Pulling Allowed Applications from Application Control via API

dylan.mills — Thu, 10 Mar 2022 14:19:25 GMT

I see that there is a documented method of pulling the Application Control blocklist (GET /v1/file_lists/application_blocking), however I cannot find the equivalent for the allowlist. Is this supported and I am not seeing the documentation or is there currently no way to pull the hash values in this list?

Re: Pulling Allowed Applications from Application Control via API

johnosn — Fri, 11 Mar 2022 13:57:55 GMT

Nope.
Even if you pull the policy (https://api.amp.cisco.com/v1/policies/{:policy_guid}) and locate the guid for the "allowed_applications" list.

...
        "file_lists": [
            {
                "name": "Block and Quarantine",
                "guid": "12345678-90ab-cdef-1234-567890abcdef",
                "type": "simple_custom_detections"
            },
            {
                "name": "Block",
                "guid": "fedcab09-8765-4321-fedc-ba0987654321",
                "type": "application_blocking"
            },
            {
                "name": "Allow",
                "guid": "88888888-4444-4444-4444-cccccccccccc",
                "type": "allowed_applications"
            }
        ],
...

Then use that guid to try and pull the file list (https://api.amp.cisco.com/v1/file_lists/88888888-4444-4444-4444-cccccccccccc) you will be met with a message that this is not allowed.

{
    "version": "v1.2.0",
    "metadata": {
        "links": {
            "self": "https://api.amp.cisco.com/v1/file_lists/88888888-4444-4444-4444-cccccccccccc"
        }
    },
    "data": {},
    "errors": [
        {
            "error_code": 400,
            "description": "Bad Request",
            "details": [
                "File List of type: allowed_applications is not supported"            ]
        }
    ]
}

topic Pulling Allowed Applications from Application Control via API in Endpoint Security

Pulling Allowed Applications from Application Control via API

Re: Pulling Allowed Applications from Application Control via API