Cisco AMP for Endpoints API

GET /v0/computers/activity

Description

This endpoint provides you with the ability to search all computers across your organization for any events or activities associated with a file or network operation, and returns computers matching that criteria. You can then query the /computers/{connector-guid}/trajectory endpoint for specific details.

This endpoint requires a q parameter which is a freeform query string. It currently accepts:

  • an IPv4 address: 1.0.0.0. Note for this search CIDR addresses are not supported
  • a SHA256
  • a filename
  • a URL fragment

There is a hard limit of 5000 historical entries searched for this endpoint.

Query Parameters

Name Type Example Values Description
q String SearchProtocolHost.exe, 814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e, 75.102.25.76, sovereutilizeignty.com
limit Integer 5
offset Integer 0

Show Response Fields

Name Type Description
version String
metadata.links.self String
metadata.results.total Integer
metadata.results.current_item_count Integer
metadata.results.index Integer
metadata.results.items_per_page Integer
data Array
data[].connector_guid GUID
data[].hostname String
data[].active Boolean
data[].links.computer String
data[].links.trajectory String
data[].links.group String
Write
Preview
Auto Generate

Examples

Fetch list of computers that have observed files with given file name
Fetch list of computers that have observed files with given SHA-256 value
Fetch list of computers that have connected to a given IP address
Fetch list of computers that have connected to a given URL

Fetch list of computers that have observed files with given file name

Request

Requires Authorization 
GET /v0/computers/activity?q=SearchProtocolHost.exe&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/computers/activity?q=SearchProtocolHost.exe&limit=5'

Response

Actual Response 

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1993
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2873
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"3d60e5f2496990f5e8f88a4b4722b003"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000

{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/computers/activity?q=SearchProtocolHost.exe&limit=5",
      "next": "https://api.eu.amp.cisco.com/v0/computers/activity?q=SearchProtocolHost.exe&limit=5&offset=5"
    },
    "results": {
      "total": 74,
      "current_item_count": 0,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [

  ]
}

Fetch list of computers that have observed files with given SHA-256 value

Request

Requires Authorization 
GET /v0/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5'

Response

Actual Response 

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1993
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2872
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"8692d2c9aa1f5ad1b1a3f2da173366dc"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000

{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5"
    },
    "results": {
      "total": 4,
      "current_item_count": 0,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [

  ]
}

Fetch list of computers that have connected to a given IP address

Request

Requires Authorization 
GET /v0/computers/activity?q=75.102.25.76&offset=0&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/computers/activity?q=75.102.25.76&offset=0&limit=5'

Response

Actual Response 

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1993
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2871
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"996bd2eebee8b9deb08c67a3b186792d"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000

{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/computers/activity?q=75.102.25.76&offset=0&limit=5",
      "next": "https://api.eu.amp.cisco.com/v0/computers/activity?q=75.102.25.76&limit=5&offset=5"
    },
    "results": {
      "total": 9,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "connector_guid": "7173f0bd-15a5-4f4d-add1-ae6934a4e0cf",
      "hostname": "Demo_Upatre",
      "windows_processor_id": "712eb9d8a6453f0",
      "active": false,
      "links": {
        "group": "https://api.eu.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      }
    }
  ]
}

Fetch list of computers that have connected to a given URL

Request

Requires Authorization 
GET /v0/computers/activity?q=sovereutilizeignty.com&offset=0&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/computers/activity?q=sovereutilizeignty.com&offset=0&limit=5'

Response

Actual Response 

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1993
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2870
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"f1ff66174e8ee9d0adfb908f7c4a7817"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000

{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/computers/activity?q=sovereutilizeignty.com&offset=0&limit=5"
    },
    "results": {
      "total": 4,
      "current_item_count": 0,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [

  ]
}