Solved: Secure Endpoint API PATCH methods

Matthieu Ramond · ‎06-19-2025

Hi everyone,

I'm trying to make some API calls on Secure Endpoint, particularly regarding the /v1/groups/ route.
I'm able to perform GET, POST, and DELETE requests without any issues, but I'm struggling with the PATCH methods.

The one I'm especially interested in right now is the method to modify the policies assigned to a group.
I've tried sending payloads like this:

{
  "policies": [
    {
      "guid": "b173a158-a24d-43c9-8cd3-93fb69759e64"
    }
  ]
}

But I keep getting the same error in response:

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/groups/50044d8c-c2u5-4c2e-94e1-094eb19ddad4"
    }
  },
  "data": {},
  "errors": [
    {
      "error_code": 400,
      "description": "Bad Request",
      "details": [
        "Following query parameter(s) are invalid: policies"
      ]
    }
  ]
}

I’ve made sure the GUIDs are correct, and the request is being sent as JSON in the body of the request. I’m using Insomnia to test it.

Could you please confirm whether PATCH works to update policies on a group, and if so, what the correct format and method should be?

bigevilbeard · ‎06-23-2025

@Matthieu Ramond if you are getting "query parameter" errors for every single field you send, to me this would suggest the API endpoint does not accept request bodies at all. Taking a really long assumption here ... if i am wrong, i am, as i dont have a way to test my theory. Let me show my work ...

I searched GH and found this https://github.com/CiscoSecurity/amp-01-basics/blob/b032c917b4a7793c9705826d5aad0225ca6d1259/05d_set_policy_for_group.py

As this is in the Cisco Security repo, i am going to assume this works.

So it is the same API endpoint and operation you showed, but here its looks like the correct way to send the data is as form-encoded parameters rather than JSON, and using the specific policy type parameter names instead of a generic "policies" array. The documentation shows JSON response structures, which might lead us to assume the request should also be JSON. However, the GH Python example, this clearly shows that the API expects:

• **Content-Type**: application/x-www-form-urlencoded (form data)
• **Parameters**: Platform-specific like windows_policy_guid, not JSON with policies array

Can yuo try in Insomnia:

1. Method: PATCH
2. URL: https://api.eu.amp.cisco.com/v1/groups/50044d8c-c2a5-4b2e-94e1-093eb19ddad4
3. Body Type: Change from "JSON" to "Form URL Encoded"
4. Body Content: Instead of JSON, use form parameters like

This i suspected based on the example is what this would look like in python

import requests

amp_client_id = 'your_client_id_here'
amp_api_key = 'your_api_key_here'
group_guid = '50044d8c-c2a5-4b2e-94e1-093eb19ddad4'
windows_policy_guid = 'b173a158-a24d-43c9-8cd3-93fb69759e64'

# For other platforms, try these parameter names:
# mac_policy_guid - for Mac policies
# inux_policy_guid - for Linux policies
# android_policy_guid - for Android policies
# ios_policy_guid - for iOS policies

url = f'https://api.eu.amp.cisco.com/v1/groups/{group_guid}'
data = {'windows_policy_guid': windows_policy_guid}

response = requests.patch(url, auth=(amp_client_id, amp_api_key), data=data)
print(response.json())

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

View solution in original post

bigevilbeard · ‎06-19-2025

By no means an expert here, i do not see the patch here https://developer.cisco.com/docs/secure-endpoint/policies/ - is this the right API doc i am looking at?

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Ken Stieers · ‎06-19-2025

This is V1, its page is here https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-group/
Patch is valid.
It may be how the Body is set...

bigevilbeard · ‎06-19-2025

Thanks @Ken Stieers - if this valid then i would agree, based on the error show "policies" is being interpreted as a query parameter, i guess if you wrapped this in the data object should resolve the issue?

{
  "data": {
    "policies": [
      {
        "guid": "b173a158-a24d-43c9-8cd3-93fb69759e64"
      }
    ]
  }
}

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Matthieu Ramond · ‎06-19-2025

@Ken Stieers yes, this is the right doc. Sorry, I should have added a link to it.

Yes, I did try to wrap policies in the data object. However, I get the same error.

