02-11-2019 03:56 PM - edited 02-20-2020 09:07 PM
Is there a way to initiate an endpoint scan with Cisco AMP from the API?
02-11-2019 04:17 PM
There is currently no way to initiate a scan via the API. Please have your Account Manager put in/add you to a Feature Request for that functionality.
Thanks,
Matt
02-11-2019 04:21 PM
02-12-2019 03:22 PM
Well, it gets quite a bit less embarrassing when you consider that a triggered scan, after the initial install, is basically not necessary with AMP. Because we're continually monitoring the activity on the endpoint, anything bad should get picked up. Stuff that initially passed muster and later is identified as malicious is handled by AMP's retrospection feature.
AMP does an initial scan at install time (by default) to pick up anything that was already lurking on the endpoint prior to AMP installation. Once you've done that the first time, there is very little benefit in continually re-scanning clean files over and over. All it really does is chew up system resources.
For customers who need to scan because of overly-restrictively-written policy requirements, scans can be scheduled via the admin console. But we pretty much never recommend doing so unless you absolutely have to.
What's the scenario you have in mind for API-initiated scans?
03-15-2019 01:34 AM
A good example could be in case of a failed quarantine. The malware was seen but not caught, whatever the reason is, so running a full scan will let us know that the endpoint is clean.
08-17-2020 06:06 AM - edited 08-17-2020 06:11 AM
I completely agree with Orlith. We've had numerous cases of failed quarantines and we must use a follow-up scan to determine what our next steps will be. If the threat is removed on the follow-up scan, we are good to go. If not, and we can't manually remove the threat either, then it's time to re-image the machine.
We are moving to a SOAR-based approach, and having the ability to initiate a scan via API would help in multiple ways:
1. Reduce the manual workload for our Service Desk Team.
2. Speed up our MTTR when it comes to endpoint infections/threats.
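The decision ladder this post describes (quarantine failure, follow-up scan, manual removal, re-image) is the kind of step a SOAR playbook has to encode. The following is an added example, not code from Cisco or from anyone in this thread: a hypothetical triage routine over constructed event records. Because the thread confirms there is no API call to start a scan, the scan and manual-removal steps are injected callables (in practice a task ticket or a console action), and the event field names and hostnames are assumptions, not the AMP API schema.

```python
"""Hypothetical SOAR-style triage for a failed AMP quarantine.

Added example; not Cisco code and not the AMP API. Event field names,
hostnames and hashes below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class Outcome(Enum):
    CLOSED_CLEAN = "closed: follow-up scan found no threat"
    CLOSED_MANUAL = "closed: threat removed manually"
    REIMAGE = "escalate: re-image the endpoint"
    NO_ACTION = "no action: event is not a quarantine failure"


@dataclass
class TriageResult:
    hostname: str
    outcome: Outcome
    steps: List[str] = field(default_factory=list)  # audit trail for the case


# Constructed sample events (assumed shape; not the AMP event schema).
SAMPLE_EVENTS = [
    {"hostname": "ws-101", "event": "Quarantine Failure", "sha256": "a" * 64},
    {"hostname": "ws-102", "event": "Quarantine Failure", "sha256": "b" * 64},
    {"hostname": "ws-103", "event": "Threat Quarantined", "sha256": "c" * 64},
    {"hostname": "ws-104", "event": "Quarantine Failure", "sha256": "d" * 64},
]

# Scan step: returns True if the threat is still present after the follow-up scan.
ScanFn = Callable[[str, str], bool]
# Removal step: returns True if an analyst succeeded in removing the file by hand.
RemoveFn = Callable[[str, str], bool]


def triage(event: dict, rescan: ScanFn, remove_manually: RemoveFn) -> TriageResult:
    """Apply the ladder: rescan -> clean? close : manual removal? close : re-image."""
    host, sha = event["hostname"], event["sha256"]
    result = TriageResult(hostname=host, outcome=Outcome.NO_ACTION)

    if event["event"] != "Quarantine Failure":
        result.steps.append("event type not actionable by this playbook")
        return result

    result.steps.append(f"follow-up scan requested for {sha[:12]}")
    if not rescan(host, sha):
        result.outcome = Outcome.CLOSED_CLEAN
        result.steps.append("scan clean; case closed")
        return result

    result.steps.append("threat persisted after scan; manual removal attempted")
    if remove_manually(host, sha):
        result.outcome = Outcome.CLOSED_MANUAL
        result.steps.append("manual removal succeeded; case closed")
        return result

    result.outcome = Outcome.REIMAGE
    result.steps.append("manual removal failed; re-image ticket raised")
    return result


def run_playbook(events: List[dict], rescan: ScanFn, remove_manually: RemoveFn) -> Dict[str, TriageResult]:
    """Triage every event and index the results by hostname."""
    return {e["hostname"]: triage(e, rescan, remove_manually) for e in events}


# Stand-in implementations for the two manual steps (constructed behaviour):
# the threat survives the rescan on ws-102 and ws-104, and manual removal
# only succeeds on ws-102.
def demo_rescan(host: str, sha: str) -> bool:
    return host in {"ws-102", "ws-104"}


def demo_remove(host: str, sha: str) -> bool:
    return host == "ws-102"


if __name__ == "__main__":
    for host, res in run_playbook(SAMPLE_EVENTS, demo_rescan, demo_remove).items():
        print(host, res.outcome.value, "|", "; ".join(res.steps))
```

The two injected callables are where the gap the thread complains about shows up: with no API to trigger a scan, `rescan` can only block on a human (or a scheduled-scan policy change) before the playbook can proceed, which is exactly the manual workload and MTTR cost the post lists.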
01-12-2021 08:13 AM
I agree with Orlith as well. I can tell you definitively that the install scan misses things that should have been caught if it were truly doing a full system scan. Things got picked up and quarantined on endpoints after scheduling a full system scan (they were false positives though) that should have also triggered on the install scan if the install scan was truly scanning the entire endpoint.
Triaging things needs the ability to force a manual scan instead of having to use a separate policy and set the scheduled scan settings on the separate policy. That's too cumbersome when you are trying to investigate something immediately due to alerts from other security products.
03-04-2023 05:27 PM
Is this still not a feature 3/4 years later?? And why do they go from V0/V1 to V3? What happened to V2?
03-13-2023 11:50 AM - edited 03-14-2023 07:19 AM
As for V0/V1 and now V3: there were some internal things that were used for automation testing that are called v2.
08-28-2023 10:18 AM
Any plans of adding this "scan computer" feature to the API?
05-23-2024 09:38 AM
Pinging this thread in 2024. Would love to have this feature for SOAR.