The current version 2.0.1of Cisco AMP for Endpoints Events seems to cut off the "VulnerableApplicationDetected" JSON. It appears if there is a large amount of CVE info, it tends to leave the event incomplete and does not format the JSON correctly. I don't know if it is the behavior of the response or not. When running the python manually, it appears to do the same thing from api.amp.cisco.com. A limitation of the size of the JSON response. Would this be correct?