topic Re: Secure Endpoint API PATCH methods in Endpoint Security

Secure Endpoint API PATCH methods

Matthieu Ramond — Thu, 19 Jun 2025 15:53:50 GMT

Hi everyone,

I'm trying to make some API calls on Secure Endpoint, particularly regarding the /v1/groups/ route.
I'm able to perform GET, POST, and DELETE requests without any issues, but I'm struggling with the PATCH methods.

The one I'm especially interested in right now is the method to modify the policies assigned to a group.
I've tried sending payloads like this:

{
  "policies": [
    {
      "guid": "b173a158-a24d-43c9-8cd3-93fb69759e64"
    }
  ]
}

But I keep getting the same error in response:

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/groups/50044d8c-c2u5-4c2e-94e1-094eb19ddad4"
    }
  },
  "data": {},
  "errors": [
    {
      "error_code": 400,
      "description": "Bad Request",
      "details": [
        "Following query parameter(s) are invalid: policies"
      ]
    }
  ]
}

I’ve made sure the GUIDs are correct, and the request is being sent as JSON in the body of the request. I’m using Insomnia to test it.

Could you please confirm whether PATCH works to update policies on a group, and if so, what the correct format and method should be?

Re: Secure Endpoint API PATCH methods

bigevilbeard — Thu, 19 Jun 2025 16:16:23 GMT

By no means an expert here, i do not see the patch here https://developer.cisco.com/docs/secure-endpoint/policies/ - is this the right API doc i am looking at?

Re: Secure Endpoint API PATCH methods

Ken Stieers — Thu, 19 Jun 2025 16:29:23 GMT

This is V1, its page is here https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-group/
Patch is valid.
It may be how the Body is set...

Re: Secure Endpoint API PATCH methods

bigevilbeard — Thu, 19 Jun 2025 16:37:07 GMT

Thanks @Ken Stieers - if this valid then i would agree, based on the error show "policies" is being interpreted as a query parameter, i guess if you wrapped this in the data object should resolve the issue?

{ "data": { "policies": [ { "guid": "b173a158-a24d-43c9-8cd3-93fb69759e64" } ] } }

Re: Secure Endpoint API PATCH methods

Matthieu Ramond — Thu, 19 Jun 2025 17:27:31 GMT

@Ken Stieers yes, this is the right doc. Sorry, I should have added a link to it.

Yes, I did try to wrap policies in the data object. However, I get the same error.

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/groups/50044d8c-c2u5-4c2e-94e1-094eb19ddad4"
    }
  },
  "data": {},
  "errors": [
    {
      "error_code": 400,
      "description": "Bad Request",
      "details": [
        "Following query parameter(s) are invalid: data"
      ]
    }
  ]
}

Re: Secure Endpoint API PATCH methods

Ken Stieers — Thu, 19 Jun 2025 18:37:18 GMT

So... looking at that doc, the example shows a LOT more data in the body...
So probably what it wants is the result of a get of the policy inserted into the get of the group... not just the one bit you've got.
Something like this?
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.amp.cisco.com/v1/groups/a4a983ef-91df-428f-9b08-1e88ec5357df"
}
},
"data": {
"name": "00-mar25-forensic-group",
"description": "",
"guid": "a4a983ef-91df-428f-9b08-1e88ec5357df",
"source": null,
"policies": [
{
"name": "00-cat-forensic-mar25",
"description": "",
"guid": "3dc1435d-bdc8-4a9d-9da5-e7371562378d",
"product": "windows",
"default": false,
"serial_number": 140,
"links": {
"policy_xml": "https://api.amp.cisco.com/v1/policies/3dc1435d-bdc8-4a9d-9da5-e7371562378d.xml"
}
]
}
}

Re: Secure Endpoint API PATCH methods

Matthieu Ramond — Mon, 23 Jun 2025 09:09:53 GMT

No, it doesn't work. It doesn't recognise any of the objects.

Result when I wrap it in the data object :

{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/groups/50044d8c-c2a5-4b2e-94e1-093eb19ddad4"
}
},
"data": {},
"errors": [
{
"error_code": 400,
"description": "Bad Request",
"details": [
"Following query parameter(s) are invalid: data"
]
}
]
}

When I don't wrap it :

{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/groups/50044d8c-c2a5-4b2e-94e1-093eb19ddad4"
}
},
"data": {},
"errors": [
{
"error_code": 400,
"description": "Bad Request",
"details": [
"Following query parameter(s) are invalid: description,guid,source,creator,created_at,computers_count,descendant_computers_count,policies"
]
}
]
}

Re: Secure Endpoint API PATCH methods

bigevilbeard — Mon, 23 Jun 2025 09:41:35 GMT

@Matthieu Ramond if you are getting "query parameter" errors for every single field you send, to me this would suggest the API endpoint does not accept request bodies at all. Taking a really long assumption here ... if i am wrong, i am, as i dont have a way to test my theory. Let me show my work ...

I searched GH and found this https://github.com/CiscoSecurity/amp-01-basics/blob/b032c917b4a7793c9705826d5aad0225ca6d1259/05d_set_policy_for_group.py

As this is in the Cisco Security repo, i am going to assume this works.

So it is the same API endpoint and operation you showed, but here its looks like the correct way to send the data is as form-encoded parameters rather than JSON, and using the specific policy type parameter names instead of a generic "policies" array. The documentation shows JSON response structures, which might lead us to assume the request should also be JSON. However, the GH Python example, this clearly shows that the API expects:

• **Content-Type**: application/x-www-form-urlencoded (form data)
• **Parameters**: Platform-specific like windows_policy_guid, not JSON with policies array

Can yuo try in Insomnia:

1. Method: PATCH
2. URL: https://api.eu.amp.cisco.com/v1/groups/50044d8c-c2a5-4b2e-94e1-093eb19ddad4
3. Body Type: Change from "JSON" to "Form URL Encoded"
4. Body Content: Instead of JSON, use form parameters like

This i suspected based on the example is what this would look like in python

import requests amp_client_id = 'your_client_id_here' amp_api_key = 'your_api_key_here' group_guid = '50044d8c-c2a5-4b2e-94e1-093eb19ddad4' windows_policy_guid = 'b173a158-a24d-43c9-8cd3-93fb69759e64' # For other platforms, try these parameter names: # mac_policy_guid - for Mac policies # inux_policy_guid - for Linux policies # android_policy_guid - for Android policies # ios_policy_guid - for iOS policies url = f'https://api.eu.amp.cisco.com/v1/groups/{group_guid}' data = {'windows_policy_guid': windows_policy_guid} response = requests.patch(url, auth=(amp_client_id, amp_api_key), data=data) print(response.json())

Re: Secure Endpoint API PATCH methods

Matthieu Ramond — Mon, 23 Jun 2025 11:37:26 GMT

It works ! Thank you so much.

Re: Secure Endpoint API PATCH methods

bigevilbeard — Mon, 23 Jun 2025 12:27:57 GMT

Ha! Lucky guess! Now all we need is for the team to update the documents. 😛

Re: Secure Endpoint API PATCH methods

Troja007 — Tue, 01 Jul 2025 07:57:40 GMT

Hello @Matthieu Ramond ,
maybe helpful, generated a comprehensive API collection for Secure Endpoint here on Postman: https://www.postman.com/ciscosecureendpoint/cisco-secure-endpoint/overview

Greetings,
Thorsten