Cisco AMP for Endpoints API

GET /v1/computers/{:connector_guid}/trajectory

Description

Provides a list of all activities associated with a particular computer. This is analogous to the Device Trajectory view in the FireAMP Console.

Using the q parameter, you can search for an IP Address, SHA256 or URL.

Query Parameters

Name Type Example Values Description
q String 37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7
limit Integer 5

Response Fields

Name Type Description
version String
metadata.links.self String
data.computer.connector_guid GUID
data.computer.hostname String
data.computer.active Boolean
data.computer.links.computer String
data.computer.links.trajectory String
data.computer.links.group String
data.computer.connector_version String
data.computer.operating_system String
data.computer.internal_ips Array
data.computer.internal_ips[] String
data.computer.external_ip String
data.computer.group_guid GUID
data.computer.install_date String (Time ISO8601)
data.computer.network_addresses Array
data.computer.network_addresses[].mac String
data.computer.network_addresses[].ip String
data.computer.policy.guid GUID
data.computer.policy.name String
data.events Array
data.events[].timestamp Integer
data.events[].timestamp_nanoseconds Integer
data.events[].date String (Time ISO8601)
data.events[].event_type String
data.events[].detection String
data.events[].group_guids Array
data.events[].group_guids[] GUID
data.events[].file.disposition String
data.events[].file.file_name String
data.events[].file.file_path String
data.events[].file.file_type String
data.events[].file.identity.sha256 String
data.events[].file.parent.disposition String
data.events[].file.parent.identity.sha256 String

Examples

Fetch a specific computer's trajectory with given connector_guid
Fetch a specific computer's trajectory with given connector_guid and filter for files with a SHA-256 value

Fetch a specific computer's trajectory with given connector_guid

Request

Requires Authorization
GET /v1/computers/bad2c522-3052-4d75-93a0-832d6283c299/trajectory
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

# Fetch the full device trajectory for one connector GUID.
# --user is given only the API client ID, so curl prompts for the secret
# paired with it rather than reading it from the command line.
# NOTE(review): two Accept-Encoding headers are passed (identity, then
# gzip, deflate); confirm which one is intended.
curl --request GET \
  --header 'accept: application/json' \
  --header 'content-type: application/json' \
  --header 'accept-encoding: identity' \
  --compressed --header 'Accept-Encoding: gzip, deflate' \
  --user YOUR_API_CLIENT_ID \
  'https://api.consumer.amp.cisco.com/v1/computers/bad2c522-3052-4d75-93a0-832d6283c299/trajectory'

Response

Shortened for readability

content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 896
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2846
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"974ef31fa9f7946fb3aad5ac1a5c0bc6"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.consumer.amp.cisco.com/v1/computers/bad2c522-3052-4d75-93a0-832d6283c299/trajectory"
    }
  },
  "data": {
    "computer": {
      "connector_guid": "bad2c522-3052-4d75-93a0-832d6283c299",
      "hostname": "Demo_AMP",
      "windows_processor_id": "195b0d8736e2af4",
      "active": true,
      "links": {
        "computer": "https://api.consumer.amp.cisco.com/v1/computers/bad2c522-3052-4d75-93a0-832d6283c299",
        "trajectory": "https://api.consumer.amp.cisco.com/v1/computers/bad2c522-3052-4d75-93a0-832d6283c299/trajectory",
        "group": "https://api.consumer.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      },
      "connector_version": "99.0.99.20946",
      "operating_system": "Windows 10",
      "os_version": "10.0.19044.1466",
      "internal_ips": [
        "74.177.148.86"
      ],
      "external_ip": "78.127.198.189",
      "group_guid": "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03",
      "install_date": "2022-02-16T11:40:01Z",
      "is_compromised": true,
      "demo": true,
      "network_addresses": [
        {
          "mac": "31:5e:f7:d7:d3:31",
          "ip": "74.177.148.86"
        }
      ],
      "policy": {
        "guid": "520c7c68-a637-43b1-b851-7830b0b336b6",
        "name": "Protect Policy"
      },
      "groups": [
        {
          "guid": "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03",
          "name": "Protect"
        }
      ],
      "faults": [