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/groups/50044d8c-c2u5-4c2e-94e1-094eb19ddad4"
    }
  },
  "data": {},
  "errors": [
    {
      "error_code": 400,
      "description": "Bad Request",
      "details": [
        "Following query parameter(s) are invalid: data"
      ]
    }
  ]
}

Ken Stieers · ‎06-19-2025

So... looking at that doc, the example shows a LOT more data in the body...
So probably what it wants is the result of a get of the policy inserted into the get of the group... not just the one bit you've got.
Something like this?
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.amp.cisco.com/v1/groups/a4a983ef-91df-428f-9b08-1e88ec5357df"
}
},
"data": {
"name": "00-mar25-forensic-group",
"description": "",
"guid": "a4a983ef-91df-428f-9b08-1e88ec5357df",
"source": null,
"policies": [
{
"name": "00-cat-forensic-mar25",
"description": "",
"guid": "3dc1435d-bdc8-4a9d-9da5-e7371562378d",
"product": "windows",
"default": false,
"serial_number": 140,
"links": {
"policy_xml": "https://api.amp.cisco.com/v1/policies/3dc1435d-bdc8-4a9d-9da5-e7371562378d.xml"
}
]
}
}

Matthieu Ramond · ‎06-23-2025

No, it doesn't work. It doesn't recognise any of the objects.

Result when I wrap it in the data object :

{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/groups/50044d8c-c2a5-4b2e-94e1-093eb19ddad4"
}
},
"data": {},
"errors": [
{
"error_code": 400,
"description": "Bad Request",
"details": [
"Following query parameter(s) are invalid: data"
]
}
]
}

When I don't wrap it :

{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/groups/50044d8c-c2a5-4b2e-94e1-093eb19ddad4"
}
},
"data": {},
"errors": [
{
"error_code": 400,
"description": "Bad Request",
"details": [
"Following query parameter(s) are invalid: description,guid,source,creator,created_at,computers_count,descendant_computers_count,policies"
]
}
]
}

bigevilbeard · ‎06-23-2025

@Matthieu Ramond if you are getting "query parameter" errors for every single field you send, to me this would suggest the API endpoint does not accept request bodies at all. Taking a really long assumption here ... if i am wrong, i am, as i dont have a way to test my theory. Let me show my work ...

I searched GH and found this https://github.com/CiscoSecurity/amp-01-basics/blob/b032c917b4a7793c9705826d5aad0225ca6d1259/05d_set_policy_for_group.py

As this is in the Cisco Security repo, i am going to assume this works.

So it is the same API endpoint and operation you showed, but here its looks like the correct way to send the data is as form-encoded parameters rather than JSON, and using the specific policy type parameter names instead of a generic "policies" array. The documentation shows JSON response structures, which might lead us to assume the request should also be JSON. However, the GH Python example, this clearly shows that the API expects:

• **Content-Type**: application/x-www-form-urlencoded (form data)
• **Parameters**: Platform-specific like windows_policy_guid, not JSON with policies array

Can yuo try in Insomnia:

1. Method: PATCH
2. URL: https://api.eu.amp.cisco.com/v1/groups/50044d8c-c2a5-4b2e-94e1-093eb19ddad4
3. Body Type: Change from "JSON" to "Form URL Encoded"
4. Body Content: Instead of JSON, use form parameters like

This i suspected based on the example is what this would look like in python

import requests

amp_client_id = 'your_client_id_here'
amp_api_key = 'your_api_key_here'
group_guid = '50044d8c-c2a5-4b2e-94e1-093eb19ddad4'
windows_policy_guid = 'b173a158-a24d-43c9-8cd3-93fb69759e64'

# For other platforms, try these parameter names:
# mac_policy_guid - for Mac policies
# inux_policy_guid - for Linux policies
# android_policy_guid - for Android policies
# ios_policy_guid - for iOS policies

url = f'https://api.eu.amp.cisco.com/v1/groups/{group_guid}'
data = {'windows_policy_guid': windows_policy_guid}

response = requests.patch(url, auth=(amp_client_id, amp_api_key), data=data)
print(response.json())

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Matthieu Ramond · ‎06-23-2025

It works ! Thank you so much.

bigevilbeard · ‎06-23-2025

Ha! Lucky guess! Now all we need is for the team to update the documents.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io