Cisco AMP for Endpoints API

GET /v0/computers/{:connector_guid}/trajectory

Description

Provides a list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP Console.

Using the q parameter, you can search for an IP Address, SHA256 or URL.

Query Parameters

Name Type Example Values Description
q String 37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7
limit Integer 5

Show Response Fields

Name Type Description
version String
metadata.links.self String
data.computer.connector_guid GUID
data.computer.hostname String
data.computer.active Boolean
data.computer.links.computer String
data.computer.links.trajectory String
data.computer.links.group String
data.computer.connector_version String
data.computer.operating_system String
data.computer.internal_ips Array
data.computer.internal_ips[] String
data.computer.external_ip String
data.computer.group_guid GUID
data.computer.install_date String (Time ISO8601)
data.computer.network_addresses Array
data.computer.network_addresses[].mac String
data.computer.network_addresses[].ip String
data.computer.policy.guid GUID
data.computer.policy.name String
data.events Array
data.events[].timestamp Integer
data.events[].timestamp_nanoseconds Integer
data.events[].date String (Time ISO8601)
data.events[].event_type String
data.events[].detection String
data.events[].group_guids Array
data.events[].group_guids[] GUID
data.events[].file.disposition String
data.events[].file.file_name String
data.events[].file.file_path String
data.events[].file.file_type String
data.events[].file.identity.sha256 String
data.events[].file.parent.disposition String
data.events[].file.parent.identity.sha256 String
Write
Preview
Auto Generate

Examples

Fetch a specific computer's trajectory with given connector_guid and filter for files with a SHA-...
Fetch a specific computer's trajectory with given connector_guid

Fetch a specific computer's trajectory with given connector_guid and filter for files with a SHA-256 value

Request

Requires Authorization 
GET /v0/computers/ad29d359-dac9-4940-9c7e-c50e6d32ee6f/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v0/computers/ad29d359-dac9-4940-9c7e-c50e6d32ee6f/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5'

Response

Shortened for readability 

x-ratelimit-limit: 3000
x-ratelimit-reset: 3335
x-ratelimit-remaining: 2903
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2017-08-18T03:52:38Z
strict-transport-security: max-age=31536000
status: 200 OK
transfer-encoding: chunked
content-type: application/json; charset=utf-8

{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v0/computers/ad29d359-dac9-4940-9c7e-c50e6d32ee6f/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5"
    }
  },
  "data": {
    "computer": {
      "connector_guid": "ad29d359-dac9-4940-9c7e-c50e6d32ee6f",
      "hostname": "Demo_CozyDuke",
      "active": true,
      "links": {
        "computer": "https://api.amp.cisco.com/v0/computers/ad29d359-dac9-4940-9c7e-c50e6d32ee6f",
        "trajectory": "https://api.amp.cisco.com/v0/computers/ad29d359-dac9-4940-9c7e-c50e6d32ee6f/trajectory",
        "group": "https://api.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
      },
      "connector_version": "4.1.7.10201",
      "operating_system": "Windows 7, SP 1.0",
      "internal_ips": [
        "87.27.44.37"
      ],
      "external_ip": "93.111.140.204",
      "group_guid": "b077d6bc-bbdf-42f7-8838-a06053fbd98a",
      "install_date": "2016-05-20T19:20:00Z",
      "network_addresses": [
        {
          "mac": "09:de:6b:a8:74:10",
          "ip": "87.27.44.37"
        }
      ],
      "policy": {
        "guid": "89912c9e-8dbd-4c2b-a1d8-dee8a0c2bb29",
        "name": "Audit Policy"
      }
    },
    "events": [
      {
        "timestamp": 1502989276,
        "timestamp_nanoseconds": 194928129,
        "date": "2017-08-17T17:01:16+00:00",
        "event_type": "Created by",
        "detection": "W32.Generic:KCX.18fv.1201",
        "group_guids": [
          "b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        ],
        "file": {
          "disposition": "Malicious",
          "file_name": "amdhcp32.dll",
          "file_path": "/c:/users/administrator/appdata/roaming/ati_subsystem/amdhcp32.dll",
          "file_type": "PE Executable",
          "identity": {
            "sha256": "37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7"
          },
          "parent": {
            "disposition": "Malicious",
            "identity": {
              "sha256": "01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9"
            }
          }
        }
      },
      {
        "id": "6156292803669262359",
        "timestamp": 1502989272,
        "timestamp_nanoseconds": 35000000,
        "date": "2017-08-17T17:01:12+00:00",
        "event_type": "Threat Detected",
        "event_type_id": 1090519054,
        "detection": "W32.Generic:KCX.18fv.1201",
        "detection_id": "6156292803669262359",
        "file": {
          "disposition": "Malicious",
          "file_name": "amdhcp32.dll",
          "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\ATI_Subsystem\\amdhcp32.dll",
          "identity": {
            "sha256": "37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7",
            "sha1": "00f67deb6e435c68f8a39336c9effc45d395b134",
            "md5": "6761106f816313394a653db5172dc487"
          }
        }
      }
    ]
  }
}

