Cisco AMP for Endpoints API

GET /v1/computers/{:connector_guid}/trajectory

Description

Provides list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP Console.

Using the q parameter, you can search for an IP Address, SHA256 or URL.

Query Parameters

Name	Type	Example Values	Description
`q`	String	37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7
`limit`	Integer	5

Show Response Fields

Name	Type	Description
version	String
metadata.links.self	String
data.computer.connector_guid	GUID
data.computer.hostname	String
data.computer.active	Boolean
data.computer.links.computer	String
data.computer.links.trajectory	String
data.computer.links.group	String
data.computer.connector_version	String
data.computer.operating_system	String
data.computer.internal_ips	Array
data.computer.internal_ips[]	String
data.computer.external_ip	String
data.computer.group_guid	GUID
data.computer.install_date	String (Time ISO8601)
data.computer.network_addresses	Array
data.computer.network_addresses[].mac	String
data.computer.network_addresses[].ip	String
data.computer.policy.guid	GUID
data.computer.policy.name	String
data.events	Array
data.events[].timestamp	Integer
data.events[].timestamp_nanoseconds	Integer
data.events[].date	String (Time ISO8601)
data.events[].event_type	String
data.events[].detection	String
data.events[].group_guids	Array
data.events[].group_guids[]	GUID
data.events[].file.disposition	String
data.events[].file.file_name	String
data.events[].file.file_path	String
data.events[].file.file_type	String
data.events[].file.identity.sha256	String
data.events[].file.parent.disposition	String
data.events[].file.parent.identity.sha256	String

Write

Preview

Describe this action in markdown

Provides list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP Console.

Using the `q` parameter, you can search for an IP Address, SHA256 or URL.

### Query Parameters

|Name|Type|Example Values|Description|
|----|----|----|----|
|`q`|String|37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7||
|`limit`|Integer|5||
[Show Response Fields](response-fields)

|Name|Type|Description|
|---|---|---|
|version|String||
|metadata.links.self|String||
|data.computer.connector_guid|GUID||
|data.computer.hostname|String||
|data.computer.active|Boolean||
|data.computer.links.computer|String||
|data.computer.links.trajectory|String||
|data.computer.links.group|String||
|data.computer.connector_version|String||
|data.computer.operating_system|String||
|data.computer.internal_ips|Array||
|data.computer.internal_ips[]|String||
|data.computer.external_ip|String||
|data.computer.group_guid|GUID||
|data.computer.install_date|String (Time ISO8601)||
|data.computer.network_addresses|Array||
|data.computer.network_addresses[].mac|String||
|data.computer.network_addresses[].ip|String||
|data.computer.policy.guid|GUID||
|data.computer.policy.name|String||
|data.events|Array||
|data.events[].timestamp|Integer||
|data.events[].timestamp_nanoseconds|Integer||
|data.events[].date|String (Time ISO8601)||
|data.events[].event_type|String||
|data.events[].detection|String||
|data.events[].group_guids|Array||
|data.events[].group_guids[]|GUID||
|data.events[].file.disposition|String||
|data.events[].file.file_name|String||
|data.events[].file.file_path|String||
|data.events[].file.file_type|String||
|data.events[].file.identity.sha256|String||
|data.events[].file.parent.disposition|String||
|data.events[].file.parent.identity.sha256|String||

Auto Generate

Examples

Fetch a specific computer's trajectory with given connector_guid

Fetch a specific computer's trajectory with given connector_guid and filter for files with a SHA-...

Fetch a specific computer's trajectory with given connector_guid

Request

Requires Authorization

GET /v1/computers/d821e2d9-9280-489c-a6c3-be02d85ba8a0/trajectory

Headers

accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.apjc.amp.cisco.com/v1/computers/d821e2d9-9280-489c-a6c3-be02d85ba8a0/trajectory'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3577
x-ratelimit-remaining: 2963
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2020-02-20T19:42:33Z
transfer-encoding: chunked

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.apjc.amp.cisco.com/v1/computers/d821e2d9-9280-489c-a6c3-be02d85ba8a0/trajectory"
    }
  },
  "data": {
    "computer": {
      "connector_guid": "d821e2d9-9280-489c-a6c3-be02d85ba8a0",
      "hostname": "Demo_Command_Line_Arguments_Kovter",
      "windows_processor_id": "1937b8e046adf25",
      "active": true,
      "links": {
        "computer": "https://api.apjc.amp.cisco.com/v1/computers/d821e2d9-9280-489c-a6c3-be02d85ba8a0",
        "trajectory": "https://api.apjc.amp.cisco.com/v1/computers/d821e2d9-9280-489c-a6c3-be02d85ba8a0/trajectory",
        "group": "https://api.apjc.amp.cisco.com/v1/groups/68665863-74d5-4bc1-ac7f-5477b2b6406e"
      },
      "connector_version": "99.0.99.11594",
      "operating_system": "Windows 10, SP 0.0",
      "internal_ips": [
        "48.228.237.163"
      ],
      "external_ip": "87.18.29.150",
      "group_guid": "68665863-74d5-4bc1-ac7f-5477b2b6406e",
      "install_date": "2020-02-17T08:47:17Z",
      "network_addresses": [
        {
          "mac": "cd:e0:30:42:21:f7",
          "ip": "48.228.237.163"
        }
      ],
      "policy": {
        "guid": "75f5a2b7-2875-41c1-9a11-0b212f347a08",
        "name": "Triage Policy"
      },
      "faults": [

      ],
      "isolation": {
        "available": false,
        "status": "not_isolated"
      },
      "orbital": {
        "status": "not_enabled"
      }
    },
    "events": [
      {
        "timestamp": 1581940174,
        "timestamp_nanoseconds": 842009819,
        "date": "2020-02-17T11:49:34+00:00",
        "event_type": "Executed by",
        "group_guids": [
          "68665863-74d5-4bc1-ac7f-5477b2b6406e"
        ],
        "file": {
          "disposition": "Clean",
          "file_name": "taskmgr.exe",
          "file_path": "/c:/windows/system32/taskmgr.exe",
          "file_type": "PE Executable",
          "identity": {
            "sha256": "292106dfdfacdc0ab33e3cb580ae23f0506cb2402b9b3ca2811a0a1c2f6ebf6c"
          },
          "parent": {
            "disposition": "Clean",
            "identity": {
              "sha256": "438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7"
            }
          }
        }
      },
      {
        "timestamp": 1581940173,
        "timestamp_nanoseconds": 543023082,
        "date": "2020-02-17T11:49:33+00:00",
        "event_type": "Executed by",
        "group_guids": [
          "68665863-74d5-4bc1-ac7f-5477b2b6406e"
        ],
        "file": {
          "disposition": "Clean",
          "file_name": "taskmgr.exe",
          "file_path": "/c:/windows/system32/taskmgr.exe",
          "file_type": "PE Executable",
          "identity": {
            "sha256": "292106dfdfacdc0ab33e3cb580ae23f0506cb2402b9b3ca2811a0a1c2f6ebf6c"
          },
          "parent": {
            "disposition": "Unknown",
            "identity": {
              "sha256": "0bd0a04d7b32648f627387894a165b321ac277bd8103a4ca6790607458adf778"
            }
          }
        }
      }
    ]
  }
}

Fetch a specific computer's trajectory with given connector_guid and filter for files with a SHA-256 value