GET /v0/computers/activity
Description
This endpoint provides you with the ability to search all computers across your organization for any events or activities associated with a file or network operation, and returns computers matching that criteria. You can then query the /computers/{connector-guid}/trajectory endpoint for specific details.
This endpoint requires a q parameter which is a freeform query string. It currently accepts:
- an IPv4 address: 1.0.0.0. Note for this search CIDR addresses are not supported
- a SHA256
- a filename
- a URL fragment
There is a hard limit of 5000 historical entries searched for this endpoint.
Query Parameters
| Name | Type | Example Values | Description |
|---|---|---|---|
q |
String | SearchProtocolHost.exe, 814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e, 75.102.25.76, sovereutilizeignty.com | |
limit |
Integer | 5 | |
offset |
Integer | 0 |
| Name | Type | Description |
|---|---|---|
| version | String | |
| metadata.links.self | String | |
| metadata.results.total | Integer | |
| metadata.results.current_item_count | Integer | |
| metadata.results.index | Integer | |
| metadata.results.items_per_page | Integer | |
| data | Array | |
| data[].connector_guid | GUID | |
| data[].hostname | String | |
| data[].active | Boolean | |
| data[].links.computer | String | |
| data[].links.trajectory | String | |
| data[].links.group | String |
Examples
- Fetch list of computers that have observed files with given file name
- Fetch list of computers that have observed files with given SHA-256 value
- Fetch list of computers that have connected to a given IP address
- Fetch list of computers that have connected to a given URL
Fetch list of computers that have observed files with given file name
Request
Requires AuthorizationGET /v0/computers/activity?q=SearchProtocolHost.exe&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/computers/activity?q=SearchProtocolHost.exe&limit=5'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v0/computers/activity?q=SearchProtocolHost.exe&limit=5'
Actual Response
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 3597 x-ratelimit-remaining: 2990 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2020-02-20T19:42:33Z transfer-encoding: chunked
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v0/computers/activity?q=SearchProtocolHost.exe&limit=5",
"next": "https://api.eu.amp.cisco.com/v0/computers/activity?q=SearchProtocolHost.exe&limit=5&offset=5"
},
"results": {
"total": 10,
"current_item_count": 5,
"index": 0,
"items_per_page": 5
}
},
"data": [
{
"connector_guid": "043a414d-5520-4374-b545-dff6a0e74195",
"hostname": "Demo_CozyDuke",
"windows_processor_id": "d83597eb420f61a",
"active": true,
"links": {
"computer": "https://api.eu.amp.cisco.com/v0/computers/043a414d-5520-4374-b545-dff6a0e74195",
"trajectory": "https://api.eu.amp.cisco.com/v0/computers/043a414d-5520-4374-b545-dff6a0e74195/trajectory?q=SearchProtocolHost.exe",
"group": "https://api.eu.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
{
"connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
"hostname": "Demo_Upatre",
"windows_processor_id": "70bd6284e15af93",
"active": true,
"links": {
"computer": "https://api.eu.amp.cisco.com/v0/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
"trajectory": "https://api.eu.amp.cisco.com/v0/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory?q=SearchProtocolHost.exe",
"group": "https://api.eu.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
{
"connector_guid": "3e2cd1ab-1f23-4ee9-a787-c2b4a33e3d19",
"hostname": "Demo_Qakbot_3",
"windows_processor_id": "51274d0f89b36ea",
"active": true,
"links": {
"computer": "https://api.eu.amp.cisco.com/v0/computers/3e2cd1ab-1f23-4ee9-a787-c2b4a33e3d19",
"trajectory": "https://api.eu.amp.cisco.com/v0/computers/3e2cd1ab-1f23-4ee9-a787-c2b4a33e3d19/trajectory?q=SearchProtocolHost.exe",
"group": "https://api.eu.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
{
"connector_guid": "552c40f8-afc1-4eae-85cf-b70c9644a3fe",
"hostname": "Demo_Qakbot_1",
"windows_processor_id": "5b9ea4367210f8d",
"active": true,
"links": {
"computer": "https://api.eu.amp.cisco.com/v0/computers/552c40f8-afc1-4eae-85cf-b70c9644a3fe",
"trajectory": "https://api.eu.amp.cisco.com/v0/computers/552c40f8-afc1-4eae-85cf-b70c9644a3fe/trajectory?q=SearchProtocolHost.exe",
"group": "https://api.eu.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
{
"connector_guid": "aa450051-7dfc-48a5-b44d-835056ca317b",
