "data[53]_ver" + }, + { + "connector_guid": "data[54]_connector_guid", + "bundle_id": "data[54]_bundle_id", + "group_guids": [ + "data[54]_group_guids_0" + ], + "links": { + "computer": "data[54]_links_computer", + "trajectory": "data[54]_links_trajectory", + "group": "data[54]_links_group" + }, + "cdhash": "data[54]_cdhash", + "timestamp": "data[54]_timestamp", + "timestamp_nanoseconds": "data[54]_timestamp_nanoseconds", + "date": "data[54]_date", + "query_type": "data[54]_query_type", + "network_info": { + "dirty_url": "data[54]_network_info_dirty_url", + "remote_ip": "data[54]_network_info_remote_ip", + "remote_port": "data[54]_network_info_remote_port", + "local_ip": "data[54]_network_info_local_ip", + "local_port": "data[54]_network_info_local_port", + "direction": "data[54]_network_info_direction", + "protocol": "data[54]_network_info_protocol" + }, + "ver": "data[54]_ver" + }, + { + "connector_guid": "data[55]_connector_guid", + "bundle_id": "data[55]_bundle_id", + "group_guids": [ + "data[55]_group_guids_0" + ], + "links": { + "computer": "data[55]_links_computer", + "trajectory": "data[55]_links_trajectory", + "group": "data[55]_links_group" + }, + "cdhash": "data[55]_cdhash", + "timestamp": "data[55]_timestamp", + "timestamp_nanoseconds": "data[55]_timestamp_nanoseconds", + "date": "data[55]_date", + "query_type": "data[55]_query_type", + "network_info": { + "dirty_url": "data[55]_network_info_dirty_url", + "remote_ip": "data[55]_network_info_remote_ip", + "remote_port": "data[55]_network_info_remote_port", + "local_ip": "data[55]_network_info_local_ip", + "local_port": "data[55]_network_info_local_port", + "direction": "data[55]_network_info_direction", + "protocol": "data[55]_network_info_protocol" + }, + "ver": "data[55]_ver" + }, + { + "connector_guid": "data[56]_connector_guid", + "bundle_id": "data[56]_bundle_id", + "group_guids": [ + "data[56]_group_guids_0" + ], + "links": { + "computer": "data[56]_links_computer", + "trajectory": "data[56]_links_trajectory", + "group": "data[56]_links_group" + }, + "cdhash": "data[56]_cdhash", + "timestamp": "data[56]_timestamp", + "timestamp_nanoseconds": "data[56]_timestamp_nanoseconds", + "date": "data[56]_date", + "query_type": "data[56]_query_type", + "network_info": { + "dirty_url": "data[56]_network_info_dirty_url", + "remote_ip": "data[56]_network_info_remote_ip", + "remote_port": "data[56]_network_info_remote_port", + "local_ip": "data[56]_network_info_local_ip", + "local_port": "data[56]_network_info_local_port", + "direction": "data[56]_network_info_direction", + "protocol": "data[56]_network_info_protocol" + }, + "ver": "data[56]_ver" + }, + { + "connector_guid": "data[57]_connector_guid", + "bundle_id": "data[57]_bundle_id", + "group_guids": [ + "data[57]_group_guids_0" + ], + "links": { + "computer": "data[57]_links_computer", + "trajectory": "data[57]_links_trajectory", + "group": "data[57]_links_group" + }, + "cdhash": "data[57]_cdhash", + "timestamp": "data[57]_timestamp", + "timestamp_nanoseconds": "data[57]_timestamp_nanoseconds", + "date": "data[57]_date", + "query_type": "data[57]_query_type", + "network_info": { + "dirty_url": "data[57]_network_info_dirty_url", + "remote_ip": "data[57]_network_info_remote_ip", + "remote_port": "data[57]_network_info_remote_port", + "local_ip": "data[57]_network_info_local_ip", + "local_port": "data[57]_network_info_local_port", + "direction": "data[57]_network_info_direction", + "protocol": "data[57]_network_info_protocol" + }, + "ver": "data[57]_ver" + }, + { + "connector_guid": "data[58]_connector_guid", + "bundle_id": "data[58]_bundle_id", + "group_guids": [ + "data[58]_group_guids_0" + ], + "links": { + "computer": "data[58]_links_computer", + "trajectory": "data[58]_links_trajectory", + "group": "data[58]_links_group" + }, + "cdhash": "data[58]_cdhash", + "timestamp": "data[58]_timestamp", + "timestamp_nanoseconds": "data[58]_timestamp_nanoseconds", + "date": "data[58]_date", + "query_type": "data[58]_query_type", + "network_info": { + "dirty_url": "data[58]_network_info_dirty_url", + "remote_ip": "data[58]_network_info_remote_ip", + "remote_port": "data[58]_network_info_remote_port", + "local_ip": "data[58]_network_info_local_ip", + "local_port": "data[58]_network_info_local_port", + "direction": "data[58]_network_info_direction", + "protocol": "data[58]_network_info_protocol" + }, + "ver": "data[58]_ver" + }, + { + "connector_guid": "data[59]_connector_guid", + "bundle_id": "data[59]_bundle_id", + "group_guids": [ + "data[59]_group_guids_0" + ], + "links": { + "computer": "data[59]_links_computer", + "trajectory": "data[59]_links_trajectory", + "group": "data[59]_links_group" + }, + "cdhash": "data[59]_cdhash", + "timestamp": "data[59]_timestamp", + "timestamp_nanoseconds": "data[59]_timestamp_nanoseconds", + "date": "data[59]_date", + "query_type": "data[59]_query_type", + "network_info": { + "dirty_url": "data[59]_network_info_dirty_url", + "remote_ip": "data[59]_network_info_remote_ip", + "remote_port": "data[59]_network_info_remote_port", + "local_ip": "data[59]_network_info_local_ip", + "local_port": "data[59]_network_info_local_port", + "direction": "data[59]_network_info_direction", + "protocol": "data[59]_network_info_protocol" + }, + "ver": "data[59]_ver" + }, + { + "connector_guid": "data[60]_connector_guid", + "bundle_id": "data[60]_bundle_id", + "group_guids": [ + "data[60]_group_guids_0" + ], + "links": { + "computer": "data[60]_links_computer", + "trajectory": "data[60]_links_trajectory", + "group": "data[60]_links_group" + }, + "cdhash": "data[60]_cdhash", + "timestamp": "data[60]_timestamp", + "timestamp_nanoseconds": "data[60]_timestamp_nanoseconds", + "date": "data[60]_date", + "query_type": "data[60]_query_type", + "network_info": { + "dirty_url": "data[60]_network_info_dirty_url", + "remote_ip": "data[60]_network_info_remote_ip", + "remote_port": "data[60]_network_info_remote_port", + "local_ip": "data[60]_network_info_local_ip", + "local_port": "data[60]_network_info_local_port", + "direction": "data[60]_network_info_direction", + "protocol": "data[60]_network_info_protocol" + }, + "ver": "data[60]_ver" + }, + { + "connector_guid": "data[61]_connector_guid", + "bundle_id": "data[61]_bundle_id", + "group_guids": [ + "data[61]_group_guids_0" + ], + "links": { + "computer": "data[61]_links_computer", + "trajectory": "data[61]_links_trajectory", + "group": "data[61]_links_group" + }, + "cdhash": "data[61]_cdhash", + "timestamp": "data[61]_timestamp", + "timestamp_nanoseconds": "data[61]_timestamp_nanoseconds", + "date": "data[61]_date", + "query_type": "data[61]_query_type", + "network_info": { + "dirty_url": "data[61]_network_info_dirty_url", + "remote_ip": "data[61]_network_info_remote_ip", + "remote_port": "data[61]_network_info_remote_port", + "local_ip": "data[61]_network_info_local_ip", + "local_port": "data[61]_network_info_local_port", + "direction": "data[61]_network_info_direction", + "protocol": "data[61]_network_info_protocol" + }, + "ver": "data[61]_ver" + }, + { + "connector_guid": "data[62]_connector_guid", + "bundle_id": "data[62]_bundle_id", + "group_guids": [ + "data[62]_group_guids_0" + ], + "links": { + "computer": "data[62]_links_computer", + "trajectory": "data[62]_links_trajectory", + "group": "data[62]_links_group" + }, + "cdhash": "data[62]_cdhash", + "timestamp": "data[62]_timestamp", + "timestamp_nanoseconds": "data[62]_timestamp_nanoseconds", + "date": "data[62]_date", + "query_type": "data[62]_query_type", + "network_info": { + "dirty_url": "data[62]_network_info_dirty_url", + "remote_ip": "data[62]_network_info_remote_ip", + "remote_port": "data[62]_network_info_remote_port", + "local_ip": "data[62]_network_info_local_ip", + "local_port": "data[62]_network_info_local_port", + "direction": "data[62]_network_info_direction", + "protocol": "data[62]_network_info_protocol" + }, + "ver": "data[62]_ver" + }, + { + "connector_guid": "data[63]_connector_guid", + "bundle_id": "data[63]_bundle_id", + "group_guids": [ + "data[63]_group_guids_0" + ], + "links": { + "computer": "data[63]_links_computer", + "trajectory": "data[63]_links_trajectory", + "group": "data[63]_links_group" + }, + "cdhash": "data[63]_cdhash", + "timestamp": "data[63]_timestamp", + "timestamp_nanoseconds": "data[63]_timestamp_nanoseconds", + "date": "data[63]_date", + "query_type": "data[63]_query_type", + "network_info": { + "dirty_url": "data[63]_network_info_dirty_url", + "remote_ip": "data[63]_network_info_remote_ip", + "remote_port": "data[63]_network_info_remote_port", + "local_ip": "data[63]_network_info_local_ip", + "local_port": "data[63]_network_info_local_port", + "direction": "data[63]_network_info_direction", + "protocol": "data[63]_network_info_protocol" + }, + "ver": "data[63]_ver" + }, + { + "connector_guid": "data[64]_connector_guid", + "bundle_id": "data[64]_bundle_id", + "group_guids": [ + "data[64]_group_guids_0" + ], + "links": { + "computer": "data[64]_links_computer", + "trajectory": "data[64]_links_trajectory", + "group": "data[64]_links_group" + }, + "cdhash": "data[64]_cdhash", + "timestamp": "data[64]_timestamp", + "timestamp_nanoseconds": "data[64]_timestamp_nanoseconds", + "date": "data[64]_date", + "query_type": "data[64]_query_type", + "network_info": { + "dirty_url": "data[64]_network_info_dirty_url", + "remote_ip": "data[64]_network_info_remote_ip", + "remote_port": "data[64]_network_info_remote_port", + "local_ip": "data[64]_network_info_local_ip", + "local_port": "data[64]_network_info_local_port", + "direction": "data[64]_network_info_direction", + "protocol": "data[64]_network_info_protocol" + }, + "ver": "data[64]_ver" + }, + { + "connector_guid": "data[65]_connector_guid", + "bundle_id": "data[65]_bundle_id", + "group_guids": [ + "data[65]_group_guids_0" + ], + "links": { + "computer": "data[65]_links_computer", + "trajectory": "data[65]_links_trajectory", + "group": "data[65]_links_group" + }, + "cdhash": "data[65]_cdhash", + "timestamp": "data[65]_timestamp", + "timestamp_nanoseconds": "data[65]_timestamp_nanoseconds", + "date": "data[65]_date", + "query_type": "data[65]_query_type", + "network_info": { + "dirty_url": "data[65]_network_info_dirty_url", + "remote_ip": "data[65]_network_info_remote_ip", + "remote_port": "data[65]_network_info_remote_port", + "local_ip": "data[65]_network_info_local_ip", + "local_port": "data[65]_network_info_local_port", + "direction": "data[65]_network_info_direction", + "protocol": "data[65]_network_info_protocol" + }, + "ver": "data[65]_ver" + }, + { + "connector_guid": "data[66]_connector_guid", + "bundle_id": "data[66]_bundle_id", + "group_guids": [ + "data[66]_group_guids_0" + ], + "links": { + "computer": "data[66]_links_computer", + "trajectory": "data[66]_links_trajectory", + "group": "data[66]_links_group" + }, + "cdhash": "data[66]_cdhash", + "timestamp": "data[66]_timestamp", + "timestamp_nanoseconds": "data[66]_timestamp_nanoseconds", + "date": "data[66]_date", + "query_type": "data[66]_query_type", + "network_info": { + "dirty_url": "data[66]_network_info_dirty_url", + "remote_ip": "data[66]_network_info_remote_ip", + "remote_port": "data[66]_network_info_remote_port", + "local_ip": "data[66]_network_info_local_ip", + "local_port": "data[66]_network_info_local_port", + "direction": "data[66]_network_info_direction", + "protocol": "data[66]_network_info_protocol" + }, + "ver": "data[66]_ver" + }, + { + "connector_guid": "data[67]_connector_guid", + "bundle_id": "data[67]_bundle_id", + "group_guids": [ + "data[67]_group_guids_0" + ], + "links": { + "computer": "data[67]_links_computer", + "trajectory": "data[67]_links_trajectory", + "group": "data[67]_links_group" + }, + "cdhash": "data[67]_cdhash", + "timestamp": "data[67]_timestamp", + "timestamp_nanoseconds": "data[67]_timestamp_nanoseconds", + "date": "data[67]_date", + "query_type": "data[67]_query_type", + "network_info": { + "dirty_url": "data[67]_network_info_dirty_url", + "remote_ip": "data[67]_network_info_remote_ip", + "remote_port": "data[67]_network_info_remote_port", + "local_ip": "data[67]_network_info_local_ip", + "local_port": "data[67]_network_info_local_port", + "direction": "data[67]_network_info_direction", + "protocol": "data[67]_network_info_protocol" + }, + "ver": "data[67]_ver" + }, + { + "connector_guid": "data[68]_connector_guid", + "bundle_id": "data[68]_bundle_id", + "group_guids": [ + "data[68]_group_guids_0" + ], + "links": { + "computer": "data[68]_links_computer", + "trajectory": "data[68]_links_trajectory", + "group": "data[68]_links_group" + }, + "cdhash": "data[68]_cdhash", + "timestamp": "data[68]_timestamp", + "timestamp_nanoseconds": "data[68]_timestamp_nanoseconds", + "date": "data[68]_date", + "query_type": "data[68]_query_type", + "network_info": { + "dirty_url": "data[68]_network_info_dirty_url", + "remote_ip": "data[68]_network_info_remote_ip", + "remote_port": "data[68]_network_info_remote_port", + "local_ip": "data[68]_network_info_local_ip", + "local_port": "data[68]_network_info_local_port", + "direction": "data[68]_network_info_direction", + "protocol": "data[68]_network_info_protocol" + }, + "ver": "data[68]_ver" + }, + { + "connector_guid": "data[69]_connector_guid", + "bundle_id": "data[69]_bundle_id", + "group_guids": [ + "data[69]_group_guids_0" + ], + "links": { + "computer": "data[69]_links_computer", + "trajectory": "data[69]_links_trajectory", + "group": "data[69]_links_group" + }, + "cdhash": "data[69]_cdhash", + "timestamp": "data[69]_timestamp", + "timestamp_nanoseconds": "data[69]_timestamp_nanoseconds", + "date": "data[69]_date", + "query_type": "data[69]_query_type", + "network_info": { + "dirty_url": "data[69]_network_info_dirty_url", + "remote_ip": "data[69]_network_info_remote_ip", + "remote_port": "data[69]_network_info_remote_port", + "local_ip": "data[69]_network_info_local_ip", + "local_port": "data[69]_network_info_local_port", + "direction": "data[69]_network_info_direction", + "protocol": "data[69]_network_info_protocol" + }, + "ver": "data[69]_ver" + }, + { + "connector_guid": "data[70]_connector_guid", + "bundle_id": "data[70]_bundle_id", + "group_guids": [ + "data[70]_group_guids_0" + ], + "links": { + "computer": "data[70]_links_computer", + "trajectory": "data[70]_links_trajectory", + "group": "data[70]_links_group" + }, + "cdhash": "data[70]_cdhash", + "timestamp": "data[70]_timestamp", + "timestamp_nanoseconds": "data[70]_timestamp_nanoseconds", + "date": "data[70]_date", + "query_type": "data[70]_query_type", + "network_info": { + "dirty_url": "data[70]_network_info_dirty_url", + "remote_ip": "data[70]_network_info_remote_ip", + "remote_port": "data[70]_network_info_remote_port", + "local_ip": "data[70]_network_info_local_ip", + "local_port": "data[70]_network_info_local_port", + "direction": "data[70]_network_info_direction", + "protocol": "data[70]_network_info_protocol" + }, + "ver": "data[70]_ver" + }, + { + "connector_guid": "data[71]_connector_guid", + "bundle_id": "data[71]_bundle_id", + "group_guids": [ + "data[71]_group_guids_0" + ], + "links": { + "computer": "data[71]_links_computer", + "trajectory": "data[71]_links_trajectory", + "group": "data[71]_links_group" + }, + "cdhash": "data[71]_cdhash", + "timestamp": "data[71]_timestamp", + "timestamp_nanoseconds": "data[71]_timestamp_nanoseconds", + "date": "data[71]_date", + "query_type": "data[71]_query_type", + "network_info": { + "dirty_url": "data[71]_network_info_dirty_url", + "remote_ip": "data[71]_network_info_remote_ip", + "remote_port": "data[71]_network_info_remote_port", + "local_ip": "data[71]_network_info_local_ip", + "local_port": "data[71]_network_info_local_port", + "direction": "data[71]_network_info_direction", + "protocol": "data[71]_network_info_protocol" + }, + "ver": "data[71]_ver" + }, + { + "connector_guid": "data[72]_connector_guid", + "bundle_id": "data[72]_bundle_id", + "group_guids": [ + "data[72]_group_guids_0" + ], + "links": { + "computer": "data[72]_links_computer", + "trajectory": "data[72]_links_trajectory", + "group": "data[72]_links_group" + }, + "cdhash": "data[72]_cdhash", + "timestamp": "data[72]_timestamp", + "timestamp_nanoseconds": "data[72]_timestamp_nanoseconds", + "date": "data[72]_date", + "query_type": "data[72]_query_type", + "network_info": { + "dirty_url": "data[72]_network_info_dirty_url", + "remote_ip": "data[72]_network_info_remote_ip", + "remote_port": "data[72]_network_info_remote_port", + "local_ip": "data[72]_network_info_local_ip", + "local_port": "data[72]_network_info_local_port", + "direction": "data[72]_network_info_direction", + "protocol": "data[72]_network_info_protocol" + }, + "ver": "data[72]_ver" + }, + { + "connector_guid": "data[73]_connector_guid", + "bundle_id": "data[73]_bundle_id", + "group_guids": [ + "data[73]_group_guids_0" + ], + "links": { + "computer": "data[73]_links_computer", + "trajectory": "data[73]_links_trajectory", + "group": "data[73]_links_group" + }, + "cdhash": "data[73]_cdhash", + "timestamp": "data[73]_timestamp", + "timestamp_nanoseconds": "data[73]_timestamp_nanoseconds", + "date": "data[73]_date", + "query_type": "data[73]_query_type", + "network_info": { + "dirty_url": "data[73]_network_info_dirty_url", + "remote_ip": "data[73]_network_info_remote_ip", + "remote_port": "data[73]_network_info_remote_port", + "local_ip": "data[73]_network_info_local_ip", + "local_port": "data[73]_network_info_local_port", + "direction": "data[73]_network_info_direction", + "protocol": "data[73]_network_info_protocol" + }, + "ver": "data[73]_ver" + }, + { + "connector_guid": "data[74]_connector_guid", + "bundle_id": "data[74]_bundle_id", + "group_guids": [ + "data[74]_group_guids_0" + ], + "links": { + "computer": "data[74]_links_computer", + "trajectory": "data[74]_links_trajectory", + "group": "data[74]_links_group" + }, + "cdhash": "data[74]_cdhash", + "timestamp": "data[74]_timestamp", + "timestamp_nanoseconds": "data[74]_timestamp_nanoseconds", + "date": "data[74]_date", + "query_type": "data[74]_query_type", + "network_info": { + "dirty_url": "data[74]_network_info_dirty_url", + "remote_ip": "data[74]_network_info_remote_ip", + "remote_port": "data[74]_network_info_remote_port", + "local_ip": "data[74]_network_info_local_ip", + "local_port": "data[74]_network_info_local_port", + "direction": "data[74]_network_info_direction", + "protocol": "data[74]_network_info_protocol" + }, + "ver": "data[74]_ver" + }, + { + "connector_guid": "data[75]_connector_guid", + "bundle_id": "data[75]_bundle_id", + "group_guids": [ + "data[75]_group_guids_0" + ], + "links": { + "computer": "data[75]_links_computer", + "trajectory": "data[75]_links_trajectory", + "group": "data[75]_links_group" + }, + "cdhash": "data[75]_cdhash", + "timestamp": "data[75]_timestamp", + "timestamp_nanoseconds": "data[75]_timestamp_nanoseconds", + "date": "data[75]_date", + "query_type": "data[75]_query_type", + "network_info": { + "dirty_url": "data[75]_network_info_dirty_url", + "remote_ip": "data[75]_network_info_remote_ip", + "remote_port": "data[75]_network_info_remote_port", + "local_ip": "data[75]_network_info_local_ip", + "local_port": "data[75]_network_info_local_port", + "direction": "data[75]_network_info_direction", + "protocol": "data[75]_network_info_protocol" + }, + "ver": "data[75]_ver" + }, + { + "connector_guid": "data[76]_connector_guid", + "bundle_id": "data[76]_bundle_id", + "group_guids": [ + "data[76]_group_guids_0" + ], + "links": { + "computer": "data[76]_links_computer", + "trajectory": "data[76]_links_trajectory", + "group": "data[76]_links_group" + }, + "cdhash": "data[76]_cdhash", + "timestamp": "data[76]_timestamp", + "timestamp_nanoseconds": "data[76]_timestamp_nanoseconds", + "date": "data[76]_date", + "query_type": "data[76]_query_type", + "network_info": { + "dirty_url": "data[76]_network_info_dirty_url", + "remote_ip": "data[76]_network_info_remote_ip", + "remote_port": "data[76]_network_info_remote_port", + "local_ip": "data[76]_network_info_local_ip", + "local_port": "data[76]_network_info_local_port", + "direction": "data[76]_network_info_direction", + "protocol": "data[76]_network_info_protocol" + }, + "ver": "data[76]_ver" + }, + { + "connector_guid": "data[77]_connector_guid", + "bundle_id": "data[77]_bundle_id", + "group_guids": [ + "data[77]_group_guids_0" + ], + "links": { + "computer": "data[77]_links_computer", + "trajectory": "data[77]_links_trajectory", + "group": "data[77]_links_group" + }, + "cdhash": "data[77]_cdhash", + "timestamp": "data[77]_timestamp", + "timestamp_nanoseconds": "data[77]_timestamp_nanoseconds", + "date": "data[77]_date", + "query_type": "data[77]_query_type", + "network_info": { + "dirty_url": "data[77]_network_info_dirty_url", + "remote_ip": "data[77]_network_info_remote_ip", + "remote_port": "data[77]_network_info_remote_port", + "local_ip": "data[77]_network_info_local_ip", + "local_port": "data[77]_network_info_local_port", + "direction": "data[77]_network_info_direction", + "protocol": "data[77]_network_info_protocol" + }, + "ver": "data[77]_ver" + }, + { + "connector_guid": "data[78]_connector_guid", + "bundle_id": "data[78]_bundle_id", + "group_guids": [ + "data[78]_group_guids_0" + ], + "links": { + "computer": "data[78]_links_computer", + "trajectory": "data[78]_links_trajectory", + "group": "data[78]_links_group" + }, + "cdhash": "data[78]_cdhash", + "timestamp": "data[78]_timestamp", + "timestamp_nanoseconds": "data[78]_timestamp_nanoseconds", + "date": "data[78]_date", + "query_type": "data[78]_query_type", + "network_info": { + "dirty_url": "data[78]_network_info_dirty_url", + "remote_ip": "data[78]_network_info_remote_ip", + "remote_port": "data[78]_network_info_remote_port", + "local_ip": "data[78]_network_info_local_ip", + "local_port": "data[78]_network_info_local_port", + "direction": "data[78]_network_info_direction", + "protocol": "data[78]_network_info_protocol" + }, + "ver": "data[78]_ver" + }, + { + "connector_guid": "data[79]_connector_guid", + "bundle_id": "data[79]_bundle_id", + "group_guids": [ + "data[79]_group_guids_0" + ], + "links": { + "computer": "data[79]_links_computer", + "trajectory": "data[79]_links_trajectory", + "group": "data[79]_links_group" + }, + "cdhash": "data[79]_cdhash", + "timestamp": "data[79]_timestamp", + "timestamp_nanoseconds": "data[79]_timestamp_nanoseconds", + "date": "data[79]_date", + "query_type": "data[79]_query_type", + "network_info": { + "dirty_url": "data[79]_network_info_dirty_url", + "remote_ip": "data[79]_network_info_remote_ip", + "remote_port": "data[79]_network_info_remote_port", + "local_ip": "data[79]_network_info_local_ip", + "local_port": "data[79]_network_info_local_port", + "direction": "data[79]_network_info_direction", + "protocol": "data[79]_network_info_protocol" + }, + "ver": "data[79]_ver" + }, + { + "connector_guid": "data[80]_connector_guid", + "bundle_id": "data[80]_bundle_id", + "group_guids": [ + "data[80]_group_guids_0" + ], + "links": { + "computer": "data[80]_links_computer", + "trajectory": "data[80]_links_trajectory", + "group": "data[80]_links_group" + }, + "cdhash": "data[80]_cdhash", + "timestamp": "data[80]_timestamp", + "timestamp_nanoseconds": "data[80]_timestamp_nanoseconds", + "date": "data[80]_date", + "query_type": "data[80]_query_type", + "network_info": { + "dirty_url": "data[80]_network_info_dirty_url", + "remote_ip": "data[80]_network_info_remote_ip", + "remote_port": "data[80]_network_info_remote_port", + "local_ip": "data[80]_network_info_local_ip", + "local_port": "data[80]_network_info_local_port", + "direction": "data[80]_network_info_direction", + "protocol": "data[80]_network_info_protocol" + }, + "ver": "data[80]_ver" + }, + { + "connector_guid": "data[81]_connector_guid", + "bundle_id": "data[81]_bundle_id", + "group_guids": [ + "data[81]_group_guids_0" + ], + "links": { + "computer": "data[81]_links_computer", + "trajectory": "data[81]_links_trajectory", + "group": "data[81]_links_group" + }, + "cdhash": "data[81]_cdhash", + "timestamp": "data[81]_timestamp", + "timestamp_nanoseconds": "data[81]_timestamp_nanoseconds", + "date": "data[81]_date", + "query_type": "data[81]_query_type", + "network_info": { + "dirty_url": "data[81]_network_info_dirty_url", + "remote_ip": "data[81]_network_info_remote_ip", + "remote_port": "data[81]_network_info_remote_port", + "local_ip": "data[81]_network_info_local_ip", + "local_port": "data[81]_network_info_local_port", + "direction": "data[81]_network_info_direction", + "protocol": "data[81]_network_info_protocol" + }, + "ver": "data[81]_ver" + }, + { + "connector_guid": "data[82]_connector_guid", + "bundle_id": "data[82]_bundle_id", + "group_guids": [ + "data[82]_group_guids_0" + ], + "links": { + "computer": "data[82]_links_computer", + "trajectory": "data[82]_links_trajectory", + "group": "data[82]_links_group" + }, + "cdhash": "data[82]_cdhash", + "timestamp": "data[82]_timestamp", + "timestamp_nanoseconds": "data[82]_timestamp_nanoseconds", + "date": "data[82]_date", + "query_type": "data[82]_query_type", + "network_info": { + "dirty_url": "data[82]_network_info_dirty_url", + "remote_ip": "data[82]_network_info_remote_ip", + "remote_port": "data[82]_network_info_remote_port", + "local_ip": "data[82]_network_info_local_ip", + "local_port": "data[82]_network_info_local_port", + "direction": "data[82]_network_info_direction", + "protocol": "data[82]_network_info_protocol" + }, + "ver": "data[82]_ver" + }, + { + "connector_guid": "data[83]_connector_guid", + "bundle_id": "data[83]_bundle_id", + "group_guids": [ + "data[83]_group_guids_0" + ], + "links": { + "computer": "data[83]_links_computer", + "trajectory": "data[83]_links_trajectory", + "group": "data[83]_links_group" + }, + "cdhash": "data[83]_cdhash", + "timestamp": "data[83]_timestamp", + "timestamp_nanoseconds": "data[83]_timestamp_nanoseconds", + "date": "data[83]_date", + "query_type": "data[83]_query_type", + "network_info": { + "dirty_url": "data[83]_network_info_dirty_url", + "remote_ip": "data[83]_network_info_remote_ip", + "remote_port": "data[83]_network_info_remote_port", + "local_ip": "data[83]_network_info_local_ip", + "local_port": "data[83]_network_info_local_port", + "direction": "data[83]_network_info_direction", + "protocol": "data[83]_network_info_protocol" + }, + "ver": "data[83]_ver" + }, + { + "connector_guid": "data[84]_connector_guid", + "bundle_id": "data[84]_bundle_id", + "group_guids": [ + "data[84]_group_guids_0" + ], + "links": { + "computer": "data[84]_links_computer", + "trajectory": "data[84]_links_trajectory", + "group": "data[84]_links_group" + }, + "cdhash": "data[84]_cdhash", + "timestamp": "data[84]_timestamp", + "timestamp_nanoseconds": "data[84]_timestamp_nanoseconds", + "date": "data[84]_date", + "query_type": "data[84]_query_type", + "network_info": { + "dirty_url": "data[84]_network_info_dirty_url", + "remote_ip": "data[84]_network_info_remote_ip", + "remote_port": "data[84]_network_info_remote_port", + "local_ip": "data[84]_network_info_local_ip", + "local_port": "data[84]_network_info_local_port", + "direction": "data[84]_network_info_direction", + "protocol": "data[84]_network_info_protocol" + }, + "ver": "data[84]_ver" + }, + { + "connector_guid": "data[85]_connector_guid", + "bundle_id": "data[85]_bundle_id", + "group_guids": [ + "data[85]_group_guids_0" + ], + "links": { + "computer": "data[85]_links_computer", + "trajectory": "data[85]_links_trajectory", + "group": "data[85]_links_group" + }, + "cdhash": "data[85]_cdhash", + "timestamp": "data[85]_timestamp", + "timestamp_nanoseconds": "data[85]_timestamp_nanoseconds", + "date": "data[85]_date", + "query_type": "data[85]_query_type", + "network_info": { + "dirty_url": "data[85]_network_info_dirty_url", + "remote_ip": "data[85]_network_info_remote_ip", + "remote_port": "data[85]_network_info_remote_port", + "local_ip": "data[85]_network_info_local_ip", + "local_port": "data[85]_network_info_local_port", + "direction": "data[85]_network_info_direction", + "protocol": "data[85]_network_info_protocol" + }, + "ver": "data[85]_ver" + }, + { + "connector_guid": "data[86]_connector_guid", + "bundle_id": "data[86]_bundle_id", + "group_guids": [ + "data[86]_group_guids_0" + ], + "links": { + "computer": "data[86]_links_computer", + "trajectory": "data[86]_links_trajectory", + "group": "data[86]_links_group" + }, + "cdhash": "data[86]_cdhash", + "timestamp": "data[86]_timestamp", + "timestamp_nanoseconds": "data[86]_timestamp_nanoseconds", + "date": "data[86]_date", + "query_type": "data[86]_query_type", + "network_info": { + "dirty_url": "data[86]_network_info_dirty_url", + "remote_ip": "data[86]_network_info_remote_ip", + "remote_port": "data[86]_network_info_remote_port", + "local_ip": "data[86]_network_info_local_ip", + "local_port": "data[86]_network_info_local_port", + "direction": "data[86]_network_info_direction", + "protocol": "data[86]_network_info_protocol" + }, + "ver": "data[86]_ver" + }, + { + "connector_guid": "data[87]_connector_guid", + "bundle_id": "data[87]_bundle_id", + "group_guids": [ + "data[87]_group_guids_0" + ], + "links": { + "computer": "data[87]_links_computer", + "trajectory": "data[87]_links_trajectory", + "group": "data[87]_links_group" + }, + "cdhash": "data[87]_cdhash", + "timestamp": "data[87]_timestamp", + "timestamp_nanoseconds": "data[87]_timestamp_nanoseconds", + "date": "data[87]_date", + "query_type": "data[87]_query_type", + "network_info": { + "dirty_url": "data[87]_network_info_dirty_url", + "remote_ip": "data[87]_network_info_remote_ip", + "remote_port": "data[87]_network_info_remote_port", + "local_ip": "data[87]_network_info_local_ip", + "local_port": "data[87]_network_info_local_port", + "direction": "data[87]_network_info_direction", + "protocol": "data[87]_network_info_protocol" + }, + "ver": "data[87]_ver" + }, + { + "connector_guid": "data[88]_connector_guid", + "bundle_id": "data[88]_bundle_id", + "group_guids": [ + "data[88]_group_guids_0" + ], + "links": { + "computer": "data[88]_links_computer", + "trajectory": "data[88]_links_trajectory", + "group": "data[88]_links_group" + }, + "cdhash": "data[88]_cdhash", + "timestamp": "data[88]_timestamp", + "timestamp_nanoseconds": "data[88]_timestamp_nanoseconds", + "date": "data[88]_date", + "query_type": "data[88]_query_type", + "network_info": { + "dirty_url": "data[88]_network_info_dirty_url", + "remote_ip": "data[88]_network_info_remote_ip", + "remote_port": "data[88]_network_info_remote_port", + "local_ip": "data[88]_network_info_local_ip", + "local_port": "data[88]_network_info_local_port", + "direction": "data[88]_network_info_direction", + "protocol": "data[88]_network_info_protocol" + }, + "ver": "data[88]_ver" + }, + { + "connector_guid": "data[89]_connector_guid", + "bundle_id": "data[89]_bundle_id", + "group_guids": [ + "data[89]_group_guids_0" + ], + "links": { + "computer": "data[89]_links_computer", + "trajectory": "data[89]_links_trajectory", + "group": "data[89]_links_group" + }, + "cdhash": "data[89]_cdhash", + "timestamp": "data[89]_timestamp", + "timestamp_nanoseconds": "data[89]_timestamp_nanoseconds", + "date": "data[89]_date", + "query_type": "data[89]_query_type", + "network_info": { + "dirty_url": "data[89]_network_info_dirty_url", + "remote_ip": "data[89]_network_info_remote_ip", + "remote_port": "data[89]_network_info_remote_port", + "local_ip": "data[89]_network_info_local_ip", + "local_port": "data[89]_network_info_local_port", + "direction": "data[89]_network_info_direction", + "protocol": "data[89]_network_info_protocol" + }, + "ver": "data[89]_ver" + }, + { + "connector_guid": "data[90]_connector_guid", + "bundle_id": "data[90]_bundle_id", + "group_guids": [ + "data[90]_group_guids_0" + ], + "links": { + "computer": "data[90]_links_computer", + "trajectory": "data[90]_links_trajectory", + "group": "data[90]_links_group" + }, + "cdhash": "data[90]_cdhash", + "timestamp": "data[90]_timestamp", + "timestamp_nanoseconds": "data[90]_timestamp_nanoseconds", + "date": "data[90]_date", + "query_type": "data[90]_query_type", + "network_info": { + "dirty_url": "data[90]_network_info_dirty_url", + "remote_ip": "data[90]_network_info_remote_ip", + "remote_port": "data[90]_network_info_remote_port", + "local_ip": "data[90]_network_info_local_ip", + "local_port": "data[90]_network_info_local_port", + "direction": "data[90]_network_info_direction", + "protocol": "data[90]_network_info_protocol" + }, + "ver": "data[90]_ver" + }, + { + "connector_guid": "data[91]_connector_guid", + "bundle_id": "data[91]_bundle_id", + "group_guids": [ + "data[91]_group_guids_0" + ], + "links": { + "computer": "data[91]_links_computer", + "trajectory": "data[91]_links_trajectory", + "group": "data[91]_links_group" + }, + "cdhash": "data[91]_cdhash", + "timestamp": "data[91]_timestamp", + "timestamp_nanoseconds": "data[91]_timestamp_nanoseconds", + "date": "data[91]_date", + "query_type": "data[91]_query_type", + "network_info": { + "dirty_url": "data[91]_network_info_dirty_url", + "remote_ip": "data[91]_network_info_remote_ip", + "remote_port": "data[91]_network_info_remote_port", + "local_ip": "data[91]_network_info_local_ip", + "local_port": "data[91]_network_info_local_port", + "direction": "data[91]_network_info_direction", + "protocol": "data[91]_network_info_protocol" + }, + "ver": "data[91]_ver" + }, + { + "connector_guid": "data[92]_connector_guid", + "bundle_id": "data[92]_bundle_id", + "group_guids": [ + "data[92]_group_guids_0" + ], + "links": { + "computer": "data[92]_links_computer", + "trajectory": "data[92]_links_trajectory", + "group": "data[92]_links_group" + }, + "cdhash": "data[92]_cdhash", + "timestamp": "data[92]_timestamp", + "timestamp_nanoseconds": "data[92]_timestamp_nanoseconds", + "date": "data[92]_date", + "query_type": "data[92]_query_type", + "network_info": { + "dirty_url": "data[92]_network_info_dirty_url", + "remote_ip": "data[92]_network_info_remote_ip", + "remote_port": "data[92]_network_info_remote_port", + "local_ip": "data[92]_network_info_local_ip", + "local_port": "data[92]_network_info_local_port", + "direction": "data[92]_network_info_direction", + "protocol": "data[92]_network_info_protocol" + }, + "ver": "data[92]_ver" + }, + { + "connector_guid": "data[93]_connector_guid", + "bundle_id": "data[93]_bundle_id", + "group_guids": [ + "data[93]_group_guids_0" + ], + "links": { + "computer": "data[93]_links_computer", + "trajectory": "data[93]_links_trajectory", + "group": "data[93]_links_group" + }, + "cdhash": "data[93]_cdhash", + "timestamp": "data[93]_timestamp", + "timestamp_nanoseconds": "data[93]_timestamp_nanoseconds", + "date": "data[93]_date", + "query_type": "data[93]_query_type", + "network_info": { + "dirty_url": "data[93]_network_info_dirty_url", + "remote_ip": "data[93]_network_info_remote_ip", + "remote_port": "data[93]_network_info_remote_port", + "local_ip": "data[93]_network_info_local_ip", + "local_port": "data[93]_network_info_local_port", + "direction": "data[93]_network_info_direction", + "protocol": "data[93]_network_info_protocol" + }, + "ver": "data[93]_ver" + }, + { + "connector_guid": "data[94]_connector_guid", + "bundle_id": "data[94]_bundle_id", + "group_guids": [ + "data[94]_group_guids_0" + ], + "links": { + "computer": "data[94]_links_computer", + "trajectory": "data[94]_links_trajectory", + "group": "data[94]_links_group" + }, + "cdhash": "data[94]_cdhash", + "timestamp": "data[94]_timestamp", + "timestamp_nanoseconds": "data[94]_timestamp_nanoseconds", + "date": "data[94]_date", + "query_type": "data[94]_query_type", + "network_info": { + "dirty_url": "data[94]_network_info_dirty_url", + "remote_ip": "data[94]_network_info_remote_ip", + "remote_port": "data[94]_network_info_remote_port", + "local_ip": "data[94]_network_info_local_ip", + "local_port": "data[94]_network_info_local_port", + "direction": "data[94]_network_info_direction", + "protocol": "data[94]_network_info_protocol" + }, + "ver": "data[94]_ver" + }, + { + "connector_guid": "data[95]_connector_guid", + "bundle_id": "data[95]_bundle_id", + "group_guids": [ + "data[95]_group_guids_0" + ], + "links": { + "computer": "data[95]_links_computer", + "trajectory": "data[95]_links_trajectory", + "group": "data[95]_links_group" + }, + "cdhash": "data[95]_cdhash", + "timestamp": "data[95]_timestamp", + "timestamp_nanoseconds": "data[95]_timestamp_nanoseconds", + "date": "data[95]_date", + "query_type": "data[95]_query_type", + "network_info": { + "dirty_url": "data[95]_network_info_dirty_url", + "remote_ip": "data[95]_network_info_remote_ip", + "remote_port": "data[95]_network_info_remote_port", + "local_ip": "data[95]_network_info_local_ip", + "local_port": "data[95]_network_info_local_port", + "direction": "data[95]_network_info_direction", + "protocol": "data[95]_network_info_protocol" + }, + "ver": "data[95]_ver" + }, + { + "connector_guid": "data[96]_connector_guid", + "bundle_id": "data[96]_bundle_id", + "group_guids": [ + "data[96]_group_guids_0" + ], + "links": { + "computer": "data[96]_links_computer", + "trajectory": "data[96]_links_trajectory", + "group": "data[96]_links_group" + }, + "cdhash": "data[96]_cdhash", + "timestamp": "data[96]_timestamp", + "timestamp_nanoseconds": "data[96]_timestamp_nanoseconds", + "date": "data[96]_date", + "query_type": "data[96]_query_type", + "network_info": { + "dirty_url": "data[96]_network_info_dirty_url", + "remote_ip": "data[96]_network_info_remote_ip", + "remote_port": "data[96]_network_info_remote_port", + "local_ip": "data[96]_network_info_local_ip", + "local_port": "data[96]_network_info_local_port", + "direction": "data[96]_network_info_direction", + "protocol": "data[96]_network_info_protocol" + }, + "ver": "data[96]_ver" + }, + { + "connector_guid": "data[97]_connector_guid", + "bundle_id": "data[97]_bundle_id", + "group_guids": [ + "data[97]_group_guids_0" + ], + "links": { + "computer": "data[97]_links_computer", + "trajectory": "data[97]_links_trajectory", + "group": "data[97]_links_group" + }, + "cdhash": "data[97]_cdhash", + "timestamp": "data[97]_timestamp", + "timestamp_nanoseconds": "data[97]_timestamp_nanoseconds", + "date": "data[97]_date", + "query_type": "data[97]_query_type", + "network_info": { + "dirty_url": "data[97]_network_info_dirty_url", + "remote_ip": "data[97]_network_info_remote_ip", + "remote_port": "data[97]_network_info_remote_port", + "local_ip": "data[97]_network_info_local_ip", + "local_port": "data[97]_network_info_local_port", + "direction": "data[97]_network_info_direction", + "protocol": "data[97]_network_info_protocol" + }, + "ver": "data[97]_ver" + }, + { + "connector_guid": "data[98]_connector_guid", + "bundle_id": "data[98]_bundle_id", + "group_guids": [ + "data[98]_group_guids_0" + ], + "links": { + "computer": "data[98]_links_computer", + "trajectory": "data[98]_links_trajectory", + "group": "data[98]_links_group" + }, + "cdhash": "data[98]_cdhash", + "timestamp": "data[98]_timestamp", + "timestamp_nanoseconds": "data[98]_timestamp_nanoseconds", + "date": "data[98]_date", + "query_type": "data[98]_query_type", + "network_info": { + "dirty_url": "data[98]_network_info_dirty_url", + "remote_ip": "data[98]_network_info_remote_ip", + "remote_port": "data[98]_network_info_remote_port", + "local_ip": "data[98]_network_info_local_ip", + "local_port": "data[98]_network_info_local_port", + "direction": "data[98]_network_info_direction", + "protocol": "data[98]_network_info_protocol" + }, + "ver": "data[98]_ver" + }, + { + "connector_guid": "data[99]_connector_guid", + "bundle_id": "data[99]_bundle_id", + "group_guids": [ + "data[99]_group_guids_0" + ], + "links": { + "computer": "data[99]_links_computer", + "trajectory": "data[99]_links_trajectory", + "group": "data[99]_links_group" + }, + "cdhash": "data[99]_cdhash", + "timestamp": "data[99]_timestamp", + "timestamp_nanoseconds": "data[99]_timestamp_nanoseconds", + "date": "data[99]_date", + "query_type": "data[99]_query_type", + "network_info": { + "dirty_url": "data[99]_network_info_dirty_url", + "remote_ip": "data[99]_network_info_remote_ip", + "remote_port": "data[99]_network_info_remote_port", + "local_ip": "data[99]_network_info_local_ip", + "local_port": "data[99]_network_info_local_port", + "direction": "data[99]_network_info_direction", + "protocol": "data[99]_network_info_protocol" + }, + "ver": "data[99]_ver" + }, + { + "connector_guid": "data[100]_connector_guid", + "bundle_id": "data[100]_bundle_id", + "group_guids": [ + "data[100]_group_guids_0" + ], + "links": { + "computer": "data[100]_links_computer", + "trajectory": "data[100]_links_trajectory", + "group": "data[100]_links_group" + }, + "cdhash": "data[100]_cdhash", + "timestamp": "data[100]_timestamp", + "timestamp_nanoseconds": "data[100]_timestamp_nanoseconds", + "date": "data[100]_date", + "query_type": "data[100]_query_type", + "network_info": { + "dirty_url": "data[100]_network_info_dirty_url", + "remote_ip": "data[100]_network_info_remote_ip", + "remote_port": "data[100]_network_info_remote_port", + "local_ip": "data[100]_network_info_local_ip", + "local_port": "data[100]_network_info_local_port", + "direction": "data[100]_network_info_direction", + "protocol": "data[100]_network_info_protocol" + }, + "ver": "data[100]_ver" + }, + { + "connector_guid": "data[101]_connector_guid", + "bundle_id": "data[101]_bundle_id", + "group_guids": [ + "data[101]_group_guids_0" + ], + "links": { + "computer": "data[101]_links_computer", + "trajectory": "data[101]_links_trajectory", + "group": "data[101]_links_group" + }, + "cdhash": "data[101]_cdhash", + "timestamp": "data[101]_timestamp", + "timestamp_nanoseconds": "data[101]_timestamp_nanoseconds", + "date": "data[101]_date", + "query_type": "data[101]_query_type", + "network_info": { + "dirty_url": "data[101]_network_info_dirty_url", + "remote_ip": "data[101]_network_info_remote_ip", + "remote_port": "data[101]_network_info_remote_port", + "local_ip": "data[101]_network_info_local_ip", + "local_port": "data[101]_network_info_local_port", + "direction": "data[101]_network_info_direction", + "protocol": "data[101]_network_info_protocol" + }, + "ver": "data[101]_ver" + }, + { + "connector_guid": "data[102]_connector_guid", + "bundle_id": "data[102]_bundle_id", + "group_guids": [ + "data[102]_group_guids_0" + ], + "links": { + "computer": "data[102]_links_computer", + "trajectory": "data[102]_links_trajectory", + "group": "data[102]_links_group" + }, + "cdhash": "data[102]_cdhash", + "timestamp": "data[102]_timestamp", + "timestamp_nanoseconds": "data[102]_timestamp_nanoseconds", + "date": "data[102]_date", + "query_type": "data[102]_query_type", + "network_info": { + "dirty_url": "data[102]_network_info_dirty_url", + "remote_ip": "data[102]_network_info_remote_ip", + "remote_port": "data[102]_network_info_remote_port", + "local_ip": "data[102]_network_info_local_ip", + "local_port": "data[102]_network_info_local_port", + "direction": "data[102]_network_info_direction", + "protocol": "data[102]_network_info_protocol" + }, + "ver": "data[102]_ver" + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/computer_activity_response.json b/Packs/AMP/Integrations/AMPv2/test_data/computer_activity_response.json new file mode 100644 index 000000000000..4622d4fbf5d0 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/computer_activity_response.json @@ -0,0 +1,177 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": [ + { + "connector_guid": "data[0]_connector_guid", + "hostname": "data[0]_hostname", + "windows_processor_id": "data[0]_windows_processor_id", + "active": "data[0]_active", + "links": { + "computer": "data[0]_links_computer", + "trajectory": "data[0]_links_trajectory", + "group": "data[0]_links_group" + } + }, + { + "connector_guid": "data[1]_connector_guid", + "hostname": "data[1]_hostname", + "windows_processor_id": "data[1]_windows_processor_id", + "active": "data[1]_active", + "links": { + "computer": "data[1]_links_computer", + "trajectory": "data[1]_links_trajectory", + "group": "data[1]_links_group" + } + }, + { + "connector_guid": "data[2]_connector_guid", + "hostname": "data[2]_hostname", + "windows_processor_id": "data[2]_windows_processor_id", + "active": "data[2]_active", + "links": { + "group": "data[2]_links_group" + } + }, + { + "connector_guid": "data[3]_connector_guid", + "hostname": "data[3]_hostname", + "windows_processor_id": "data[3]_windows_processor_id", + "active": "data[3]_active", + "links": { + "computer": "data[3]_links_computer", + "trajectory": "data[3]_links_trajectory", + "group": "data[3]_links_group" + } + }, + { + "connector_guid": "data[4]_connector_guid", + "hostname": "data[4]_hostname", + "windows_processor_id": "data[4]_windows_processor_id", + "active": "data[4]_active", + "links": { + "computer": "data[4]_links_computer", + "trajectory": "data[4]_links_trajectory", + "group": "data[4]_links_group" + } + }, + { + "connector_guid": "data[5]_connector_guid", + "hostname": "data[5]_hostname", + "windows_processor_id": "data[5]_windows_processor_id", + "active": "data[5]_active", + "links": { + "computer": "data[5]_links_computer", + "trajectory": "data[5]_links_trajectory", + "group": "data[5]_links_group" + } + }, + { + "connector_guid": "data[6]_connector_guid", + "hostname": "data[6]_hostname", + "windows_processor_id": "data[6]_windows_processor_id", + "active": "data[6]_active", + "links": { + "computer": "data[6]_links_computer", + "trajectory": "data[6]_links_trajectory", + "group": "data[6]_links_group" + } + }, + { + "connector_guid": "data[7]_connector_guid", + "hostname": "data[7]_hostname", + "windows_processor_id": "data[7]_windows_processor_id", + "active": "data[7]_active", + "links": { + "group": "data[7]_links_group" + } + }, + { + "connector_guid": "data[8]_connector_guid", + "hostname": "data[8]_hostname", + "windows_processor_id": "data[8]_windows_processor_id", + "active": "data[8]_active", + "links": { + "computer": "data[8]_links_computer", + "trajectory": "data[8]_links_trajectory", + "group": "data[8]_links_group" + } + }, + { + "connector_guid": "data[9]_connector_guid", + "hostname": "data[9]_hostname", + "windows_processor_id": "data[9]_windows_processor_id", + "active": "data[9]_active", + "links": { + "computer": "data[9]_links_computer", + "trajectory": "data[9]_links_trajectory", + "group": "data[9]_links_group" + } + }, + { + "connector_guid": "data[10]_connector_guid", + "hostname": "data[10]_hostname", + "windows_processor_id": "data[10]_windows_processor_id", + "active": "data[10]_active", + "links": { + "computer": "data[10]_links_computer", + "trajectory": "data[10]_links_trajectory", + "group": "data[10]_links_group" + } + }, + { + "connector_guid": "data[11]_connector_guid", + "hostname": "data[11]_hostname", + "windows_processor_id": "data[11]_windows_processor_id", + "active": "data[11]_active", + "links": { + "computer": "data[11]_links_computer", + "trajectory": "data[11]_links_trajectory", + "group": "data[11]_links_group" + } + }, + { + "connector_guid": "data[12]_connector_guid", + "hostname": "data[12]_hostname", + "windows_processor_id": "data[12]_windows_processor_id", + "active": "data[12]_active", + "links": { + "computer": "data[12]_links_computer", + "trajectory": "data[12]_links_trajectory", + "group": "data[12]_links_group" + } + }, + { + "connector_guid": "data[13]_connector_guid", + "hostname": "data[13]_hostname", + "windows_processor_id": "data[13]_windows_processor_id", + "active": "data[13]_active", + "links": { + "computer": "data[13]_links_computer", + "trajectory": "data[13]_links_trajectory", + "group": "data[13]_links_group" + } + }, + { + "connector_guid": "data[14]_connector_guid", + "hostname": "data[14]_hostname", + "windows_processor_id": "data[14]_windows_processor_id", + "active": "data[14]_active", + "links": { + "computer": "data[14]_links_computer", + "trajectory": "data[14]_links_trajectory", + "group": "data[14]_links_group" + } + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/computer_delete_fail_response.json b/Packs/AMP/Integrations/AMPv2/test_data/computer_delete_fail_response.json new file mode 100644 index 000000000000..26bd2c7ac937 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/computer_delete_fail_response.json @@ -0,0 +1,12 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "deleted": false, + "connector_guid": "data_connector_guid" + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/computer_delete_response.json b/Packs/AMP/Integrations/AMPv2/test_data/computer_delete_response.json new file mode 100644 index 000000000000..8dfe9ab096a8 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/computer_delete_response.json @@ -0,0 +1,12 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "deleted": true, + "connector_guid": "data_connector_guid" + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/computer_get_response.json b/Packs/AMP/Integrations/AMPv2/test_data/computer_get_response.json new file mode 100644 index 000000000000..5f2b8bf831ae --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/computer_get_response.json @@ -0,0 +1,55 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "connector_guid": "data_connector_guid", + "hostname": "data_hostname", + "windows_processor_id": "data_windows_processor_id", + "active": "data_active", + "links": { + "computer": "data_links_computer", + "trajectory": "data_links_trajectory", + "group": "data_links_group" + }, + "connector_version": "data_connector_version", + "operating_system": "data_operating_system", + "os_version": "data_os_version", + "internal_ips": [ + "data_internal_ips_0" + ], + "external_ip": "data_external_ip", + "group_guid": "data_group_guid", + "install_date": "data_install_date", + "is_compromised": "data_is_compromised", + "demo": "data_demo", + "network_addresses": [ + { + "mac": "data_network_addresses[0]_mac", + "ip": "data_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data_policy_guid", + "name": "data_policy_name" + }, + "groups": [ + { + "guid": "data_groups[0]_guid", + "name": "data_groups[0]_name" + } + ], + "last_seen": "data_last_seen", + "faults": [], + "isolation": { + "available": "data_isolation_available", + "status": "data_isolation_status" + }, + "orbital": { + "status": "data_orbital_status" + } + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/computer_list_response.json b/Packs/AMP/Integrations/AMPv2/test_data/computer_list_response.json new file mode 100644 index 000000000000..06a533655cdd --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/computer_list_response.json @@ -0,0 +1,1617 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": [ + { + "connector_guid": "data[0]_connector_guid", + "hostname": "data[0]_hostname", + "windows_processor_id": "data[0]_windows_processor_id", + "active": "data[0]_active", + "links": { + "computer": "data[0]_links_computer", + "trajectory": "data[0]_links_trajectory", + "group": "data[0]_links_group" + }, + "connector_version": "data[0]_connector_version", + "operating_system": "data[0]_operating_system", + "os_version": "data[0]_os_version", + "internal_ips": [ + "data[0]_internal_ips_0" + ], + "external_ip": "data[0]_external_ip", + "group_guid": "data[0]_group_guid", + "install_date": "data[0]_install_date", + "is_compromised": "data[0]_is_compromised", + "demo": "data[0]_demo", + "network_addresses": [ + { + "mac": "data[0]_network_addresses[0]_mac", + "ip": "data[0]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[0]_policy_guid", + "name": "data[0]_policy_name" + }, + "groups": [ + { + "guid": "data[0]_groups[0]_guid", + "name": "data[0]_groups[0]_name" + } + ], + "last_seen": "data[0]_last_seen", + "faults": [], + "isolation": { + "available": "data[0]_isolation_available", + "status": "data[0]_isolation_status" + }, + "orbital": { + "status": "data[0]_orbital_status" + } + }, + { + "connector_guid": "data[1]_connector_guid", + "hostname": "data[1]_hostname", + "windows_processor_id": "data[1]_windows_processor_id", + "active": "data[1]_active", + "links": { + "computer": "data[1]_links_computer", + "trajectory": "data[1]_links_trajectory", + "group": "data[1]_links_group" + }, + "connector_version": "data[1]_connector_version", + "operating_system": "data[1]_operating_system", + "os_version": "data[1]_os_version", + "internal_ips": [ + "data[1]_internal_ips_0" + ], + "external_ip": "data[1]_external_ip", + "group_guid": "data[1]_group_guid", + "install_date": "data[1]_install_date", + "is_compromised": "data[1]_is_compromised", + "demo": "data[1]_demo", + "network_addresses": [ + { + "mac": "data[1]_network_addresses[0]_mac", + "ip": "data[1]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[1]_policy_guid", + "name": "data[1]_policy_name" + }, + "groups": [ + { + "guid": "data[1]_groups[0]_guid", + "name": "data[1]_groups[0]_name" + } + ], + "last_seen": "data[1]_last_seen", + "faults": [], + "isolation": { + "available": "data[1]_isolation_available", + "status": "data[1]_isolation_status" + }, + "orbital": { + "status": "data[1]_orbital_status" + } + }, + { + "connector_guid": "data[2]_connector_guid", + "hostname": "data[2]_hostname", + "windows_processor_id": "data[2]_windows_processor_id", + "active": "data[2]_active", + "links": { + "computer": "data[2]_links_computer", + "trajectory": "data[2]_links_trajectory", + "group": "data[2]_links_group" + }, + "connector_version": "data[2]_connector_version", + "operating_system": "data[2]_operating_system", + "os_version": "data[2]_os_version", + "internal_ips": [ + "data[2]_internal_ips_0" + ], + "external_ip": "data[2]_external_ip", + "group_guid": "data[2]_group_guid", + "install_date": "data[2]_install_date", + "is_compromised": "data[2]_is_compromised", + "demo": "data[2]_demo", + "network_addresses": [ + { + "mac": "data[2]_network_addresses[0]_mac", + "ip": "data[2]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[2]_policy_guid", + "name": "data[2]_policy_name" + }, + "groups": [ + { + "guid": "data[2]_groups[0]_guid", + "name": "data[2]_groups[0]_name" + } + ], + "last_seen": "data[2]_last_seen", + "faults": [], + "isolation": { + "available": "data[2]_isolation_available", + "status": "data[2]_isolation_status" + }, + "orbital": { + "status": "data[2]_orbital_status" + } + }, + { + "connector_guid": "data[3]_connector_guid", + "hostname": "data[3]_hostname", + "windows_processor_id": "data[3]_windows_processor_id", + "active": "data[3]_active", + "links": { + "computer": "data[3]_links_computer", + "trajectory": "data[3]_links_trajectory", + "group": "data[3]_links_group" + }, + "connector_version": "data[3]_connector_version", + "operating_system": "data[3]_operating_system", + "os_version": "data[3]_os_version", + "internal_ips": [ + "data[3]_internal_ips_0" + ], + "external_ip": "data[3]_external_ip", + "group_guid": "data[3]_group_guid", + "install_date": "data[3]_install_date", + "is_compromised": "data[3]_is_compromised", + "demo": "data[3]_demo", + "network_addresses": [ + { + "mac": "data[3]_network_addresses[0]_mac", + "ip": "data[3]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[3]_policy_guid", + "name": "data[3]_policy_name" + }, + "groups": [ + { + "guid": "data[3]_groups[0]_guid", + "name": "data[3]_groups[0]_name" + } + ], + "last_seen": "data[3]_last_seen", + "faults": [], + "isolation": { + "available": "data[3]_isolation_available", + "status": "data[3]_isolation_status" + }, + "orbital": { + "status": "data[3]_orbital_status" + } + }, + { + "connector_guid": "data[4]_connector_guid", + "hostname": "data[4]_hostname", + "windows_processor_id": "data[4]_windows_processor_id", + "active": "data[4]_active", + "links": { + "computer": "data[4]_links_computer", + "trajectory": "data[4]_links_trajectory", + "group": "data[4]_links_group" + }, + "connector_version": "data[4]_connector_version", + "operating_system": "data[4]_operating_system", + "os_version": "data[4]_os_version", + "internal_ips": [ + "data[4]_internal_ips_0" + ], + "external_ip": "data[4]_external_ip", + "group_guid": "data[4]_group_guid", + "install_date": "data[4]_install_date", + "is_compromised": "data[4]_is_compromised", + "demo": "data[4]_demo", + "network_addresses": [ + { + "mac": "data[4]_network_addresses[0]_mac", + "ip": "data[4]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[4]_policy_guid", + "name": "data[4]_policy_name" + }, + "groups": [ + { + "guid": "data[4]_groups[0]_guid", + "name": "data[4]_groups[0]_name" + } + ], + "last_seen": "data[4]_last_seen", + "faults": [], + "isolation": { + "available": "data[4]_isolation_available", + "status": "data[4]_isolation_status" + }, + "orbital": { + "status": "data[4]_orbital_status" + } + }, + { + "connector_guid": "data[5]_connector_guid", + "hostname": "data[5]_hostname", + "windows_processor_id": "data[5]_windows_processor_id", + "active": "data[5]_active", + "links": { + "computer": "data[5]_links_computer", + "trajectory": "data[5]_links_trajectory", + "group": "data[5]_links_group" + }, + "connector_version": "data[5]_connector_version", + "operating_system": "data[5]_operating_system", + "os_version": "data[5]_os_version", + "internal_ips": [ + "data[5]_internal_ips_0" + ], + "external_ip": "data[5]_external_ip", + "group_guid": "data[5]_group_guid", + "install_date": "data[5]_install_date", + "is_compromised": "data[5]_is_compromised", + "demo": "data[5]_demo", + "network_addresses": [ + { + "mac": "data[5]_network_addresses[0]_mac", + "ip": "data[5]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[5]_policy_guid", + "name": "data[5]_policy_name" + }, + "groups": [ + { + "guid": "data[5]_groups[0]_guid", + "name": "data[5]_groups[0]_name" + } + ], + "last_seen": "data[5]_last_seen", + "faults": [], + "isolation": { + "available": "data[5]_isolation_available", + "status": "data[5]_isolation_status" + }, + "orbital": { + "status": "data[5]_orbital_status" + } + }, + { + "connector_guid": "data[6]_connector_guid", + "hostname": "data[6]_hostname", + "windows_processor_id": "data[6]_windows_processor_id", + "active": "data[6]_active", + "links": { + "computer": "data[6]_links_computer", + "trajectory": "data[6]_links_trajectory", + "group": "data[6]_links_group" + }, + "connector_version": "data[6]_connector_version", + "operating_system": "data[6]_operating_system", + "os_version": "data[6]_os_version", + "internal_ips": [ + "data[6]_internal_ips_0" + ], + "external_ip": "data[6]_external_ip", + "group_guid": "data[6]_group_guid", + "install_date": "data[6]_install_date", + "is_compromised": "data[6]_is_compromised", + "demo": "data[6]_demo", + "network_addresses": [ + { + "mac": "data[6]_network_addresses[0]_mac", + "ip": "data[6]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[6]_policy_guid", + "name": "data[6]_policy_name" + }, + "groups": [ + { + "guid": "data[6]_groups[0]_guid", + "name": "data[6]_groups[0]_name" + } + ], + "last_seen": "data[6]_last_seen", + "faults": [], + "isolation": { + "available": "data[6]_isolation_available", + "status": "data[6]_isolation_status" + }, + "orbital": { + "status": "data[6]_orbital_status" + } + }, + { + "connector_guid": "data[7]_connector_guid", + "hostname": "data[7]_hostname", + "windows_processor_id": "data[7]_windows_processor_id", + "active": "data[7]_active", + "links": { + "computer": "data[7]_links_computer", + "trajectory": "data[7]_links_trajectory", + "group": "data[7]_links_group" + }, + "connector_version": "data[7]_connector_version", + "operating_system": "data[7]_operating_system", + "os_version": "data[7]_os_version", + "internal_ips": [ + "data[7]_internal_ips_0" + ], + "external_ip": "data[7]_external_ip", + "group_guid": "data[7]_group_guid", + "install_date": "data[7]_install_date", + "is_compromised": "data[7]_is_compromised", + "demo": "data[7]_demo", + "network_addresses": [ + { + "mac": "data[7]_network_addresses[0]_mac", + "ip": "data[7]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[7]_policy_guid", + "name": "data[7]_policy_name" + }, + "groups": [ + { + "guid": "data[7]_groups[0]_guid", + "name": "data[7]_groups[0]_name" + } + ], + "last_seen": "data[7]_last_seen", + "faults": [], + "isolation": { + "available": "data[7]_isolation_available", + "status": "data[7]_isolation_status" + }, + "orbital": { + "status": "data[7]_orbital_status" + } + }, + { + "connector_guid": "data[8]_connector_guid", + "hostname": "data[8]_hostname", + "windows_processor_id": "data[8]_windows_processor_id", + "active": "data[8]_active", + "links": { + "computer": "data[8]_links_computer", + "trajectory": "data[8]_links_trajectory", + "group": "data[8]_links_group" + }, + "connector_version": "data[8]_connector_version", + "operating_system": "data[8]_operating_system", + "os_version": "data[8]_os_version", + "internal_ips": [ + "data[8]_internal_ips_0" + ], + "external_ip": "data[8]_external_ip", + "group_guid": "data[8]_group_guid", + "install_date": "data[8]_install_date", + "is_compromised": "data[8]_is_compromised", + "demo": "data[8]_demo", + "network_addresses": [ + { + "mac": "data[8]_network_addresses[0]_mac", + "ip": "data[8]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[8]_policy_guid", + "name": "data[8]_policy_name" + }, + "groups": [ + { + "guid": "data[8]_groups[0]_guid", + "name": "data[8]_groups[0]_name" + } + ], + "last_seen": "data[8]_last_seen", + "faults": [], + "isolation": { + "available": "data[8]_isolation_available", + "status": "data[8]_isolation_status" + }, + "orbital": { + "status": "data[8]_orbital_status" + } + }, + { + "connector_guid": "data[9]_connector_guid", + "hostname": "data[9]_hostname", + "windows_processor_id": "data[9]_windows_processor_id", + "active": "data[9]_active", + "links": { + "computer": "data[9]_links_computer", + "trajectory": "data[9]_links_trajectory", + "group": "data[9]_links_group" + }, + "connector_version": "data[9]_connector_version", + "operating_system": "data[9]_operating_system", + "os_version": "data[9]_os_version", + "internal_ips": [ + "data[9]_internal_ips_0" + ], + "external_ip": "data[9]_external_ip", + "group_guid": "data[9]_group_guid", + "install_date": "data[9]_install_date", + "is_compromised": "data[9]_is_compromised", + "demo": "data[9]_demo", + "network_addresses": [ + { + "mac": "data[9]_network_addresses[0]_mac", + "ip": "data[9]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[9]_policy_guid", + "name": "data[9]_policy_name" + }, + "groups": [ + { + "guid": "data[9]_groups[0]_guid", + "name": "data[9]_groups[0]_name" + } + ], + "last_seen": "data[9]_last_seen", + "faults": [], + "isolation": { + "available": "data[9]_isolation_available", + "status": "data[9]_isolation_status" + }, + "orbital": { + "status": "data[9]_orbital_status" + } + }, + { + "connector_guid": "data[10]_connector_guid", + "hostname": "data[10]_hostname", + "windows_processor_id": "data[10]_windows_processor_id", + "active": "data[10]_active", + "links": { + "computer": "data[10]_links_computer", + "trajectory": "data[10]_links_trajectory", + "group": "data[10]_links_group" + }, + "connector_version": "data[10]_connector_version", + "operating_system": "data[10]_operating_system", + "os_version": "data[10]_os_version", + "internal_ips": [ + "data[10]_internal_ips_0" + ], + "external_ip": "data[10]_external_ip", + "group_guid": "data[10]_group_guid", + "install_date": "data[10]_install_date", + "is_compromised": "data[10]_is_compromised", + "demo": "data[10]_demo", + "network_addresses": [ + { + "mac": "data[10]_network_addresses[0]_mac", + "ip": "data[10]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[10]_policy_guid", + "name": "data[10]_policy_name" + }, + "groups": [ + { + "guid": "data[10]_groups[0]_guid", + "name": "data[10]_groups[0]_name" + } + ], + "last_seen": "data[10]_last_seen", + "faults": [], + "isolation": { + "available": "data[10]_isolation_available", + "status": "data[10]_isolation_status" + }, + "orbital": { + "status": "data[10]_orbital_status" + } + }, + { + "connector_guid": "data[11]_connector_guid", + "hostname": "data[11]_hostname", + "windows_processor_id": "data[11]_windows_processor_id", + "active": "data[11]_active", + "links": { + "computer": "data[11]_links_computer", + "trajectory": "data[11]_links_trajectory", + "group": "data[11]_links_group" + }, + "connector_version": "data[11]_connector_version", + "operating_system": "data[11]_operating_system", + "os_version": "data[11]_os_version", + "internal_ips": [ + "data[11]_internal_ips_0" + ], + "external_ip": "data[11]_external_ip", + "group_guid": "data[11]_group_guid", + "install_date": "data[11]_install_date", + "is_compromised": "data[11]_is_compromised", + "demo": "data[11]_demo", + "network_addresses": [ + { + "mac": "data[11]_network_addresses[0]_mac", + "ip": "data[11]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[11]_policy_guid", + "name": "data[11]_policy_name" + }, + "groups": [ + { + "guid": "data[11]_groups[0]_guid", + "name": "data[11]_groups[0]_name" + } + ], + "last_seen": "data[11]_last_seen", + "faults": [], + "isolation": { + "available": "data[11]_isolation_available", + "status": "data[11]_isolation_status" + }, + "orbital": { + "status": "data[11]_orbital_status" + } + }, + { + "connector_guid": "data[12]_connector_guid", + "hostname": "data[12]_hostname", + "windows_processor_id": "data[12]_windows_processor_id", + "active": "data[12]_active", + "links": { + "computer": "data[12]_links_computer", + "trajectory": "data[12]_links_trajectory", + "group": "data[12]_links_group" + }, + "connector_version": "data[12]_connector_version", + "operating_system": "data[12]_operating_system", + "os_version": "data[12]_os_version", + "internal_ips": [ + "data[12]_internal_ips_0" + ], + "external_ip": "data[12]_external_ip", + "group_guid": "data[12]_group_guid", + "install_date": "data[12]_install_date", + "is_compromised": "data[12]_is_compromised", + "demo": "data[12]_demo", + "network_addresses": [ + { + "mac": "data[12]_network_addresses[0]_mac", + "ip": "data[12]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[12]_policy_guid", + "name": "data[12]_policy_name" + }, + "groups": [ + { + "guid": "data[12]_groups[0]_guid", + "name": "data[12]_groups[0]_name" + } + ], + "last_seen": "data[12]_last_seen", + "faults": [], + "isolation": { + "available": "data[12]_isolation_available", + "status": "data[12]_isolation_status" + }, + "orbital": { + "status": "data[12]_orbital_status" + } + }, + { + "connector_guid": "data[13]_connector_guid", + "hostname": "data[13]_hostname", + "windows_processor_id": "data[13]_windows_processor_id", + "active": "data[13]_active", + "links": { + "computer": "data[13]_links_computer", + "trajectory": "data[13]_links_trajectory", + "group": "data[13]_links_group" + }, + "connector_version": "data[13]_connector_version", + "operating_system": "data[13]_operating_system", + "os_version": "data[13]_os_version", + "internal_ips": [ + "data[13]_internal_ips_0" + ], + "external_ip": "data[13]_external_ip", + "group_guid": "data[13]_group_guid", + "install_date": "data[13]_install_date", + "is_compromised": "data[13]_is_compromised", + "demo": "data[13]_demo", + "network_addresses": [ + { + "mac": "data[13]_network_addresses[0]_mac", + "ip": "data[13]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[13]_policy_guid", + "name": "data[13]_policy_name" + }, + "groups": [ + { + "guid": "data[13]_groups[0]_guid", + "name": "data[13]_groups[0]_name" + } + ], + "last_seen": "data[13]_last_seen", + "faults": [], + "isolation": { + "available": "data[13]_isolation_available", + "status": "data[13]_isolation_status" + }, + "orbital": { + "status": "data[13]_orbital_status" + } + }, + { + "connector_guid": "data[14]_connector_guid", + "hostname": "data[14]_hostname", + "active": "data[14]_active", + "links": { + "computer": "data[14]_links_computer", + "trajectory": "data[14]_links_trajectory", + "group": "data[14]_links_group" + }, + "connector_version": "data[14]_connector_version", + "operating_system": "data[14]_operating_system", + "os_version": "data[14]_os_version", + "internal_ips": [ + "data[14]_internal_ips_0" + ], + "external_ip": "data[14]_external_ip", + "group_guid": "data[14]_group_guid", + "install_date": "data[14]_install_date", + "is_compromised": "data[14]_is_compromised", + "demo": "data[14]_demo", + "network_addresses": [ + { + "mac": "data[14]_network_addresses[0]_mac", + "ip": "data[14]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[14]_policy_guid", + "name": "data[14]_policy_name" + }, + "groups": [ + { + "guid": "data[14]_groups[0]_guid", + "name": "data[14]_groups[0]_name" + } + ], + "last_seen": "data[14]_last_seen", + "faults": [], + "isolation": { + "available": "data[14]_isolation_available", + "status": "data[14]_isolation_status" + }, + "orbital": { + "status": "data[14]_orbital_status" + } + }, + { + "connector_guid": "data[15]_connector_guid", + "hostname": "data[15]_hostname", + "active": "data[15]_active", + "links": { + "computer": "data[15]_links_computer", + "trajectory": "data[15]_links_trajectory", + "group": "data[15]_links_group" + }, + "connector_version": "data[15]_connector_version", + "operating_system": "data[15]_operating_system", + "os_version": "data[15]_os_version", + "internal_ips": [ + "data[15]_internal_ips_0" + ], + "external_ip": "data[15]_external_ip", + "group_guid": "data[15]_group_guid", + "install_date": "data[15]_install_date", + "is_compromised": "data[15]_is_compromised", + "demo": "data[15]_demo", + "network_addresses": [ + { + "mac": "data[15]_network_addresses[0]_mac", + "ip": "data[15]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[15]_policy_guid", + "name": "data[15]_policy_name" + }, + "groups": [ + { + "guid": "data[15]_groups[0]_guid", + "name": "data[15]_groups[0]_name" + } + ], + "last_seen": "data[15]_last_seen", + "faults": [], + "isolation": { + "available": "data[15]_isolation_available", + "status": "data[15]_isolation_status" + }, + "orbital": { + "status": "data[15]_orbital_status" + } + }, + { + "connector_guid": "data[16]_connector_guid", + "hostname": "data[16]_hostname", + "active": "data[16]_active", + "links": { + "computer": "data[16]_links_computer", + "trajectory": "data[16]_links_trajectory", + "group": "data[16]_links_group" + }, + "connector_version": "data[16]_connector_version", + "operating_system": "data[16]_operating_system", + "os_version": "data[16]_os_version", + "internal_ips": [ + "data[16]_internal_ips_0" + ], + "external_ip": "data[16]_external_ip", + "group_guid": "data[16]_group_guid", + "install_date": "data[16]_install_date", + "is_compromised": "data[16]_is_compromised", + "demo": "data[16]_demo", + "network_addresses": [ + { + "mac": "data[16]_network_addresses[0]_mac", + "ip": "data[16]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[16]_policy_guid", + "name": "data[16]_policy_name" + }, + "groups": [ + { + "guid": "data[16]_groups[0]_guid", + "name": "data[16]_groups[0]_name" + } + ], + "last_seen": "data[16]_last_seen", + "faults": [], + "isolation": { + "available": "data[16]_isolation_available", + "status": "data[16]_isolation_status" + }, + "orbital": { + "status": "data[16]_orbital_status" + } + }, + { + "connector_guid": "data[17]_connector_guid", + "hostname": "data[17]_hostname", + "active": "data[17]_active", + "links": { + "computer": "data[17]_links_computer", + "trajectory": "data[17]_links_trajectory", + "group": "data[17]_links_group" + }, + "connector_version": "data[17]_connector_version", + "operating_system": "data[17]_operating_system", + "os_version": "data[17]_os_version", + "internal_ips": [ + "data[17]_internal_ips_0" + ], + "external_ip": "data[17]_external_ip", + "group_guid": "data[17]_group_guid", + "install_date": "data[17]_install_date", + "is_compromised": "data[17]_is_compromised", + "demo": "data[17]_demo", + "network_addresses": [ + { + "mac": "data[17]_network_addresses[0]_mac", + "ip": "data[17]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[17]_policy_guid", + "name": "data[17]_policy_name" + }, + "groups": [ + { + "guid": "data[17]_groups[0]_guid", + "name": "data[17]_groups[0]_name" + } + ], + "last_seen": "data[17]_last_seen", + "faults": [], + "isolation": { + "available": "data[17]_isolation_available", + "status": "data[17]_isolation_status" + }, + "orbital": { + "status": "data[17]_orbital_status" + } + }, + { + "connector_guid": "data[18]_connector_guid", + "hostname": "data[18]_hostname", + "windows_processor_id": "data[18]_windows_processor_id", + "active": "data[18]_active", + "links": { + "computer": "data[18]_links_computer", + "trajectory": "data[18]_links_trajectory", + "group": "data[18]_links_group" + }, + "connector_version": "data[18]_connector_version", + "operating_system": "data[18]_operating_system", + "os_version": "data[18]_os_version", + "internal_ips": [ + "data[18]_internal_ips_0" + ], + "external_ip": "data[18]_external_ip", + "group_guid": "data[18]_group_guid", + "install_date": "data[18]_install_date", + "is_compromised": "data[18]_is_compromised", + "demo": "data[18]_demo", + "network_addresses": [ + { + "mac": "data[18]_network_addresses[0]_mac", + "ip": "data[18]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[18]_policy_guid", + "name": "data[18]_policy_name" + }, + "groups": [ + { + "guid": "data[18]_groups[0]_guid", + "name": "data[18]_groups[0]_name" + } + ], + "last_seen": "data[18]_last_seen", + "faults": [], + "isolation": { + "available": "data[18]_isolation_available", + "status": "data[18]_isolation_status" + }, + "orbital": { + "status": "data[18]_orbital_status" + } + }, + { + "connector_guid": "data[19]_connector_guid", + "hostname": "data[19]_hostname", + "windows_processor_id": "data[19]_windows_processor_id", + "active": "data[19]_active", + "links": { + "computer": "data[19]_links_computer", + "trajectory": "data[19]_links_trajectory", + "group": "data[19]_links_group" + }, + "connector_version": "data[19]_connector_version", + "operating_system": "data[19]_operating_system", + "os_version": "data[19]_os_version", + "internal_ips": [ + "data[19]_internal_ips_0" + ], + "external_ip": "data[19]_external_ip", + "group_guid": "data[19]_group_guid", + "install_date": "data[19]_install_date", + "is_compromised": "data[19]_is_compromised", + "demo": "data[19]_demo", + "network_addresses": [ + { + "mac": "data[19]_network_addresses[0]_mac", + "ip": "data[19]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[19]_policy_guid", + "name": "data[19]_policy_name" + }, + "groups": [ + { + "guid": "data[19]_groups[0]_guid", + "name": "data[19]_groups[0]_name" + } + ], + "last_seen": "data[19]_last_seen", + "faults": [], + "isolation": { + "available": "data[19]_isolation_available", + "status": "data[19]_isolation_status" + }, + "orbital": { + "status": "data[19]_orbital_status" + } + }, + { + "connector_guid": "data[20]_connector_guid", + "hostname": "data[20]_hostname", + "windows_processor_id": "data[20]_windows_processor_id", + "active": "data[20]_active", + "links": { + "computer": "data[20]_links_computer", + "trajectory": "data[20]_links_trajectory", + "group": "data[20]_links_group" + }, + "connector_version": "data[20]_connector_version", + "operating_system": "data[20]_operating_system", + "os_version": "data[20]_os_version", + "internal_ips": [ + "data[20]_internal_ips_0" + ], + "external_ip": "data[20]_external_ip", + "group_guid": "data[20]_group_guid", + "install_date": "data[20]_install_date", + "is_compromised": "data[20]_is_compromised", + "demo": "data[20]_demo", + "network_addresses": [ + { + "mac": "data[20]_network_addresses[0]_mac", + "ip": "data[20]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[20]_policy_guid", + "name": "data[20]_policy_name" + }, + "groups": [ + { + "guid": "data[20]_groups[0]_guid", + "name": "data[20]_groups[0]_name" + } + ], + "last_seen": "data[20]_last_seen", + "faults": [], + "isolation": { + "available": "data[20]_isolation_available", + "status": "data[20]_isolation_status" + }, + "orbital": { + "status": "data[20]_orbital_status" + } + }, + { + "connector_guid": "data[21]_connector_guid", + "hostname": "data[21]_hostname", + "windows_processor_id": "data[21]_windows_processor_id", + "active": "data[21]_active", + "links": { + "computer": "data[21]_links_computer", + "trajectory": "data[21]_links_trajectory", + "group": "data[21]_links_group" + }, + "connector_version": "data[21]_connector_version", + "operating_system": "data[21]_operating_system", + "os_version": "data[21]_os_version", + "internal_ips": [ + "data[21]_internal_ips_0" + ], + "external_ip": "data[21]_external_ip", + "group_guid": "data[21]_group_guid", + "install_date": "data[21]_install_date", + "is_compromised": "data[21]_is_compromised", + "demo": "data[21]_demo", + "network_addresses": [ + { + "mac": "data[21]_network_addresses[0]_mac", + "ip": "data[21]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[21]_policy_guid", + "name": "data[21]_policy_name" + }, + "groups": [ + { + "guid": "data[21]_groups[0]_guid", + "name": "data[21]_groups[0]_name" + } + ], + "last_seen": "data[21]_last_seen", + "faults": [], + "isolation": { + "available": "data[21]_isolation_available", + "status": "data[21]_isolation_status" + }, + "orbital": { + "status": "data[21]_orbital_status" + } + }, + { + "connector_guid": "data[22]_connector_guid", + "hostname": "data[22]_hostname", + "windows_processor_id": "data[22]_windows_processor_id", + "active": "data[22]_active", + "links": { + "computer": "data[22]_links_computer", + "trajectory": "data[22]_links_trajectory", + "group": "data[22]_links_group" + }, + "connector_version": "data[22]_connector_version", + "operating_system": "data[22]_operating_system", + "os_version": "data[22]_os_version", + "internal_ips": [ + "data[22]_internal_ips_0" + ], + "external_ip": "data[22]_external_ip", + "group_guid": "data[22]_group_guid", + "install_date": "data[22]_install_date", + "is_compromised": "data[22]_is_compromised", + "demo": "data[22]_demo", + "network_addresses": [ + { + "mac": "data[22]_network_addresses[0]_mac", + "ip": "data[22]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[22]_policy_guid", + "name": "data[22]_policy_name" + }, + "groups": [ + { + "guid": "data[22]_groups[0]_guid", + "name": "data[22]_groups[0]_name" + } + ], + "last_seen": "data[22]_last_seen", + "faults": [], + "isolation": { + "available": "data[22]_isolation_available", + "status": "data[22]_isolation_status" + }, + "orbital": { + "status": "data[22]_orbital_status" + } + }, + { + "connector_guid": "data[23]_connector_guid", + "hostname": "data[23]_hostname", + "windows_processor_id": "data[23]_windows_processor_id", + "active": "data[23]_active", + "links": { + "computer": "data[23]_links_computer", + "trajectory": "data[23]_links_trajectory", + "group": "data[23]_links_group" + }, + "connector_version": "data[23]_connector_version", + "operating_system": "data[23]_operating_system", + "os_version": "data[23]_os_version", + "internal_ips": [ + "data[23]_internal_ips_0" + ], + "external_ip": "data[23]_external_ip", + "group_guid": "data[23]_group_guid", + "install_date": "data[23]_install_date", + "is_compromised": "data[23]_is_compromised", + "demo": "data[23]_demo", + "network_addresses": [ + { + "mac": "data[23]_network_addresses[0]_mac", + "ip": "data[23]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[23]_policy_guid", + "name": "data[23]_policy_name" + }, + "groups": [ + { + "guid": "data[23]_groups[0]_guid", + "name": "data[23]_groups[0]_name" + } + ], + "last_seen": "data[23]_last_seen", + "faults": [], + "isolation": { + "available": "data[23]_isolation_available", + "status": "data[23]_isolation_status" + }, + "orbital": { + "status": "data[23]_orbital_status" + } + }, + { + "connector_guid": "data[24]_connector_guid", + "hostname": "data[24]_hostname", + "windows_processor_id": "data[24]_windows_processor_id", + "active": "data[24]_active", + "links": { + "computer": "data[24]_links_computer", + "trajectory": "data[24]_links_trajectory", + "group": "data[24]_links_group" + }, + "connector_version": "data[24]_connector_version", + "operating_system": "data[24]_operating_system", + "os_version": "data[24]_os_version", + "internal_ips": [ + "data[24]_internal_ips_0" + ], + "external_ip": "data[24]_external_ip", + "group_guid": "data[24]_group_guid", + "install_date": "data[24]_install_date", + "is_compromised": "data[24]_is_compromised", + "demo": "data[24]_demo", + "network_addresses": [ + { + "mac": "data[24]_network_addresses[0]_mac", + "ip": "data[24]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[24]_policy_guid", + "name": "data[24]_policy_name" + }, + "groups": [ + { + "guid": "data[24]_groups[0]_guid", + "name": "data[24]_groups[0]_name" + } + ], + "last_seen": "data[24]_last_seen", + "faults": [], + "isolation": { + "available": "data[24]_isolation_available", + "status": "data[24]_isolation_status" + }, + "orbital": { + "status": "data[24]_orbital_status" + } + }, + { + "connector_guid": "data[25]_connector_guid", + "hostname": "data[25]_hostname", + "windows_processor_id": "data[25]_windows_processor_id", + "active": "data[25]_active", + "links": { + "computer": "data[25]_links_computer", + "trajectory": "data[25]_links_trajectory", + "group": "data[25]_links_group" + }, + "connector_version": "data[25]_connector_version", + "operating_system": "data[25]_operating_system", + "os_version": "data[25]_os_version", + "internal_ips": [ + "data[25]_internal_ips_0" + ], + "external_ip": "data[25]_external_ip", + "group_guid": "data[25]_group_guid", + "install_date": "data[25]_install_date", + "is_compromised": "data[25]_is_compromised", + "demo": "data[25]_demo", + "network_addresses": [ + { + "mac": "data[25]_network_addresses[0]_mac", + "ip": "data[25]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[25]_policy_guid", + "name": "data[25]_policy_name" + }, + "groups": [ + { + "guid": "data[25]_groups[0]_guid", + "name": "data[25]_groups[0]_name" + } + ], + "last_seen": "data[25]_last_seen", + "faults": [], + "isolation": { + "available": "data[25]_isolation_available", + "status": "data[25]_isolation_status" + }, + "orbital": { + "status": "data[25]_orbital_status" + } + }, + { + "connector_guid": "data[26]_connector_guid", + "hostname": "data[26]_hostname", + "windows_processor_id": "data[26]_windows_processor_id", + "active": "data[26]_active", + "links": { + "computer": "data[26]_links_computer", + "trajectory": "data[26]_links_trajectory", + "group": "data[26]_links_group" + }, + "connector_version": "data[26]_connector_version", + "operating_system": "data[26]_operating_system", + "os_version": "data[26]_os_version", + "internal_ips": [ + "data[26]_internal_ips_0" + ], + "external_ip": "data[26]_external_ip", + "group_guid": "data[26]_group_guid", + "install_date": "data[26]_install_date", + "is_compromised": "data[26]_is_compromised", + "demo": "data[26]_demo", + "network_addresses": [ + { + "mac": "data[26]_network_addresses[0]_mac", + "ip": "data[26]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[26]_policy_guid", + "name": "data[26]_policy_name" + }, + "groups": [ + { + "guid": "data[26]_groups[0]_guid", + "name": "data[26]_groups[0]_name" + } + ], + "last_seen": "data[26]_last_seen", + "faults": [], + "isolation": { + "available": "data[26]_isolation_available", + "status": "data[26]_isolation_status" + }, + "orbital": { + "status": "data[26]_orbital_status" + } + }, + { + "connector_guid": "data[27]_connector_guid", + "hostname": "data[27]_hostname", + "windows_processor_id": "data[27]_windows_processor_id", + "active": "data[27]_active", + "links": { + "computer": "data[27]_links_computer", + "trajectory": "data[27]_links_trajectory", + "group": "data[27]_links_group" + }, + "connector_version": "data[27]_connector_version", + "operating_system": "data[27]_operating_system", + "os_version": "data[27]_os_version", + "internal_ips": [ + "data[27]_internal_ips_0" + ], + "external_ip": "data[27]_external_ip", + "group_guid": "data[27]_group_guid", + "install_date": "data[27]_install_date", + "is_compromised": "data[27]_is_compromised", + "demo": "data[27]_demo", + "network_addresses": [ + { + "mac": "data[27]_network_addresses[0]_mac", + "ip": "data[27]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[27]_policy_guid", + "name": "data[27]_policy_name" + }, + "groups": [ + { + "guid": "data[27]_groups[0]_guid", + "name": "data[27]_groups[0]_name" + } + ], + "last_seen": "data[27]_last_seen", + "faults": [], + "isolation": { + "available": "data[27]_isolation_available", + "status": "data[27]_isolation_status" + }, + "orbital": { + "status": "data[27]_orbital_status" + } + }, + { + "connector_guid": "data[28]_connector_guid", + "hostname": "data[28]_hostname", + "windows_processor_id": "data[28]_windows_processor_id", + "active": "data[28]_active", + "links": { + "computer": "data[28]_links_computer", + "trajectory": "data[28]_links_trajectory", + "group": "data[28]_links_group" + }, + "connector_version": "data[28]_connector_version", + "operating_system": "data[28]_operating_system", + "os_version": "data[28]_os_version", + "internal_ips": [ + "data[28]_internal_ips_0" + ], + "external_ip": "data[28]_external_ip", + "group_guid": "data[28]_group_guid", + "install_date": "data[28]_install_date", + "is_compromised": "data[28]_is_compromised", + "demo": "data[28]_demo", + "network_addresses": [ + { + "mac": "data[28]_network_addresses[0]_mac", + "ip": "data[28]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[28]_policy_guid", + "name": "data[28]_policy_name" + }, + "groups": [ + { + "guid": "data[28]_groups[0]_guid", + "name": "data[28]_groups[0]_name" + } + ], + "last_seen": "data[28]_last_seen", + "faults": [], + "isolation": { + "available": "data[28]_isolation_available", + "status": "data[28]_isolation_status" + }, + "orbital": { + "status": "data[28]_orbital_status" + } + }, + { + "connector_guid": "data[29]_connector_guid", + "hostname": "data[29]_hostname", + "windows_processor_id": "data[29]_windows_processor_id", + "active": "data[29]_active", + "links": { + "computer": "data[29]_links_computer", + "trajectory": "data[29]_links_trajectory", + "group": "data[29]_links_group" + }, + "connector_version": "data[29]_connector_version", + "operating_system": "data[29]_operating_system", + "os_version": "data[29]_os_version", + "internal_ips": [ + "data[29]_internal_ips_0" + ], + "external_ip": "data[29]_external_ip", + "group_guid": "data[29]_group_guid", + "install_date": "data[29]_install_date", + "is_compromised": "data[29]_is_compromised", + "demo": "data[29]_demo", + "network_addresses": [ + { + "mac": "data[29]_network_addresses[0]_mac", + "ip": "data[29]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[29]_policy_guid", + "name": "data[29]_policy_name" + }, + "groups": [ + { + "guid": "data[29]_groups[0]_guid", + "name": "data[29]_groups[0]_name" + } + ], + "last_seen": "data[29]_last_seen", + "faults": [], + "isolation": { + "available": "data[29]_isolation_available", + "status": "data[29]_isolation_status" + }, + "orbital": { + "status": "data[29]_orbital_status" + } + }, + { + "connector_guid": "data[30]_connector_guid", + "hostname": "data[30]_hostname", + "windows_processor_id": "data[30]_windows_processor_id", + "active": "data[30]_active", + "links": { + "computer": "data[30]_links_computer", + "trajectory": "data[30]_links_trajectory", + "group": "data[30]_links_group" + }, + "connector_version": "data[30]_connector_version", + "operating_system": "data[30]_operating_system", + "os_version": "data[30]_os_version", + "internal_ips": [ + "data[30]_internal_ips_0" + ], + "external_ip": "data[30]_external_ip", + "group_guid": "data[30]_group_guid", + "install_date": "data[30]_install_date", + "is_compromised": "data[30]_is_compromised", + "demo": "data[30]_demo", + "network_addresses": [ + { + "mac": "data[30]_network_addresses[0]_mac", + "ip": "data[30]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[30]_policy_guid", + "name": "data[30]_policy_name" + }, + "groups": [ + { + "guid": "data[30]_groups[0]_guid", + "name": "data[30]_groups[0]_name" + } + ], + "last_seen": "data[30]_last_seen", + "faults": [], + "isolation": { + "available": "data[30]_isolation_available", + "status": "data[30]_isolation_status" + }, + "orbital": { + "status": "data[30]_orbital_status" + } + }, + { + "connector_guid": "data[31]_connector_guid", + "hostname": "data[31]_hostname", + "windows_processor_id": "data[31]_windows_processor_id", + "active": "data[31]_active", + "links": { + "computer": "data[31]_links_computer", + "trajectory": "data[31]_links_trajectory", + "group": "data[31]_links_group" + }, + "connector_version": "data[31]_connector_version", + "operating_system": "data[31]_operating_system", + "os_version": "data[31]_os_version", + "internal_ips": [ + "data[31]_internal_ips_0" + ], + "external_ip": "data[31]_external_ip", + "group_guid": "data[31]_group_guid", + "install_date": "data[31]_install_date", + "is_compromised": "data[31]_is_compromised", + "demo": "data[31]_demo", + "network_addresses": [ + { + "mac": "data[31]_network_addresses[0]_mac", + "ip": "data[31]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[31]_policy_guid", + "name": "data[31]_policy_name" + }, + "groups": [ + { + "guid": "data[31]_groups[0]_guid", + "name": "data[31]_groups[0]_name" + } + ], + "last_seen": "data[31]_last_seen", + "faults": [], + "isolation": { + "available": "data[31]_isolation_available", + "status": "data[31]_isolation_status" + }, + "orbital": { + "status": "data[31]_orbital_status" + } + }, + { + "connector_guid": "data[32]_connector_guid", + "hostname": "data[32]_hostname", + "windows_processor_id": "data[32]_windows_processor_id", + "active": "data[32]_active", + "links": { + "computer": "data[32]_links_computer", + "trajectory": "data[32]_links_trajectory", + "group": "data[32]_links_group" + }, + "connector_version": "data[32]_connector_version", + "operating_system": "data[32]_operating_system", + "os_version": "data[32]_os_version", + "internal_ips": [ + "data[32]_internal_ips_0" + ], + "external_ip": "data[32]_external_ip", + "group_guid": "data[32]_group_guid", + "install_date": "data[32]_install_date", + "is_compromised": "data[32]_is_compromised", + "demo": "data[32]_demo", + "network_addresses": [ + { + "mac": "data[32]_network_addresses[0]_mac", + "ip": "data[32]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[32]_policy_guid", + "name": "data[32]_policy_name" + }, + "groups": [ + { + "guid": "data[32]_groups[0]_guid", + "name": "data[32]_groups[0]_name" + } + ], + "last_seen": "data[32]_last_seen", + "faults": [], + "isolation": { + "available": "data[32]_isolation_available", + "status": "data[32]_isolation_status" + }, + "orbital": { + "status": "data[32]_orbital_status" + } + }, + { + "connector_guid": "data[33]_connector_guid", + "hostname": "data[33]_hostname", + "windows_processor_id": "data[33]_windows_processor_id", + "active": "data[33]_active", + "links": { + "computer": "data[33]_links_computer", + "trajectory": "data[33]_links_trajectory", + "group": "data[33]_links_group" + }, + "connector_version": "data[33]_connector_version", + "operating_system": "data[33]_operating_system", + "os_version": "data[33]_os_version", + "internal_ips": [ + "data[33]_internal_ips_0" + ], + "external_ip": "data[33]_external_ip", + "group_guid": "data[33]_group_guid", + "install_date": "data[33]_install_date", + "is_compromised": "data[33]_is_compromised", + "demo": "data[33]_demo", + "windows_machine_guid": "data[33]_windows_machine_guid", + "network_addresses": [ + { + "mac": "data[33]_network_addresses[0]_mac", + "ip": "data[33]_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data[33]_policy_guid", + "name": "data[33]_policy_name" + }, + "groups": [ + { + "guid": "data[33]_groups[0]_guid", + "name": "data[33]_groups[0]_name" + } + ], + "last_seen": "data[33]_last_seen", + "av_update_definitions": { + "status": "data[33]_av_update_definitions_status", + "detection_engine": "data[33]_av_update_definitions_detection_engine", + "version": "data[33]_av_update_definitions_version", + "updated_at": "data[33]_av_update_definitions_updated_at" + }, + "faults": [], + "isolation": { + "available": "data[33]_isolation_available", + "status": "data[33]_isolation_status" + }, + "orbital": { + "status": "data[33]_orbital_status" + } + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/computer_move_response.json b/Packs/AMP/Integrations/AMPv2/test_data/computer_move_response.json new file mode 100644 index 000000000000..ec3638e15b9f --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/computer_move_response.json @@ -0,0 +1,54 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "connector_guid": "data_connector_guid", + "hostname": "data_hostname", + "windows_processor_id": "data_windows_processor_id", + "active": "data_active", + "links": { + "computer": "data_links_computer", + "trajectory": "data_links_trajectory", + "group": "data_links_group" + }, + "connector_version": "data_connector_version", + "operating_system": "data_operating_system", + "os_version": "data_os_version", + "internal_ips": [ + "data_internal_ips_0" + ], + "external_ip": "data_external_ip", + "group_guid": "data_group_guid", + "install_date": "data_install_date", + "is_compromised": "data_is_compromised", + "demo": "data_demo", + "network_addresses": [ + { + "mac": "data_network_addresses[0]_mac", + "ip": "data_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data_policy_guid", + "name": "data_policy_name" + }, + "groups": [ + { + "guid": "data_groups[0]_guid", + "name": "data_groups[0]_name" + } + ], + "faults": [], + "isolation": { + "available": "data_isolation_available", + "status": "data_isolation_status" + }, + "orbital": { + "status": "data_orbital_status" + } + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/computer_trajectory_response.json b/Packs/AMP/Integrations/AMPv2/test_data/computer_trajectory_response.json new file mode 100644 index 000000000000..8d84fc50131a --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/computer_trajectory_response.json @@ -0,0 +1,2135 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "computer": { + "connector_guid": "data_computer_connector_guid", + "hostname": "data_computer_hostname", + "windows_processor_id": "data_computer_windows_processor_id", + "active": "data_computer_active", + "links": { + "computer": "data_computer_links_computer", + "trajectory": "data_computer_links_trajectory", + "group": "data_computer_links_group" + }, + "connector_version": "data_computer_connector_version", + "operating_system": "data_computer_operating_system", + "os_version": "data_computer_os_version", + "internal_ips": [ + "data_computer_internal_ips_0" + ], + "external_ip": "data_computer_external_ip", + "group_guid": "data_computer_group_guid", + "install_date": "data_computer_install_date", + "is_compromised": "data_computer_is_compromised", + "demo": "data_computer_demo", + "network_addresses": [ + { + "mac": "data_computer_network_addresses[0]_mac", + "ip": "data_computer_network_addresses[0]_ip" + } + ], + "policy": { + "guid": "data_computer_policy_guid", + "name": "data_computer_policy_name" + }, + "groups": [ + { + "guid": "data_computer_groups[0]_guid", + "name": "data_computer_groups[0]_name" + } + ], + "faults": [], + "isolation": { + "available": "data_computer_isolation_available", + "status": "data_computer_isolation_status" + }, + "orbital": { + "status": "data_computer_orbital_status" + } + }, + "events": [ + { + "id": "data_events[0]_id", + "timestamp": "data_events[0]_timestamp", + "timestamp_nanoseconds": "data_events[0]_timestamp_nanoseconds", + "date": "data_events[0]_date", + "event_type": "data_events[0]_event_type", + "event_type_id": "data_events[0]_event_type_id", + "group_guids": [ + "data_events[0]_group_guids_0" + ], + "severity": "data_events[0]_severity", + "start_timestamp": "data_events[0]_start_timestamp", + "start_date": "data_events[0]_start_date", + "file": { + "disposition": "data_events[0]_file_disposition", + "file_name": "data_events[0]_file_file_name", + "identity": { + "sha256": "data_events[0]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[0]_file_parent_disposition", + "identity": { + "sha256": "data_events[0]_file_parent_identity_sha256" + } + } + }, + "vulnerabilities": [ + { + "name": "data_events[0]_vulnerabilities[0]_name", + "version": "data_events[0]_vulnerabilities[0]_version", + "cve": "data_events[0]_vulnerabilities[0]_cve", + "score": "data_events[0]_vulnerabilities[0]_score", + "url": "data_events[0]_vulnerabilities[0]_url" + } + ] + }, + { + "id": "data_events[1]_id", + "timestamp": "data_events[1]_timestamp", + "timestamp_nanoseconds": "data_events[1]_timestamp_nanoseconds", + "date": "data_events[1]_date", + "event_type": "data_events[1]_event_type", + "event_type_id": "data_events[1]_event_type_id", + "group_guids": [ + "data_events[1]_group_guids_0" + ] + }, + { + "timestamp": "data_events[2]_timestamp", + "timestamp_nanoseconds": "data_events[2]_timestamp_nanoseconds", + "date": "data_events[2]_date", + "event_type": "data_events[2]_event_type", + "group_guids": [ + "data_events[2]_group_guids_0" + ], + "file": { + "disposition": "data_events[2]_file_disposition", + "file_name": "data_events[2]_file_file_name", + "file_path": "data_events[2]_file_file_path", + "file_type": "data_events[2]_file_file_type", + "identity": { + "sha256": "data_events[2]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[2]_file_parent_disposition", + "identity": { + "sha256": "data_events[2]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[3]_timestamp", + "timestamp_nanoseconds": "data_events[3]_timestamp_nanoseconds", + "date": "data_events[3]_date", + "event_type": "data_events[3]_event_type", + "group_guids": [ + "data_events[3]_group_guids_0" + ], + "file": { + "disposition": "data_events[3]_file_disposition", + "file_name": "data_events[3]_file_file_name", + "file_path": "data_events[3]_file_file_path", + "file_type": "data_events[3]_file_file_type", + "identity": { + "sha256": "data_events[3]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[3]_file_parent_disposition", + "identity": { + "sha256": "data_events[3]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[4]_timestamp", + "timestamp_nanoseconds": "data_events[4]_timestamp_nanoseconds", + "date": "data_events[4]_date", + "event_type": "data_events[4]_event_type", + "group_guids": [ + "data_events[4]_group_guids_0" + ], + "file": { + "disposition": "data_events[4]_file_disposition", + "file_name": "data_events[4]_file_file_name", + "file_path": "data_events[4]_file_file_path", + "file_type": "data_events[4]_file_file_type", + "identity": { + "sha256": "data_events[4]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[4]_file_parent_disposition", + "identity": { + "sha256": "data_events[4]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[5]_timestamp", + "timestamp_nanoseconds": "data_events[5]_timestamp_nanoseconds", + "date": "data_events[5]_date", + "event_type": "data_events[5]_event_type", + "group_guids": [ + "data_events[5]_group_guids_0" + ], + "file": { + "disposition": "data_events[5]_file_disposition", + "file_name": "data_events[5]_file_file_name", + "file_path": "data_events[5]_file_file_path", + "file_type": "data_events[5]_file_file_type", + "identity": { + "sha256": "data_events[5]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[5]_file_parent_disposition", + "identity": { + "sha256": "data_events[5]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[6]_timestamp", + "timestamp_nanoseconds": "data_events[6]_timestamp_nanoseconds", + "date": "data_events[6]_date", + "event_type": "data_events[6]_event_type", + "group_guids": [ + "data_events[6]_group_guids_0" + ], + "file": { + "disposition": "data_events[6]_file_disposition", + "file_name": "data_events[6]_file_file_name", + "file_path": "data_events[6]_file_file_path", + "file_type": "data_events[6]_file_file_type", + "identity": { + "sha256": "data_events[6]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[6]_file_parent_disposition", + "identity": { + "sha256": "data_events[6]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[7]_timestamp", + "timestamp_nanoseconds": "data_events[7]_timestamp_nanoseconds", + "date": "data_events[7]_date", + "event_type": "data_events[7]_event_type", + "group_guids": [ + "data_events[7]_group_guids_0" + ], + "file": { + "disposition": "data_events[7]_file_disposition", + "file_name": "data_events[7]_file_file_name", + "file_path": "data_events[7]_file_file_path", + "file_type": "data_events[7]_file_file_type", + "identity": { + "sha256": "data_events[7]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[7]_file_parent_disposition", + "identity": { + "sha256": "data_events[7]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[8]_timestamp", + "timestamp_nanoseconds": "data_events[8]_timestamp_nanoseconds", + "date": "data_events[8]_date", + "event_type": "data_events[8]_event_type", + "group_guids": [ + "data_events[8]_group_guids_0" + ], + "file": { + "disposition": "data_events[8]_file_disposition", + "file_name": "data_events[8]_file_file_name", + "file_path": "data_events[8]_file_file_path", + "file_type": "data_events[8]_file_file_type", + "identity": { + "sha256": "data_events[8]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[8]_file_parent_disposition", + "identity": { + "sha256": "data_events[8]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[9]_timestamp", + "timestamp_nanoseconds": "data_events[9]_timestamp_nanoseconds", + "date": "data_events[9]_date", + "event_type": "data_events[9]_event_type", + "group_guids": [ + "data_events[9]_group_guids_0" + ], + "file": { + "disposition": "data_events[9]_file_disposition", + "file_name": "data_events[9]_file_file_name", + "file_path": "data_events[9]_file_file_path", + "file_type": "data_events[9]_file_file_type", + "identity": { + "sha256": "data_events[9]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[9]_file_parent_disposition", + "identity": { + "sha256": "data_events[9]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[10]_timestamp", + "timestamp_nanoseconds": "data_events[10]_timestamp_nanoseconds", + "date": "data_events[10]_date", + "event_type": "data_events[10]_event_type", + "group_guids": [ + "data_events[10]_group_guids_0" + ], + "file": { + "disposition": "data_events[10]_file_disposition", + "file_name": "data_events[10]_file_file_name", + "file_path": "data_events[10]_file_file_path", + "file_type": "data_events[10]_file_file_type", + "identity": { + "sha256": "data_events[10]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[10]_file_parent_disposition", + "identity": { + "sha256": "data_events[10]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[11]_timestamp", + "timestamp_nanoseconds": "data_events[11]_timestamp_nanoseconds", + "date": "data_events[11]_date", + "event_type": "data_events[11]_event_type", + "group_guids": [ + "data_events[11]_group_guids_0" + ], + "file": { + "disposition": "data_events[11]_file_disposition", + "file_name": "data_events[11]_file_file_name", + "file_path": "data_events[11]_file_file_path", + "file_type": "data_events[11]_file_file_type", + "identity": { + "sha256": "data_events[11]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[11]_file_parent_disposition", + "identity": { + "sha256": "data_events[11]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[12]_timestamp", + "timestamp_nanoseconds": "data_events[12]_timestamp_nanoseconds", + "date": "data_events[12]_date", + "event_type": "data_events[12]_event_type", + "group_guids": [ + "data_events[12]_group_guids_0" + ], + "file": { + "disposition": "data_events[12]_file_disposition", + "file_name": "data_events[12]_file_file_name", + "file_path": "data_events[12]_file_file_path", + "file_type": "data_events[12]_file_file_type", + "identity": { + "sha256": "data_events[12]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[12]_file_parent_disposition", + "identity": { + "sha256": "data_events[12]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[13]_timestamp", + "timestamp_nanoseconds": "data_events[13]_timestamp_nanoseconds", + "date": "data_events[13]_date", + "event_type": "data_events[13]_event_type", + "group_guids": [ + "data_events[13]_group_guids_0" + ], + "file": { + "disposition": "data_events[13]_file_disposition", + "file_name": "data_events[13]_file_file_name", + "file_path": "data_events[13]_file_file_path", + "file_type": "data_events[13]_file_file_type", + "identity": { + "sha256": "data_events[13]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[13]_file_parent_disposition", + "identity": { + "sha256": "data_events[13]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[14]_timestamp", + "timestamp_nanoseconds": "data_events[14]_timestamp_nanoseconds", + "date": "data_events[14]_date", + "event_type": "data_events[14]_event_type", + "group_guids": [ + "data_events[14]_group_guids_0" + ], + "file": { + "disposition": "data_events[14]_file_disposition", + "file_name": "data_events[14]_file_file_name", + "file_path": "data_events[14]_file_file_path", + "file_type": "data_events[14]_file_file_type", + "identity": { + "sha256": "data_events[14]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[14]_file_parent_disposition", + "identity": { + "sha256": "data_events[14]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[15]_timestamp", + "timestamp_nanoseconds": "data_events[15]_timestamp_nanoseconds", + "date": "data_events[15]_date", + "event_type": "data_events[15]_event_type", + "group_guids": [ + "data_events[15]_group_guids_0" + ], + "file": { + "disposition": "data_events[15]_file_disposition", + "file_name": "data_events[15]_file_file_name", + "file_path": "data_events[15]_file_file_path", + "file_type": "data_events[15]_file_file_type", + "identity": { + "sha256": "data_events[15]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[15]_file_parent_disposition", + "identity": { + "sha256": "data_events[15]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[16]_timestamp", + "timestamp_nanoseconds": "data_events[16]_timestamp_nanoseconds", + "date": "data_events[16]_date", + "event_type": "data_events[16]_event_type", + "group_guids": [ + "data_events[16]_group_guids_0" + ], + "file": { + "disposition": "data_events[16]_file_disposition", + "file_name": "data_events[16]_file_file_name", + "file_path": "data_events[16]_file_file_path", + "file_type": "data_events[16]_file_file_type", + "identity": { + "sha256": "data_events[16]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[16]_file_parent_disposition", + "identity": { + "sha256": "data_events[16]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[17]_timestamp", + "timestamp_nanoseconds": "data_events[17]_timestamp_nanoseconds", + "date": "data_events[17]_date", + "event_type": "data_events[17]_event_type", + "group_guids": [ + "data_events[17]_group_guids_0" + ], + "file": { + "disposition": "data_events[17]_file_disposition", + "file_name": "data_events[17]_file_file_name", + "file_path": "data_events[17]_file_file_path", + "file_type": "data_events[17]_file_file_type", + "identity": { + "sha256": "data_events[17]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[17]_file_parent_disposition", + "identity": { + "sha256": "data_events[17]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[18]_timestamp", + "timestamp_nanoseconds": "data_events[18]_timestamp_nanoseconds", + "date": "data_events[18]_date", + "event_type": "data_events[18]_event_type", + "group_guids": [ + "data_events[18]_group_guids_0" + ], + "file": { + "disposition": "data_events[18]_file_disposition", + "file_name": "data_events[18]_file_file_name", + "file_path": "data_events[18]_file_file_path", + "file_type": "data_events[18]_file_file_type", + "identity": { + "sha256": "data_events[18]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[18]_file_parent_disposition", + "identity": { + "sha256": "data_events[18]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[19]_timestamp", + "timestamp_nanoseconds": "data_events[19]_timestamp_nanoseconds", + "date": "data_events[19]_date", + "event_type": "data_events[19]_event_type", + "group_guids": [ + "data_events[19]_group_guids_0" + ], + "file": { + "disposition": "data_events[19]_file_disposition", + "file_name": "data_events[19]_file_file_name", + "file_path": "data_events[19]_file_file_path", + "file_type": "data_events[19]_file_file_type", + "identity": { + "sha256": "data_events[19]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[19]_file_parent_disposition", + "identity": { + "sha256": "data_events[19]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[20]_timestamp", + "timestamp_nanoseconds": "data_events[20]_timestamp_nanoseconds", + "date": "data_events[20]_date", + "event_type": "data_events[20]_event_type", + "group_guids": [ + "data_events[20]_group_guids_0" + ], + "file": { + "disposition": "data_events[20]_file_disposition", + "file_name": "data_events[20]_file_file_name", + "file_path": "data_events[20]_file_file_path", + "file_type": "data_events[20]_file_file_type", + "identity": { + "sha256": "data_events[20]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[20]_file_parent_disposition", + "identity": { + "sha256": "data_events[20]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[21]_timestamp", + "timestamp_nanoseconds": "data_events[21]_timestamp_nanoseconds", + "date": "data_events[21]_date", + "event_type": "data_events[21]_event_type", + "group_guids": [ + "data_events[21]_group_guids_0" + ], + "file": { + "disposition": "data_events[21]_file_disposition", + "file_name": "data_events[21]_file_file_name", + "file_path": "data_events[21]_file_file_path", + "file_type": "data_events[21]_file_file_type", + "identity": { + "sha256": "data_events[21]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[21]_file_parent_disposition", + "identity": { + "sha256": "data_events[21]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[22]_timestamp", + "timestamp_nanoseconds": "data_events[22]_timestamp_nanoseconds", + "date": "data_events[22]_date", + "event_type": "data_events[22]_event_type", + "group_guids": [ + "data_events[22]_group_guids_0" + ], + "file": { + "disposition": "data_events[22]_file_disposition", + "file_name": "data_events[22]_file_file_name", + "file_path": "data_events[22]_file_file_path", + "file_type": "data_events[22]_file_file_type", + "identity": { + "sha256": "data_events[22]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[22]_file_parent_disposition", + "identity": { + "sha256": "data_events[22]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[23]_timestamp", + "timestamp_nanoseconds": "data_events[23]_timestamp_nanoseconds", + "date": "data_events[23]_date", + "event_type": "data_events[23]_event_type", + "group_guids": [ + "data_events[23]_group_guids_0" + ], + "file": { + "disposition": "data_events[23]_file_disposition", + "file_type": "data_events[23]_file_file_type", + "identity": { + "sha256": "data_events[23]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[23]_file_parent_disposition", + "identity": { + "sha256": "data_events[23]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[24]_timestamp", + "timestamp_nanoseconds": "data_events[24]_timestamp_nanoseconds", + "date": "data_events[24]_date", + "event_type": "data_events[24]_event_type", + "group_guids": [ + "data_events[24]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[24]_network_info_dirty_url", + "remote_ip": "data_events[24]_network_info_remote_ip", + "remote_port": "data_events[24]_network_info_remote_port", + "local_ip": "data_events[24]_network_info_local_ip", + "local_port": "data_events[24]_network_info_local_port", + "nfm": { + "direction": "data_events[24]_network_info_nfm_direction", + "protocol": "data_events[24]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[24]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[24]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[25]_timestamp", + "timestamp_nanoseconds": "data_events[25]_timestamp_nanoseconds", + "date": "data_events[25]_date", + "event_type": "data_events[25]_event_type", + "group_guids": [ + "data_events[25]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[25]_network_info_dirty_url", + "remote_ip": "data_events[25]_network_info_remote_ip", + "remote_port": "data_events[25]_network_info_remote_port", + "local_ip": "data_events[25]_network_info_local_ip", + "local_port": "data_events[25]_network_info_local_port", + "nfm": { + "direction": "data_events[25]_network_info_nfm_direction", + "protocol": "data_events[25]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[25]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[25]_network_info_parent_identity_sha256" + } + } + } + }, + { + "id": "data_events[26]_id", + "timestamp": "data_events[26]_timestamp", + "timestamp_nanoseconds": "data_events[26]_timestamp_nanoseconds", + "date": "data_events[26]_date", + "event_type": "data_events[26]_event_type", + "event_type_id": "data_events[26]_event_type_id", + "detection_id": "data_events[26]_detection_id", + "group_guids": [ + "data_events[26]_group_guids_0" + ], + "severity": "data_events[26]_severity", + "file": { + "disposition": "data_events[26]_file_disposition", + "file_name": "data_events[26]_file_file_name", + "file_path": "data_events[26]_file_file_path", + "identity": { + "sha256": "data_events[26]_file_identity_sha256", + "sha1": "data_events[26]_file_identity_sha1", + "md5": "data_events[26]_file_identity_md5" + }, + "attack_details": { + "application": "data_events[26]_file_attack_details_application", + "attacked_module": "data_events[26]_file_attack_details_attacked_module", + "base_address": "data_events[26]_file_attack_details_base_address", + "suspicious_files": [ + "data_events[26]_file_attack_details_suspicious_files_0" + ], + "indicators": [ + { + "tactics": [ + "data_events[26]_file_attack_details_indicators[0]_tactics_0" + ], + "severity": "data_events[26]_file_attack_details_indicators[0]_severity", + "description": "data_events[26]_file_attack_details_indicators[0]_description", + "short_description": "data_events[26]_file_attack_details_indicators[0]_short_description", + "id": "data_events[26]_file_attack_details_indicators[0]_id", + "techniques": [ + "data_events[26]_file_attack_details_indicators[0]_techniques_0" + ] + } + ] + } + }, + "tactics": [ + "data_events[26]_tactics_0" + ], + "techniques": [ + "data_events[26]_techniques_0" + ] + }, + { + "timestamp": "data_events[27]_timestamp", + "timestamp_nanoseconds": "data_events[27]_timestamp_nanoseconds", + "date": "data_events[27]_date", + "event_type": "data_events[27]_event_type", + "group_guids": [ + "data_events[27]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[27]_network_info_dirty_url", + "remote_ip": "data_events[27]_network_info_remote_ip", + "remote_port": "data_events[27]_network_info_remote_port", + "local_ip": "data_events[27]_network_info_local_ip", + "local_port": "data_events[27]_network_info_local_port", + "nfm": { + "direction": "data_events[27]_network_info_nfm_direction", + "protocol": "data_events[27]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[27]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[27]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[28]_timestamp", + "timestamp_nanoseconds": "data_events[28]_timestamp_nanoseconds", + "date": "data_events[28]_date", + "event_type": "data_events[28]_event_type", + "group_guids": [ + "data_events[28]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[28]_network_info_remote_ip", + "remote_port": "data_events[28]_network_info_remote_port", + "local_ip": "data_events[28]_network_info_local_ip", + "local_port": "data_events[28]_network_info_local_port", + "nfm": { + "direction": "data_events[28]_network_info_nfm_direction", + "protocol": "data_events[28]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[28]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[28]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[29]_timestamp", + "timestamp_nanoseconds": "data_events[29]_timestamp_nanoseconds", + "date": "data_events[29]_date", + "event_type": "data_events[29]_event_type", + "group_guids": [ + "data_events[29]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[29]_network_info_remote_ip", + "remote_port": "data_events[29]_network_info_remote_port", + "local_ip": "data_events[29]_network_info_local_ip", + "local_port": "data_events[29]_network_info_local_port", + "nfm": { + "direction": "data_events[29]_network_info_nfm_direction", + "protocol": "data_events[29]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[29]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[29]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[30]_timestamp", + "timestamp_nanoseconds": "data_events[30]_timestamp_nanoseconds", + "date": "data_events[30]_date", + "event_type": "data_events[30]_event_type", + "group_guids": [ + "data_events[30]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[30]_network_info_dirty_url", + "remote_ip": "data_events[30]_network_info_remote_ip", + "remote_port": "data_events[30]_network_info_remote_port", + "local_ip": "data_events[30]_network_info_local_ip", + "local_port": "data_events[30]_network_info_local_port", + "nfm": { + "direction": "data_events[30]_network_info_nfm_direction", + "protocol": "data_events[30]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[30]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[30]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[31]_timestamp", + "timestamp_nanoseconds": "data_events[31]_timestamp_nanoseconds", + "date": "data_events[31]_date", + "event_type": "data_events[31]_event_type", + "group_guids": [ + "data_events[31]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[31]_network_info_dirty_url", + "remote_ip": "data_events[31]_network_info_remote_ip", + "remote_port": "data_events[31]_network_info_remote_port", + "local_ip": "data_events[31]_network_info_local_ip", + "local_port": "data_events[31]_network_info_local_port", + "nfm": { + "direction": "data_events[31]_network_info_nfm_direction", + "protocol": "data_events[31]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[31]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[31]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[32]_timestamp", + "timestamp_nanoseconds": "data_events[32]_timestamp_nanoseconds", + "date": "data_events[32]_date", + "event_type": "data_events[32]_event_type", + "group_guids": [ + "data_events[32]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[32]_network_info_remote_ip", + "remote_port": "data_events[32]_network_info_remote_port", + "local_ip": "data_events[32]_network_info_local_ip", + "local_port": "data_events[32]_network_info_local_port", + "nfm": { + "direction": "data_events[32]_network_info_nfm_direction", + "protocol": "data_events[32]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[32]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[32]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[33]_timestamp", + "timestamp_nanoseconds": "data_events[33]_timestamp_nanoseconds", + "date": "data_events[33]_date", + "event_type": "data_events[33]_event_type", + "group_guids": [ + "data_events[33]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[33]_network_info_dirty_url", + "remote_ip": "data_events[33]_network_info_remote_ip", + "remote_port": "data_events[33]_network_info_remote_port", + "local_ip": "data_events[33]_network_info_local_ip", + "local_port": "data_events[33]_network_info_local_port", + "nfm": { + "direction": "data_events[33]_network_info_nfm_direction", + "protocol": "data_events[33]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[33]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[33]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[34]_timestamp", + "timestamp_nanoseconds": "data_events[34]_timestamp_nanoseconds", + "date": "data_events[34]_date", + "event_type": "data_events[34]_event_type", + "group_guids": [ + "data_events[34]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[34]_network_info_remote_ip", + "remote_port": "data_events[34]_network_info_remote_port", + "local_ip": "data_events[34]_network_info_local_ip", + "local_port": "data_events[34]_network_info_local_port", + "nfm": { + "direction": "data_events[34]_network_info_nfm_direction", + "protocol": "data_events[34]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[34]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[34]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[35]_timestamp", + "timestamp_nanoseconds": "data_events[35]_timestamp_nanoseconds", + "date": "data_events[35]_date", + "event_type": "data_events[35]_event_type", + "group_guids": [ + "data_events[35]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[35]_network_info_remote_ip", + "remote_port": "data_events[35]_network_info_remote_port", + "local_ip": "data_events[35]_network_info_local_ip", + "local_port": "data_events[35]_network_info_local_port", + "nfm": { + "direction": "data_events[35]_network_info_nfm_direction", + "protocol": "data_events[35]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[35]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[35]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[36]_timestamp", + "timestamp_nanoseconds": "data_events[36]_timestamp_nanoseconds", + "date": "data_events[36]_date", + "event_type": "data_events[36]_event_type", + "group_guids": [ + "data_events[36]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[36]_network_info_remote_ip", + "remote_port": "data_events[36]_network_info_remote_port", + "local_ip": "data_events[36]_network_info_local_ip", + "local_port": "data_events[36]_network_info_local_port", + "nfm": { + "direction": "data_events[36]_network_info_nfm_direction", + "protocol": "data_events[36]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[36]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[36]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[37]_timestamp", + "timestamp_nanoseconds": "data_events[37]_timestamp_nanoseconds", + "date": "data_events[37]_date", + "event_type": "data_events[37]_event_type", + "group_guids": [ + "data_events[37]_group_guids_0" + ], + "file": { + "disposition": "data_events[37]_file_disposition", + "file_name": "data_events[37]_file_file_name", + "file_path": "data_events[37]_file_file_path", + "file_type": "data_events[37]_file_file_type", + "identity": { + "sha256": "data_events[37]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[37]_file_parent_disposition", + "identity": { + "sha256": "data_events[37]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[38]_timestamp", + "timestamp_nanoseconds": "data_events[38]_timestamp_nanoseconds", + "date": "data_events[38]_date", + "event_type": "data_events[38]_event_type", + "group_guids": [ + "data_events[38]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[38]_network_info_remote_ip", + "remote_port": "data_events[38]_network_info_remote_port", + "local_ip": "data_events[38]_network_info_local_ip", + "local_port": "data_events[38]_network_info_local_port", + "nfm": { + "direction": "data_events[38]_network_info_nfm_direction", + "protocol": "data_events[38]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[38]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[38]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[39]_timestamp", + "timestamp_nanoseconds": "data_events[39]_timestamp_nanoseconds", + "date": "data_events[39]_date", + "event_type": "data_events[39]_event_type", + "group_guids": [ + "data_events[39]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[39]_network_info_dirty_url", + "remote_ip": "data_events[39]_network_info_remote_ip", + "remote_port": "data_events[39]_network_info_remote_port", + "local_ip": "data_events[39]_network_info_local_ip", + "local_port": "data_events[39]_network_info_local_port", + "nfm": { + "direction": "data_events[39]_network_info_nfm_direction", + "protocol": "data_events[39]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[39]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[39]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[40]_timestamp", + "timestamp_nanoseconds": "data_events[40]_timestamp_nanoseconds", + "date": "data_events[40]_date", + "event_type": "data_events[40]_event_type", + "group_guids": [ + "data_events[40]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[40]_network_info_remote_ip", + "remote_port": "data_events[40]_network_info_remote_port", + "local_ip": "data_events[40]_network_info_local_ip", + "local_port": "data_events[40]_network_info_local_port", + "nfm": { + "direction": "data_events[40]_network_info_nfm_direction", + "protocol": "data_events[40]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[40]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[40]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[41]_timestamp", + "timestamp_nanoseconds": "data_events[41]_timestamp_nanoseconds", + "date": "data_events[41]_date", + "event_type": "data_events[41]_event_type", + "group_guids": [ + "data_events[41]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[41]_network_info_remote_ip", + "remote_port": "data_events[41]_network_info_remote_port", + "local_ip": "data_events[41]_network_info_local_ip", + "local_port": "data_events[41]_network_info_local_port", + "nfm": { + "direction": "data_events[41]_network_info_nfm_direction", + "protocol": "data_events[41]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[41]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[41]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[42]_timestamp", + "timestamp_nanoseconds": "data_events[42]_timestamp_nanoseconds", + "date": "data_events[42]_date", + "event_type": "data_events[42]_event_type", + "group_guids": [ + "data_events[42]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[42]_network_info_dirty_url", + "remote_ip": "data_events[42]_network_info_remote_ip", + "remote_port": "data_events[42]_network_info_remote_port", + "local_ip": "data_events[42]_network_info_local_ip", + "local_port": "data_events[42]_network_info_local_port", + "nfm": { + "direction": "data_events[42]_network_info_nfm_direction", + "protocol": "data_events[42]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[42]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[42]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[43]_timestamp", + "timestamp_nanoseconds": "data_events[43]_timestamp_nanoseconds", + "date": "data_events[43]_date", + "event_type": "data_events[43]_event_type", + "group_guids": [ + "data_events[43]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[43]_network_info_dirty_url", + "remote_ip": "data_events[43]_network_info_remote_ip", + "remote_port": "data_events[43]_network_info_remote_port", + "local_ip": "data_events[43]_network_info_local_ip", + "local_port": "data_events[43]_network_info_local_port", + "nfm": { + "direction": "data_events[43]_network_info_nfm_direction", + "protocol": "data_events[43]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[43]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[43]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[44]_timestamp", + "timestamp_nanoseconds": "data_events[44]_timestamp_nanoseconds", + "date": "data_events[44]_date", + "event_type": "data_events[44]_event_type", + "group_guids": [ + "data_events[44]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[44]_network_info_remote_ip", + "remote_port": "data_events[44]_network_info_remote_port", + "local_ip": "data_events[44]_network_info_local_ip", + "local_port": "data_events[44]_network_info_local_port", + "nfm": { + "direction": "data_events[44]_network_info_nfm_direction", + "protocol": "data_events[44]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[44]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[44]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[45]_timestamp", + "timestamp_nanoseconds": "data_events[45]_timestamp_nanoseconds", + "date": "data_events[45]_date", + "event_type": "data_events[45]_event_type", + "group_guids": [ + "data_events[45]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[45]_network_info_remote_ip", + "remote_port": "data_events[45]_network_info_remote_port", + "local_ip": "data_events[45]_network_info_local_ip", + "local_port": "data_events[45]_network_info_local_port", + "nfm": { + "direction": "data_events[45]_network_info_nfm_direction", + "protocol": "data_events[45]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[45]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[45]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[46]_timestamp", + "timestamp_nanoseconds": "data_events[46]_timestamp_nanoseconds", + "date": "data_events[46]_date", + "event_type": "data_events[46]_event_type", + "group_guids": [ + "data_events[46]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[46]_network_info_remote_ip", + "remote_port": "data_events[46]_network_info_remote_port", + "local_ip": "data_events[46]_network_info_local_ip", + "local_port": "data_events[46]_network_info_local_port", + "nfm": { + "direction": "data_events[46]_network_info_nfm_direction", + "protocol": "data_events[46]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[46]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[46]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[47]_timestamp", + "timestamp_nanoseconds": "data_events[47]_timestamp_nanoseconds", + "date": "data_events[47]_date", + "event_type": "data_events[47]_event_type", + "group_guids": [ + "data_events[47]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[47]_network_info_remote_ip", + "remote_port": "data_events[47]_network_info_remote_port", + "local_ip": "data_events[47]_network_info_local_ip", + "local_port": "data_events[47]_network_info_local_port", + "nfm": { + "direction": "data_events[47]_network_info_nfm_direction", + "protocol": "data_events[47]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[47]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[47]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[48]_timestamp", + "timestamp_nanoseconds": "data_events[48]_timestamp_nanoseconds", + "date": "data_events[48]_date", + "event_type": "data_events[48]_event_type", + "group_guids": [ + "data_events[48]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[48]_network_info_remote_ip", + "remote_port": "data_events[48]_network_info_remote_port", + "local_ip": "data_events[48]_network_info_local_ip", + "local_port": "data_events[48]_network_info_local_port", + "nfm": { + "direction": "data_events[48]_network_info_nfm_direction", + "protocol": "data_events[48]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[48]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[48]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[49]_timestamp", + "timestamp_nanoseconds": "data_events[49]_timestamp_nanoseconds", + "date": "data_events[49]_date", + "event_type": "data_events[49]_event_type", + "group_guids": [ + "data_events[49]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[49]_network_info_remote_ip", + "remote_port": "data_events[49]_network_info_remote_port", + "local_ip": "data_events[49]_network_info_local_ip", + "local_port": "data_events[49]_network_info_local_port", + "nfm": { + "direction": "data_events[49]_network_info_nfm_direction", + "protocol": "data_events[49]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[49]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[49]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[50]_timestamp", + "timestamp_nanoseconds": "data_events[50]_timestamp_nanoseconds", + "date": "data_events[50]_date", + "event_type": "data_events[50]_event_type", + "group_guids": [ + "data_events[50]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[50]_network_info_remote_ip", + "remote_port": "data_events[50]_network_info_remote_port", + "local_ip": "data_events[50]_network_info_local_ip", + "local_port": "data_events[50]_network_info_local_port", + "nfm": { + "direction": "data_events[50]_network_info_nfm_direction", + "protocol": "data_events[50]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[50]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[50]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[51]_timestamp", + "timestamp_nanoseconds": "data_events[51]_timestamp_nanoseconds", + "date": "data_events[51]_date", + "event_type": "data_events[51]_event_type", + "group_guids": [ + "data_events[51]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[51]_network_info_remote_ip", + "remote_port": "data_events[51]_network_info_remote_port", + "local_ip": "data_events[51]_network_info_local_ip", + "local_port": "data_events[51]_network_info_local_port", + "nfm": { + "direction": "data_events[51]_network_info_nfm_direction", + "protocol": "data_events[51]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[51]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[51]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[52]_timestamp", + "timestamp_nanoseconds": "data_events[52]_timestamp_nanoseconds", + "date": "data_events[52]_date", + "event_type": "data_events[52]_event_type", + "group_guids": [ + "data_events[52]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[52]_network_info_dirty_url", + "remote_ip": "data_events[52]_network_info_remote_ip", + "remote_port": "data_events[52]_network_info_remote_port", + "local_ip": "data_events[52]_network_info_local_ip", + "local_port": "data_events[52]_network_info_local_port", + "nfm": { + "direction": "data_events[52]_network_info_nfm_direction", + "protocol": "data_events[52]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[52]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[52]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[53]_timestamp", + "timestamp_nanoseconds": "data_events[53]_timestamp_nanoseconds", + "date": "data_events[53]_date", + "event_type": "data_events[53]_event_type", + "group_guids": [ + "data_events[53]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[53]_network_info_remote_ip", + "remote_port": "data_events[53]_network_info_remote_port", + "local_ip": "data_events[53]_network_info_local_ip", + "local_port": "data_events[53]_network_info_local_port", + "nfm": { + "direction": "data_events[53]_network_info_nfm_direction", + "protocol": "data_events[53]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[53]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[53]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[54]_timestamp", + "timestamp_nanoseconds": "data_events[54]_timestamp_nanoseconds", + "date": "data_events[54]_date", + "event_type": "data_events[54]_event_type", + "group_guids": [ + "data_events[54]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[54]_network_info_remote_ip", + "remote_port": "data_events[54]_network_info_remote_port", + "local_ip": "data_events[54]_network_info_local_ip", + "local_port": "data_events[54]_network_info_local_port", + "nfm": { + "direction": "data_events[54]_network_info_nfm_direction", + "protocol": "data_events[54]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[54]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[54]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[55]_timestamp", + "timestamp_nanoseconds": "data_events[55]_timestamp_nanoseconds", + "date": "data_events[55]_date", + "event_type": "data_events[55]_event_type", + "group_guids": [ + "data_events[55]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[55]_network_info_dirty_url", + "remote_ip": "data_events[55]_network_info_remote_ip", + "remote_port": "data_events[55]_network_info_remote_port", + "local_ip": "data_events[55]_network_info_local_ip", + "local_port": "data_events[55]_network_info_local_port", + "nfm": { + "direction": "data_events[55]_network_info_nfm_direction", + "protocol": "data_events[55]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[55]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[55]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[56]_timestamp", + "timestamp_nanoseconds": "data_events[56]_timestamp_nanoseconds", + "date": "data_events[56]_date", + "event_type": "data_events[56]_event_type", + "group_guids": [ + "data_events[56]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[56]_network_info_remote_ip", + "remote_port": "data_events[56]_network_info_remote_port", + "local_ip": "data_events[56]_network_info_local_ip", + "local_port": "data_events[56]_network_info_local_port", + "nfm": { + "direction": "data_events[56]_network_info_nfm_direction", + "protocol": "data_events[56]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[56]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[56]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[57]_timestamp", + "timestamp_nanoseconds": "data_events[57]_timestamp_nanoseconds", + "date": "data_events[57]_date", + "event_type": "data_events[57]_event_type", + "group_guids": [ + "data_events[57]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[57]_network_info_dirty_url", + "remote_ip": "data_events[57]_network_info_remote_ip", + "remote_port": "data_events[57]_network_info_remote_port", + "local_ip": "data_events[57]_network_info_local_ip", + "local_port": "data_events[57]_network_info_local_port", + "nfm": { + "direction": "data_events[57]_network_info_nfm_direction", + "protocol": "data_events[57]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[57]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[57]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[58]_timestamp", + "timestamp_nanoseconds": "data_events[58]_timestamp_nanoseconds", + "date": "data_events[58]_date", + "event_type": "data_events[58]_event_type", + "group_guids": [ + "data_events[58]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[58]_network_info_remote_ip", + "remote_port": "data_events[58]_network_info_remote_port", + "local_ip": "data_events[58]_network_info_local_ip", + "local_port": "data_events[58]_network_info_local_port", + "nfm": { + "direction": "data_events[58]_network_info_nfm_direction", + "protocol": "data_events[58]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[58]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[58]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[59]_timestamp", + "timestamp_nanoseconds": "data_events[59]_timestamp_nanoseconds", + "date": "data_events[59]_date", + "event_type": "data_events[59]_event_type", + "group_guids": [ + "data_events[59]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[59]_network_info_remote_ip", + "remote_port": "data_events[59]_network_info_remote_port", + "local_ip": "data_events[59]_network_info_local_ip", + "local_port": "data_events[59]_network_info_local_port", + "nfm": { + "direction": "data_events[59]_network_info_nfm_direction", + "protocol": "data_events[59]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[59]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[59]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[60]_timestamp", + "timestamp_nanoseconds": "data_events[60]_timestamp_nanoseconds", + "date": "data_events[60]_date", + "event_type": "data_events[60]_event_type", + "group_guids": [ + "data_events[60]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[60]_network_info_remote_ip", + "remote_port": "data_events[60]_network_info_remote_port", + "local_ip": "data_events[60]_network_info_local_ip", + "local_port": "data_events[60]_network_info_local_port", + "nfm": { + "direction": "data_events[60]_network_info_nfm_direction", + "protocol": "data_events[60]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[60]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[60]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[61]_timestamp", + "timestamp_nanoseconds": "data_events[61]_timestamp_nanoseconds", + "date": "data_events[61]_date", + "event_type": "data_events[61]_event_type", + "group_guids": [ + "data_events[61]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[61]_network_info_dirty_url", + "remote_ip": "data_events[61]_network_info_remote_ip", + "remote_port": "data_events[61]_network_info_remote_port", + "local_ip": "data_events[61]_network_info_local_ip", + "local_port": "data_events[61]_network_info_local_port", + "nfm": { + "direction": "data_events[61]_network_info_nfm_direction", + "protocol": "data_events[61]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[61]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[61]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[62]_timestamp", + "timestamp_nanoseconds": "data_events[62]_timestamp_nanoseconds", + "date": "data_events[62]_date", + "event_type": "data_events[62]_event_type", + "group_guids": [ + "data_events[62]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[62]_network_info_remote_ip", + "remote_port": "data_events[62]_network_info_remote_port", + "local_ip": "data_events[62]_network_info_local_ip", + "local_port": "data_events[62]_network_info_local_port", + "nfm": { + "direction": "data_events[62]_network_info_nfm_direction", + "protocol": "data_events[62]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[62]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[62]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[63]_timestamp", + "timestamp_nanoseconds": "data_events[63]_timestamp_nanoseconds", + "date": "data_events[63]_date", + "event_type": "data_events[63]_event_type", + "group_guids": [ + "data_events[63]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[63]_network_info_dirty_url", + "remote_ip": "data_events[63]_network_info_remote_ip", + "remote_port": "data_events[63]_network_info_remote_port", + "local_ip": "data_events[63]_network_info_local_ip", + "local_port": "data_events[63]_network_info_local_port", + "nfm": { + "direction": "data_events[63]_network_info_nfm_direction", + "protocol": "data_events[63]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[63]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[63]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[64]_timestamp", + "timestamp_nanoseconds": "data_events[64]_timestamp_nanoseconds", + "date": "data_events[64]_date", + "event_type": "data_events[64]_event_type", + "group_guids": [ + "data_events[64]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[64]_network_info_dirty_url", + "remote_ip": "data_events[64]_network_info_remote_ip", + "remote_port": "data_events[64]_network_info_remote_port", + "local_ip": "data_events[64]_network_info_local_ip", + "local_port": "data_events[64]_network_info_local_port", + "nfm": { + "direction": "data_events[64]_network_info_nfm_direction", + "protocol": "data_events[64]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[64]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[64]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[65]_timestamp", + "timestamp_nanoseconds": "data_events[65]_timestamp_nanoseconds", + "date": "data_events[65]_date", + "event_type": "data_events[65]_event_type", + "group_guids": [ + "data_events[65]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[65]_network_info_dirty_url", + "remote_ip": "data_events[65]_network_info_remote_ip", + "remote_port": "data_events[65]_network_info_remote_port", + "local_ip": "data_events[65]_network_info_local_ip", + "local_port": "data_events[65]_network_info_local_port", + "nfm": { + "direction": "data_events[65]_network_info_nfm_direction", + "protocol": "data_events[65]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[65]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[65]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[66]_timestamp", + "timestamp_nanoseconds": "data_events[66]_timestamp_nanoseconds", + "date": "data_events[66]_date", + "event_type": "data_events[66]_event_type", + "group_guids": [ + "data_events[66]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[66]_network_info_dirty_url", + "remote_ip": "data_events[66]_network_info_remote_ip", + "remote_port": "data_events[66]_network_info_remote_port", + "local_ip": "data_events[66]_network_info_local_ip", + "local_port": "data_events[66]_network_info_local_port", + "nfm": { + "direction": "data_events[66]_network_info_nfm_direction", + "protocol": "data_events[66]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[66]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[66]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[67]_timestamp", + "timestamp_nanoseconds": "data_events[67]_timestamp_nanoseconds", + "date": "data_events[67]_date", + "event_type": "data_events[67]_event_type", + "group_guids": [ + "data_events[67]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[67]_network_info_dirty_url", + "remote_ip": "data_events[67]_network_info_remote_ip", + "remote_port": "data_events[67]_network_info_remote_port", + "local_ip": "data_events[67]_network_info_local_ip", + "local_port": "data_events[67]_network_info_local_port", + "nfm": { + "direction": "data_events[67]_network_info_nfm_direction", + "protocol": "data_events[67]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[67]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[67]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[68]_timestamp", + "timestamp_nanoseconds": "data_events[68]_timestamp_nanoseconds", + "date": "data_events[68]_date", + "event_type": "data_events[68]_event_type", + "group_guids": [ + "data_events[68]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[68]_network_info_dirty_url", + "remote_ip": "data_events[68]_network_info_remote_ip", + "remote_port": "data_events[68]_network_info_remote_port", + "local_ip": "data_events[68]_network_info_local_ip", + "local_port": "data_events[68]_network_info_local_port", + "nfm": { + "direction": "data_events[68]_network_info_nfm_direction", + "protocol": "data_events[68]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[68]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[68]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[69]_timestamp", + "timestamp_nanoseconds": "data_events[69]_timestamp_nanoseconds", + "date": "data_events[69]_date", + "event_type": "data_events[69]_event_type", + "group_guids": [ + "data_events[69]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[69]_network_info_dirty_url", + "remote_ip": "data_events[69]_network_info_remote_ip", + "remote_port": "data_events[69]_network_info_remote_port", + "local_ip": "data_events[69]_network_info_local_ip", + "local_port": "data_events[69]_network_info_local_port", + "nfm": { + "direction": "data_events[69]_network_info_nfm_direction", + "protocol": "data_events[69]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[69]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[69]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[70]_timestamp", + "timestamp_nanoseconds": "data_events[70]_timestamp_nanoseconds", + "date": "data_events[70]_date", + "event_type": "data_events[70]_event_type", + "group_guids": [ + "data_events[70]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[70]_network_info_remote_ip", + "remote_port": "data_events[70]_network_info_remote_port", + "local_ip": "data_events[70]_network_info_local_ip", + "local_port": "data_events[70]_network_info_local_port", + "nfm": { + "direction": "data_events[70]_network_info_nfm_direction", + "protocol": "data_events[70]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[70]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[70]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[71]_timestamp", + "timestamp_nanoseconds": "data_events[71]_timestamp_nanoseconds", + "date": "data_events[71]_date", + "event_type": "data_events[71]_event_type", + "group_guids": [ + "data_events[71]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[71]_network_info_remote_ip", + "remote_port": "data_events[71]_network_info_remote_port", + "local_ip": "data_events[71]_network_info_local_ip", + "local_port": "data_events[71]_network_info_local_port", + "nfm": { + "direction": "data_events[71]_network_info_nfm_direction", + "protocol": "data_events[71]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[71]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[71]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[72]_timestamp", + "timestamp_nanoseconds": "data_events[72]_timestamp_nanoseconds", + "date": "data_events[72]_date", + "event_type": "data_events[72]_event_type", + "group_guids": [ + "data_events[72]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[72]_network_info_remote_ip", + "remote_port": "data_events[72]_network_info_remote_port", + "local_ip": "data_events[72]_network_info_local_ip", + "local_port": "data_events[72]_network_info_local_port", + "nfm": { + "direction": "data_events[72]_network_info_nfm_direction", + "protocol": "data_events[72]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[72]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[72]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[73]_timestamp", + "timestamp_nanoseconds": "data_events[73]_timestamp_nanoseconds", + "date": "data_events[73]_date", + "event_type": "data_events[73]_event_type", + "group_guids": [ + "data_events[73]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[73]_network_info_dirty_url", + "remote_ip": "data_events[73]_network_info_remote_ip", + "remote_port": "data_events[73]_network_info_remote_port", + "local_ip": "data_events[73]_network_info_local_ip", + "local_port": "data_events[73]_network_info_local_port", + "nfm": { + "direction": "data_events[73]_network_info_nfm_direction", + "protocol": "data_events[73]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[73]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[73]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[74]_timestamp", + "timestamp_nanoseconds": "data_events[74]_timestamp_nanoseconds", + "date": "data_events[74]_date", + "event_type": "data_events[74]_event_type", + "group_guids": [ + "data_events[74]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[74]_network_info_remote_ip", + "remote_port": "data_events[74]_network_info_remote_port", + "local_ip": "data_events[74]_network_info_local_ip", + "local_port": "data_events[74]_network_info_local_port", + "nfm": { + "direction": "data_events[74]_network_info_nfm_direction", + "protocol": "data_events[74]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[74]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[74]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[75]_timestamp", + "timestamp_nanoseconds": "data_events[75]_timestamp_nanoseconds", + "date": "data_events[75]_date", + "event_type": "data_events[75]_event_type", + "group_guids": [ + "data_events[75]_group_guids_0" + ], + "network_info": { + "dirty_url": "data_events[75]_network_info_dirty_url", + "remote_ip": "data_events[75]_network_info_remote_ip", + "remote_port": "data_events[75]_network_info_remote_port", + "local_ip": "data_events[75]_network_info_local_ip", + "local_port": "data_events[75]_network_info_local_port", + "nfm": { + "direction": "data_events[75]_network_info_nfm_direction", + "protocol": "data_events[75]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[75]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[75]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[76]_timestamp", + "timestamp_nanoseconds": "data_events[76]_timestamp_nanoseconds", + "date": "data_events[76]_date", + "event_type": "data_events[76]_event_type", + "group_guids": [ + "data_events[76]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[76]_network_info_remote_ip", + "remote_port": "data_events[76]_network_info_remote_port", + "local_ip": "data_events[76]_network_info_local_ip", + "local_port": "data_events[76]_network_info_local_port", + "nfm": { + "direction": "data_events[76]_network_info_nfm_direction", + "protocol": "data_events[76]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[76]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[76]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[77]_timestamp", + "timestamp_nanoseconds": "data_events[77]_timestamp_nanoseconds", + "date": "data_events[77]_date", + "event_type": "data_events[77]_event_type", + "group_guids": [ + "data_events[77]_group_guids_0" + ], + "file": { + "disposition": "data_events[77]_file_disposition", + "file_name": "data_events[77]_file_file_name", + "file_path": "data_events[77]_file_file_path", + "file_type": "data_events[77]_file_file_type", + "identity": { + "sha256": "data_events[77]_file_identity_sha256" + }, + "parent": { + "disposition": "data_events[77]_file_parent_disposition", + "identity": { + "sha256": "data_events[77]_file_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[78]_timestamp", + "timestamp_nanoseconds": "data_events[78]_timestamp_nanoseconds", + "date": "data_events[78]_date", + "event_type": "data_events[78]_event_type", + "group_guids": [ + "data_events[78]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[78]_network_info_remote_ip", + "remote_port": "data_events[78]_network_info_remote_port", + "local_ip": "data_events[78]_network_info_local_ip", + "local_port": "data_events[78]_network_info_local_port", + "nfm": { + "direction": "data_events[78]_network_info_nfm_direction", + "protocol": "data_events[78]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[78]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[78]_network_info_parent_identity_sha256" + } + } + } + }, + { + "timestamp": "data_events[79]_timestamp", + "timestamp_nanoseconds": "data_events[79]_timestamp_nanoseconds", + "date": "data_events[79]_date", + "event_type": "data_events[79]_event_type", + "group_guids": [ + "data_events[79]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[79]_network_info_remote_ip", + "remote_port": "data_events[79]_network_info_remote_port", + "local_ip": "data_events[79]_network_info_local_ip", + "local_port": "data_events[79]_network_info_local_port", + "nfm": { + "direction": "data_events[79]_network_info_nfm_direction", + "protocol": "data_events[79]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[79]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[79]_network_info_parent_identity_sha256" + } + } + } + }, + { + "id": "data_events[80]_id", + "timestamp": "data_events[80]_timestamp", + "timestamp_nanoseconds": "data_events[80]_timestamp_nanoseconds", + "date": "data_events[80]_date", + "event_type": "data_events[80]_event_type", + "event_type_id": "data_events[80]_event_type_id", + "group_guids": [ + "data_events[80]_group_guids_0" + ], + "scan": { + "description": "data_events[80]_scan_description", + "clean": "data_events[80]_scan_clean", + "scanned_files": "data_events[80]_scan_scanned_files", + "scanned_processes": "data_events[80]_scan_scanned_processes", + "scanned_paths": "data_events[80]_scan_scanned_paths", + "malicious_detections": "data_events[80]_scan_malicious_detections" + } + }, + { + "timestamp": "data_events[81]_timestamp", + "timestamp_nanoseconds": "data_events[81]_timestamp_nanoseconds", + "date": "data_events[81]_date", + "event_type": "data_events[81]_event_type", + "group_guids": [ + "data_events[81]_group_guids_0" + ], + "network_info": { + "remote_ip": "data_events[81]_network_info_remote_ip", + "remote_port": "data_events[81]_network_info_remote_port", + "local_ip": "data_events[81]_network_info_local_ip", + "local_port": "data_events[81]_network_info_local_port", + "nfm": { + "direction": "data_events[81]_network_info_nfm_direction", + "protocol": "data_events[81]_network_info_nfm_protocol" + }, + "parent": { + "disposition": "data_events[81]_network_info_parent_disposition", + "identity": { + "sha256": "data_events[81]_network_info_parent_identity_sha256" + } + } + } + }, + { + "id": "data_events[82]_id", + "timestamp": "data_events[82]_timestamp", + "timestamp_nanoseconds": "data_events[82]_timestamp_nanoseconds", + "date": "data_events[82]_date", + "event_type": "data_events[82]_event_type", + "event_type_id": "data_events[82]_event_type_id", + "group_guids": [ + "data_events[82]_group_guids_0" + ], + "scan": { + "description": "data_events[82]_scan_description" + } + } + ] + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/computer_user_activity_response.json b/Packs/AMP/Integrations/AMPv2/test_data/computer_user_activity_response.json new file mode 100644 index 000000000000..16e58fbcf52d --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/computer_user_activity_response.json @@ -0,0 +1,86 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": [ + { + "connector_guid": "data[0]_connector_guid", + "hostname": "data[0]_hostname", + "active": "data[0]_active", + "links": { + "computer": "data[0]_links_computer", + "trajectory": "data[0]_links_trajectory", + "group": "data[0]_links_group" + } + }, + { + "connector_guid": "data[1]_connector_guid", + "hostname": "data[1]_hostname", + "active": "data[1]_active", + "links": { + "computer": "data[1]_links_computer", + "trajectory": "data[1]_links_trajectory", + "group": "data[1]_links_group" + } + }, + { + "connector_guid": "data[2]_connector_guid", + "hostname": "data[2]_hostname", + "active": "data[2]_active", + "links": { + "computer": "data[2]_links_computer", + "trajectory": "data[2]_links_trajectory", + "group": "data[2]_links_group" + } + }, + { + "connector_guid": "data[3]_connector_guid", + "hostname": "data[3]_hostname", + "active": "data[3]_active", + "links": { + "computer": "data[3]_links_computer", + "trajectory": "data[3]_links_trajectory", + "group": "data[3]_links_group" + } + }, + { + "connector_guid": "data[4]_connector_guid", + "hostname": "data[4]_hostname", + "active": "data[4]_active", + "links": { + "computer": "data[4]_links_computer", + "trajectory": "data[4]_links_trajectory", + "group": "data[4]_links_group" + } + }, + { + "connector_guid": "data[5]_connector_guid", + "hostname": "data[5]_hostname", + "active": "data[5]_active", + "links": { + "computer": "data[5]_links_computer", + "trajectory": "data[5]_links_trajectory", + "group": "data[5]_links_group" + } + }, + { + "connector_guid": "data[6]_connector_guid", + "hostname": "data[6]_hostname", + "active": "data[6]_active", + "links": { + "computer": "data[6]_links_computer", + "trajectory": "data[6]_links_trajectory", + "group": "data[6]_links_group" + } + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/computer_user_trajectory_response.json b/Packs/AMP/Integrations/AMPv2/test_data/computer_user_trajectory_response.json new file mode 100644 index 000000000000..019909523faf --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/computer_user_trajectory_response.json @@ -0,0 +1,74 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "computer": { + "connector_guid": "data_computer_connector_guid", + "hostname": "data_computer_hostname", + "active": "data_computer_active", + "links": { + "computer": "data_computer_links_computer", + "trajectory": "data_computer_links_trajectory", + "group": "data_computer_links_group" + } + }, + "events": [ + { + "id": "data_events[0]_id", + "timestamp": "data_events[0]_timestamp", + "timestamp_nanoseconds": "data_events[0]_timestamp_nanoseconds", + "date": "data_events[0]_date", + "event_type": "data_events[0]_event_type", + "event_type_id": "data_events[0]_event_type_id", + "detection_id": "data_events[0]_detection_id", + "group_guids": [ + "data_events[0]_group_guids_0" + ], + "severity": "data_events[0]_severity", + "file": { + "disposition": "data_events[0]_file_disposition", + "file_name": "data_events[0]_file_file_name", + "file_path": "data_events[0]_file_file_path", + "identity": { + "sha256": "data_events[0]_file_identity_sha256", + "sha1": "data_events[0]_file_identity_sha1", + "md5": "data_events[0]_file_identity_md5" + }, + "attack_details": { + "application": "data_events[0]_file_attack_details_application", + "attacked_module": "data_events[0]_file_attack_details_attacked_module", + "base_address": "data_events[0]_file_attack_details_base_address", + "suspicious_files": [ + "data_events[0]_file_attack_details_suspicious_files_0" + ], + "indicators": [ + { + "tactics": [ + "data_events[0]_file_attack_details_indicators[0]_tactics_0" + ], + "severity": "data_events[0]_file_attack_details_indicators[0]_severity", + "description": "data_events[0]_file_attack_details_indicators[0]_description", + "short_description": "data_events[0]_file_attack_details_indicators[0]_short_description", + "id": "data_events[0]_file_attack_details_indicators[0]_id", + "techniques": [ + "data_events[0]_file_attack_details_indicators[0]_techniques_0" + ] + } + ] + } + }, + "user_name": "data_events[0]_user_name", + "tactics": [ + "data_events[0]_tactics_0" + ], + "techniques": [ + "data_events[0]_techniques_0" + ] + } + ] + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/computer_vulnerabilities_response.json b/Packs/AMP/Integrations/AMPv2/test_data/computer_vulnerabilities_response.json new file mode 100644 index 000000000000..0bad85d4d73d --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/computer_vulnerabilities_response.json @@ -0,0 +1,47 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": { + "connector_guid": "data_connector_guid", + "hostname": "data_hostname", + "windows_processor_id": "data_windows_processor_id", + "active": "data_active", + "links": { + "computer": "data_links_computer", + "trajectory": "data_links_trajectory", + "group": "data_links_group" + }, + "group_guid": "data_group_guid", + "vulnerabilities": [ + { + "application": "data_vulnerabilities[0]_application", + "version": "data_vulnerabilities[0]_version", + "file": { + "filename": "data_vulnerabilities[0]_file_filename", + "identity": { + "sha256": "data_vulnerabilities[0]_file_identity_sha256" + } + }, + "cves": [ + { + "id": "data_vulnerabilities[0]_cves[0]_id", + "link": "data_vulnerabilities[0]_cves[0]_link", + "cvss": "data_vulnerabilities[0]_cves[0]_cvss" + } + ], + "latest_timestamp": "data_vulnerabilities[0]_latest_timestamp", + "latest_date": "data_vulnerabilities[0]_latest_date" + } + ] + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/event_list_response.json b/Packs/AMP/Integrations/AMPv2/test_data/event_list_response.json new file mode 100644 index 000000000000..5f4148e1d037 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/event_list_response.json @@ -0,0 +1,515 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self", + "next": "metadata_links_next" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": [ + { + "id": "data[0]_id", + "timestamp": "data[0]_timestamp", + "timestamp_nanoseconds": "data[0]_timestamp_nanoseconds", + "date": "data[0]_date", + "event_type": "data[0]_event_type", + "event_type_id": "data[0]_event_type_id", + "connector_guid": "data[0]_connector_guid", + "group_guids": [ + "data[0]_group_guids_0" + ], + "computer": { + "connector_guid": "data[0]_computer_connector_guid", + "hostname": "data[0]_computer_hostname", + "external_ip": "data[0]_computer_external_ip", + "active": "data[0]_computer_active", + "network_addresses": [ + { + "ip": "data[0]_computer_network_addresses[0]_ip", + "mac": "data[0]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[0]_computer_links_computer", + "trajectory": "data[0]_computer_links_trajectory", + "group": "data[0]_computer_links_group" + } + } + }, + { + "id": "data[1]_id", + "timestamp": "data[1]_timestamp", + "timestamp_nanoseconds": "data[1]_timestamp_nanoseconds", + "date": "data[1]_date", + "event_type": "data[1]_event_type", + "event_type_id": "data[1]_event_type_id", + "connector_guid": "data[1]_connector_guid", + "group_guids": [ + "data[1]_group_guids_0" + ], + "computer": { + "connector_guid": "data[1]_computer_connector_guid", + "hostname": "data[1]_computer_hostname", + "external_ip": "data[1]_computer_external_ip", + "active": "data[1]_computer_active", + "network_addresses": [ + { + "ip": "data[1]_computer_network_addresses[0]_ip", + "mac": "data[1]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[1]_computer_links_computer", + "trajectory": "data[1]_computer_links_trajectory", + "group": "data[1]_computer_links_group" + } + }, + "bp_data": { + "package_manager_serial_number": "data[1]_bp_data_package_manager_serial_number", + "sts": "data[1]_bp_data_sts" + } + }, + { + "id": "data[2]_id", + "timestamp": "data[2]_timestamp", + "timestamp_nanoseconds": "data[2]_timestamp_nanoseconds", + "date": "data[2]_date", + "event_type": "data[2]_event_type", + "event_type_id": "data[2]_event_type_id", + "connector_guid": "data[2]_connector_guid", + "group_guids": [ + "data[2]_group_guids_0" + ], + "computer": { + "connector_guid": "data[2]_computer_connector_guid", + "hostname": "data[2]_computer_hostname", + "external_ip": "data[2]_computer_external_ip", + "active": "data[2]_computer_active", + "network_addresses": [ + { + "ip": "data[2]_computer_network_addresses[0]_ip", + "mac": "data[2]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[2]_computer_links_computer", + "trajectory": "data[2]_computer_links_trajectory", + "group": "data[2]_computer_links_group" + } + }, + "bp_data": { + "package_manager_serial_number": "data[2]_bp_data_package_manager_serial_number", + "sts": "data[2]_bp_data_sts" + } + }, + { + "id": "data[3]_id", + "timestamp": "data[3]_timestamp", + "timestamp_nanoseconds": "data[3]_timestamp_nanoseconds", + "date": "data[3]_date", + "event_type": "data[3]_event_type", + "event_type_id": "data[3]_event_type_id", + "connector_guid": "data[3]_connector_guid", + "group_guids": [ + "data[3]_group_guids_0" + ], + "computer": { + "connector_guid": "data[3]_computer_connector_guid", + "hostname": "data[3]_computer_hostname", + "external_ip": "data[3]_computer_external_ip", + "active": "data[3]_computer_active", + "network_addresses": [ + { + "ip": "data[3]_computer_network_addresses[0]_ip", + "mac": "data[3]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[3]_computer_links_computer", + "trajectory": "data[3]_computer_links_trajectory", + "group": "data[3]_computer_links_group" + } + }, + "bp_data": { + "package_manager_current_version": "data[3]_bp_data_package_manager_current_version", + "package_manager_pending_version": "data[3]_bp_data_package_manager_pending_version", + "sts": "data[3]_bp_data_sts" + } + }, + { + "id": "data[4]_id", + "timestamp": "data[4]_timestamp", + "timestamp_nanoseconds": "data[4]_timestamp_nanoseconds", + "date": "data[4]_date", + "event_type": "data[4]_event_type", + "event_type_id": "data[4]_event_type_id", + "connector_guid": "data[4]_connector_guid", + "group_guids": [ + "data[4]_group_guids_0" + ], + "computer": { + "connector_guid": "data[4]_computer_connector_guid", + "hostname": "data[4]_computer_hostname", + "external_ip": "data[4]_computer_external_ip", + "active": "data[4]_computer_active", + "network_addresses": [ + { + "ip": "data[4]_computer_network_addresses[0]_ip", + "mac": "data[4]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[4]_computer_links_computer", + "trajectory": "data[4]_computer_links_trajectory", + "group": "data[4]_computer_links_group" + } + }, + "bp_data": { + "package_manager_current_version": "data[4]_bp_data_package_manager_current_version", + "package_manager_pending_version": "data[4]_bp_data_package_manager_pending_version", + "sts": "data[4]_bp_data_sts" + } + }, + { + "id": "data[5]_id", + "timestamp": "data[5]_timestamp", + "timestamp_nanoseconds": "data[5]_timestamp_nanoseconds", + "date": "data[5]_date", + "event_type": "data[5]_event_type", + "event_type_id": "data[5]_event_type_id", + "connector_guid": "data[5]_connector_guid", + "group_guids": [ + "data[5]_group_guids_0" + ], + "error": { + "error_code": "data[5]_error_error_code", + "description": "data[5]_error_description" + }, + "computer": { + "connector_guid": "data[5]_computer_connector_guid", + "hostname": "data[5]_computer_hostname", + "external_ip": "data[5]_computer_external_ip", + "active": "data[5]_computer_active", + "network_addresses": [ + { + "ip": "data[5]_computer_network_addresses[0]_ip", + "mac": "data[5]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[5]_computer_links_computer", + "trajectory": "data[5]_computer_links_trajectory", + "group": "data[5]_computer_links_group" + } + }, + "isolation": { + "error_code": "data[5]_isolation_error_code" + } + }, + { + "id": "data[6]_id", + "timestamp": "data[6]_timestamp", + "timestamp_nanoseconds": "data[6]_timestamp_nanoseconds", + "date": "data[6]_date", + "event_type": "data[6]_event_type", + "event_type_id": "data[6]_event_type_id", + "connector_guid": "data[6]_connector_guid", + "group_guids": [ + "data[6]_group_guids_0" + ], + "error": { + "error_code": "data[6]_error_error_code", + "description": "data[6]_error_description" + }, + "computer": { + "connector_guid": "data[6]_computer_connector_guid", + "hostname": "data[6]_computer_hostname", + "external_ip": "data[6]_computer_external_ip", + "active": "data[6]_computer_active", + "network_addresses": [ + { + "ip": "data[6]_computer_network_addresses[0]_ip", + "mac": "data[6]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[6]_computer_links_computer", + "trajectory": "data[6]_computer_links_trajectory", + "group": "data[6]_computer_links_group" + } + }, + "isolation": { + "error_code": "data[6]_isolation_error_code" + } + }, + { + "id": "data[7]_id", + "timestamp": "data[7]_timestamp", + "timestamp_nanoseconds": "data[7]_timestamp_nanoseconds", + "date": "data[7]_date", + "event_type": "data[7]_event_type", + "event_type_id": "data[7]_event_type_id", + "connector_guid": "data[7]_connector_guid", + "group_guids": [ + "data[7]_group_guids_0" + ], + "computer": { + "connector_guid": "data[7]_computer_connector_guid", + "hostname": "data[7]_computer_hostname", + "external_ip": "data[7]_computer_external_ip", + "active": "data[7]_computer_active", + "network_addresses": [ + { + "ip": "data[7]_computer_network_addresses[0]_ip", + "mac": "data[7]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[7]_computer_links_computer", + "trajectory": "data[7]_computer_links_trajectory", + "group": "data[7]_computer_links_group" + } + }, + "bp_data": { + "package_manager_serial_number": "data[7]_bp_data_package_manager_serial_number", + "sts": "data[7]_bp_data_sts" + } + }, + { + "id": "data[8]_id", + "timestamp": "data[8]_timestamp", + "timestamp_nanoseconds": "data[8]_timestamp_nanoseconds", + "date": "data[8]_date", + "event_type": "data[8]_event_type", + "event_type_id": "data[8]_event_type_id", + "connector_guid": "data[8]_connector_guid", + "group_guids": [ + "data[8]_group_guids_0" + ], + "computer": { + "connector_guid": "data[8]_computer_connector_guid", + "hostname": "data[8]_computer_hostname", + "external_ip": "data[8]_computer_external_ip", + "active": "data[8]_computer_active", + "network_addresses": [ + { + "ip": "data[8]_computer_network_addresses[0]_ip", + "mac": "data[8]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[8]_computer_links_computer", + "trajectory": "data[8]_computer_links_trajectory", + "group": "data[8]_computer_links_group" + } + }, + "bp_data": { + "package_manager_serial_number": "data[8]_bp_data_package_manager_serial_number", + "sts": "data[8]_bp_data_sts" + } + }, + { + "id": "data[9]_id", + "timestamp": "data[9]_timestamp", + "timestamp_nanoseconds": "data[9]_timestamp_nanoseconds", + "date": "data[9]_date", + "event_type": "data[9]_event_type", + "event_type_id": "data[9]_event_type_id", + "connector_guid": "data[9]_connector_guid", + "group_guids": [ + "data[9]_group_guids_0" + ], + "computer": { + "connector_guid": "data[9]_computer_connector_guid", + "hostname": "data[9]_computer_hostname", + "external_ip": "data[9]_computer_external_ip", + "active": "data[9]_computer_active", + "network_addresses": [ + { + "ip": "data[9]_computer_network_addresses[0]_ip", + "mac": "data[9]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[9]_computer_links_computer", + "trajectory": "data[9]_computer_links_trajectory", + "group": "data[9]_computer_links_group" + } + }, + "bp_data": { + "package_manager_pending_version": "data[9]_bp_data_package_manager_pending_version", + "sts": "data[9]_bp_data_sts" + } + }, + { + "id": "data[10]_id", + "timestamp": "data[10]_timestamp", + "timestamp_nanoseconds": "data[10]_timestamp_nanoseconds", + "date": "data[10]_date", + "event_type": "data[10]_event_type", + "event_type_id": "data[10]_event_type_id", + "connector_guid": "data[10]_connector_guid", + "group_guids": [ + "data[10]_group_guids_0" + ], + "computer": { + "connector_guid": "data[10]_computer_connector_guid", + "hostname": "data[10]_computer_hostname", + "external_ip": "data[10]_computer_external_ip", + "active": "data[10]_computer_active", + "network_addresses": [ + { + "ip": "data[10]_computer_network_addresses[0]_ip", + "mac": "data[10]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[10]_computer_links_computer", + "trajectory": "data[10]_computer_links_trajectory", + "group": "data[10]_computer_links_group" + } + }, + "bp_data": { + "package_manager_pending_version": "data[10]_bp_data_package_manager_pending_version", + "sts": "data[10]_bp_data_sts" + } + }, + { + "id": "data[11]_id", + "timestamp": "data[11]_timestamp", + "timestamp_nanoseconds": "data[11]_timestamp_nanoseconds", + "date": "data[11]_date", + "event_type": "data[11]_event_type", + "event_type_id": "data[11]_event_type_id", + "connector_guid": "data[11]_connector_guid", + "group_guids": [ + "data[11]_group_guids_0" + ], + "computer": { + "connector_guid": "data[11]_computer_connector_guid", + "hostname": "data[11]_computer_hostname", + "external_ip": "data[11]_computer_external_ip", + "active": "data[11]_computer_active", + "network_addresses": [ + { + "ip": "data[11]_computer_network_addresses[0]_ip", + "mac": "data[11]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[11]_computer_links_computer", + "trajectory": "data[11]_computer_links_trajectory", + "group": "data[11]_computer_links_group" + } + }, + "bp_data": { + "ecx": "data[11]_bp_data_ecx", + "error_code": "data[11]_bp_data_error_code", + "error_source": "data[11]_bp_data_error_source", + "package_name": "data[11]_bp_data_package_name", + "package_uri": "data[11]_bp_data_package_uri", + "sts": "data[11]_bp_data_sts" + } + }, + { + "id": "data[12]_id", + "timestamp": "data[12]_timestamp", + "timestamp_nanoseconds": "data[12]_timestamp_nanoseconds", + "date": "data[12]_date", + "event_type": "data[12]_event_type", + "event_type_id": "data[12]_event_type_id", + "connector_guid": "data[12]_connector_guid", + "group_guids": [ + "data[12]_group_guids_0" + ], + "computer": { + "connector_guid": "data[12]_computer_connector_guid", + "hostname": "data[12]_computer_hostname", + "external_ip": "data[12]_computer_external_ip", + "active": "data[12]_computer_active", + "network_addresses": [ + { + "ip": "data[12]_computer_network_addresses[0]_ip", + "mac": "data[12]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[12]_computer_links_computer", + "trajectory": "data[12]_computer_links_trajectory", + "group": "data[12]_computer_links_group" + } + }, + "bp_data": { + "ecx": "data[12]_bp_data_ecx", + "error_code": "data[12]_bp_data_error_code", + "error_source": "data[12]_bp_data_error_source", + "package_name": "data[12]_bp_data_package_name", + "package_uri": "data[12]_bp_data_package_uri", + "sts": "data[12]_bp_data_sts" + } + }, + { + "id": "data[13]_id", + "timestamp": "data[13]_timestamp", + "timestamp_nanoseconds": "data[13]_timestamp_nanoseconds", + "date": "data[13]_date", + "event_type": "data[13]_event_type", + "event_type_id": "data[13]_event_type_id", + "hostname": "data[13]_hostname" + }, + { + "id": "data[14]_id", + "timestamp": "data[14]_timestamp", + "timestamp_nanoseconds": "data[14]_timestamp_nanoseconds", + "date": "data[14]_date", + "event_type": "data[14]_event_type", + "event_type_id": "data[14]_event_type_id", + "detection": "data[14]_detection", + "detection_id": "data[14]_detection_id", + "connector_guid": "data[14]_connector_guid", + "group_guids": [ + "data[14]_group_guids_0" + ], + "severity": "data[14]_severity", + "computer": { + "connector_guid": "data[14]_computer_connector_guid", + "hostname": "data[14]_computer_hostname", + "external_ip": "data[14]_computer_external_ip", + "active": "data[14]_computer_active", + "network_addresses": [ + { + "ip": "data[14]_computer_network_addresses[0]_ip", + "mac": "data[14]_computer_network_addresses[0]_mac" + } + ], + "links": { + "computer": "data[14]_computer_links_computer", + "trajectory": "data[14]_computer_links_trajectory", + "group": "data[14]_computer_links_group" + } + }, + "file": { + "disposition": "data[14]_file_disposition", + "file_name": "data[14]_file_file_name", + "file_path": "data[14]_file_file_path", + "identity": { + "sha256": "data[14]_file_identity_sha256", + "sha1": "data[14]_file_identity_sha1", + "md5": "data[14]_file_identity_md5" + } + }, + "tactics": [ + "data[14]_tactics_0" + ], + "techniques": [ + "data[14]_techniques_0" + ] + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/event_type_list_response.json b/Packs/AMP/Integrations/AMPv2/test_data/event_type_list_response.json new file mode 100644 index 000000000000..aa20c8ab6798 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/event_type_list_response.json @@ -0,0 +1,563 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total" + } + }, + "data": [ + { + "id": "data[0]_id", + "name": "data[0]_name", + "description": "data[0]_description" + }, + { + "id": "data[1]_id", + "name": "data[1]_name", + "description": "data[1]_description" + }, + { + "id": "data[2]_id", + "name": "data[2]_name", + "description": "data[2]_description" + }, + { + "id": "data[3]_id", + "name": "data[3]_name", + "description": "data[3]_description" + }, + { + "id": "data[4]_id", + "name": "data[4]_name", + "description": "data[4]_description" + }, + { + "id": "data[5]_id", + "name": "data[5]_name", + "description": "data[5]_description" + }, + { + "id": "data[6]_id", + "name": "data[6]_name", + "description": "data[6]_description" + }, + { + "id": "data[7]_id", + "name": "data[7]_name", + "description": "data[7]_description" + }, + { + "id": "data[8]_id", + "name": "data[8]_name", + "description": "data[8]_description" + }, + { + "id": "data[9]_id", + "name": "data[9]_name", + "description": "data[9]_description" + }, + { + "id": "data[10]_id", + "name": "data[10]_name", + "description": "data[10]_description" + }, + { + "id": "data[11]_id", + "name": "data[11]_name", + "description": "data[11]_description" + }, + { + "id": "data[12]_id", + "name": "data[12]_name", + "description": "data[12]_description" + }, + { + "id": "data[13]_id", + "name": "data[13]_name", + "description": "data[13]_description" + }, + { + "id": "data[14]_id", + "name": "data[14]_name", + "description": "data[14]_description" + }, + { + "id": "data[15]_id", + "name": "data[15]_name", + "description": "data[15]_description" + }, + { + "id": "data[16]_id", + "name": "data[16]_name", + "description": "data[16]_description" + }, + { + "id": "data[17]_id", + "name": "data[17]_name", + "description": "data[17]_description" + }, + { + "id": "data[18]_id", + "name": "data[18]_name", + "description": "data[18]_description" + }, + { + "id": "data[19]_id", + "name": "data[19]_name", + "description": "data[19]_description" + }, + { + "id": "data[20]_id", + "name": "data[20]_name", + "description": "data[20]_description" + }, + { + "id": "data[21]_id", + "name": "data[21]_name", + "description": "data[21]_description" + }, + { + "id": "data[22]_id", + "name": "data[22]_name", + "description": "data[22]_description" + }, + { + "id": "data[23]_id", + "name": "data[23]_name", + "description": "data[23]_description" + }, + { + "id": "data[24]_id", + "name": "data[24]_name", + "description": "data[24]_description" + }, + { + "id": "data[25]_id", + "name": "data[25]_name", + "description": "data[25]_description" + }, + { + "id": "data[26]_id", + "name": "data[26]_name", + "description": "data[26]_description" + }, + { + "id": "data[27]_id", + "name": "data[27]_name", + "description": "data[27]_description" + }, + { + "id": "data[28]_id", + "name": "data[28]_name", + "description": "data[28]_description" + }, + { + "id": "data[29]_id", + "name": "data[29]_name", + "description": "data[29]_description" + }, + { + "id": "data[30]_id", + "name": "data[30]_name", + "description": "data[30]_description" + }, + { + "id": "data[31]_id", + "name": "data[31]_name", + "description": "data[31]_description" + }, + { + "id": "data[32]_id", + "name": "data[32]_name", + "description": "data[32]_description" + }, + { + "id": "data[33]_id", + "name": "data[33]_name", + "description": "data[33]_description" + }, + { + "id": "data[34]_id", + "name": "data[34]_name", + "description": "data[34]_description" + }, + { + "id": "data[35]_id", + "name": "data[35]_name", + "description": "data[35]_description" + }, + { + "id": "data[36]_id", + "name": "data[36]_name", + "description": "data[36]_description" + }, + { + "id": "data[37]_id", + "name": "data[37]_name", + "description": "data[37]_description" + }, + { + "id": "data[38]_id", + "name": "data[38]_name", + "description": "data[38]_description" + }, + { + "id": "data[39]_id", + "name": "data[39]_name", + "description": "data[39]_description" + }, + { + "id": "data[40]_id", + "name": "data[40]_name", + "description": "data[40]_description" + }, + { + "id": "data[41]_id", + "name": "data[41]_name", + "description": "data[41]_description" + }, + { + "id": "data[42]_id", + "name": "data[42]_name", + "description": "data[42]_description" + }, + { + "id": "data[43]_id", + "name": "data[43]_name", + "description": "data[43]_description" + }, + { + "id": "data[44]_id", + "name": "data[44]_name", + "description": "data[44]_description" + }, + { + "id": "data[45]_id", + "name": "data[45]_name", + "description": "data[45]_description" + }, + { + "id": "data[46]_id", + "name": "data[46]_name", + "description": "data[46]_description" + }, + { + "id": "data[47]_id", + "name": "data[47]_name", + "description": "data[47]_description" + }, + { + "id": "data[48]_id", + "name": "data[48]_name", + "description": "data[48]_description" + }, + { + "id": "data[49]_id", + "name": "data[49]_name", + "description": "data[49]_description" + }, + { + "id": "data[50]_id", + "name": "data[50]_name", + "description": "data[50]_description" + }, + { + "id": "data[51]_id", + "name": "data[51]_name", + "description": "data[51]_description" + }, + { + "id": "data[52]_id", + "name": "data[52]_name", + "description": "data[52]_description" + }, + { + "id": "data[53]_id", + "name": "data[53]_name", + "description": "data[53]_description" + }, + { + "id": "data[54]_id", + "name": "data[54]_name", + "description": "data[54]_description" + }, + { + "id": "data[55]_id", + "name": "data[55]_name", + "description": "data[55]_description" + }, + { + "id": "data[56]_id", + "name": "data[56]_name", + "description": "data[56]_description" + }, + { + "id": "data[57]_id", + "name": "data[57]_name", + "description": "data[57]_description" + }, + { + "id": "data[58]_id", + "name": "data[58]_name", + "description": "data[58]_description" + }, + { + "id": "data[59]_id", + "name": "data[59]_name", + "description": "data[59]_description" + }, + { + "id": "data[60]_id", + "name": "data[60]_name", + "description": "data[60]_description" + }, + { + "id": "data[61]_id", + "name": "data[61]_name", + "description": "data[61]_description" + }, + { + "id": "data[62]_id", + "name": "data[62]_name", + "description": "data[62]_description" + }, + { + "id": "data[63]_id", + "name": "data[63]_name", + "description": "data[63]_description" + }, + { + "id": "data[64]_id", + "name": "data[64]_name", + "description": "data[64]_description" + }, + { + "id": "data[65]_id", + "name": "data[65]_name", + "description": "data[65]_description" + }, + { + "id": "data[66]_id", + "name": "data[66]_name", + "description": "data[66]_description" + }, + { + "id": "data[67]_id", + "name": "data[67]_name", + "description": "data[67]_description" + }, + { + "id": "data[68]_id", + "name": "data[68]_name", + "description": "data[68]_description" + }, + { + "id": "data[69]_id", + "name": "data[69]_name", + "description": "data[69]_description" + }, + { + "id": "data[70]_id", + "name": "data[70]_name", + "description": "data[70]_description" + }, + { + "id": "data[71]_id", + "name": "data[71]_name", + "description": "data[71]_description" + }, + { + "id": "data[72]_id", + "name": "data[72]_name", + "description": "data[72]_description" + }, + { + "id": "data[73]_id", + "name": "data[73]_name", + "description": "data[73]_description" + }, + { + "id": "data[74]_id", + "name": "data[74]_name", + "description": "data[74]_description" + }, + { + "id": "data[75]_id", + "name": "data[75]_name", + "description": "data[75]_description" + }, + { + "id": "data[76]_id", + "name": "data[76]_name", + "description": "data[76]_description" + }, + { + "id": "data[77]_id", + "name": "data[77]_name", + "description": "data[77]_description" + }, + { + "id": "data[78]_id", + "name": "data[78]_name", + "description": "data[78]_description" + }, + { + "id": "data[79]_id", + "name": "data[79]_name", + "description": "data[79]_description" + }, + { + "id": "data[80]_id", + "name": "data[80]_name", + "description": "data[80]_description" + }, + { + "id": "data[81]_id", + "name": "data[81]_name", + "description": "data[81]_description" + }, + { + "id": "data[82]_id", + "name": "data[82]_name", + "description": "data[82]_description" + }, + { + "id": "data[83]_id", + "name": "data[83]_name", + "description": "data[83]_description" + }, + { + "id": "data[84]_id", + "name": "data[84]_name", + "description": "data[84]_description" + }, + { + "id": "data[85]_id", + "name": "data[85]_name", + "description": "data[85]_description" + }, + { + "id": "data[86]_id", + "name": "data[86]_name", + "description": "data[86]_description" + }, + { + "id": "data[87]_id", + "name": "data[87]_name", + "description": "data[87]_description" + }, + { + "id": "data[88]_id", + "name": "data[88]_name", + "description": "data[88]_description" + }, + { + "id": "data[89]_id", + "name": "data[89]_name", + "description": "data[89]_description" + }, + { + "id": "data[90]_id", + "name": "data[90]_name", + "description": "data[90]_description" + }, + { + "id": "data[91]_id", + "name": "data[91]_name", + "description": "data[91]_description" + }, + { + "id": "data[92]_id", + "name": "data[92]_name", + "description": "data[92]_description" + }, + { + "id": "data[93]_id", + "name": "data[93]_name", + "description": "data[93]_description" + }, + { + "id": "data[94]_id", + "name": "data[94]_name", + "description": "data[94]_description" + }, + { + "id": "data[95]_id", + "name": "data[95]_name", + "description": "data[95]_description" + }, + { + "id": "data[96]_id", + "name": "data[96]_name", + "description": "data[96]_description" + }, + { + "id": "data[97]_id", + "name": "data[97]_name", + "description": "data[97]_description" + }, + { + "id": "data[98]_id", + "name": "data[98]_name", + "description": "data[98]_description" + }, + { + "id": "data[99]_id", + "name": "data[99]_name", + "description": "data[99]_description" + }, + { + "id": "data[100]_id", + "name": "data[100]_name", + "description": "data[100]_description" + }, + { + "id": "data[101]_id", + "name": "data[101]_name", + "description": "data[101]_description" + }, + { + "id": "data[102]_id", + "name": "data[102]_name", + "description": "data[102]_description" + }, + { + "id": "data[103]_id", + "name": "data[103]_name", + "description": "data[103]_description" + }, + { + "id": "data[104]_id", + "name": "data[104]_name", + "description": "data[104]_description" + }, + { + "id": "data[105]_id", + "name": "data[105]_name", + "description": "data[105]_description" + }, + { + "id": "data[106]_id", + "name": "data[106]_name", + "description": "data[106]_description" + }, + { + "id": "data[107]_id", + "name": "data[107]_name", + "description": "data[107]_description" + }, + { + "id": "data[108]_id", + "name": "data[108]_name", + "description": "data[108]_description" + }, + { + "id": "data[109]_id", + "name": "data[109]_name", + "description": "data[109]_description" + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/file_list_application_blocking_response.json b/Packs/AMP/Integrations/AMPv2/test_data/file_list_application_blocking_response.json new file mode 100644 index 000000000000..8e12be8d407f --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/file_list_application_blocking_response.json @@ -0,0 +1,32 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": [ + { + "name": "data[0]_name", + "guid": "data[0]_guid", + "type": "application_blocking", + "links": { + "file_list": "data[0]_links_file_list" + } + }, + { + "name": "data[1]_name", + "guid": "data[1]_guid", + "type": "application_blocking", + "links": { + "file_list": "data[1]_links_file_list" + } + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_create_response.json b/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_create_response.json new file mode 100644 index 000000000000..d5f1871fe45d --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_create_response.json @@ -0,0 +1,16 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "sha256": "data_sha256", + "description": "data_description", + "source": "data_source", + "links": { + "file_list": "data_links_file_list" + } + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_delete_fail_response.json b/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_delete_fail_response.json new file mode 100644 index 000000000000..af5c38b11b72 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_delete_fail_response.json @@ -0,0 +1,10 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": {}, + "errors": "Don't look behind you" +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_delete_response.json b/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_delete_response.json new file mode 100644 index 000000000000..4e3528e73e14 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_delete_response.json @@ -0,0 +1,9 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": {} +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_get_response.json b/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_get_response.json new file mode 100644 index 000000000000..d5f1871fe45d --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_get_response.json @@ -0,0 +1,16 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "sha256": "data_sha256", + "description": "data_description", + "source": "data_source", + "links": { + "file_list": "data_links_file_list" + } + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_list_response.json b/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_list_response.json new file mode 100644 index 000000000000..f1924143c2d5 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/file_list_item_list_response.json @@ -0,0 +1,106 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": { + "name": "data_name", + "guid": "data_guid", + "policies": [ + { + "name": "data_policies[0]_name", + "guid": "data_policies[0]_guid", + "links": { + "policy": "data_policies[0]_links_policy" + } + }, + { + "name": "data_policies[1]_name", + "guid": "data_policies[1]_guid", + "links": { + "policy": "data_policies[1]_links_policy" + } + }, + { + "name": "data_policies[2]_name", + "guid": "data_policies[2]_guid", + "links": { + "policy": "data_policies[2]_links_policy" + } + }, + { + "name": "data_policies[3]_name", + "guid": "data_policies[3]_guid", + "links": { + "policy": "data_policies[3]_links_policy" + } + }, + { + "name": "data_policies[4]_name", + "guid": "data_policies[4]_guid", + "links": { + "policy": "data_policies[4]_links_policy" + } + }, + { + "name": "data_policies[5]_name", + "guid": "data_policies[5]_guid", + "links": { + "policy": "data_policies[5]_links_policy" + } + }, + { + "name": "data_policies[6]_name", + "guid": "data_policies[6]_guid", + "links": { + "policy": "data_policies[6]_links_policy" + } + }, + { + "name": "data_policies[7]_name", + "guid": "data_policies[7]_guid", + "links": { + "policy": "data_policies[7]_links_policy" + } + }, + { + "name": "data_policies[8]_name", + "guid": "data_policies[8]_guid", + "links": { + "policy": "data_policies[8]_links_policy" + } + }, + { + "name": "data_policies[9]_name", + "guid": "data_policies[9]_guid", + "links": { + "policy": "data_policies[9]_links_policy" + } + } + ], + "items": [ + { + "sha256": "data_items[0]_sha256", + "source": "data_items[0]_source", + "links": { + "file_list": "data_items[0]_links_file_list" + } + }, + { + "sha256": "data_items[1]_sha256", + "source": "data_items[1]_source", + "links": { + "file_list": "data_items[1]_links_file_list" + } + } + ] + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/file_list_list_response.json b/Packs/AMP/Integrations/AMPv2/test_data/file_list_list_response.json new file mode 100644 index 000000000000..5a3f4230f9d6 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/file_list_list_response.json @@ -0,0 +1,16 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "name": "data_name", + "guid": "data_guid", + "type": "application_blocking", + "links": { + "details": "data_links_details" + } + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/file_list_simple_custom_detections_response.json b/Packs/AMP/Integrations/AMPv2/test_data/file_list_simple_custom_detections_response.json new file mode 100644 index 000000000000..b6b353cd23e6 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/file_list_simple_custom_detections_response.json @@ -0,0 +1,32 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": [ + { + "name": "data[0]_name", + "guid": "data[0]_guid", + "type": "simple_custom_detections", + "links": { + "file_list": "data[0]_links_file_list" + } + }, + { + "name": "data[1]_name", + "guid": "data[1]_guid", + "type": "simple_custom_detections", + "links": { + "file_list": "data[1]_links_file_list" + } + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/group_delete_fail_response.json b/Packs/AMP/Integrations/AMPv2/test_data/group_delete_fail_response.json new file mode 100644 index 000000000000..6655f8007c7e --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/group_delete_fail_response.json @@ -0,0 +1,12 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "deleted": false, + "group_guid": "data_group_guid" + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/group_delete_response.json b/Packs/AMP/Integrations/AMPv2/test_data/group_delete_response.json new file mode 100644 index 000000000000..47d4b3f7c433 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/group_delete_response.json @@ -0,0 +1,12 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "deleted": true, + "group_guid": "data_group_guid" + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/group_list_response.json b/Packs/AMP/Integrations/AMPv2/test_data/group_list_response.json new file mode 100644 index 000000000000..bbbfd86b48ff --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/group_list_response.json @@ -0,0 +1,76 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": [ + { + "name": "data[0]_name", + "description": "data[0]_description", + "guid": "data[0]_guid", + "source": "data[0]_source", + "links": { + "group": "data[0]_links_group" + } + }, + { + "name": "data[1]_name", + "description": "data[1]_description", + "guid": "data[1]_guid", + "source": "data[1]_source", + "links": { + "group": "data[1]_links_group" + } + }, + { + "name": "data[2]_name", + "description": "data[2]_description", + "guid": "data[2]_guid", + "source": "data[2]_source", + "ancestry": [ + { + "name": "data[2]_ancestry[0]_name", + "guid": "data[2]_ancestry[0]_guid" + } + ], + "links": { + "group": "data[2]_links_group" + } + }, + { + "name": "data[3]_name", + "description": "data[3]_description", + "guid": "data[3]_guid", + "source": "data[3]_source", + "links": { + "group": "data[3]_links_group" + } + }, + { + "name": "data[4]_name", + "description": "data[4]_description", + "guid": "data[4]_guid", + "source": "data[4]_source", + "links": { + "group": "data[4]_links_group" + } + }, + { + "name": "data[5]_name", + "description": "data[5]_description", + "guid": "data[5]_guid", + "source": "data[5]_source", + "links": { + "group": "data[5]_links_group" + } + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/group_response.json b/Packs/AMP/Integrations/AMPv2/test_data/group_response.json new file mode 100644 index 000000000000..b83508d7d3a8 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/group_response.json @@ -0,0 +1,291 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "name": "data_name", + "description": "data_description", + "guid": "data_guid", + "source": "data_source", + "creator": "data_creator", + "created_at": "data_created_at", + "computers_count": "data_computers_count", + "descendant_computers_count": "data_descendant_computers_count", + "policies": [ + { + "name": "data_policies[0]_name", + "description": "data_policies[0]_description", + "guid": "data_policies[0]_guid", + "product": "data_policies[0]_product", + "default": "data_policies[0]_default", + "serial_number": "data_policies[0]_serial_number", + "links": { + "policy_xml": "data_policies[0]_links_policy_xml", + "policy": "data_policies[0]_links_policy" + }, + "file_lists": [ + { + "name": "data_policies[0]_file_lists[0]_name", + "guid": "data_policies[0]_file_lists[0]_guid", + "type": "data_policies[0]_file_lists[0]_type" + }, + { + "name": "data_policies[0]_file_lists[1]_name", + "guid": "data_policies[0]_file_lists[1]_guid", + "type": "data_policies[0]_file_lists[1]_type" + }, + { + "name": "data_policies[0]_file_lists[2]_name", + "guid": "data_policies[0]_file_lists[2]_guid", + "type": "data_policies[0]_file_lists[2]_type" + } + ], + "ip_lists": [], + "isolation_ip_lists": [], + "exclusion_sets": [ + { + "name": "data_policies[0]_exclusion_sets[0]_name", + "guid": "data_policies[0]_exclusion_sets[0]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[1]_name", + "guid": "data_policies[0]_exclusion_sets[1]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[2]_name", + "guid": "data_policies[0]_exclusion_sets[2]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[3]_name", + "guid": "data_policies[0]_exclusion_sets[3]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[4]_name", + "guid": "data_policies[0]_exclusion_sets[4]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[5]_name", + "guid": "data_policies[0]_exclusion_sets[5]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[6]_name", + "guid": "data_policies[0]_exclusion_sets[6]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[7]_name", + "guid": "data_policies[0]_exclusion_sets[7]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[8]_name", + "guid": "data_policies[0]_exclusion_sets[8]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[9]_name", + "guid": "data_policies[0]_exclusion_sets[9]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[10]_name", + "guid": "data_policies[0]_exclusion_sets[10]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[11]_name", + "guid": "data_policies[0]_exclusion_sets[11]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[12]_name", + "guid": "data_policies[0]_exclusion_sets[12]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[13]_name", + "guid": "data_policies[0]_exclusion_sets[13]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[14]_name", + "guid": "data_policies[0]_exclusion_sets[14]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[15]_name", + "guid": "data_policies[0]_exclusion_sets[15]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[16]_name", + "guid": "data_policies[0]_exclusion_sets[16]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[17]_name", + "guid": "data_policies[0]_exclusion_sets[17]_guid" + }, + { + "name": "data_policies[0]_exclusion_sets[18]_name", + "guid": "data_policies[0]_exclusion_sets[18]_guid" + } + ], + "used_in_groups": [ + { + "name": "data_policies[0]_used_in_groups[0]_name", + "description": "data_policies[0]_used_in_groups[0]_description", + "guid": "data_policies[0]_used_in_groups[0]_guid" + } + ], + "inherited": "data_policies[0]_inherited" + }, + { + "name": "data_policies[1]_name", + "description": "data_policies[1]_description", + "guid": "data_policies[1]_guid", + "product": "data_policies[1]_product", + "default": "data_policies[1]_default", + "serial_number": "data_policies[1]_serial_number", + "links": { + "policy_xml": "data_policies[1]_links_policy_xml", + "policy": "data_policies[1]_links_policy" + }, + "file_lists": [], + "ip_lists": [], + "isolation_ip_lists": [], + "used_in_groups": [ + { + "name": "data_policies[1]_used_in_groups[0]_name", + "description": "data_policies[1]_used_in_groups[0]_description", + "guid": "data_policies[1]_used_in_groups[0]_guid" + } + ], + "inherited": "data_policies[1]_inherited" + }, + { + "name": "data_policies[2]_name", + "description": "data_policies[2]_description", + "guid": "data_policies[2]_guid", + "product": "data_policies[2]_product", + "default": "data_policies[2]_default", + "serial_number": "data_policies[2]_serial_number", + "links": { + "policy_xml": "data_policies[2]_links_policy_xml", + "policy": "data_policies[2]_links_policy" + }, + "file_lists": [ + { + "name": "data_policies[2]_file_lists[0]_name", + "guid": "data_policies[2]_file_lists[0]_guid", + "type": "data_policies[2]_file_lists[0]_type" + }, + { + "name": "data_policies[2]_file_lists[1]_name", + "guid": "data_policies[2]_file_lists[1]_guid", + "type": "data_policies[2]_file_lists[1]_type" + }, + { + "name": "data_policies[2]_file_lists[2]_name", + "guid": "data_policies[2]_file_lists[2]_guid", + "type": "data_policies[2]_file_lists[2]_type" + } + ], + "ip_lists": [], + "isolation_ip_lists": [], + "exclusion_sets": [ + { + "name": "data_policies[2]_exclusion_sets[0]_name", + "guid": "data_policies[2]_exclusion_sets[0]_guid" + }, + { + "name": "data_policies[2]_exclusion_sets[1]_name", + "guid": "data_policies[2]_exclusion_sets[1]_guid" + }, + { + "name": "data_policies[2]_exclusion_sets[2]_name", + "guid": "data_policies[2]_exclusion_sets[2]_guid" + }, + { + "name": "data_policies[2]_exclusion_sets[3]_name", + "guid": "data_policies[2]_exclusion_sets[3]_guid" + }, + { + "name": "data_policies[2]_exclusion_sets[4]_name", + "guid": "data_policies[2]_exclusion_sets[4]_guid" + }, + { + "name": "data_policies[2]_exclusion_sets[5]_name", + "guid": "data_policies[2]_exclusion_sets[5]_guid" + }, + { + "name": "data_policies[2]_exclusion_sets[6]_name", + "guid": "data_policies[2]_exclusion_sets[6]_guid" + } + ], + "used_in_groups": [ + { + "name": "data_policies[2]_used_in_groups[0]_name", + "description": "data_policies[2]_used_in_groups[0]_description", + "guid": "data_policies[2]_used_in_groups[0]_guid" + } + ], + "inherited": "data_policies[2]_inherited" + }, + { + "name": "data_policies[3]_name", + "description": "data_policies[3]_description", + "guid": "data_policies[3]_guid", + "product": "data_policies[3]_product", + "default": "data_policies[3]_default", + "serial_number": "data_policies[3]_serial_number", + "links": { + "policy_xml": "data_policies[3]_links_policy_xml", + "policy": "data_policies[3]_links_policy" + }, + "file_lists": [ + { + "name": "data_policies[3]_file_lists[0]_name", + "guid": "data_policies[3]_file_lists[0]_guid", + "type": "data_policies[3]_file_lists[0]_type" + }, + { + "name": "data_policies[3]_file_lists[1]_name", + "guid": "data_policies[3]_file_lists[1]_guid", + "type": "data_policies[3]_file_lists[1]_type" + }, + { + "name": "data_policies[3]_file_lists[2]_name", + "guid": "data_policies[3]_file_lists[2]_guid", + "type": "data_policies[3]_file_lists[2]_type" + } + ], + "ip_lists": [], + "isolation_ip_lists": [], + "used_in_groups": [ + { + "name": "data_policies[3]_used_in_groups[0]_name", + "description": "data_policies[3]_used_in_groups[0]_description", + "guid": "data_policies[3]_used_in_groups[0]_guid" + } + ], + "inherited": "data_policies[3]_inherited" + }, + { + "name": "data_policies[4]_name", + "description": "data_policies[4]_description", + "guid": "data_policies[4]_guid", + "product": "data_policies[4]_product", + "default": "data_policies[4]_default", + "serial_number": "data_policies[4]_serial_number", + "links": { + "policy_xml": "data_policies[4]_links_policy_xml", + "policy": "data_policies[4]_links_policy" + }, + "file_lists": [], + "ip_lists": [], + "isolation_ip_lists": [], + "used_in_groups": [ + { + "name": "data_policies[4]_used_in_groups[0]_name", + "description": "data_policies[4]_used_in_groups[0]_description", + "guid": "data_policies[4]_used_in_groups[0]_guid" + } + ], + "inherited": "data_policies[4]_inherited" + } + ] + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/indicator_get_response.json b/Packs/AMP/Integrations/AMPv2/test_data/indicator_get_response.json new file mode 100644 index 000000000000..11befc184be2 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/indicator_get_response.json @@ -0,0 +1,40 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "name": "data_name", + "description": "data_description", + "guid": "data_guid", + "severity": "data_severity", + "mitre": { + "tactics": [ + { + "external_id": "data_mitre_tactics[0]_external_id", + "name": "data_mitre_tactics[0]_name", + "mitre_url": "data_mitre_tactics[0]_mitre_url" + } + ], + "techniques": [ + { + "external_id": "data_mitre_techniques[0]_external_id", + "name": "data_mitre_techniques[0]_name", + "mitre_url": "data_mitre_techniques[0]_mitre_url" + }, + { + "external_id": "data_mitre_techniques[1]_external_id", + "name": "data_mitre_techniques[1]_name", + "mitre_url": "data_mitre_techniques[1]_mitre_url" + } + ] + }, + "observed_compromises": { + "unresolved": "data_observed_compromises_unresolved", + "in_progress": "data_observed_compromises_in_progress", + "resolved": "data_observed_compromises_resolved" + } + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/indicator_list_response.json b/Packs/AMP/Integrations/AMPv2/test_data/indicator_list_response.json new file mode 100644 index 000000000000..829a3a32e8c1 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/indicator_list_response.json @@ -0,0 +1,127 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self", + "next": "metadata_links_next" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": [ + { + "name": "data[0]_name", + "description": "data[0]_description", + "guid": "data[0]_guid", + "observed_compromises": "data[0]_observed_compromises", + "severity": "data[0]_severity", + "links": { + "indicator": "data[0]_links_indicator" + } + }, + { + "name": "data[1]_name", + "description": "data[1]_description", + "guid": "data[1]_guid", + "observed_compromises": "data[1]_observed_compromises", + "severity": "data[1]_severity", + "links": { + "indicator": "data[1]_links_indicator" + } + }, + { + "name": "data[2]_name", + "description": "data[2]_description", + "guid": "data[2]_guid", + "observed_compromises": "data[2]_observed_compromises", + "severity": "data[2]_severity", + "links": { + "indicator": "data[2]_links_indicator" + } + }, + { + "name": "data[3]_name", + "description": "data[3]_description", + "guid": "data[3]_guid", + "observed_compromises": "data[3]_observed_compromises", + "severity": "data[3]_severity", + "links": { + "indicator": "data[3]_links_indicator" + } + }, + { + "name": "data[4]_name", + "description": "data[4]_description", + "guid": "data[4]_guid", + "observed_compromises": "data[4]_observed_compromises", + "severity": "data[4]_severity", + "links": { + "indicator": "data[4]_links_indicator" + } + }, + { + "name": "data[5]_name", + "description": "data[5]_description", + "guid": "data[5]_guid", + "observed_compromises": "data[5]_observed_compromises", + "severity": "data[5]_severity", + "links": { + "indicator": "data[5]_links_indicator" + } + }, + { + "name": "data[6]_name", + "description": "data[6]_description", + "guid": "data[6]_guid", + "observed_compromises": "data[6]_observed_compromises", + "severity": "data[6]_severity", + "links": { + "indicator": "data[6]_links_indicator" + } + }, + { + "name": "data[7]_name", + "description": "data[7]_description", + "guid": "data[7]_guid", + "observed_compromises": "data[7]_observed_compromises", + "severity": "data[7]_severity", + "links": { + "indicator": "data[7]_links_indicator" + } + }, + { + "name": "data[8]_name", + "description": "data[8]_description", + "guid": "data[8]_guid", + "observed_compromises": "data[8]_observed_compromises", + "severity": "data[8]_severity", + "links": { + "indicator": "data[8]_links_indicator" + } + }, + { + "name": "data[9]_name", + "description": "data[9]_description", + "guid": "data[9]_guid", + "observed_compromises": "data[9]_observed_compromises", + "severity": "data[9]_severity", + "links": { + "indicator": "data[9]_links_indicator" + } + }, + { + "name": "data[10]_name", + "description": "data[10]_description", + "guid": "data[10]_guid", + "observed_compromises": "data[10]_observed_compromises", + "severity": "data[10]_severity", + "links": { + "indicator": "data[10]_links_indicator" + } + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/isolation_response.json b/Packs/AMP/Integrations/AMPv2/test_data/isolation_response.json new file mode 100644 index 000000000000..ec51af4ddc4e --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/isolation_response.json @@ -0,0 +1,14 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "available": "data_available", + "status": "data_status", + "unlock_code": "data_unlock_code", + "comment": "data_comment" + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/policy_get_response.json b/Packs/AMP/Integrations/AMPv2/test_data/policy_get_response.json new file mode 100644 index 000000000000..2104fbd8e44a --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/policy_get_response.json @@ -0,0 +1,69 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": { + "name": "data_name", + "description": "data_description", + "guid": "data_guid", + "product": "data_product", + "default": "data_default", + "serial_number": "data_serial_number", + "links": { + "policy_xml": "data_links_policy_xml" + }, + "file_lists": [ + { + "name": "data_file_lists[0]_name", + "guid": "data_file_lists[0]_guid", + "type": "data_file_lists[0]_type" + }, + { + "name": "data_file_lists[1]_name", + "guid": "data_file_lists[1]_guid", + "type": "data_file_lists[1]_type" + }, + { + "name": "data_file_lists[2]_name", + "guid": "data_file_lists[2]_guid", + "type": "data_file_lists[2]_type" + } + ], + "ip_lists": [], + "isolation_ip_lists": [], + "exclusion_sets": [ + { + "name": "data_exclusion_sets[0]_name", + "guid": "data_exclusion_sets[0]_guid" + }, + { + "name": "data_exclusion_sets[1]_name", + "guid": "data_exclusion_sets[1]_guid" + }, + { + "name": "data_exclusion_sets[2]_name", + "guid": "data_exclusion_sets[2]_guid" + }, + { + "name": "data_exclusion_sets[3]_name", + "guid": "data_exclusion_sets[3]_guid" + }, + { + "name": "data_exclusion_sets[4]_name", + "guid": "data_exclusion_sets[4]_guid" + }, + { + "name": "data_exclusion_sets[5]_name", + "guid": "data_exclusion_sets[5]_guid" + }, + { + "name": "data_exclusion_sets[6]_name", + "guid": "data_exclusion_sets[6]_guid" + } + ], + "used_in_groups": [] + } +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/policy_list_response.json b/Packs/AMP/Integrations/AMPv2/test_data/policy_list_response.json new file mode 100644 index 000000000000..3792f93504f4 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/policy_list_response.json @@ -0,0 +1,159 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": [ + { + "name": "data[0]_name", + "description": "data[0]_description", + "guid": "data[0]_guid", + "product": "data[0]_product", + "default": "data[0]_default", + "serial_number": "data[0]_serial_number", + "links": { + "policy": "data[0]_links_policy" + } + }, + { + "name": "data[1]_name", + "description": "data[1]_description", + "guid": "data[1]_guid", + "product": "data[1]_product", + "default": "data[1]_default", + "serial_number": "data[1]_serial_number", + "links": { + "policy": "data[1]_links_policy" + } + }, + { + "name": "data[2]_name", + "description": "data[2]_description", + "guid": "data[2]_guid", + "product": "data[2]_product", + "default": "data[2]_default", + "serial_number": "data[2]_serial_number", + "links": { + "policy": "data[2]_links_policy" + } + }, + { + "name": "data[3]_name", + "description": "data[3]_description", + "guid": "data[3]_guid", + "product": "data[3]_product", + "default": "data[3]_default", + "serial_number": "data[3]_serial_number", + "links": { + "policy": "data[3]_links_policy" + } + }, + { + "name": "data[4]_name", + "description": "data[4]_description", + "guid": "data[4]_guid", + "product": "data[4]_product", + "default": "data[4]_default", + "serial_number": "data[4]_serial_number", + "links": { + "policy": "data[4]_links_policy" + } + }, + { + "name": "data[5]_name", + "description": "data[5]_description", + "guid": "data[5]_guid", + "product": "data[5]_product", + "default": "data[5]_default", + "serial_number": "data[5]_serial_number", + "links": { + "policy": "data[5]_links_policy" + } + }, + { + "name": "data[6]_name", + "description": "data[6]_description", + "guid": "data[6]_guid", + "product": "data[6]_product", + "default": "data[6]_default", + "serial_number": "data[6]_serial_number", + "links": { + "policy": "data[6]_links_policy" + } + }, + { + "name": "data[7]_name", + "description": "data[7]_description", + "guid": "data[7]_guid", + "product": "data[7]_product", + "default": "data[7]_default", + "serial_number": "data[7]_serial_number", + "links": { + "policy": "data[7]_links_policy" + } + }, + { + "name": "data[8]_name", + "description": "data[8]_description", + "guid": "data[8]_guid", + "product": "data[8]_product", + "default": "data[8]_default", + "serial_number": "data[8]_serial_number", + "links": { + "policy": "data[8]_links_policy" + } + }, + { + "name": "data[9]_name", + "description": "data[9]_description", + "guid": "data[9]_guid", + "product": "data[9]_product", + "default": "data[9]_default", + "serial_number": "data[9]_serial_number", + "links": { + "policy": "data[9]_links_policy" + } + }, + { + "name": "data[10]_name", + "description": "data[10]_description", + "guid": "data[10]_guid", + "product": "data[10]_product", + "default": "data[10]_default", + "serial_number": "data[10]_serial_number", + "links": { + "policy": "data[10]_links_policy" + } + }, + { + "name": "data[11]_name", + "description": "data[11]_description", + "guid": "data[11]_guid", + "product": "data[11]_product", + "default": "data[11]_default", + "serial_number": "data[11]_serial_number", + "links": { + "policy": "data[11]_links_policy" + } + }, + { + "name": "data[12]_name", + "description": "data[12]_description", + "guid": "data[12]_guid", + "product": "data[12]_product", + "default": "data[12]_default", + "serial_number": "data[12]_serial_number", + "links": { + "policy": "data[12]_links_policy" + } + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/version_get_response.json b/Packs/AMP/Integrations/AMPv2/test_data/version_get_response.json new file mode 100644 index 000000000000..4e3528e73e14 --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/version_get_response.json @@ -0,0 +1,9 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + } + }, + "data": {} +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/vulnerability_get_response.json b/Packs/AMP/Integrations/AMPv2/test_data/vulnerability_get_response.json new file mode 100644 index 000000000000..084fd333afdb --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/vulnerability_get_response.json @@ -0,0 +1,28 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": [ + { + "connector_guid": "data[0]_connector_guid", + "hostname": "data[0]_hostname", + "windows_processor_id": "data[0]_windows_processor_id", + "active": "data[0]_active", + "links": { + "computer": "data[0]_links_computer", + "trajectory": "data[0]_links_trajectory", + "group": "data[0]_links_group" + }, + "group_guid": "data[0]_group_guid" + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/Integrations/AMPv2/test_data/vulnerability_list_response.json b/Packs/AMP/Integrations/AMPv2/test_data/vulnerability_list_response.json new file mode 100644 index 000000000000..889e3f9ce86f --- /dev/null +++ b/Packs/AMP/Integrations/AMPv2/test_data/vulnerability_list_response.json @@ -0,0 +1,1360 @@ +{ + "version": "version", + "metadata": { + "links": { + "self": "metadata_links_self" + }, + "results": { + "total": "metadata_results_total", + "current_item_count": "metadata_results_current_item_count", + "index": "metadata_results_index", + "items_per_page": "metadata_results_items_per_page" + } + }, + "data": [ + { + "application": "data[0]_application", + "version": "data[0]_version", + "file": { + "filename": "data[0]_file_filename", + "identity": { + "sha256": "data[0]_file_identity_sha256" + } + }, + "cves": [ + { + "id": "data[0]_cves[0]_id", + "link": "data[0]_cves[0]_link", + "cvss": "data[0]_cves[0]_cvss" + } + ], + "latest_timestamp": "data[0]_latest_timestamp", + "latest_date": "data[0]_latest_date", + "groups": [ + { + "name": "data[0]_groups[0]_name", + "description": "data[0]_groups[0]_description", + "guid": "data[0]_groups[0]_guid" + } + ], + "computers_total_count": "data[0]_computers_total_count", + "computers": [ + { + "connector_guid": "data[0]_computers[0]_connector_guid", + "hostname": "data[0]_computers[0]_hostname", + "windows_processor_id": "data[0]_computers[0]_windows_processor_id", + "active": "data[0]_computers[0]_active", + "links": { + "computer": "data[0]_computers[0]_links_computer", + "trajectory": "data[0]_computers[0]_links_trajectory", + "group": "data[0]_computers[0]_links_group" + } + } + ] + }, + { + "application": "data[1]_application", + "version": "data[1]_version", + "file": { + "filename": "data[1]_file_filename", + "identity": { + "sha256": "data[1]_file_identity_sha256" + } + }, + "cves": [ + { + "id": "data[1]_cves[0]_id", + "link": "data[1]_cves[0]_link", + "cvss": "data[1]_cves[0]_cvss" + }, + { + "id": "data[1]_cves[1]_id", + "link": "data[1]_cves[1]_link", + "cvss": "data[1]_cves[1]_cvss" + }, + { + "id": "data[1]_cves[2]_id", + "link": "data[1]_cves[2]_link", + "cvss": "data[1]_cves[2]_cvss" + }, + { + "id": "data[1]_cves[3]_id", + "link": "data[1]_cves[3]_link", + "cvss": "data[1]_cves[3]_cvss" + }, + { + "id": "data[1]_cves[4]_id", + "link": "data[1]_cves[4]_link", + "cvss": "data[1]_cves[4]_cvss" + }, + { + "id": "data[1]_cves[5]_id", + "link": "data[1]_cves[5]_link", + "cvss": "data[1]_cves[5]_cvss" + }, + { + "id": "data[1]_cves[6]_id", + "link": "data[1]_cves[6]_link", + "cvss": "data[1]_cves[6]_cvss" + }, + { + "id": "data[1]_cves[7]_id", + "link": "data[1]_cves[7]_link", + "cvss": "data[1]_cves[7]_cvss" + }, + { + "id": "data[1]_cves[8]_id", + "link": "data[1]_cves[8]_link", + "cvss": "data[1]_cves[8]_cvss" + }, + { + "id": "data[1]_cves[9]_id", + "link": "data[1]_cves[9]_link", + "cvss": "data[1]_cves[9]_cvss" + }, + { + "id": "data[1]_cves[10]_id", + "link": "data[1]_cves[10]_link", + "cvss": "data[1]_cves[10]_cvss" + }, + { + "id": "data[1]_cves[11]_id", + "link": "data[1]_cves[11]_link", + "cvss": "data[1]_cves[11]_cvss" + }, + { + "id": "data[1]_cves[12]_id", + "link": "data[1]_cves[12]_link", + "cvss": "data[1]_cves[12]_cvss" + }, + { + "id": "data[1]_cves[13]_id", + "link": "data[1]_cves[13]_link", + "cvss": "data[1]_cves[13]_cvss" + }, + { + "id": "data[1]_cves[14]_id", + "link": "data[1]_cves[14]_link", + "cvss": "data[1]_cves[14]_cvss" + }, + { + "id": "data[1]_cves[15]_id", + "link": "data[1]_cves[15]_link", + "cvss": "data[1]_cves[15]_cvss" + }, + { + "id": "data[1]_cves[16]_id", + "link": "data[1]_cves[16]_link", + "cvss": "data[1]_cves[16]_cvss" + }, + { + "id": "data[1]_cves[17]_id", + "link": "data[1]_cves[17]_link", + "cvss": "data[1]_cves[17]_cvss" + }, + { + "id": "data[1]_cves[18]_id", + "link": "data[1]_cves[18]_link", + "cvss": "data[1]_cves[18]_cvss" + }, + { + "id": "data[1]_cves[19]_id", + "link": "data[1]_cves[19]_link", + "cvss": "data[1]_cves[19]_cvss" + }, + { + "id": "data[1]_cves[20]_id", + "link": "data[1]_cves[20]_link", + "cvss": "data[1]_cves[20]_cvss" + }, + { + "id": "data[1]_cves[21]_id", + "link": "data[1]_cves[21]_link", + "cvss": "data[1]_cves[21]_cvss" + }, + { + "id": "data[1]_cves[22]_id", + "link": "data[1]_cves[22]_link", + "cvss": "data[1]_cves[22]_cvss" + }, + { + "id": "data[1]_cves[23]_id", + "link": "data[1]_cves[23]_link", + "cvss": "data[1]_cves[23]_cvss" + }, + { + "id": "data[1]_cves[24]_id", + "link": "data[1]_cves[24]_link", + "cvss": "data[1]_cves[24]_cvss" + }, + { + "id": "data[1]_cves[25]_id", + "link": "data[1]_cves[25]_link", + "cvss": "data[1]_cves[25]_cvss" + }, + { + "id": "data[1]_cves[26]_id", + "link": "data[1]_cves[26]_link", + "cvss": "data[1]_cves[26]_cvss" + }, + { + "id": "data[1]_cves[27]_id", + "link": "data[1]_cves[27]_link", + "cvss": "data[1]_cves[27]_cvss" + }, + { + "id": "data[1]_cves[28]_id", + "link": "data[1]_cves[28]_link", + "cvss": "data[1]_cves[28]_cvss" + }, + { + "id": "data[1]_cves[29]_id", + "link": "data[1]_cves[29]_link", + "cvss": "data[1]_cves[29]_cvss" + }, + { + "id": "data[1]_cves[30]_id", + "link": "data[1]_cves[30]_link", + "cvss": "data[1]_cves[30]_cvss" + }, + { + "id": "data[1]_cves[31]_id", + "link": "data[1]_cves[31]_link", + "cvss": "data[1]_cves[31]_cvss" + }, + { + "id": "data[1]_cves[32]_id", + "link": "data[1]_cves[32]_link", + "cvss": "data[1]_cves[32]_cvss" + }, + { + "id": "data[1]_cves[33]_id", + "link": "data[1]_cves[33]_link", + "cvss": "data[1]_cves[33]_cvss" + }, + { + "id": "data[1]_cves[34]_id", + "link": "data[1]_cves[34]_link", + "cvss": "data[1]_cves[34]_cvss" + }, + { + "id": "data[1]_cves[35]_id", + "link": "data[1]_cves[35]_link", + "cvss": "data[1]_cves[35]_cvss" + }, + { + "id": "data[1]_cves[36]_id", + "link": "data[1]_cves[36]_link", + "cvss": "data[1]_cves[36]_cvss" + }, + { + "id": "data[1]_cves[37]_id", + "link": "data[1]_cves[37]_link", + "cvss": "data[1]_cves[37]_cvss" + }, + { + "id": "data[1]_cves[38]_id", + "link": "data[1]_cves[38]_link", + "cvss": "data[1]_cves[38]_cvss" + }, + { + "id": "data[1]_cves[39]_id", + "link": "data[1]_cves[39]_link", + "cvss": "data[1]_cves[39]_cvss" + }, + { + "id": "data[1]_cves[40]_id", + "link": "data[1]_cves[40]_link", + "cvss": "data[1]_cves[40]_cvss" + }, + { + "id": "data[1]_cves[41]_id", + "link": "data[1]_cves[41]_link", + "cvss": "data[1]_cves[41]_cvss" + }, + { + "id": "data[1]_cves[42]_id", + "link": "data[1]_cves[42]_link", + "cvss": "data[1]_cves[42]_cvss" + }, + { + "id": "data[1]_cves[43]_id", + "link": "data[1]_cves[43]_link", + "cvss": "data[1]_cves[43]_cvss" + }, + { + "id": "data[1]_cves[44]_id", + "link": "data[1]_cves[44]_link", + "cvss": "data[1]_cves[44]_cvss" + }, + { + "id": "data[1]_cves[45]_id", + "link": "data[1]_cves[45]_link", + "cvss": "data[1]_cves[45]_cvss" + }, + { + "id": "data[1]_cves[46]_id", + "link": "data[1]_cves[46]_link", + "cvss": "data[1]_cves[46]_cvss" + }, + { + "id": "data[1]_cves[47]_id", + "link": "data[1]_cves[47]_link", + "cvss": "data[1]_cves[47]_cvss" + }, + { + "id": "data[1]_cves[48]_id", + "link": "data[1]_cves[48]_link", + "cvss": "data[1]_cves[48]_cvss" + }, + { + "id": "data[1]_cves[49]_id", + "link": "data[1]_cves[49]_link", + "cvss": "data[1]_cves[49]_cvss" + }, + { + "id": "data[1]_cves[50]_id", + "link": "data[1]_cves[50]_link", + "cvss": "data[1]_cves[50]_cvss" + }, + { + "id": "data[1]_cves[51]_id", + "link": "data[1]_cves[51]_link", + "cvss": "data[1]_cves[51]_cvss" + }, + { + "id": "data[1]_cves[52]_id", + "link": "data[1]_cves[52]_link", + "cvss": "data[1]_cves[52]_cvss" + }, + { + "id": "data[1]_cves[53]_id", + "link": "data[1]_cves[53]_link", + "cvss": "data[1]_cves[53]_cvss" + }, + { + "id": "data[1]_cves[54]_id", + "link": "data[1]_cves[54]_link", + "cvss": "data[1]_cves[54]_cvss" + }, + { + "id": "data[1]_cves[55]_id", + "link": "data[1]_cves[55]_link", + "cvss": "data[1]_cves[55]_cvss" + }, + { + "id": "data[1]_cves[56]_id", + "link": "data[1]_cves[56]_link", + "cvss": "data[1]_cves[56]_cvss" + }, + { + "id": "data[1]_cves[57]_id", + "link": "data[1]_cves[57]_link", + "cvss": "data[1]_cves[57]_cvss" + }, + { + "id": "data[1]_cves[58]_id", + "link": "data[1]_cves[58]_link", + "cvss": "data[1]_cves[58]_cvss" + }, + { + "id": "data[1]_cves[59]_id", + "link": "data[1]_cves[59]_link", + "cvss": "data[1]_cves[59]_cvss" + }, + { + "id": "data[1]_cves[60]_id", + "link": "data[1]_cves[60]_link", + "cvss": "data[1]_cves[60]_cvss" + }, + { + "id": "data[1]_cves[61]_id", + "link": "data[1]_cves[61]_link", + "cvss": "data[1]_cves[61]_cvss" + } + ], + "latest_timestamp": "data[1]_latest_timestamp", + "latest_date": "data[1]_latest_date", + "groups": [ + { + "name": "data[1]_groups[0]_name", + "description": "data[1]_groups[0]_description", + "guid": "data[1]_groups[0]_guid" + } + ], + "computers_total_count": "data[1]_computers_total_count", + "computers": [ + { + "connector_guid": "data[1]_computers[0]_connector_guid", + "hostname": "data[1]_computers[0]_hostname", + "windows_processor_id": "data[1]_computers[0]_windows_processor_id", + "active": "data[1]_computers[0]_active", + "links": { + "computer": "data[1]_computers[0]_links_computer", + "trajectory": "data[1]_computers[0]_links_trajectory", + "group": "data[1]_computers[0]_links_group" + } + } + ] + }, + { + "application": "data[2]_application", + "version": "data[2]_version", + "file": { + "filename": "data[2]_file_filename", + "identity": { + "sha256": "data[2]_file_identity_sha256" + } + }, + "cves": [ + { + "id": "data[2]_cves[0]_id", + "link": "data[2]_cves[0]_link", + "cvss": "data[2]_cves[0]_cvss" + }, + { + "id": "data[2]_cves[1]_id", + "link": "data[2]_cves[1]_link", + "cvss": "data[2]_cves[1]_cvss" + }, + { + "id": "data[2]_cves[2]_id", + "link": "data[2]_cves[2]_link", + "cvss": "data[2]_cves[2]_cvss" + }, + { + "id": "data[2]_cves[3]_id", + "link": "data[2]_cves[3]_link", + "cvss": "data[2]_cves[3]_cvss" + }, + { + "id": "data[2]_cves[4]_id", + "link": "data[2]_cves[4]_link", + "cvss": "data[2]_cves[4]_cvss" + }, + { + "id": "data[2]_cves[5]_id", + "link": "data[2]_cves[5]_link", + "cvss": "data[2]_cves[5]_cvss" + }, + { + "id": "data[2]_cves[6]_id", + "link": "data[2]_cves[6]_link", + "cvss": "data[2]_cves[6]_cvss" + }, + { + "id": "data[2]_cves[7]_id", + "link": "data[2]_cves[7]_link", + "cvss": "data[2]_cves[7]_cvss" + }, + { + "id": "data[2]_cves[8]_id", + "link": "data[2]_cves[8]_link", + "cvss": "data[2]_cves[8]_cvss" + }, + { + "id": "data[2]_cves[9]_id", + "link": "data[2]_cves[9]_link", + "cvss": "data[2]_cves[9]_cvss" + }, + { + "id": "data[2]_cves[10]_id", + "link": "data[2]_cves[10]_link", + "cvss": "data[2]_cves[10]_cvss" + }, + { + "id": "data[2]_cves[11]_id", + "link": "data[2]_cves[11]_link", + "cvss": "data[2]_cves[11]_cvss" + }, + { + "id": "data[2]_cves[12]_id", + "link": "data[2]_cves[12]_link", + "cvss": "data[2]_cves[12]_cvss" + }, + { + "id": "data[2]_cves[13]_id", + "link": "data[2]_cves[13]_link", + "cvss": "data[2]_cves[13]_cvss" + }, + { + "id": "data[2]_cves[14]_id", + "link": "data[2]_cves[14]_link", + "cvss": "data[2]_cves[14]_cvss" + }, + { + "id": "data[2]_cves[15]_id", + "link": "data[2]_cves[15]_link", + "cvss": "data[2]_cves[15]_cvss" + }, + { + "id": "data[2]_cves[16]_id", + "link": "data[2]_cves[16]_link", + "cvss": "data[2]_cves[16]_cvss" + }, + { + "id": "data[2]_cves[17]_id", + "link": "data[2]_cves[17]_link", + "cvss": "data[2]_cves[17]_cvss" + }, + { + "id": "data[2]_cves[18]_id", + "link": "data[2]_cves[18]_link", + "cvss": "data[2]_cves[18]_cvss" + }, + { + "id": "data[2]_cves[19]_id", + "link": "data[2]_cves[19]_link", + "cvss": "data[2]_cves[19]_cvss" + }, + { + "id": "data[2]_cves[20]_id", + "link": "data[2]_cves[20]_link", + "cvss": "data[2]_cves[20]_cvss" + }, + { + "id": "data[2]_cves[21]_id", + "link": "data[2]_cves[21]_link", + "cvss": "data[2]_cves[21]_cvss" + }, + { + "id": "data[2]_cves[22]_id", + "link": "data[2]_cves[22]_link", + "cvss": "data[2]_cves[22]_cvss" + }, + { + "id": "data[2]_cves[23]_id", + "link": "data[2]_cves[23]_link", + "cvss": "data[2]_cves[23]_cvss" + }, + { + "id": "data[2]_cves[24]_id", + "link": "data[2]_cves[24]_link", + "cvss": "data[2]_cves[24]_cvss" + }, + { + "id": "data[2]_cves[25]_id", + "link": "data[2]_cves[25]_link", + "cvss": "data[2]_cves[25]_cvss" + }, + { + "id": "data[2]_cves[26]_id", + "link": "data[2]_cves[26]_link", + "cvss": "data[2]_cves[26]_cvss" + }, + { + "id": "data[2]_cves[27]_id", + "link": "data[2]_cves[27]_link", + "cvss": "data[2]_cves[27]_cvss" + }, + { + "id": "data[2]_cves[28]_id", + "link": "data[2]_cves[28]_link", + "cvss": "data[2]_cves[28]_cvss" + }, + { + "id": "data[2]_cves[29]_id", + "link": "data[2]_cves[29]_link", + "cvss": "data[2]_cves[29]_cvss" + }, + { + "id": "data[2]_cves[30]_id", + "link": "data[2]_cves[30]_link", + "cvss": "data[2]_cves[30]_cvss" + }, + { + "id": "data[2]_cves[31]_id", + "link": "data[2]_cves[31]_link", + "cvss": "data[2]_cves[31]_cvss" + }, + { + "id": "data[2]_cves[32]_id", + "link": "data[2]_cves[32]_link", + "cvss": "data[2]_cves[32]_cvss" + }, + { + "id": "data[2]_cves[33]_id", + "link": "data[2]_cves[33]_link", + "cvss": "data[2]_cves[33]_cvss" + }, + { + "id": "data[2]_cves[34]_id", + "link": "data[2]_cves[34]_link", + "cvss": "data[2]_cves[34]_cvss" + }, + { + "id": "data[2]_cves[35]_id", + "link": "data[2]_cves[35]_link", + "cvss": "data[2]_cves[35]_cvss" + }, + { + "id": "data[2]_cves[36]_id", + "link": "data[2]_cves[36]_link", + "cvss": "data[2]_cves[36]_cvss" + }, + { + "id": "data[2]_cves[37]_id", + "link": "data[2]_cves[37]_link", + "cvss": "data[2]_cves[37]_cvss" + }, + { + "id": "data[2]_cves[38]_id", + "link": "data[2]_cves[38]_link", + "cvss": "data[2]_cves[38]_cvss" + }, + { + "id": "data[2]_cves[39]_id", + "link": "data[2]_cves[39]_link", + "cvss": "data[2]_cves[39]_cvss" + }, + { + "id": "data[2]_cves[40]_id", + "link": "data[2]_cves[40]_link", + "cvss": "data[2]_cves[40]_cvss" + }, + { + "id": "data[2]_cves[41]_id", + "link": "data[2]_cves[41]_link", + "cvss": "data[2]_cves[41]_cvss" + }, + { + "id": "data[2]_cves[42]_id", + "link": "data[2]_cves[42]_link", + "cvss": "data[2]_cves[42]_cvss" + }, + { + "id": "data[2]_cves[43]_id", + "link": "data[2]_cves[43]_link", + "cvss": "data[2]_cves[43]_cvss" + }, + { + "id": "data[2]_cves[44]_id", + "link": "data[2]_cves[44]_link", + "cvss": "data[2]_cves[44]_cvss" + }, + { + "id": "data[2]_cves[45]_id", + "link": "data[2]_cves[45]_link", + "cvss": "data[2]_cves[45]_cvss" + }, + { + "id": "data[2]_cves[46]_id", + "link": "data[2]_cves[46]_link", + "cvss": "data[2]_cves[46]_cvss" + }, + { + "id": "data[2]_cves[47]_id", + "link": "data[2]_cves[47]_link", + "cvss": "data[2]_cves[47]_cvss" + }, + { + "id": "data[2]_cves[48]_id", + "link": "data[2]_cves[48]_link", + "cvss": "data[2]_cves[48]_cvss" + }, + { + "id": "data[2]_cves[49]_id", + "link": "data[2]_cves[49]_link", + "cvss": "data[2]_cves[49]_cvss" + }, + { + "id": "data[2]_cves[50]_id", + "link": "data[2]_cves[50]_link", + "cvss": "data[2]_cves[50]_cvss" + }, + { + "id": "data[2]_cves[51]_id", + "link": "data[2]_cves[51]_link", + "cvss": "data[2]_cves[51]_cvss" + }, + { + "id": "data[2]_cves[52]_id", + "link": "data[2]_cves[52]_link", + "cvss": "data[2]_cves[52]_cvss" + }, + { + "id": "data[2]_cves[53]_id", + "link": "data[2]_cves[53]_link", + "cvss": "data[2]_cves[53]_cvss" + }, + { + "id": "data[2]_cves[54]_id", + "link": "data[2]_cves[54]_link", + "cvss": "data[2]_cves[54]_cvss" + }, + { + "id": "data[2]_cves[55]_id", + "link": "data[2]_cves[55]_link", + "cvss": "data[2]_cves[55]_cvss" + }, + { + "id": "data[2]_cves[56]_id", + "link": "data[2]_cves[56]_link", + "cvss": "data[2]_cves[56]_cvss" + }, + { + "id": "data[2]_cves[57]_id", + "link": "data[2]_cves[57]_link", + "cvss": "data[2]_cves[57]_cvss" + }, + { + "id": "data[2]_cves[58]_id", + "link": "data[2]_cves[58]_link", + "cvss": "data[2]_cves[58]_cvss" + }, + { + "id": "data[2]_cves[59]_id", + "link": "data[2]_cves[59]_link", + "cvss": "data[2]_cves[59]_cvss" + }, + { + "id": "data[2]_cves[60]_id", + "link": "data[2]_cves[60]_link", + "cvss": "data[2]_cves[60]_cvss" + }, + { + "id": "data[2]_cves[61]_id", + "link": "data[2]_cves[61]_link", + "cvss": "data[2]_cves[61]_cvss" + }, + { + "id": "data[2]_cves[62]_id", + "link": "data[2]_cves[62]_link", + "cvss": "data[2]_cves[62]_cvss" + }, + { + "id": "data[2]_cves[63]_id", + "link": "data[2]_cves[63]_link", + "cvss": "data[2]_cves[63]_cvss" + }, + { + "id": "data[2]_cves[64]_id", + "link": "data[2]_cves[64]_link", + "cvss": "data[2]_cves[64]_cvss" + }, + { + "id": "data[2]_cves[65]_id", + "link": "data[2]_cves[65]_link", + "cvss": "data[2]_cves[65]_cvss" + }, + { + "id": "data[2]_cves[66]_id", + "link": "data[2]_cves[66]_link", + "cvss": "data[2]_cves[66]_cvss" + }, + { + "id": "data[2]_cves[67]_id", + "link": "data[2]_cves[67]_link", + "cvss": "data[2]_cves[67]_cvss" + }, + { + "id": "data[2]_cves[68]_id", + "link": "data[2]_cves[68]_link", + "cvss": "data[2]_cves[68]_cvss" + }, + { + "id": "data[2]_cves[69]_id", + "link": "data[2]_cves[69]_link", + "cvss": "data[2]_cves[69]_cvss" + }, + { + "id": "data[2]_cves[70]_id", + "link": "data[2]_cves[70]_link", + "cvss": "data[2]_cves[70]_cvss" + }, + { + "id": "data[2]_cves[71]_id", + "link": "data[2]_cves[71]_link", + "cvss": "data[2]_cves[71]_cvss" + }, + { + "id": "data[2]_cves[72]_id", + "link": "data[2]_cves[72]_link", + "cvss": "data[2]_cves[72]_cvss" + }, + { + "id": "data[2]_cves[73]_id", + "link": "data[2]_cves[73]_link", + "cvss": "data[2]_cves[73]_cvss" + }, + { + "id": "data[2]_cves[74]_id", + "link": "data[2]_cves[74]_link", + "cvss": "data[2]_cves[74]_cvss" + }, + { + "id": "data[2]_cves[75]_id", + "link": "data[2]_cves[75]_link", + "cvss": "data[2]_cves[75]_cvss" + }, + { + "id": "data[2]_cves[76]_id", + "link": "data[2]_cves[76]_link", + "cvss": "data[2]_cves[76]_cvss" + }, + { + "id": "data[2]_cves[77]_id", + "link": "data[2]_cves[77]_link", + "cvss": "data[2]_cves[77]_cvss" + }, + { + "id": "data[2]_cves[78]_id", + "link": "data[2]_cves[78]_link", + "cvss": "data[2]_cves[78]_cvss" + }, + { + "id": "data[2]_cves[79]_id", + "link": "data[2]_cves[79]_link", + "cvss": "data[2]_cves[79]_cvss" + }, + { + "id": "data[2]_cves[80]_id", + "link": "data[2]_cves[80]_link", + "cvss": "data[2]_cves[80]_cvss" + }, + { + "id": "data[2]_cves[81]_id", + "link": "data[2]_cves[81]_link", + "cvss": "data[2]_cves[81]_cvss" + }, + { + "id": "data[2]_cves[82]_id", + "link": "data[2]_cves[82]_link", + "cvss": "data[2]_cves[82]_cvss" + }, + { + "id": "data[2]_cves[83]_id", + "link": "data[2]_cves[83]_link", + "cvss": "data[2]_cves[83]_cvss" + }, + { + "id": "data[2]_cves[84]_id", + "link": "data[2]_cves[84]_link", + "cvss": "data[2]_cves[84]_cvss" + }, + { + "id": "data[2]_cves[85]_id", + "link": "data[2]_cves[85]_link", + "cvss": "data[2]_cves[85]_cvss" + }, + { + "id": "data[2]_cves[86]_id", + "link": "data[2]_cves[86]_link", + "cvss": "data[2]_cves[86]_cvss" + }, + { + "id": "data[2]_cves[87]_id", + "link": "data[2]_cves[87]_link", + "cvss": "data[2]_cves[87]_cvss" + }, + { + "id": "data[2]_cves[88]_id", + "link": "data[2]_cves[88]_link", + "cvss": "data[2]_cves[88]_cvss" + }, + { + "id": "data[2]_cves[89]_id", + "link": "data[2]_cves[89]_link", + "cvss": "data[2]_cves[89]_cvss" + }, + { + "id": "data[2]_cves[90]_id", + "link": "data[2]_cves[90]_link", + "cvss": "data[2]_cves[90]_cvss" + }, + { + "id": "data[2]_cves[91]_id", + "link": "data[2]_cves[91]_link", + "cvss": "data[2]_cves[91]_cvss" + }, + { + "id": "data[2]_cves[92]_id", + "link": "data[2]_cves[92]_link", + "cvss": "data[2]_cves[92]_cvss" + }, + { + "id": "data[2]_cves[93]_id", + "link": "data[2]_cves[93]_link", + "cvss": "data[2]_cves[93]_cvss" + }, + { + "id": "data[2]_cves[94]_id", + "link": "data[2]_cves[94]_link", + "cvss": "data[2]_cves[94]_cvss" + }, + { + "id": "data[2]_cves[95]_id", + "link": "data[2]_cves[95]_link", + "cvss": "data[2]_cves[95]_cvss" + }, + { + "id": "data[2]_cves[96]_id", + "link": "data[2]_cves[96]_link", + "cvss": "data[2]_cves[96]_cvss" + }, + { + "id": "data[2]_cves[97]_id", + "link": "data[2]_cves[97]_link", + "cvss": "data[2]_cves[97]_cvss" + }, + { + "id": "data[2]_cves[98]_id", + "link": "data[2]_cves[98]_link", + "cvss": "data[2]_cves[98]_cvss" + } + ], + "latest_timestamp": "data[2]_latest_timestamp", + "latest_date": "data[2]_latest_date", + "groups": [ + { + "name": "data[2]_groups[0]_name", + "description": "data[2]_groups[0]_description", + "guid": "data[2]_groups[0]_guid" + } + ], + "computers_total_count": "data[2]_computers_total_count", + "computers": [ + { + "connector_guid": "data[2]_computers[0]_connector_guid", + "hostname": "data[2]_computers[0]_hostname", + "windows_processor_id": "data[2]_computers[0]_windows_processor_id", + "active": "data[2]_computers[0]_active", + "links": { + "computer": "data[2]_computers[0]_links_computer", + "trajectory": "data[2]_computers[0]_links_trajectory", + "group": "data[2]_computers[0]_links_group" + } + } + ] + }, + { + "application": "data[3]_application", + "version": "data[3]_version", + "file": { + "filename": "data[3]_file_filename", + "identity": { + "sha256": "data[3]_file_identity_sha256" + } + }, + "cves": [ + { + "id": "data[3]_cves[0]_id", + "link": "data[3]_cves[0]_link", + "cvss": "data[3]_cves[0]_cvss" + }, + { + "id": "data[3]_cves[1]_id", + "link": "data[3]_cves[1]_link", + "cvss": "data[3]_cves[1]_cvss" + }, + { + "id": "data[3]_cves[2]_id", + "link": "data[3]_cves[2]_link", + "cvss": "data[3]_cves[2]_cvss" + }, + { + "id": "data[3]_cves[3]_id", + "link": "data[3]_cves[3]_link", + "cvss": "data[3]_cves[3]_cvss" + }, + { + "id": "data[3]_cves[4]_id", + "link": "data[3]_cves[4]_link", + "cvss": "data[3]_cves[4]_cvss" + }, + { + "id": "data[3]_cves[5]_id", + "link": "data[3]_cves[5]_link", + "cvss": "data[3]_cves[5]_cvss" + }, + { + "id": "data[3]_cves[6]_id", + "link": "data[3]_cves[6]_link", + "cvss": "data[3]_cves[6]_cvss" + }, + { + "id": "data[3]_cves[7]_id", + "link": "data[3]_cves[7]_link", + "cvss": "data[3]_cves[7]_cvss" + }, + { + "id": "data[3]_cves[8]_id", + "link": "data[3]_cves[8]_link", + "cvss": "data[3]_cves[8]_cvss" + }, + { + "id": "data[3]_cves[9]_id", + "link": "data[3]_cves[9]_link", + "cvss": "data[3]_cves[9]_cvss" + }, + { + "id": "data[3]_cves[10]_id", + "link": "data[3]_cves[10]_link", + "cvss": "data[3]_cves[10]_cvss" + }, + { + "id": "data[3]_cves[11]_id", + "link": "data[3]_cves[11]_link", + "cvss": "data[3]_cves[11]_cvss" + }, + { + "id": "data[3]_cves[12]_id", + "link": "data[3]_cves[12]_link", + "cvss": "data[3]_cves[12]_cvss" + }, + { + "id": "data[3]_cves[13]_id", + "link": "data[3]_cves[13]_link", + "cvss": "data[3]_cves[13]_cvss" + }, + { + "id": "data[3]_cves[14]_id", + "link": "data[3]_cves[14]_link", + "cvss": "data[3]_cves[14]_cvss" + }, + { + "id": "data[3]_cves[15]_id", + "link": "data[3]_cves[15]_link", + "cvss": "data[3]_cves[15]_cvss" + }, + { + "id": "data[3]_cves[16]_id", + "link": "data[3]_cves[16]_link", + "cvss": "data[3]_cves[16]_cvss" + }, + { + "id": "data[3]_cves[17]_id", + "link": "data[3]_cves[17]_link", + "cvss": "data[3]_cves[17]_cvss" + }, + { + "id": "data[3]_cves[18]_id", + "link": "data[3]_cves[18]_link", + "cvss": "data[3]_cves[18]_cvss" + }, + { + "id": "data[3]_cves[19]_id", + "link": "data[3]_cves[19]_link", + "cvss": "data[3]_cves[19]_cvss" + }, + { + "id": "data[3]_cves[20]_id", + "link": "data[3]_cves[20]_link", + "cvss": "data[3]_cves[20]_cvss" + }, + { + "id": "data[3]_cves[21]_id", + "link": "data[3]_cves[21]_link", + "cvss": "data[3]_cves[21]_cvss" + }, + { + "id": "data[3]_cves[22]_id", + "link": "data[3]_cves[22]_link", + "cvss": "data[3]_cves[22]_cvss" + }, + { + "id": "data[3]_cves[23]_id", + "link": "data[3]_cves[23]_link", + "cvss": "data[3]_cves[23]_cvss" + }, + { + "id": "data[3]_cves[24]_id", + "link": "data[3]_cves[24]_link", + "cvss": "data[3]_cves[24]_cvss" + }, + { + "id": "data[3]_cves[25]_id", + "link": "data[3]_cves[25]_link", + "cvss": "data[3]_cves[25]_cvss" + }, + { + "id": "data[3]_cves[26]_id", + "link": "data[3]_cves[26]_link", + "cvss": "data[3]_cves[26]_cvss" + }, + { + "id": "data[3]_cves[27]_id", + "link": "data[3]_cves[27]_link", + "cvss": "data[3]_cves[27]_cvss" + }, + { + "id": "data[3]_cves[28]_id", + "link": "data[3]_cves[28]_link", + "cvss": "data[3]_cves[28]_cvss" + }, + { + "id": "data[3]_cves[29]_id", + "link": "data[3]_cves[29]_link", + "cvss": "data[3]_cves[29]_cvss" + }, + { + "id": "data[3]_cves[30]_id", + "link": "data[3]_cves[30]_link", + "cvss": "data[3]_cves[30]_cvss" + }, + { + "id": "data[3]_cves[31]_id", + "link": "data[3]_cves[31]_link", + "cvss": "data[3]_cves[31]_cvss" + }, + { + "id": "data[3]_cves[32]_id", + "link": "data[3]_cves[32]_link", + "cvss": "data[3]_cves[32]_cvss" + }, + { + "id": "data[3]_cves[33]_id", + "link": "data[3]_cves[33]_link", + "cvss": "data[3]_cves[33]_cvss" + }, + { + "id": "data[3]_cves[34]_id", + "link": "data[3]_cves[34]_link", + "cvss": "data[3]_cves[34]_cvss" + }, + { + "id": "data[3]_cves[35]_id", + "link": "data[3]_cves[35]_link", + "cvss": "data[3]_cves[35]_cvss" + }, + { + "id": "data[3]_cves[36]_id", + "link": "data[3]_cves[36]_link", + "cvss": "data[3]_cves[36]_cvss" + }, + { + "id": "data[3]_cves[37]_id", + "link": "data[3]_cves[37]_link", + "cvss": "data[3]_cves[37]_cvss" + }, + { + "id": "data[3]_cves[38]_id", + "link": "data[3]_cves[38]_link", + "cvss": "data[3]_cves[38]_cvss" + }, + { + "id": "data[3]_cves[39]_id", + "link": "data[3]_cves[39]_link", + "cvss": "data[3]_cves[39]_cvss" + }, + { + "id": "data[3]_cves[40]_id", + "link": "data[3]_cves[40]_link", + "cvss": "data[3]_cves[40]_cvss" + }, + { + "id": "data[3]_cves[41]_id", + "link": "data[3]_cves[41]_link", + "cvss": "data[3]_cves[41]_cvss" + }, + { + "id": "data[3]_cves[42]_id", + "link": "data[3]_cves[42]_link", + "cvss": "data[3]_cves[42]_cvss" + }, + { + "id": "data[3]_cves[43]_id", + "link": "data[3]_cves[43]_link", + "cvss": "data[3]_cves[43]_cvss" + }, + { + "id": "data[3]_cves[44]_id", + "link": "data[3]_cves[44]_link", + "cvss": "data[3]_cves[44]_cvss" + }, + { + "id": "data[3]_cves[45]_id", + "link": "data[3]_cves[45]_link", + "cvss": "data[3]_cves[45]_cvss" + }, + { + "id": "data[3]_cves[46]_id", + "link": "data[3]_cves[46]_link", + "cvss": "data[3]_cves[46]_cvss" + }, + { + "id": "data[3]_cves[47]_id", + "link": "data[3]_cves[47]_link", + "cvss": "data[3]_cves[47]_cvss" + }, + { + "id": "data[3]_cves[48]_id", + "link": "data[3]_cves[48]_link", + "cvss": "data[3]_cves[48]_cvss" + }, + { + "id": "data[3]_cves[49]_id", + "link": "data[3]_cves[49]_link", + "cvss": "data[3]_cves[49]_cvss" + }, + { + "id": "data[3]_cves[50]_id", + "link": "data[3]_cves[50]_link", + "cvss": "data[3]_cves[50]_cvss" + }, + { + "id": "data[3]_cves[51]_id", + "link": "data[3]_cves[51]_link", + "cvss": "data[3]_cves[51]_cvss" + }, + { + "id": "data[3]_cves[52]_id", + "link": "data[3]_cves[52]_link", + "cvss": "data[3]_cves[52]_cvss" + }, + { + "id": "data[3]_cves[53]_id", + "link": "data[3]_cves[53]_link", + "cvss": "data[3]_cves[53]_cvss" + } + ], + "latest_timestamp": "data[3]_latest_timestamp", + "latest_date": "data[3]_latest_date", + "groups": [ + { + "name": "data[3]_groups[0]_name", + "description": "data[3]_groups[0]_description", + "guid": "data[3]_groups[0]_guid" + }, + { + "name": "data[3]_groups[1]_name", + "description": "data[3]_groups[1]_description", + "guid": "data[3]_groups[1]_guid" + } + ], + "computers_total_count": "data[3]_computers_total_count", + "computers": [ + { + "connector_guid": "data[3]_computers[0]_connector_guid", + "hostname": "data[3]_computers[0]_hostname", + "windows_processor_id": "data[3]_computers[0]_windows_processor_id", + "active": "data[3]_computers[0]_active", + "links": { + "computer": "data[3]_computers[0]_links_computer", + "trajectory": "data[3]_computers[0]_links_trajectory", + "group": "data[3]_computers[0]_links_group" + } + }, + { + "connector_guid": "data[3]_computers[1]_connector_guid", + "hostname": "data[3]_computers[1]_hostname", + "windows_processor_id": "data[3]_computers[1]_windows_processor_id", + "active": "data[3]_computers[1]_active", + "links": { + "computer": "data[3]_computers[1]_links_computer", + "trajectory": "data[3]_computers[1]_links_trajectory", + "group": "data[3]_computers[1]_links_group" + } + } + ] + }, + { + "application": "data[4]_application", + "version": "data[4]_version", + "file": { + "filename": "data[4]_file_filename", + "identity": { + "sha256": "data[4]_file_identity_sha256" + } + }, + "cves": [ + { + "id": "data[4]_cves[0]_id", + "link": "data[4]_cves[0]_link", + "cvss": "data[4]_cves[0]_cvss" + }, + { + "id": "data[4]_cves[1]_id", + "link": "data[4]_cves[1]_link", + "cvss": "data[4]_cves[1]_cvss" + }, + { + "id": "data[4]_cves[2]_id", + "link": "data[4]_cves[2]_link", + "cvss": "data[4]_cves[2]_cvss" + }, + { + "id": "data[4]_cves[3]_id", + "link": "data[4]_cves[3]_link", + "cvss": "data[4]_cves[3]_cvss" + }, + { + "id": "data[4]_cves[4]_id", + "link": "data[4]_cves[4]_link", + "cvss": "data[4]_cves[4]_cvss" + }, + { + "id": "data[4]_cves[5]_id", + "link": "data[4]_cves[5]_link", + "cvss": "data[4]_cves[5]_cvss" + }, + { + "id": "data[4]_cves[6]_id", + "link": "data[4]_cves[6]_link", + "cvss": "data[4]_cves[6]_cvss" + }, + { + "id": "data[4]_cves[7]_id", + "link": "data[4]_cves[7]_link", + "cvss": "data[4]_cves[7]_cvss" + }, + { + "id": "data[4]_cves[8]_id", + "link": "data[4]_cves[8]_link", + "cvss": "data[4]_cves[8]_cvss" + }, + { + "id": "data[4]_cves[9]_id", + "link": "data[4]_cves[9]_link", + "cvss": "data[4]_cves[9]_cvss" + }, + { + "id": "data[4]_cves[10]_id", + "link": "data[4]_cves[10]_link", + "cvss": "data[4]_cves[10]_cvss" + }, + { + "id": "data[4]_cves[11]_id", + "link": "data[4]_cves[11]_link", + "cvss": "data[4]_cves[11]_cvss" + }, + { + "id": "data[4]_cves[12]_id", + "link": "data[4]_cves[12]_link", + "cvss": "data[4]_cves[12]_cvss" + }, + { + "id": "data[4]_cves[13]_id", + "link": "data[4]_cves[13]_link", + "cvss": "data[4]_cves[13]_cvss" + }, + { + "id": "data[4]_cves[14]_id", + "link": "data[4]_cves[14]_link", + "cvss": "data[4]_cves[14]_cvss" + } + ], + "latest_timestamp": "data[4]_latest_timestamp", + "latest_date": "data[4]_latest_date", + "groups": [ + { + "name": "data[4]_groups[0]_name", + "description": "data[4]_groups[0]_description", + "guid": "data[4]_groups[0]_guid" + } + ], + "computers_total_count": "data[4]_computers_total_count", + "computers": [ + { + "connector_guid": "data[4]_computers[0]_connector_guid", + "hostname": "data[4]_computers[0]_hostname", + "windows_processor_id": "data[4]_computers[0]_windows_processor_id", + "active": "data[4]_computers[0]_active", + "links": { + "group": "data[4]_computers[0]_links_group" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Packs/AMP/ReleaseNotes/2_0_0.md b/Packs/AMP/ReleaseNotes/2_0_0.md new file mode 100644 index 000000000000..5852c507b5b3 --- /dev/null +++ b/Packs/AMP/ReleaseNotes/2_0_0.md @@ -0,0 +1,4 @@ + +#### Integrations +##### New: Cisco AMP v2 +- Cisco Advanced Malware Protection software is designed to prevent, detect, and help remove threats in an efficient manner from computer systems. Threats can take the form of software viruses and other malware such as ransomware, worms, Trojans, spyware, adware, and fileless malware. \ No newline at end of file diff --git a/Packs/AMP/ReleaseNotes/2_0_1.md b/Packs/AMP/ReleaseNotes/2_0_1.md new file mode 100644 index 000000000000..b38144aa954a --- /dev/null +++ b/Packs/AMP/ReleaseNotes/2_0_1.md @@ -0,0 +1,3 @@ +#### Integrations +##### Cisco AMP v2 +- Updated the Docker image to: *demisto/python3:3.10.9.46032*. diff --git a/Packs/AMP/ReleaseNotes/2_0_2.md b/Packs/AMP/ReleaseNotes/2_0_2.md new file mode 100644 index 000000000000..5a4fe56e3441 --- /dev/null +++ b/Packs/AMP/ReleaseNotes/2_0_2.md @@ -0,0 +1,3 @@ +#### Integrations +##### Cisco AMP v2 +- Updated the Docker image to: *demisto/python3:3.10.10.48392*. diff --git a/Packs/AMP/ReleaseNotes/2_0_3.md b/Packs/AMP/ReleaseNotes/2_0_3.md new file mode 100644 index 000000000000..f454f7a3830b --- /dev/null +++ b/Packs/AMP/ReleaseNotes/2_0_3.md @@ -0,0 +1,4 @@ + +#### Integrations +##### Cisco AMP v2 +- Fixed an issue where incidents without severities would raise an error. diff --git a/Packs/AMP/TestPlaybooks/playbook-CiscoAMPv2_Test.yml b/Packs/AMP/TestPlaybooks/playbook-CiscoAMPv2_Test.yml new file mode 100644 index 000000000000..0ed06b9c0202 --- /dev/null +++ b/Packs/AMP/TestPlaybooks/playbook-CiscoAMPv2_Test.yml @@ -0,0 +1,3391 @@ +id: AMPv2_Test +version: -1 +name: AMPv2_Test +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: d46fa305-db13-4b34-8c85-1872fa3a2f64 + type: start + task: + id: d46fa305-db13-4b34-8c85-1872fa3a2f64 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: b5d66363-1afa-4b4b-8960-97670f494d7b + type: regular + task: + id: b5d66363-1afa-4b4b-8960-97670f494d7b + version: -1 + name: DeleteContext + script: DeleteContext + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + all: + simple: "yes" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 2bdd0333-86e3-4a1f-8123-8e923d018fa6 + type: regular + task: + id: 2bdd0333-86e3-4a1f-8123-8e923d018fa6 + version: -1 + name: cisco-amp-computer-list + script: CiscoAMP|||cisco-amp-computer-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "3" + scriptarguments: + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 400 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 1c4c231c-894a-49fd-83d3-35d96af9bb38 + type: condition + task: + id: 1c4c231c-894a-49fd-83d3-35d96af9bb38 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "4" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.connector_guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.hostname + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.windows_processor_id + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.active + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.connector_version + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.operating_system + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.os_version + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.internal_ips + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.external_ip + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.group_guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.install_date + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Computer.is_compromised + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Computer.demo + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.network_addresses.mac + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.network_addresses.ip + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.policy.