Fetch a specific computer's trajectory with given connector_guid

Request

Requires Authorization 
GET /v0/computers/be73f7dc-de27-48d9-b414-d3ea4186f027/trajectory
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v0/computers/be73f7dc-de27-48d9-b414-d3ea4186f027/trajectory'

Response

Shortened for readability 

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 2309
x-ratelimit-remaining: 2824
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2018-10-03T17:33:35Z
transfer-encoding: chunked

{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v0/computers/be73f7dc-de27-48d9-b414-d3ea4186f027/trajectory"
    }
  },
  "data": {
    "computer": {
      "connector_guid": "be73f7dc-de27-48d9-b414-d3ea4186f027",
      "hostname": "Demo_AMP_Intel",
      "active": true,
      "links": {
        "computer": "https://api.amp.cisco.com/v0/computers/be73f7dc-de27-48d9-b414-d3ea4186f027",
        "trajectory": "https://api.amp.cisco.com/v0/computers/be73f7dc-de27-48d9-b414-d3ea4186f027/trajectory",
        "group": "https://api.amp.cisco.com/v0/groups/68665863-74d5-4bc1-ac7f-5477b2b6406e"
      },
      "connector_version": "6.2.1.10782(AVC)",
      "operating_system": "Windows 7, SP 1.0",
      "internal_ips": [
        "231.217.149.199"
      ],
      "external_ip": "122.63.66.219",
      "group_guid": "68665863-74d5-4bc1-ac7f-5477b2b6406e",
      "install_date": "2018-09-18T18:56:52Z",
      "network_addresses": [
        {
          "mac": "87:db:3f:7d:3f:40",
          "ip": "231.217.149.199"
        }
      ],
      "policy": {
        "guid": "75f5a2b7-2875-41c1-9a11-0b212f347a08",
        "name": "Triage Policy"
      }
    },
    "events": [
      {
        "timestamp": 1538474780,
        "timestamp_nanoseconds": 337814426,
        "date": "2018-10-02T10:06:20+00:00",
        "event_type": "Created by",
        "group_guids": [
          "68665863-74d5-4bc1-ac7f-5477b2b6406e"
        ],
        "file": {
          "disposition": "Unknown",
          "file_type": "MS OLE2 CF",
          "identity": {
            "sha256": "7d56ad1ed9dd554dcd029be7a59d7491aeafac99dbc3f7a821efffe420316e8d"
          },
          "parent": {
            "disposition": "Unknown",
            "identity": {
              "sha256": "fe85234ced13d5b94e42af429a32a81276b5a22ad819e9f2ccf519d998f5e449"
            }
          }
        }
      },
      {
        "timestamp": 1538459949,
        "timestamp_nanoseconds": 499948795,
        "date": "2018-10-02T05:59:09+00:00",
        "event_type": "Executed by",
        "group_guids": [
          "68665863-74d5-4bc1-ac7f-5477b2b6406e"
        ],
        "file": {
          "disposition": "Unknown",
          "file_name": "updatetrustedsites.exe",
          "file_path": "/c:/windows/ccm/updatetrustedsites.exe",
          "file_type": "PE Executable",
          "identity": {
            "sha256": "580b482ae69e5c8e9e306a161e59af51aa166c2d782ac2a41db8fbaad9bea4d7"
          },
          "parent": {
            "disposition": "Unknown",
            "identity": {
              "sha256": "8f6b884035ebefa86763614ce7fe91bf8747f2e2498abdfe93170afcce0714bc"
            }
          }
        }
      }
    ]
  }
}