"hostname": "Demo_WannaCry_Ransomware",
"windows_processor_id": "690f4ea1b5d3287",
"active": true,
"links": {
"computer": "https://api.eu.amp.cisco.com/v0/computers/aa450051-7dfc-48a5-b44d-835056ca317b",
"trajectory": "https://api.eu.amp.cisco.com/v0/computers/aa450051-7dfc-48a5-b44d-835056ca317b/trajectory?q=SearchProtocolHost.exe",
"group": "https://api.eu.amp.cisco.com/v0/groups/68665863-74d5-4bc1-ac7f-5477b2b6406e"
}
}
]
}
Fetch list of computers that have observed files with given SHA-256 value
Request
Requires AuthorizationGET /v0/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v0/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5'
Actual Response
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 3597 x-ratelimit-remaining: 2989 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2020-02-20T19:42:33Z transfer-encoding: chunked
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v0/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5"
},
"results": {
"total": 1,
"current_item_count": 1,
"index": 0,
"items_per_page": 5
}
},
"data": [
{
"connector_guid": "367a2c23-d0e7-464b-ac3f-9a209868b31d",
"hostname": "Demo_Stabuniq",
"windows_processor_id": "83f976a0db415e2",
"active": true,
"links": {
"computer": "https://api.eu.amp.cisco.com/v0/computers/367a2c23-d0e7-464b-ac3f-9a209868b31d",
"trajectory": "https://api.eu.amp.cisco.com/v0/computers/367a2c23-d0e7-464b-ac3f-9a209868b31d/trajectory?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e",
"group": "https://api.eu.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
}
]
}
Fetch list of computers that have connected to a given IP address
Request
Requires AuthorizationGET /v0/computers/activity?q=75.102.25.76&offset=0&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/computers/activity?q=75.102.25.76&offset=0&limit=5'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v0/computers/activity?q=75.102.25.76&offset=0&limit=5'
Actual Response
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 3597 x-ratelimit-remaining: 2988 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2020-02-20T19:42:33Z transfer-encoding: chunked
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v0/computers/activity?q=75.102.25.76&offset=0&limit=5"
},
"results": {
"total": 2,
"current_item_count": 2,
"index": 0,
"items_per_page": 5
}
},
"data": [
{
"connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
"hostname": "Demo_Upatre",
"windows_processor_id": "70bd6284e15af93",
"active": true,
"links": {
"computer": "https://api.eu.amp.cisco.com/v0/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
"trajectory": "https://api.eu.amp.cisco.com/v0/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory?q=75.102.25.76",
"group": "https://api.eu.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
{
"connector_guid": "367a2c23-d0e7-464b-ac3f-9a209868b31d",
"hostname": "Demo_Stabuniq",
"windows_processor_id": "83f976a0db415e2",
"active": true,
"links": {
"computer": "https://api.eu.amp.cisco.com/v0/computers/367a2c23-d0e7-464b-ac3f-9a209868b31d",
"trajectory": "https://api.eu.amp.cisco.com/v0/computers/367a2c23-d0e7-464b-ac3f-9a209868b31d/trajectory?q=75.102.25.76",
"group": "https://api.eu.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
}
]
}
Fetch list of computers that have connected to a given URL
Request
Requires AuthorizationGET /v0/computers/activity?q=sovereutilizeignty.com&offset=0&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/computers/activity?q=sovereutilizeignty.com&offset=0&limit=5'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v0/computers/activity?q=sovereutilizeignty.com&offset=0&limit=5'
Actual Response
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 3597 x-ratelimit-remaining: 2987 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2020-02-20T19:42:33Z transfer-encoding: chunked
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v0/computers/activity?q=sovereutilizeignty.com&offset=0&limit=5"
},
"results": {
"total": 1,
"current_item_count": 1,
"index": 0,
"items_per_page": 5
}
},
"data": [
{
"connector_guid": "367a2c23-d0e7-464b-ac3f-9a209868b31d",
"hostname": "Demo_Stabuniq",
"windows_processor_id": "83f976a0db415e2",
"active": true,
"links": {
"computer": "https://api.eu.amp.cisco.com/v0/computers/367a2c23-d0e7-464b-ac3f-9a209868b31d",
"trajectory": "https://api.eu.amp.cisco.com/v0/computers/367a2c23-d0e7-464b-ac3f-9a209868b31d/trajectory?q=sovereutilizeignty.com",
"group": "https://api.eu.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
}
]
}