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.policy.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.groups.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.groups.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.last_seen + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Computer.isolation.available + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.isolation.status + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 600 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 2bcbede3-3f4e-4351-85d2-d17eb2dfe8e2 + type: regular + task: + id: 2bcbede3-3f4e-4351-85d2-d17eb2dfe8e2 + version: -1 + name: cisco-amp-computer-trajectory-list + script: CiscoAMP|||cisco-amp-computer-trajectory-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "5" + scriptarguments: + connector_guid: + simple: ${CiscoAMP.Computer.connector_guid} + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 800 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 1171ca7d-f351-4f7e-8a73-bbf3ce788b48 + type: condition + task: + id: 1171ca7d-f351-4f7e-8a73-bbf3ce788b48 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "6" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerTrajectory.connector_guid + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerTrajectory.id + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerTrajectory.timestamp + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerTrajectory.date + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerTrajectory.event_type + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerTrajectory.event_type_id + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerTrajectory.group_guids + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: c9bb0a76-2bd9-46f6-823c-a1dafe15913b + type: regular + task: + id: c9bb0a76-2bd9-46f6-823c-a1dafe15913b + version: -1 + name: cisco-amp-computer-user-activity-list + script: CiscoAMP|||cisco-amp-computer-user-activity-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "7" + scriptarguments: + limit: + simple: "1" + username: + simple: johndoe + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 6414227b-a02c-440f-87cb-393f55b193f9 + type: condition + task: + id: 6414227b-a02c-440f-87cb-393f55b193f9 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "8" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerUserActivity.connector_guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerUserActivity.hostname + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.ComputerUserActivity.active + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1400 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: bf64cfce-a879-4627-8a84-dae923b1c8cd + type: regular + task: + id: bf64cfce-a879-4627-8a84-dae923b1c8cd + version: -1 + name: cisco-amp-computer-user-trajectory-list + script: CiscoAMP|||cisco-amp-computer-user-trajectory-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "9" + scriptarguments: + connector_guid: + simple: ${CiscoAMP.Computer.connector_guid} + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1600 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 9dea2217-226f-4c5c-813a-dd5bdde359ad + type: condition + task: + id: 9dea2217-226f-4c5c-813a-dd5bdde359ad + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "10" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerUserTrajectory.connector_guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerUserTrajectory.id + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerUserTrajectory.timestamp + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerUserTrajectory.timestamp_nanoseconds + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerUserTrajectory.date + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerUserTrajectory.event_type + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerUserTrajectory.event_type_id + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerUserTrajectory.group_guids + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 1800 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: f44f23a0-fcc7-40f4-818c-122ebec53140 + type: regular + task: + id: f44f23a0-fcc7-40f4-818c-122ebec53140 + version: -1 + name: cisco-amp-computer-vulnerabilities-list + script: CiscoAMP|||cisco-amp-computer-vulnerabilities-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "11" + scriptarguments: + connector_guid: + simple: ${CiscoAMP.Computer.connector_guid} + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 2000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: b2448caa-41a2-4b0b-864f-e09c19f6344c + type: condition + task: + id: b2448caa-41a2-4b0b-864f-e09c19f6344c + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "12" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerVulnerability.connector_guid + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerVulnerability.application + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerVulnerability.version + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerVulnerability.file.filename + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerVulnerability.file.identity.sha256 + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerVulnerability.cves.id + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerVulnerability.cves.link + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerVulnerability.cves.cvss + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerVulnerability.latest_timestamp + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerVulnerability.latest_date + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 2200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: a8b64693-29bc-4581-89a8-d758f3f50941 + type: regular + task: + id: a8b64693-29bc-4581-89a8-d758f3f50941 + version: -1 + name: cisco-amp-computer-move + script: CiscoAMP|||cisco-amp-computer-move + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "13" + scriptarguments: + connector_guid: + simple: ${CiscoAMP.Computer.connector_guid} + group_guid: + simple: ${CiscoAMP.Computer.groups.guid} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 2400 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: 686be1b3-197c-46a3-8f98-a0789f1cb11b + type: condition + task: + id: 686be1b3-197c-46a3-8f98-a0789f1cb11b + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "15" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.connector_guid + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.hostname + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.windows_processor_id + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Computer.active + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.connector_version + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.operating_system + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.os_version + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.internal_ips + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.external_ip + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.group_guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.install_date + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Computer.is_compromised + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Computer.demo + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.network_addresses.mac + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.network_addresses.ip + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.policy.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.policy.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.groups.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Computer.groups.name + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Computer.isolation.available + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 2600 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 63648d1c-88dd-4310-8ab0-6fd7cd6d757b + type: regular + task: + id: 63648d1c-88dd-4310-8ab0-6fd7cd6d757b + version: -1 + name: cisco-amp-computer-activity-list + script: CiscoAMP|||cisco-amp-computer-activity-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "16" + scriptarguments: + limit: + simple: "1" + query_string: + simple: 8.8.8.8 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 2840 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: da4720ea-3231-468f-8cd6-2944fb55f3d2 + type: condition + task: + id: da4720ea-3231-468f-8cd6-2944fb55f3d2 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "17" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerActivity.connector_guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerActivity.hostname + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerActivity.windows_processor_id + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.ComputerActivity.active + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 3020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: 09d44aa1-04f4-4b39-8722-f1a67aa4d87c + type: regular + task: + id: 09d44aa1-04f4-4b39-8722-f1a67aa4d87c + version: -1 + name: cisco-amp-computer-isolation-feature-availability-get + script: CiscoAMP|||cisco-amp-computer-isolation-feature-availability-get + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "18" + scriptarguments: + connector_guid: + simple: ${CiscoAMP.Computer.connector_guid} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 3220 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 4b71fa13-f9cd-460d-8b31-a1484b916ed9 + type: regular + task: + id: 4b71fa13-f9cd-460d-8b31-a1484b916ed9 + version: -1 + name: cisco-amp-computer-isolation-get + script: CiscoAMP|||cisco-amp-computer-isolation-get + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "19" + scriptarguments: + connector_guid: + simple: ${CiscoAMP.Computer.connector_guid} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 3390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 4cd9fd41-22c2-48b4-8311-ee1f6c4f83eb + type: condition + task: + id: 4cd9fd41-22c2-48b4-8311-ee1f6c4f83eb + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "61" + "yes": + - "20" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.connector_guid + iscontext: true + right: + value: {} + - - operator: isExists + left: + value: + simple: CiscoAMP.ComputerIsolation.available + iscontext: true + - - operator: isEqualString + left: + value: + simple: CiscoAMP.ComputerIsolation.status + iscontext: true + right: + value: + simple: not_isolated + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.unlock_code + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.comment + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 3560 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: ac9cef8c-f757-4bbe-8afc-c55307f2d3b6 + type: regular + task: + id: ac9cef8c-f757-4bbe-8afc-c55307f2d3b6 + version: -1 + name: cisco-amp-computer-isolation-create + script: CiscoAMP|||cisco-amp-computer-isolation-create + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "21" + scriptarguments: + comment: + simple: Playbook Test Create + connector_guid: + simple: ${CiscoAMP.ComputerIsolation.connector_guid} + interval_in_seconds: + simple: "5" + unlock_code: + simple: playbooktest + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 300, + "y": 3800 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "21": + id: "21" + taskid: 4862f575-a3d3-4a89-8967-05b4bb846c2c + type: condition + task: + id: 4862f575-a3d3-4a89-8967-05b4bb846c2c + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "22" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.connector_guid + iscontext: true + right: + value: {} + - - operator: isExists + left: + value: + simple: CiscoAMP.ComputerIsolation.available + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.status + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.unlock_code + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.comment + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 300, + "y": 4000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: 4af9d3a8-955d-46f4-85ad-1d04248852f0 + type: regular + task: + id: 4af9d3a8-955d-46f4-85ad-1d04248852f0 + version: -1 + name: cisco-amp-computer-isolation-delete + script: CiscoAMP|||cisco-amp-computer-isolation-delete + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "23" + scriptarguments: + comment: + simple: Playbook Test Delete + connector_guid: + simple: ${CiscoAMP.ComputerIsolation.connector_guid} + interval_in_seconds: + simple: "5" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 300, + "y": 4200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: a839955f-25ee-4aef-8fc7-6ed086bff5c9 + type: condition + task: + id: a839955f-25ee-4aef-8fc7-6ed086bff5c9 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "24" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: CiscoAMP.ComputerIsolation.available + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.status + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.unlock_code + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.comment + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 300, + "y": 4400 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: 3dee0ab6-6d04-4f0c-828a-4920adc5bf1b + type: regular + task: + id: 3dee0ab6-6d04-4f0c-828a-4920adc5bf1b + version: -1 + name: cisco-amp-event-list + script: CiscoAMP|||cisco-amp-event-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "25" + scriptarguments: + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 4800 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: 2d269a81-423b-4f0d-8633-03ed049af201 + type: condition + task: + id: 2d269a81-423b-4f0d-8633-03ed049af201 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "26" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.id + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.timestamp + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.timestamp_nanoseconds + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.date + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.event_type + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.event_type_id + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.connector_guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.group_guids + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.computer.connector_guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.computer.hostname + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.computer.external_ip + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Event.computer.active + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.computer.network_addresses.ip + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Event.computer.network_addresses.mac + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 5000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "26": + id: "26" + taskid: faaceb9e-2888-4a25-8a67-78b6e02f5640 + type: regular + task: + id: faaceb9e-2888-4a25-8a67-78b6e02f5640 + version: -1 + name: cisco-amp-event-type-list + script: CiscoAMP|||cisco-amp-event-type-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "27" + scriptarguments: + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 5200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: 4a4ff81b-e478-4a28-8649-de3193b84272 + type: condition + task: + id: 4a4ff81b-e478-4a28-8649-de3193b84272 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "28" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.EventType.id + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.EventType.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.EventType.description + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 5400 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: afdee4bc-b3be-4e8c-8510-e1183ddcb19c + type: regular + task: + id: afdee4bc-b3be-4e8c-8510-e1183ddcb19c + version: -1 + name: cisco-amp-file-list-list + script: CiscoAMP|||cisco-amp-file-list-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "29" + scriptarguments: + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 5600 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: 083afcec-2e74-4391-86b8-cb106855a26b + type: condition + task: + id: 083afcec-2e74-4391-86b8-cb106855a26b + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "30" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.FileList.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.FileList.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.FileList.type + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 5800 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: 121a9e07-f56e-4adc-83f8-75ae054cbc8c + type: regular + task: + id: 121a9e07-f56e-4adc-83f8-75ae054cbc8c + version: -1 + name: cisco-amp-file-list-item-list + script: CiscoAMP|||cisco-amp-file-list-item-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "31" + scriptarguments: + file_list_guid: + simple: ${CiscoAMP.FileList.guid} + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 6000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: 8507c865-e19e-4993-8ae0-89c0168c70bb + type: condition + task: + id: 8507c865-e19e-4993-8ae0-89c0168c70bb + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "32" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.FileListItem.name + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.FileListItem.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.FileListItem.policies.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.FileListItem.policies.guid + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 6200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: 53f6a5cf-432b-407a-8fde-91ed23156e23 + type: regular + task: + id: 53f6a5cf-432b-407a-8fde-91ed23156e23 + version: -1 + name: cisco-amp-file-list-item-create + script: CiscoAMP|||cisco-amp-file-list-item-create + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "33" + scriptarguments: + file_list_guid: + simple: ${CiscoAMP.FileList.guid} + sha256: + simple: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 6400 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: 6f0aa667-f5ec-44fa-8828-3e8246ef2102 + type: condition + task: + id: 6f0aa667-f5ec-44fa-8828-3e8246ef2102 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "34" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.FileListItem.sha256 + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.FileListItem.source + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 6600 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: 80c2cb2a-74c9-4990-85f4-360261ff7e15 + type: regular + task: + id: 80c2cb2a-74c9-4990-85f4-360261ff7e15 + version: -1 + name: cisco-amp-file-list-item-delete + script: CiscoAMP|||cisco-amp-file-list-item-delete + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "35" + scriptarguments: + file_list_guid: + simple: ${CiscoAMP.FileListItem.guid} + sha256: + simple: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 6800 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: 1bf3c704-f4f7-4eee-823f-ecfd8e3ed0d6 + type: regular + task: + id: 1bf3c704-f4f7-4eee-823f-ecfd8e3ed0d6 + version: -1 + name: cisco-amp-group-list + script: CiscoAMP|||cisco-amp-group-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "36" + scriptarguments: + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 7000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: cba12b40-6dd6-4f2d-8dd5-fcf959b58075 + type: condition + task: + id: cba12b40-6dd6-4f2d-8dd5-fcf959b58075 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "46" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.name + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.guid + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 7200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "37": + id: "37" + taskid: 453a1cbd-dc74-4525-8dbf-b7180c39baff + type: regular + task: + id: 453a1cbd-dc74-4525-8dbf-b7180c39baff + version: -1 + name: cisco-amp-group-policy-update + script: CiscoAMP|||cisco-amp-group-policy-update + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "38" + scriptarguments: + group_guid: + simple: ${CiscoAMP.Group.guid} + windows_policy_guid: + simple: ${CiscoAMP.Policy.guid} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 7880 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "38": + id: "38" + taskid: ee3f6309-6d9e-4b37-84c3-1f357787d5e2 + type: condition + task: + id: ee3f6309-6d9e-4b37-84c3-1f357787d5e2 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "39" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.name + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.creator + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.created_at + iscontext: true + - - operator: greaterThanOrEqual + left: + value: + simple: CiscoAMP.Group.computers_count + iscontext: true + right: + value: + simple: "0" + - - operator: greaterThanOrEqual + left: + value: + simple: CiscoAMP.Group.descendant_computers_count + iscontext: true + right: + value: + simple: "0" + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.product + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Group.policies.default + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.serial_number + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Group.policies.inherited + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.file_lists.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.file_lists.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.file_lists.type + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.exclusion_sets.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.exclusion_sets.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.used_in_groups.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.used_in_groups.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.used_in_groups.guid + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 8150 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "39": + id: "39" + taskid: 7f5a1f67-f0a9-446e-8a2b-0c64a78d3dee + type: regular + task: + id: 7f5a1f67-f0a9-446e-8a2b-0c64a78d3dee + version: -1 + name: cisco-amp-group-parent-update + script: CiscoAMP|||cisco-amp-group-parent-update + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "40" + scriptarguments: + child_guid: + simple: ${CiscoAMP.Group.guid} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 8350 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 27400429-3994-4447-8050-f2b0559a305b + type: condition + task: + id: 27400429-3994-4447-8050-f2b0559a305b + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "63" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.name + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.creator + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.created_at + iscontext: true + - - operator: greaterThanOrEqual + left: + value: + simple: CiscoAMP.Group.computers_count + iscontext: true + right: + value: + simple: "0" + - - operator: greaterThanOrEqual + left: + value: + simple: CiscoAMP.Group.descendant_computers_count + iscontext: true + right: + value: + simple: "0" + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.product + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Group.policies.default + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.serial_number + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Group.policies.inherited + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.file_lists.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.file_lists.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.file_lists.type + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.exclusion_sets.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.exclusion_sets.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.used_in_groups.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.used_in_groups.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.used_in_groups.guid + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 8500 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: 76053eb3-3c67-4bff-8333-fb9597af27fd + type: regular + task: + id: 76053eb3-3c67-4bff-8333-fb9597af27fd + version: -1 + name: cisco-amp-group-create + script: CiscoAMP|||cisco-amp-group-create + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "42" + scriptarguments: + description: + simple: Delete this group + name: + simple: Playbook Group Creation Test + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 8900 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: 55c92db0-9a44-4ae2-8abc-86e7f8dba022 + type: condition + task: + id: 55c92db0-9a44-4ae2-8abc-86e7f8dba022 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "43" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.name + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.source + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.created_at + iscontext: true + - - operator: greaterThanOrEqual + left: + value: + simple: CiscoAMP.Group.computers_count + iscontext: true + right: + value: + simple: "0" + - - operator: greaterThanOrEqual + left: + value: + simple: CiscoAMP.Group.descendant_computers_count + iscontext: true + right: + value: + simple: "0" + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.product + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Group.policies.default + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.serial_number + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Group.policies.inherited + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.file_lists.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.file_lists.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.file_lists.type + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.exclusion_sets.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.exclusion_sets.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.used_in_groups.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.used_in_groups.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Group.policies.used_in_groups.guid + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 9090 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: 1c878996-09e0-459a-8b7a-5e49043b31d6 + type: regular + task: + id: 1c878996-09e0-459a-8b7a-5e49043b31d6 + version: -1 + name: cisco-amp-group-delete + script: CiscoAMP|||cisco-amp-group-delete + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "44" + scriptarguments: + group_guid: + simple: ${CiscoAMP.Group.guid} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 9290 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: b451a422-8b92-4b8a-80cd-79009ff13c93 + type: regular + task: + id: b451a422-8b92-4b8a-80cd-79009ff13c93 + version: -1 + name: cisco-amp-indicator-list + script: CiscoAMP|||cisco-amp-indicator-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "45" + scriptarguments: + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 9490 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: 74ef2572-675d-449b-8f10-dbeecd6275a1 + type: condition + task: + id: 74ef2572-675d-449b-8f10-dbeecd6275a1 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "48" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Indicator.name + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Indicator.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Indicator.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Indicator.severity + iscontext: true + - - operator: greaterThanOrEqual + left: + value: + simple: CiscoAMP.Indicator.observed_compromises + iscontext: true + right: + value: + simple: "0" + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 9690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "46": + id: "46" + taskid: bb126bee-cfa6-4a55-8c57-3ec3ecc0d18f + type: regular + task: + id: bb126bee-cfa6-4a55-8c57-3ec3ecc0d18f + version: -1 + name: cisco-amp-policy-list + script: CiscoAMP|||cisco-amp-policy-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "47" + scriptarguments: + limit: + simple: "1" + product: + simple: windows + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 7370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "47": + id: "47" + taskid: ef15ce70-f050-4253-813f-6abc2584ad92 + type: condition + task: + id: ef15ce70-f050-4253-813f-6abc2584ad92 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "37" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Policy.name + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Policy.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Policy.guid + iscontext: true + - - operator: isEqualString + left: + value: + simple: CiscoAMP.Policy.product + iscontext: true + right: + value: + simple: windows + - - operator: isExists + left: + value: + simple: CiscoAMP.Policy.default + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Policy.serial_number + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 7610 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: 8f356108-b6e9-49a4-8dec-954e9669dbc7 + type: regular + task: + id: 8f356108-b6e9-49a4-8dec-954e9669dbc7 + version: -1 + name: cisco-amp-app-trajectory-query-list + script: CiscoAMP|||cisco-amp-app-trajectory-query-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "49" + scriptarguments: + ios_bid: + simple: com.apple.Safari.SafeBrowsing + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 9930 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "49": + id: "49" + taskid: 6c8e399f-7b6d-4c69-8cac-905f06e9783f + type: condition + task: + id: 6c8e399f-7b6d-4c69-8cac-905f06e9783f + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "50" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.connector_guid + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.bundle_id + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.group_guids + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.timestamp + iscontext: true + - - operator: greaterThanOrEqual + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.timestamp_nanoseconds + iscontext: true + right: + value: + simple: "0" + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.date + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.query_type + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.network_info.dirty_url + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.network_info.remote_ip + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.network_info.remote_port + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.network_info.local_ip + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.network_info.local_port + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.network_info.direction + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.AppTrajectoryQuery.network_info.protocol + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 10130 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "50": + id: "50" + taskid: 44a06e85-d4b3-42dc-82d0-5b2466424948 + type: regular + task: + id: 44a06e85-d4b3-42dc-82d0-5b2466424948 + version: -1 + name: cisco-amp-version-get + script: CiscoAMP|||cisco-amp-version-get + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "51" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 10330 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "51": + id: "51" + taskid: d7dcb606-3bff-44c8-8e7b-178ef96289f5 + type: condition + task: + id: d7dcb606-3bff-44c8-8e7b-178ef96289f5 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "52" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Version.version + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 10530 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "52": + id: "52" + taskid: bcb008d2-dc02-4fb7-853c-8a64876328b7 + type: regular + task: + id: bcb008d2-dc02-4fb7-853c-8a64876328b7 + version: -1 + name: cisco-amp-vulnerability-list + script: CiscoAMP|||cisco-amp-vulnerability-list + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "53" + scriptarguments: + limit: + simple: "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 10730 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "53": + id: "53" + taskid: c9a1c880-f3c5-4805-8f34-6f093a68d34c + type: condition + task: + id: c9a1c880-f3c5-4805-8f34-6f093a68d34c + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "54" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.application + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.version + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.file.filename + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.file.identity.sha256 + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.latest_timestamp + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.latest_date + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.computers_total_count + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.cves.id + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.cves.link + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.cves.cvss + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.groups.name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.groups.description + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.groups.guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.computers.connector_guid + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.computers.hostname + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.Vulnerability.computers.windows_processor_id + iscontext: true + - - operator: isExists + left: + value: + simple: CiscoAMP.Vulnerability.computers.active + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 10930 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "54": + id: "54" + taskid: 3400de75-91f4-442a-83e4-aeefd58e4783 + type: regular + task: + id: 3400de75-91f4-442a-83e4-aeefd58e4783 + version: -1 + name: endpoint + script: CiscoAMP|||endpoint + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "55" + scriptarguments: + id: + simple: ${CiscoAMP.Computer.connector_guid} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 11130 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "55": + id: "55" + taskid: 2baa0595-c21c-4a38-8925-a7afd3591ed5 + type: condition + task: + id: 2baa0595-c21c-4a38-8925-a7afd3591ed5 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "56" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: Endpoint.Hostname + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: Endpoint.ID + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: Endpoint.IPAddress + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: Endpoint.OS + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: Endpoint.OSVersion + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: Endpoint.Status + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: Endpoint.MACAddress + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: Endpoint.Vendor + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 11330 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "56": + id: "56" + taskid: 7879c995-a882-4373-8e54-c212326a7490 + type: regular + task: + id: 7879c995-a882-4373-8e54-c212326a7490 + version: -1 + name: file + script: CiscoAMP|||file + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "57" + scriptarguments: + file: + simple: ${CiscoAMP.Vulnerability.file.identity.sha256} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 11530 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "57": + id: "57" + taskid: dce6e508-1b98-4cf2-86b9-bdf03ba4985b + type: condition + task: + id: dce6e508-1b98-4cf2-86b9-bdf03ba4985b + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "58" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: File.SHA256 + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: File.Name + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: File.Hostname + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: DBotScore.Indicator + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: DBotScore.Type + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: DBotScore.Vendor + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: DBotScore.Reliability + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: DBotScore.Score + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 11730 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "58": + id: "58" + taskid: 145b4571-c5fc-4895-8b05-009aa7bde2d2 + type: title + task: + id: 145b4571-c5fc-4895-8b05-009aa7bde2d2 + version: -1 + name: Test Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 50, + "y": 11930 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "61": + id: "61" + taskid: 491c8503-d9ef-4541-82a8-08db9a679959 + type: regular + task: + id: 491c8503-d9ef-4541-82a8-08db9a679959 + version: -1 + name: cisco-amp-computer-isolation-delete + script: CiscoAMP|||cisco-amp-computer-isolation-delete + type: regular + iscommand: true + brand: CiscoAMP + nexttasks: + '#none#': + - "62" + scriptarguments: + comment: + simple: Playbook Test Delete + connector_guid: + simple: ${CiscoAMP.ComputerIsolation.connector_guid} + interval_in_seconds: + simple: "5" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -280, + "y": 3800 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "62": + id: "62" + taskid: c46c8444-0fb6-45a3-8994-be1dcf0c4bb3 + type: condition + task: + id: c46c8444-0fb6-45a3-8994-be1dcf0c4bb3 + version: -1 + name: Verify Outputs + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "20" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: CiscoAMP.ComputerIsolation.available + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.status + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.unlock_code + iscontext: true + - - operator: isNotEmpty + left: + value: + simple: CiscoAMP.ComputerIsolation.comment + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -280, + "y": 4000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "63": + id: "63" + taskid: 0ccc540f-36d9-4b9a-8446-3b946e678d9e + type: regular + task: + id: 0ccc540f-36d9-4b9a-8446-3b946e678d9e + version: -1 + name: DeleteContext + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "41" + scriptarguments: + key: + simple: CiscoAMP.Group.guid + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 8700 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 11945, + "width": 960, + "x": -280, + "y": 50 + } + } + } +inputs: [] +outputs: [] +fromversion: 6.5.0 +description: '' diff --git a/Packs/AMP/pack_metadata.json b/Packs/AMP/pack_metadata.json index 1db763f238c7..0a7ce2eced30 100644 --- a/Packs/AMP/pack_metadata.json +++ b/Packs/AMP/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cisco AMP", "description": "Uses CISCO AMP Endpoint", "support": "xsoar", - "currentVersion": "1.1.0", + "currentVersion": "2.0.3", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.py b/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.py index 4a0c01a487ad..180f152f53c0 100644 --- a/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.py +++ b/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.py @@ -9,6 +9,7 @@ import os import json import requests +import urllib3 from base64 import b64encode ''' GLOBAL VARS / INSTANCE CONFIGURATION ''' @@ -47,7 +48,7 @@ ''' SETUP ''' # Disable insecure warnings -requests.packages.urllib3.disable_warnings() +urllib3.disable_warnings() # Remove proxy if not set to true in params if not PROXY: diff --git a/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.yml b/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.yml index 2686afef4bf3..6723747432f1 100644 --- a/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.yml +++ b/Packs/ANYRUN/Integrations/ANYRUN/ANYRUN.yml @@ -358,6 +358,15 @@ script: - '64' required: false secret: false + - name: obj_ext_browser + auto: PREDEFINED + predefined: + - Internet Explorer + - Google Chrome + - Mozilla Firefox + - Opera + - Microsoft Edge + description: Browser name, used only for "url" type. - auto: PREDEFINED default: false defaultValue: Windows 7 @@ -425,7 +434,7 @@ script: - contextPath: ANYRUN.Task.ID description: ID of the task created to analyze the submission. type: String - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.10.48392 subtype: python3 isfetch: false runonce: false diff --git a/Packs/ANYRUN/Integrations/ANYRUN/README.md b/Packs/ANYRUN/Integrations/ANYRUN/README.md index 389f686cf012..0dadf5d11bb1 100644 --- a/Packs/ANYRUN/Integrations/ANYRUN/README.md +++ b/Packs/ANYRUN/Integrations/ANYRUN/README.md @@ -345,6 +345,7 @@ Submit a file or url for analysis. | opt_network_connect | Network connection state. Possible values are: true, false. Default is true. | Optional | | opt_kernel_heavyevasion | Heavy evasion option. Possible values are: true, false. Default is false. | Optional | | opt_privacy_type | Privacy settings for generated task. Possible values are: owner, bylink, public. Default is owner. | Optional | +| obj_ext_browser | Browser name, used only for "url" type. Possible values are: Internet Explorer, Google Chrome, Mozilla Firefox, Opera, Microsoft Edge. | Optional | #### Context Output diff --git a/Packs/ANYRUN/ReleaseNotes/1_0_11.md b/Packs/ANYRUN/ReleaseNotes/1_0_11.md new file mode 100644 index 000000000000..1f49c33eb284 --- /dev/null +++ b/Packs/ANYRUN/ReleaseNotes/1_0_11.md @@ -0,0 +1,3 @@ +#### Integrations +##### ANY.RUN +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/ANYRUN/ReleaseNotes/1_0_12.md b/Packs/ANYRUN/ReleaseNotes/1_0_12.md new file mode 100644 index 000000000000..7919c4949a5a --- /dev/null +++ b/Packs/ANYRUN/ReleaseNotes/1_0_12.md @@ -0,0 +1,4 @@ +#### Integrations +##### ANY.RUN +- Added the *obj_ext_browser* argument to the ***anyrun-run-analysis*** command. +- Updated the Docker image to: *demisto/python3:3.10.10.47713*. \ No newline at end of file diff --git a/Packs/ANYRUN/ReleaseNotes/1_0_13.md b/Packs/ANYRUN/ReleaseNotes/1_0_13.md new file mode 100644 index 000000000000..7e3eb4dabe01 --- /dev/null +++ b/Packs/ANYRUN/ReleaseNotes/1_0_13.md @@ -0,0 +1,3 @@ +#### Integrations +##### ANY.RUN +- Updated the Docker image to: *demisto/python3:3.10.10.48392*. diff --git a/Packs/ANYRUN/pack_metadata.json b/Packs/ANYRUN/pack_metadata.json index eb230a80cf19..a24faa9c5986 100644 --- a/Packs/ANYRUN/pack_metadata.json +++ b/Packs/ANYRUN/pack_metadata.json @@ -2,7 +2,7 @@ "name": "ANY.RUN", "description": "ANY.RUN is a cloud-based sandbox with interactive access.", "support": "xsoar", - "currentVersion": "1.0.10", + "currentVersion": "1.0.13", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/APIVoid/.pack-ignore b/Packs/APIVoid/.pack-ignore index b3b7eb3458f7..51b97ddceaff 100644 --- a/Packs/APIVoid/.pack-ignore +++ b/Packs/APIVoid/.pack-ignore @@ -1,5 +1,5 @@ [file:APIVoid.yml] -ignore=IN145,IN154 +ignore=IN154 [known_words] APIVoid \ No newline at end of file diff --git a/Packs/APIVoid/Integrations/APIVoid/APIVoid.py b/Packs/APIVoid/Integrations/APIVoid/APIVoid.py index e1f30c50e672..6b7fdef74aef 100644 --- a/Packs/APIVoid/Integrations/APIVoid/APIVoid.py +++ b/Packs/APIVoid/Integrations/APIVoid/APIVoid.py @@ -549,7 +549,7 @@ def main(): # get the service API url (This is static for this service) base_url = API_ENDPOINT - apikey = params.get('apikey', None) + apikey = params.get('credentials', {}).get('password') or params.get('apikey', None) verify_certificate = not params.get('insecure', False) proxy = params.get('proxy', False) diff --git a/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml b/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml index d3c003fad274..b13462af5e7a 100644 --- a/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml +++ b/Packs/APIVoid/Integrations/APIVoid/APIVoid.yml @@ -1,55 +1,74 @@ commonfields: id: APIVoid version: -1 +sectionOrder: +- Connect +- Collect name: APIVoid display: APIVoid category: Data Enrichment & Threat Intelligence description: APIVoid wraps up a number of services such as ipvoid & urlvoid configuration: +- name: credentials + type: 9 + required: false + displaypassword: API KEY + hiddenusername: true + section: Connect - display: API KEY name: apikey defaultvalue: '' type: 4 - required: true + required: false + hidden: true + section: Connect + advanced: true - display: Good Reputation (Percentage) name: good defaultvalue: '10' type: 0 required: true additionalinfo: If the percentage of detections is BELOW this value, the indicator is considered GOOD + section: Collect - display: Suspicious Reputation (Percentage) name: suspicious defaultvalue: '30' type: 0 required: true additionalinfo: If the percentage of detections is ABOVE this value, the indicator is considered SUSPICIOUS + section: Collect - display: Bad Reputation (Percentage) name: bad defaultvalue: '60' type: 0 required: true additionalinfo: If the percentage of detections is ABOVE this value, the indicator is considered BAD + section: Collect - display: Malicious name: malicious - defaultvalue: suspicious type: 15 required: true + defaultvalue: suspicious options: - suspicious - bad additionalinfo: Consider the indicator malicious if either "suspicious" or "bad" + section: Collect - display: Trust any certificate (not secure) name: insecure type: 8 required: false + section: Connect + advanced: true - display: Use system proxy settings name: proxy - type: 8 required: false -- additionalinfo: Reliability of the source providing the intelligence data. - defaultvalue: C - Fairly reliable - display: Source Reliability + type: 8 + section: Connect + advanced: true +- defaultvalue: C - Fairly reliable name: integrationReliability + display: 'Source Reliability' options: - A+ - 3rd party enrichment - A - Completely reliable @@ -60,21 +79,27 @@ configuration: - F - Reliability cannot be judged required: false type: 15 -- defaultvalue: indicatorType + additionalinfo: Reliability of the source providing the intelligence data. + section: Collect +- defaultvalue: 'indicatorType' name: feedExpirationPolicy display: '' + required: false + type: 17 options: - never - interval - indicatorType - suddenDeath - required: false - type: 17 + section: Collect + advanced: true - defaultvalue: '20160' name: feedExpirationInterval display: '' required: false type: 1 + section: Collect + advanced: true script: script: '' type: python @@ -1614,7 +1639,7 @@ script: description: '' type: boolean description: A smart API that accurately checks a website's trustworthiness. - dockerimage: demisto/python3:3.10.8.39276 + dockerimage: demisto/python3:3.10.10.48392 runonce: false subtype: python3 fromversion: 5.0.0 diff --git a/Packs/APIVoid/ReleaseNotes/1_0_25.md b/Packs/APIVoid/ReleaseNotes/1_0_25.md new file mode 100644 index 000000000000..25d2d833f14b --- /dev/null +++ b/Packs/APIVoid/ReleaseNotes/1_0_25.md @@ -0,0 +1,3 @@ +#### Integrations +##### APIVoid +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/APIVoid/ReleaseNotes/1_0_26.md b/Packs/APIVoid/ReleaseNotes/1_0_26.md new file mode 100644 index 000000000000..8cc78d2e0d2d --- /dev/null +++ b/Packs/APIVoid/ReleaseNotes/1_0_26.md @@ -0,0 +1,3 @@ +#### Integrations +##### APIVoid +- Updated the Docker image to: *demisto/python3:3.10.9.42476*. diff --git a/Packs/APIVoid/ReleaseNotes/1_0_27.md b/Packs/APIVoid/ReleaseNotes/1_0_27.md new file mode 100644 index 000000000000..a7217dc2e3f8 --- /dev/null +++ b/Packs/APIVoid/ReleaseNotes/1_0_27.md @@ -0,0 +1,4 @@ + +#### Integrations +##### APIVoid +- Added the *API KEY* integration parameter to support credentials fetching object. diff --git a/Packs/APIVoid/ReleaseNotes/1_0_28.md b/Packs/APIVoid/ReleaseNotes/1_0_28.md new file mode 100644 index 000000000000..e77b611f08f2 --- /dev/null +++ b/Packs/APIVoid/ReleaseNotes/1_0_28.md @@ -0,0 +1,5 @@ + +#### Integrations +##### APIVoid +- Note: Organized the the integrations' parameters by sections. Relevant for XSIAM and XSOAR 8.1 and above. +- Updated the Docker image to: *demisto/python3:3.10.9.45313*. diff --git a/Packs/APIVoid/ReleaseNotes/1_0_29.md b/Packs/APIVoid/ReleaseNotes/1_0_29.md new file mode 100644 index 000000000000..d9807184df81 --- /dev/null +++ b/Packs/APIVoid/ReleaseNotes/1_0_29.md @@ -0,0 +1,3 @@ +#### Integrations +##### APIVoid +- Updated the Docker image to: *demisto/python3:3.10.10.48392*. diff --git a/Packs/APIVoid/pack_metadata.json b/Packs/APIVoid/pack_metadata.json index bd32db307817..fc4f72a5d38e 100644 --- a/Packs/APIVoid/pack_metadata.json +++ b/Packs/APIVoid/pack_metadata.json @@ -2,7 +2,7 @@ "name": "APIVoid", "description": "APIVoid wraps up a number of services such as ipvoid & urlvoid", "support": "xsoar", - "currentVersion": "1.0.24", + "currentVersion": "1.0.29", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.py b/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.py index 8d7346273a1c..0d18e5c96022 100644 --- a/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.py +++ b/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.py @@ -4,6 +4,7 @@ import requests import time import re +import urllib3 class ParameterError(Exception): @@ -2224,7 +2225,7 @@ def mute_alert_src_subnet_command(instance, args): def main(): # disable insecure warnings - requests.packages.urllib3.disable_warnings() + urllib3.disable_warnings() # IP address or FQDN of your SDSo node SDSO = demisto.params().get('sdso') diff --git a/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.yml b/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.yml index 70f1017e2fc5..e77912d5a190 100755 --- a/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.yml +++ b/Packs/ARIAPacketIntelligence/Integrations/ARIAPacketIntelligence/ARIAPacketIntelligence.yml @@ -906,7 +906,7 @@ script: description: 'Endpoint information, such as the IP address, about the SIAs that were modified based on the rule change.' type: string description: Removes a named rule from the source subnet logic block, disabling the alerts. - dockerimage: demisto/python3:3.10.5.31928 + dockerimage: demisto/python3:3.10.10.48392 runonce: false tests: - No test diff --git a/Packs/ARIAPacketIntelligence/ReleaseNotes/2_0_10.md b/Packs/ARIAPacketIntelligence/ReleaseNotes/2_0_10.md new file mode 100644 index 000000000000..06619d9062eb --- /dev/null +++ b/Packs/ARIAPacketIntelligence/ReleaseNotes/2_0_10.md @@ -0,0 +1,3 @@ +#### Integrations +##### ARIA Packet Intelligence +- Updated the Docker image to: *demisto/python3:3.10.9.40422*. diff --git a/Packs/ARIAPacketIntelligence/ReleaseNotes/2_0_11.md b/Packs/ARIAPacketIntelligence/ReleaseNotes/2_0_11.md new file mode 100644 index 000000000000..eea6cb1f4ed0 --- /dev/null +++ b/Packs/ARIAPacketIntelligence/ReleaseNotes/2_0_11.md @@ -0,0 +1,3 @@ +#### Integrations +##### ARIA Packet Intelligence +- Updated the Docker image to: *demisto/python3:3.10.10.48392*. diff --git a/Packs/ARIAPacketIntelligence/pack_metadata.json b/Packs/ARIAPacketIntelligence/pack_metadata.json index b431bbe0717c..faea3a70c93f 100755 --- a/Packs/ARIAPacketIntelligence/pack_metadata.json +++ b/Packs/ARIAPacketIntelligence/pack_metadata.json @@ -2,7 +2,7 @@ "name": "ARIAPacketIntelligence", "description": "Manage Packet Intelligence rules in response to incidents. Instantly block conversations, redirect packets, generate alerts, or perform other actions.", "support": "partner", - "currentVersion": "2.0.9", + "currentVersion": "2.0.11", "author": "ARIA Cybersecurity Solutions", "url": "https://www.ariacybersecurity.com/cybersecurity-products/aria-packet-intelligence", "email": "ARIA_support@ariacybersecurity.com", diff --git a/Packs/AWS-ACM/Integrations/AWS-ACM/AWS-ACM.yml b/Packs/AWS-ACM/Integrations/AWS-ACM/AWS-ACM.yml index f75971e06e46..471a5b8e9b9e 100644 --- a/Packs/AWS-ACM/Integrations/AWS-ACM/AWS-ACM.yml +++ b/Packs/AWS-ACM/Integrations/AWS-ACM/AWS-ACM.yml @@ -536,7 +536,7 @@ script: in that order. The certificate and certificate chain are base64 encoded. If you want to decode the certificate to see the individual fields, you can use OpenSSL. - dockerimage: demisto/boto3py3:1.0.0.41082 + dockerimage: demisto/boto3py3:1.0.0.45936 runonce: false subtype: python3 tests: diff --git a/Packs/AWS-ACM/ReleaseNotes/1_1_28.md b/Packs/AWS-ACM/ReleaseNotes/1_1_28.md new file mode 100644 index 000000000000..149b2a205aef --- /dev/null +++ b/Packs/AWS-ACM/ReleaseNotes/1_1_28.md @@ -0,0 +1,4 @@ + +#### Integrations +##### AWS - ACM +- Fixed an issue where the **region** argument was not being taken into account in some commands. diff --git a/Packs/AWS-ACM/ReleaseNotes/1_1_29.md b/Packs/AWS-ACM/ReleaseNotes/1_1_29.md new file mode 100644 index 000000000000..167d43916dea --- /dev/null +++ b/Packs/AWS-ACM/ReleaseNotes/1_1_29.md @@ -0,0 +1,4 @@ + +#### Integrations +##### AWS - ACM +- Fixed a typo in **AWSApiModule**. diff --git a/Packs/AWS-ACM/ReleaseNotes/1_1_30.md b/Packs/AWS-ACM/ReleaseNotes/1_1_30.md new file mode 100644 index 000000000000..c8142ab04149 --- /dev/null +++ b/Packs/AWS-ACM/ReleaseNotes/1_1_30.md @@ -0,0 +1,3 @@ +#### Integrations +##### AWS - ACM +- Updated the Docker image to: *demisto/boto3py3:1.0.0.43484*. diff --git a/Packs/AWS-ACM/ReleaseNotes/1_1_31.md b/Packs/AWS-ACM/ReleaseNotes/1_1_31.md new file mode 100644 index 000000000000..6990f05dbed1 --- /dev/null +++ b/Packs/AWS-ACM/ReleaseNotes/1_1_31.md @@ -0,0 +1,3 @@ +#### Integrations +##### AWS - ACM +- Updated the Docker image to: *demisto/boto3py3:1.0.0.45936*. diff --git a/Packs/AWS-ACM/pack_metadata.json b/Packs/AWS-ACM/pack_metadata.json index 29d5c4d28fe8..21e93e8675af 100644 --- a/Packs/AWS-ACM/pack_metadata.json +++ b/Packs/AWS-ACM/pack_metadata.json @@ -2,7 +2,7 @@ "name": "AWS - ACM", "description": "Amazon Web Services Certificate Manager Service (acm)", "support": "xsoar", - "currentVersion": "1.1.27", + "currentVersion": "1.1.31", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.py b/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.py index 404d50f6ed57..2b9aacdcd8ad 100755 --- a/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.py +++ b/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.py @@ -3,124 +3,20 @@ from CommonServerUserPython import * """IMPORTS""" -import boto3 import json -from datetime import datetime, date, timedelta -from botocore.config import Config - - -"""GLOBAL VARIABLES""" -AWS_DEFAULT_REGION = demisto.params().get('defaultRegion') -AWS_ROLE_ARN = demisto.params().get('roleArn') -AWS_ROLE_SESSION_NAME = demisto.params().get('roleSessionName') -AWS_ROLE_SESSION_DURATION = demisto.params().get('sessionDuration') -AWS_ROLE_POLICY = None -AWS_ACCESS_KEY_ID = demisto.params().get('credentials', {}).get('identifier') or demisto.params().get('access_key') -AWS_SECRET_ACCESS_KEY = demisto.params().get('credentials', {}).get('password') or demisto.params().get('secret_key') -VERIFY_CERTIFICATE = not demisto.params().get('insecure', True) -TIME_FORMAT = "%Y-%m-%dT%H:%M:%S" -proxies = handle_proxy(proxy_param_name='proxy', checkbox_default_value=False) -config = Config( - connect_timeout=1, - retries=dict( - max_attempts=5 - ), - proxies=proxies -) - - -def aws_session(service='accessanalyzer', region=None, roleArn=None, roleSessionName=None, roleSessionDuration=None, - rolePolicy=None): - kwargs = {} - if roleArn and roleSessionName is not None: - kwargs.update({ - 'RoleArn': roleArn, - 'RoleSessionName': roleSessionName, - }) - elif AWS_ROLE_ARN and AWS_ROLE_SESSION_NAME is not None: - kwargs.update({ - 'RoleArn': AWS_ROLE_ARN, - 'RoleSessionName': AWS_ROLE_SESSION_NAME, - }) - - if roleSessionDuration is not None: - kwargs.update({'DurationSeconds': int(roleSessionDuration)}) - elif AWS_ROLE_SESSION_DURATION is not None: - kwargs.update({'DurationSeconds': int(AWS_ROLE_SESSION_DURATION)}) - - if rolePolicy is not None: - kwargs.update({'Policy': rolePolicy}) - elif AWS_ROLE_POLICY is not None: - kwargs.update({'Policy': AWS_ROLE_POLICY}) - if kwargs and not AWS_ACCESS_KEY_ID: - - if not AWS_ACCESS_KEY_ID: - sts_client = boto3.client('sts', config=config, verify=VERIFY_CERTIFICATE, - region_name=AWS_DEFAULT_REGION) - sts_response = sts_client.assume_role(**kwargs) - if region is not None: - client = boto3.client( - service_name=service, - region_name=region, - aws_access_key_id=sts_response['Credentials']['AccessKeyId'], - aws_secret_access_key=sts_response['Credentials']['SecretAccessKey'], - aws_session_token=sts_response['Credentials']['SessionToken'], - verify=VERIFY_CERTIFICATE, - config=config - ) - else: - client = boto3.client( - service_name=service, - region_name=AWS_DEFAULT_REGION, - aws_access_key_id=sts_response['Credentials']['AccessKeyId'], - aws_secret_access_key=sts_response['Credentials']['SecretAccessKey'], - aws_session_token=sts_response['Credentials']['SessionToken'], - verify=VERIFY_CERTIFICATE, - config=config - ) - elif AWS_ACCESS_KEY_ID and AWS_ROLE_ARN: - sts_client = boto3.client( - service_name='sts', - aws_access_key_id=AWS_ACCESS_KEY_ID, - aws_secret_access_key=AWS_SECRET_ACCESS_KEY, - verify=VERIFY_CERTIFICATE, - config=config - ) - kwargs.update({ - 'RoleArn': AWS_ROLE_ARN, - 'RoleSessionName': AWS_ROLE_SESSION_NAME, - }) - sts_response = sts_client.assume_role(**kwargs) - client = boto3.client( - service_name=service, - region_name=AWS_DEFAULT_REGION, - aws_access_key_id=sts_response['Credentials']['AccessKeyId'], - aws_secret_access_key=sts_response['Credentials']['SecretAccessKey'], - aws_session_token=sts_response['Credentials']['SessionToken'], - verify=VERIFY_CERTIFICATE, - config=config - ) - else: - if region is not None: - client = boto3.client( - service_name=service, - region_name=region, - aws_access_key_id=AWS_ACCESS_KEY_ID, - aws_secret_access_key=AWS_SECRET_ACCESS_KEY, - verify=VERIFY_CERTIFICATE, - config=config - ) - else: - client = boto3.client( - service_name=service, - region_name=AWS_DEFAULT_REGION, - aws_access_key_id=AWS_ACCESS_KEY_ID, - aws_secret_access_key=AWS_SECRET_ACCESS_KEY, - verify=VERIFY_CERTIFICATE, - config=config - ) +from datetime import datetime, date +import dateparser + + +def get_aws_session(aws_client, args, **kwargs): - return client + return aws_client.aws_session( + service='accessanalyzer', + region=args.get('region'), + role_arn=args.get('roleArn'), + role_session_name=args.get('roleSessionName'), + role_session_duration=args.get('roleSessionDuration'), + **kwargs) class DatetimeEncoder(json.JSONEncoder): @@ -134,298 +30,266 @@ def default(self, obj): return json.JSONEncoder.default(self, obj) -def list_analyzers_command(args): - client = aws_session( - region=args.get('region'), - roleArn=args.get('roleArn'), - roleSessionName=args.get('roleSessionName'), - roleSessionDuration=args.get('roleSessionDuration') - ) - - data = [] +def list_analyzers_command(aws_client, args): + client = get_aws_session(aws_client, args) response = client.list_analyzers() - for analyzer in response['analyzers']: - data.append(analyzer) - data = json.loads(json.dumps(data, cls=DatetimeEncoder)) - - ec = {'AWS.AccessAnalyzer.Analyzers(val.arn === obj.arn)': data} - human_readable = tableToMarkdown("AWS Access Analyzer Analyzers", data) - return_outputs(human_readable, ec) - - -def list_analyzed_resource_command(args): - client = aws_session( - region=args.get('region'), - roleArn=args.get('roleArn'), - roleSessionName=args.get('roleSessionName'), - roleSessionDuration=args.get('roleSessionDuration'), + rew_response = json.loads(json.dumps(response, cls=DatetimeEncoder)) + analyzers = rew_response['analyzers'] + return CommandResults( + outputs_prefix='AWS.AccessAnalyzer.Analyzers', + outputs_key_field='arn', + outputs=analyzers, + readable_output=tableToMarkdown("AWS Access Analyzer Analyzers", analyzers, headerTransform=pascalToSpace), + raw_response=rew_response ) + +def list_analyzed_resource_command(aws_client, args): + analyzer_arn = args.get('analyzerArn') kwargs = { - 'analyzerArn': args.get('analyzerArn') + 'analyzerArn': analyzer_arn, } - if args.get('maxResults'): kwargs['maxResults'] = int(args.get('maxResults')) if args.get('resourceType'): kwargs['resourceType'] = args.get('resourceType') + client = get_aws_session(aws_client, args) response = client.list_analyzed_resources(**kwargs) - data = [] - for resource in response['analyzedResources']: - resource['analyzerArn'] = args.get('analyzerArn') - data.append(resource) - - ec = {'AWS.AccessAnalyzer.Analyzers(val.analyzerArn === obj.analyzerArn)': data} - human_readable = tableToMarkdown("AWS Access Analyzer Resource", data) - return_outputs(human_readable, ec) - - -def get_findings_command(args): - client = aws_session( - region=args.get('region'), - roleArn=args.get('roleArn'), - roleSessionName=args.get('roleSessionName'), - roleSessionDuration=args.get('roleSessionDuration'), + analyzed_resources = [ + resource | {'analyzerArn': analyzer_arn} + for resource in response['analyzedResources'] + ] + headers = ['resourceArn', 'resourceOwnerAccount', 'resourceType'] + return CommandResults( + outputs_prefix='AWS.AccessAnalyzer.Resource', + outputs_key_field='resourceArn', + outputs=analyzed_resources, + readable_output=tableToMarkdown("AWS Access Analyzer Resources", + analyzed_resources, + headers=headers, + headerTransform=pascalToSpace), + raw_response=response ) - kwargs = { - 'analyzerArn': args.get('analyzerArn') - } - - if args.get('maxResults'): - kwargs['maxResults'] = int(args.get('maxResults')) - - filters = {} - if args.get('resourceType'): - filters['resourceType'] = {"eq": [args.get('resourceType')]} - - if args.get('status'): - filters['status'] = {"eq": [args.get('status')]} - - if args.get('nextToken'): - kwargs['nextToken'] = args.get('nextToken') - - kwargs['sort'] = { - 'attributeName': 'UpdatedAt', - 'orderBy': 'DESC' - } - - if len(filters) > 0: - kwargs['filter'] = filters - - response = client.list_findings(**kwargs) - data = json.loads(json.dumps(response, cls=DatetimeEncoder)) - - return [data] if isinstance(data, dict) else data - -def list_findings_command(args): - client = aws_session( - region=args.get('region'), - roleArn=args.get('roleArn'), - roleSessionName=args.get('roleSessionName'), - roleSessionDuration=args.get('roleSessionDuration'), +def list_findings_command(aws_client, args): + response = get_findings(aws_client, args) + findings = [ + finding | {'analyzerArn': args.get('analyzerArn')} + for finding in response['findings'] + ] + headers = ['id', 'resource', 'principal', 'condition', 'updatedAt', 'status'] + return CommandResults( + outputs_prefix='AWS.AccessAnalyzer.Finding', + outputs_key_field='id', + outputs=findings, + readable_output=tableToMarkdown("AWS Access Analyzer Findings", + findings, + headers=headers, + headerTransform=pascalToSpace), + raw_response=response ) - kwargs = { - 'analyzerArn': args.get('analyzerArn') - } - if args.get('maxResults'): - kwargs['maxResults'] = int(args.get('maxResults')) +def get_analyzed_resource_command(aws_client, args): - filters = {} - if args.get('resourceType'): - filters['resourceType'] = {"eq": [args.get('resourceType')]} + client = get_aws_session(aws_client, args) + response = client.get_analyzed_resource(analyzerArn=args.get('analyzerArn'), resourceArn=args.get('resourceArn')) - if args.get('status'): - filters['status'] = {"eq": [args.get('status')]} + response = json.loads(json.dumps(response, cls=DatetimeEncoder)) + resource = response['resource'] + resource['analyzerArn'] = args.get('analyzerArn') - if len(filters) > 0: - kwargs['filter'] = filters + return CommandResults( + outputs_prefix='AWS.AccessAnalyzer.Resource', + outputs_key_field='id', + outputs=resource, + readable_output=tableToMarkdown("AWS Access Analyzer Resource", resource, headerTransform=pascalToSpace), + raw_response=response + ) - response = client.list_findings(**kwargs) - data = json.loads(json.dumps(response['findings'], cls=DatetimeEncoder)) - ec = {'AWS.AccessAnalyzer.Findings(val.id === obj.id)': data} - human_readable = tableToMarkdown("AWS Access Analyzer Findings", data) - return_outputs(human_readable, ec) +def get_finding_command(aws_client, args): + client = get_aws_session(aws_client, args) + response = client.get_finding(analyzerArn=args.get('analyzerArn'), id=args.get('findingId')) + response = json.loads(json.dumps(response, cls=DatetimeEncoder)) + finding = response['finding'] + finding['analyzerArn'] = args.get('analyzerArn') -def get_analyzed_resource_command(args): - client = aws_session( - region=args.get('region'), - roleArn=args.get('roleArn'), - roleSessionName=args.get('roleSessionName'), - roleSessionDuration=args.get('roleSessionDuration'), + return CommandResults( + outputs_prefix='AWS.AccessAnalyzer.Finding', + outputs_key_field='id', + outputs=finding, + readable_output=tableToMarkdown("AWS Access Analyzer Finding", finding, headerTransform=pascalToSpace), + raw_response=response ) - kwargs = { - 'analyzerArn': args.get('analyzerArn'), - 'resourceArn': args.get('resourceArn') - } - response = client.get_analyzed_resource(**kwargs) - data = json.loads(json.dumps(response['resource'], cls=DatetimeEncoder)) - data['analyzerArn'] = args.get('analyzerArn') +def start_resource_scan_command(aws_client, args): + client = get_aws_session(aws_client, args) + client.start_resource_scan(analyzerArn=args.get('analyzerArn'), resourceArn=args.get('resourceArn')) + return "Resource scan request sent." - ec = {'AWS.AccessAnalyzer.Analyzers(val.analyzerArn === obj.analyzerArn)': data} - human_readable = tableToMarkdown("AWS Access Analyzer Resource", data) - return_outputs(human_readable, ec) - - -def get_finding_command(args): - client = aws_session( - region=args.get('region'), - roleArn=args.get('roleArn'), - roleSessionName=args.get('roleSessionName'), - roleSessionDuration=args.get('roleSessionDuration'), - ) +def update_findings_command(aws_client, args): + client = get_aws_session(aws_client, args) kwargs = { 'analyzerArn': args.get('analyzerArn'), - 'id': args.get('findingId') + 'ids': argToList(args.get('findingIds')), + 'status': args.get('status') } - response = client.get_finding(**kwargs) - data = json.loads(json.dumps(response['finding'], cls=DatetimeEncoder)) - data['analyzerArn'] = args.get('analyzerArn') - - ec = {'AWS.AccessAnalyzer.Analyzers(val.analyzerArn === obj.analyzerArn)': data} - human_readable = tableToMarkdown("AWS Access Analyzer Resource", data) - return_outputs(human_readable, ec) + client.update_findings(**kwargs) + return "Findings updated." -def start_resource_scan_command(args): - client = aws_session( - region=args.get('region'), - roleArn=args.get('roleArn'), - roleSessionName=args.get('roleSessionName'), - roleSessionDuration=args.get('roleSessionDuration'), - ) +def test_function(aws_client, args) -> str: + err_msg = '' + try: + client = get_aws_session(aws_client, args) + response = client.list_analyzers() + if response['ResponseMetadata']['HTTPStatusCode'] == 200: + return 'ok' - kwargs = { - 'analyzerArn': args.get('analyzerArn'), - 'resourceArn': args.get('resourceArn') - } + err_msg = str(response) + except Exception as e: + err_msg = str(e) - response = client.start_resource_scan(**kwargs) - if response['ResponseMetadata']['HTTPStatusCode'] == 200: - demisto.results("Resource scan request sent.") + raise DemistoException(f'Failed to run test-module: {err_msg}') -def update_findings_command(args): - client = aws_session( - region=args.get('region'), - roleArn=args.get('roleArn'), - roleSessionName=args.get('roleSessionName'), - roleSessionDuration=args.get('roleSessionDuration'), - ) +def get_filters(args): + return { + field: {"eq": [args.get(field)]} + for field in ('resourceType', 'status') + if args.get(field) + } - ids = args.get('findingIds').split(',') +def get_findings(aws_client, args): kwargs = { 'analyzerArn': args.get('analyzerArn'), - 'ids': ids, - 'status': args.get('status') + 'sort': { + 'attributeName': 'UpdatedAt', + 'orderBy': 'DESC' + } } - response = client.update_findings(**kwargs) - if response['ResponseMetadata']['HTTPStatusCode'] == 200: - demisto.results("Findings updated") - + if args.get('maxResults'): + kwargs['maxResults'] = int(args.get('maxResults')) -def test_function(): - try: - client = aws_session() - response = client.list_analyzers() - if response['ResponseMetadata']['HTTPStatusCode'] == 200: - demisto.results('ok') - else: - return_error(str(response)) + if args.get('nextToken'): + kwargs['nextToken'] = args.get('nextToken') - except Exception as e: - return return_error(str(e)) + if filters := get_filters(args): + kwargs['filter'] = filters + client = get_aws_session(aws_client, args) + response = client.list_findings(**kwargs) + return json.loads(json.dumps(response, cls=DatetimeEncoder)) -def fetch_incidents(last_run: dict = None): - dParams = demisto.params() - # Get the last fetch time, if exists - last_fetch = last_run.get('time') if isinstance(last_run, dict) else None +def get_earliest_fetch_time(): + last_run = demisto.getLastRun() + params = demisto.params() + earliest_fetch_time = last_run and last_run.get('time') + demisto.debug(f'{last_run=}') # Handle first time fetch, fetch incidents retroactively - if last_fetch is None: - today = datetime.today() - delta = today - timedelta(days=50) - last_fetch = date_to_timestamp(delta) + if not earliest_fetch_time: + first_fetch = dateparser.parse(params.get('first_fetch', '3 days')) + earliest_fetch_time = date_to_timestamp(first_fetch) + return earliest_fetch_time + + +def fetch_incidents(aws_client): + params = demisto.params() + findings_args = { + 'roleArn': params.get('roleArn'), + 'region': params.get('region'), + 'roleSessionName': params.get('roleSessionName'), + 'roleSessionDuration': params.get('roleSessionDuration'), + 'analyzerArn': params.get('analyzerArn'), + 'maxResults': int(params.get('max_fetch', 25)) + } + latest_finding_time = earliest_fetch_time = get_earliest_fetch_time() incidents: list = [] - dArgs = {} - dArgs['roleArn'] = dParams.get('roleArn') - dArgs['region'] = dParams.get('region') - dArgs['roleSessionName'] = dParams.get('roleSessionName') - dArgs['roleSessionDuration'] = dParams.get('roleSessionDuration') - dArgs['analyzerArn'] = dParams.get('analyzerArn') - dArgs['maxResults'] = 25 - - nextToken = None - incidents = [] - tmp_last_fetch = last_fetch + should_stop_fetch = False + demisto.debug(f'{findings_args=}') + demisto.debug(f'{earliest_fetch_time=}') while True: + findings_response = get_findings(aws_client, findings_args) + for finding in findings_response['findings']: - if nextToken: - dArgs['nextToken'] = nextToken - raw_incidents = get_findings_command(dArgs) - - for raw_incident in raw_incidents[0]['findings']: - incident = { - 'name': f"AWS Access Analyzer Alert - {raw_incident['id']}", - 'occurred': raw_incident['updatedAt'] + 'Z', - 'rawJSON': json.dumps(raw_incident) - } + finding_timestamp = date_to_timestamp(finding['updatedAt']) + if finding_timestamp <= int(earliest_fetch_time): + demisto.debug(f'{finding_timestamp=} is less then {earliest_fetch_time=} - stop fetching') + should_stop_fetch = True + break - inc_timestamp = date_to_timestamp(raw_incident['updatedAt']) + latest_finding_time = max(finding_timestamp, int(latest_finding_time)) + incidents.append({ + 'name': f"AWS Access Analyzer Alert - {finding['id']}", + 'occurred': finding['updatedAt'] + 'Z', + 'rawJSON': json.dumps(finding) + }) - if inc_timestamp > int(last_fetch): - incidents.append(incident) - if inc_timestamp > tmp_last_fetch: - tmp_last_fetch = inc_timestamp - else: - break + if should_stop_fetch or 'nextToken' not in findings_response: + break - if 'nextToken' in raw_incidents[0]: - nextToken = raw_incidents[0]['nextToken'] + findings_args['nextToken'] = findings_response['nextToken'] + + demisto.debug(f'next last_run: {latest_finding_time=}') + demisto.setLastRun({"time": latest_finding_time}) + demisto.incidents(incidents) + + +def main(): + params = demisto.params() + aws_default_region = params.get('defaultRegion') + aws_role_arn = params.get('role_arn') + aws_role_session_name = params.get('role_session_name') + aws_role_session_duration = params.get('sessionDuration') + aws_role_policy = None + aws_access_key_id = params.get('credentials', {}).get('identifier') or params.get('access_key') + aws_secret_access_key = params.get('credentials', {}).get('password') or params.get('secret_key') + verify_certificate = not params.get('insecure', True) + timeout = demisto.params().get('timeout') + retries = demisto.params().get('retries', 5) + validate_params(aws_default_region, aws_role_arn, + aws_role_session_name, aws_access_key_id, + aws_secret_access_key) + + aws_client = AWSClient(aws_default_region, aws_role_arn, aws_role_session_name, aws_role_session_duration, + aws_role_policy, aws_access_key_id, aws_secret_access_key, verify_certificate, timeout, + retries) + + command = demisto.command() + args = demisto.args() + commands = { + 'test-module': test_function, + 'aws-access-analyzer-list-analyzers': list_analyzers_command, + 'aws-access-analyzer-list-analyzed-resource': list_analyzed_resource_command, + 'aws-access-analyzer-list-findings': list_findings_command, + 'aws-access-analyzer-get-analyzed-resource': get_analyzed_resource_command, + 'aws-access-analyzer-get-finding': get_finding_command, + 'aws-access-analyzer-start-resource-scan': start_resource_scan_command, + 'aws-access-analyzer-update-findings': update_findings_command, + } + try: + if command == 'fetch-incidents': + fetch_incidents(aws_client) else: - break + return_results(commands[command](aws_client, args)) + except Exception as e: + return_error(f"Error has occurred in AWS Access Analyzer Integration: {str(e)}") + + +from AWSApiModule import * # noqa: E402 - demisto.setLastRun({"time": tmp_last_fetch if tmp_last_fetch else last_fetch}) - return incidents - - -"""EXECUTION BLOCK""" -try: - if demisto.command() == 'test-module': - result = test_function() - elif demisto.command() == 'fetch-incidents': - incidents = fetch_incidents(demisto.getLastRun()) - demisto.incidents(incidents) - elif demisto.command() == 'aws-access-analyzer-list-analyzers': - list_analyzers_command(demisto.args()) - elif demisto.command() == 'aws-access-analyzer-list-analyzed-resource': - list_analyzed_resource_command(demisto.args()) - elif demisto.command() == 'aws-access-analyzer-list-findings': - list_findings_command(demisto.args()) - elif demisto.command() == 'aws-access-analyzer-get-analyzed-resource': - get_analyzed_resource_command(demisto.args()) - elif demisto.command() == 'aws-access-analyzer-get-finding': - get_finding_command(demisto.args()) - elif demisto.command() == 'aws-access-analyzer-start-resource-scan': - start_resource_scan_command(demisto.args()) - elif demisto.command() == 'aws-access-analyzer-update-findings': - update_findings_command(demisto.args()) - -except Exception as e: - return_error(f"Error has occured in AWS Access Analyzer Integration: {str(e)}") +if __name__ in ('__builtin__', 'builtins', '__main__'): + main() diff --git a/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.yml b/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.yml index b946c2284fbf..0e2b3b2e8fe9 100755 --- a/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.yml +++ b/Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.yml @@ -28,16 +28,20 @@ configuration: required: false type: 15 - display: Role Arn + additionalinfo: The Amazon Resource Name (ARN) role used for EC2 instance authentication. If this is used, an access key and secret key are not required. name: roleArn required: false type: 0 - display: Role Session Name + additionalinfo: A descriptive name for the assumed role session. For example, xsiam-IAM.integration-Role_SESSION name: roleSessionName required: false type: 0 - display: Role Session Duration + additionalinfo: The maximum length of each session in seconds. The integration will have the permissions assigned only when the session is initiated and for the defined duration. name: sessionDuration required: false + defaultvalue: 900 type: 0 - display: Fetch incidents name: isFetch @@ -62,6 +66,26 @@ configuration: required: false type: 4 hidden: true +- display: First fetch time interval + additionalinfo: The time range to consider for the initial data fetch. (