      ],
      "isolation": {
        "available": false,
        "status": "not_isolated"
      },
      "orbital": {
        "status": "not_enabled"
      }
    },
    "events": [
      {
        "id": "6508397899087348001",
        "timestamp": 1647551836,
        "timestamp_nanoseconds": 189474725,
        "date": "2022-03-17T21:17:16+00:00",
        "event_type": "Retrospective Quarantine Successful",
        "event_type_id": 553648155,
        "detection_id": "6508397899087347713",
        "group_guids": [
          "55ca1f58-1ee7-4720-8125-87539e7156cc"
        ],
        "severity": "High",
        "file": {
          "disposition": "Malicious",
          "identity": {
            "sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"
          }
        }
      },
      {
        "id": "6508397899087348000",
        "timestamp": 1647551836,
        "timestamp_nanoseconds": 295927133,
        "date": "2022-03-17T21:17:16+00:00",
        "event_type": "Retrospective Detection",
        "event_type_id": 553648147,
        "detection": "W32.6A37D750F0-100.SBX.TG",
        "detection_id": "6508397899087347713",
        "group_guids": [
          "55ca1f58-1ee7-4720-8125-87539e7156cc"
        ],
        "severity": "High",
        "file": {
          "disposition": "Malicious",
          "file_name": "resume.exe",
          "file_path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe",
          "identity": {
            "sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86",
            "sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b",
            "md5": "41476df3138717868118d8542cf3d1d6"
          }
        }
      }
    ]
  }
}

Fetch a specific computer's trajectory with given connector_guid and filter for files with a SHA-256 value

Request

Requires Authorization
GET /v1/computers/bad2c522-3052-4d75-93a0-832d6283c299/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

# Fetch one connector's trajectory, filtered with q (here a SHA-256) and
# limit=5 (presumably caps the number of events returned; confirm).
# The URL stays single-quoted so the shell does not treat '&' as a
# command separator and silently drop the limit parameter.
# --user is given only the API client ID, so curl prompts for the secret
# paired with it rather than reading it from the command line.
# NOTE(review): two Accept-Encoding headers are passed (identity, then
# gzip, deflate); confirm which one is intended.
curl --request GET \
  --header 'accept: application/json' \
  --header 'content-type: application/json' \
  --header 'accept-encoding: identity' \
  --compressed --header 'Accept-Encoding: gzip, deflate' \
  --user YOUR_API_CLIENT_ID \
  'https://api.consumer.amp.cisco.com/v1/computers/bad2c522-3052-4d75-93a0-832d6283c299/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5'

Response

Shortened for readability

content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 895
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2845
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"1499f1b52e70f5d7bd17122a9fcfcff8"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.consumer.amp.cisco.com/v1/computers/bad2c522-3052-4d75-93a0-832d6283c299/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5"
    }
  },
  "data": {
    "computer": {
      "connector_guid": "bad2c522-3052-4d75-93a0-832d6283c299",
      "hostname": "Demo_AMP",
      "windows_processor_id": "195b0d8736e2af4",
      "active": true,
      "links": {
        "computer": "https://api.consumer.amp.cisco.com/v1/computers/bad2c522-3052-4d75-93a0-832d6283c299",
        "trajectory": "https://api.consumer.amp.cisco.com/v1/computers/bad2c522-3052-4d75-93a0-832d6283c299/trajectory",
        "group": "https://api.consumer.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      },
      "connector_version": "99.0.99.20946",
      "operating_system": "Windows 10",
      "os_version": "10.0.19044.1466",
      "internal_ips": [
        "74.177.148.86"
      ],
      "external_ip": "78.127.198.189",
      "group_guid": "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03",
      "install_date": "2022-02-16T11:40:01Z",
      "is_compromised": true,
      "demo": true,
      "network_addresses": [
        {
          "mac": "31:5e:f7:d7:d3:31",
          "ip": "74.177.148.86"
        }
      ],
      "policy": {
        "guid": "520c7c68-a637-43b1-b851-7830b0b336b6",
        "name": "Protect Policy"
      },
      "groups": [
        {
          "guid": "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03",
          "name": "Protect"
        }
      ],
      "faults": [

      ],
      "isolation": {
        "available": false,
        "status": "not_isolated"
      },
      "orbital": {
        "status": "not_enabled"
      }
    },
    "events": [

    ]
  }
}