About TomML

TomML · 10-09-2024

Is there any additional documentation (blogs, webinars, etc) beyond Microsoft Windows Endpoint Target (cisco.com) on how to set up a Windows Endpoint target in XDR? Is it possible to target internal endpoints? I am under the impression that it woul...

TomML · 09-13-2024

The HTTP Request fails when trying to query our secure email appliance using the subjectfilterValue parameter of a subject that contains an &, i.e subject is "Foo & Bar." /sma/api/v2.0/message-tracking/messages?searchOption=messages&ciscoHost=All_H...

TomML · 06-13-2024

Hi, within XDR I can conduct message remediation by pivoting off of a Cisco Message ID (MID):However I cannot seem to find any documentation detailing how to conduct message remediation with the API (PUT or POST with a list of MIDs) so I can incorpor...

TomML · 08-22-2023

Curious if there is way to mark a potential compromise as resolved with the API. I would like to automate some known false positives that routinely appear.I didn't notice any POSTs in the current version of the documentation (Secure Endpoint API - C...

TomML · 08-07-2023

Is there a way to safelist or create an exclusion for this benign powershell command without safelisting cmd.exe or powerhell.exe - just the actual Command parameter? These events are classified as "Command Obfuscation With Symbols" compromises and ...

TomML · 10-10-2024

Tracking the XDR option/profile for NVM but looking for more guidance on configuring a Microsoft Windows Endpoint Target. Guessing it needs a public IP address?

TomML · 05-13-2024

Nevermind - I got it import requests import json url = "https://orbital.amp.cisco.com/v0/script/run" payload = json.dumps({ "name": "Execute Powershell Cmdlet via API", "nodes": [ "amp:235xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" ], "expiry": ...

TomML · 05-13-2024

Thanks @eugechan , I created a new API client with Admin and Orbital options. I think I am making progress - I'll further review the API documentation. Appreciate your feedback!import requests import json url = "https://orbital.amp.cisco.com/v0/s...

TomML · 05-10-2024

I am a bit confused on the Orbital Script API document. I am hoping it is like using the Query body syntax where I can give it the name of the Script ("windows_exec_powershell_cmdlets" in this case) along with its arguments.import requests import js...

TomML · 11-20-2023

Thanks @UdupiKrishna @Robert Sherwin. Looks like we had some certificate issues in our environment. It's working as intended now.

Member Since	‎11-18-2022 08:11 AM
Date Last Visited	‎10-10-2024 01:56 PM
Posts	20
Total Helpful Votes Received	3

User Statistics

User Activity

XDR Microsoft Windows Endpoint Target

Escape & character in params using HTTP Request in XDR Workflow

Cisco Email and Web Message Remediation API

Secure Endpoint API Call to Resolve a Compromise

Safelist Command Obfuscation With Symbols in Secure Endpoint

Re: XDR Microsoft Windows Endpoint Target

Re: Orbital Scripts API

Re: Orbital Scripts API

Re: Orbital Scripts API

Re: Issue with remediating Messages in Mailboxes with SMA Message Trac