GET /v1/computers/{:connector_guid}/trajectory
Description
Provides list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP Console.
Using the q parameter, you can search for an IP Address, SHA256 or URL.
Query Parameters
| Name | Type | Example Values | Description |
|---|---|---|---|
q |
String | 37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7 | |
limit |
Integer | 5 |
| Name | Type | Description |
|---|---|---|
| version | String | |
| metadata.links.self | String | |
| data.computer.connector_guid | GUID | |
| data.computer.hostname | String | |
| data.computer.active | Boolean | |
| data.computer.links.computer | String | |
| data.computer.links.trajectory | String | |
| data.computer.links.group | String | |
| data.computer.connector_version | String | |
| data.computer.operating_system | String | |
| data.computer.internal_ips | Array | |
| data.computer.internal_ips[] | String | |
| data.computer.external_ip | String | |
| data.computer.group_guid | GUID | |
| data.computer.install_date | String (Time ISO8601) | |
| data.computer.network_addresses | Array | |
| data.computer.network_addresses[].mac | String | |
| data.computer.network_addresses[].ip | String | |
| data.computer.policy.guid | GUID | |
| data.computer.policy.name | String | |
| data.events | Array | |
| data.events[].timestamp | Integer | |
| data.events[].timestamp_nanoseconds | Integer | |
| data.events[].date | String (Time ISO8601) | |
| data.events[].event_type | String | |
| data.events[].detection | String | |
| data.events[].group_guids | Array | |
| data.events[].group_guids[] | GUID | |
| data.events[].file.disposition | String | |
| data.events[].file.file_name | String | |
| data.events[].file.file_path | String | |
| data.events[].file.file_type | String | |
| data.events[].file.identity.sha256 | String | |
| data.events[].file.parent.disposition | String | |
| data.events[].file.parent.identity.sha256 | String |
Examples
- Fetch a specific computer's trajectory with given connector_guid
- Fetch a specific computer's trajectory with given connector_guid and filter for files with a SHA-...
Fetch a specific computer's trajectory with given connector_guid
Request
Requires AuthorizationGET /v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4/trajectory
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.apjc.amp.cisco.com/v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4/trajectory'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.apjc.amp.cisco.com/v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4/trajectory'
Shortened for readability
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 2196 x-ratelimit-remaining: 2656 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2018-10-03T17:33:35Z transfer-encoding: chunked
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.apjc.amp.cisco.com/v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4/trajectory"
}
},
"data": {
"computer": {
"connector_guid": "e714d352-f682-47ba-baa7-a1d574bc8fe4",
"hostname": "Demo_AMP_Threat_Audit",
"active": true,
"links": {
"computer": "https://api.apjc.amp.cisco.com/v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4",
"trajectory": "https://api.apjc.amp.cisco.com/v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4/trajectory",
"group": "https://api.apjc.amp.cisco.com/v1/groups/68665863-74d5-4bc1-ac7f-5477b2b6406e"
},
"connector_version": "6.2.1.10782(AVC)",
"operating_system": "Windows 7, SP 1.0",
"internal_ips": [
"77.189.252.203"
],
"external_ip": "225.73.247.232",
"group_guid": "68665863-74d5-4bc1-ac7f-5477b2b6406e",
"install_date": "2018-09-18T18:56:52Z",
"network_addresses": [
{
"mac": "3d:21:d6:d4:33:17",
"ip": "77.189.252.203"
}
],
"policy": {
"guid": "75f5a2b7-2875-41c1-9a11-0b212f347a08",
"name": "Triage Policy"
}
},
"events": [
{
"id": "6533671385032556606",
"timestamp": 1538494059,
"timestamp_nanoseconds": 14000000,
"date": "2018-10-02T15:27:39+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.File.MalParent",
"detection_id": "6533671380737589309",
"file": {
"disposition": "Malicious",
"file_name": "ekjrngjker.exe",
"file_path": "C:\\ekjrngjker.exe",
"identity": {
"sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
"sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
"md5": "b99e0a8c56f963246b6464b9fffbf7a2"
}
}
},
{
"id": "6533671385032556607",
"timestamp": 1538494059,
"timestamp_nanoseconds": 25000000,
"date": "2018-10-02T15:27:39+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.File.MalParent",
"detection_id": "6533671385032556606",
"file": {
"disposition": "Malicious",
"file_name": "ekjrngjker.exe",
"file_path": "\\\\?\\C:\\ekjrngjker.exe",
"identity": {
"sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
"sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
"md5": "b99e0a8c56f963246b6464b9fffbf7a2"
}
}
}
]
}
}
Fetch a specific computer's trajectory with given connector_guid and filter for files with a SHA-256 value
Request
Requires AuthorizationGET /v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.apjc.amp.cisco.com/v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.apjc.amp.cisco.com/v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5'
Shortened for readability
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 2195 x-ratelimit-remaining: 2654 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2018-10-03T17:33:35Z transfer-encoding: chunked
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.apjc.amp.cisco.com/v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5"
}
},
"data": {
"computer": {
"connector_guid": "e714d352-f682-47ba-baa7-a1d574bc8fe4",
"hostname": "Demo_AMP_Threat_Audit",
"active": true,
"links": {
"computer": "https://api.apjc.amp.cisco.com/v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4",
"trajectory": "https://api.apjc.amp.cisco.com/v1/computers/e714d352-f682-47ba-baa7-a1d574bc8fe4/trajectory",
"group": "https://api.apjc.amp.cisco.com/v1/groups/68665863-74d5-4bc1-ac7f-5477b2b6406e"
},
"connector_version": "6.2.1.10782(AVC)",
"operating_system": "Windows 7, SP 1.0",
"internal_ips": [
"77.189.252.203"
],
"external_ip": "225.73.247.232",
"group_guid": "68665863-74d5-4bc1-ac7f-5477b2b6406e",
"install_date": "2018-09-18T18:56:52Z",
"network_addresses": [
{
"mac": "3d:21:d6:d4:33:17",
"ip": "77.189.252.203"
}
],
"policy": {
"guid": "75f5a2b7-2875-41c1-9a11-0b212f347a08",
"name": "Triage Policy"
}
},
"events": [
]
}
}