Cisco AMP for Endpoints API

GET /v1/computers/{:connector_guid}/trajectory

Description

Provides a list of all activities associated with a particular computer. This is analogous to the Device Trajectory on the FireAMP Console.

Using the q parameter, you can search for an IP address, SHA-256, or URL.

Query Parameters

Name Type Example Values Description
q String 37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7
limit Integer 5

Response Fields

Name Type Description
version String
metadata.links.self String
data.computer.connector_guid GUID
data.computer.hostname String
data.computer.active Boolean
data.computer.links.computer String
data.computer.links.trajectory String
data.computer.links.group String
data.computer.connector_version String
data.computer.operating_system String
data.computer.internal_ips Array
data.computer.internal_ips[] String
data.computer.external_ip String
data.computer.group_guid GUID
data.computer.install_date String (Time ISO8601)
data.computer.network_addresses Array
data.computer.network_addresses[].mac String
data.computer.network_addresses[].ip String
data.computer.policy.guid GUID
data.computer.policy.name String
data.events Array
data.events[].timestamp Integer
data.events[].timestamp_nanoseconds Integer
data.events[].date String (Time ISO8601)
data.events[].event_type String
data.events[].detection String
data.events[].group_guids Array
data.events[].group_guids[] GUID
data.events[].file.disposition String
data.events[].file.file_name String
data.events[].file.file_path String
data.events[].file.file_type String
data.events[].file.identity.sha256 String
data.events[].file.parent.disposition String
data.events[].file.parent.identity.sha256 String

Examples

Fetch a specific computer's trajectory with given connector_guid

Request

Requires Authorization
GET /v1/computers/d2abab43-7507-45fc-a8da-1a65c917b9a7/trajectory
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/computers/d2abab43-7507-45fc-a8da-1a65c917b9a7/trajectory'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3578
x-ratelimit-remaining: 2963
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-11-22T19:40:39Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/computers/d2abab43-7507-45fc-a8da-1a65c917b9a7/trajectory"
    }
  },
  "data": {
    "computer": {
      "connector_guid": "d2abab43-7507-45fc-a8da-1a65c917b9a7",
      "hostname": "Demo_AMP_MAP_FriedEx",
      "active": true,
      "links": {
        "computer": "https://api.eu.amp.cisco.com/v1/computers/d2abab43-7507-45fc-a8da-1a65c917b9a7",
        "trajectory": "https://api.eu.amp.cisco.com/v1/computers/d2abab43-7507-45fc-a8da-1a65c917b9a7/trajectory",
        "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      },
      "connector_version": "6.3.1.10893",
      "operating_system": "Windows 7, SP 1.0",
      "internal_ips": [
        "212.143.221.79"
      ],
      "external_ip": "102.141.238.162",
      "group_guid": "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03",
      "install_date": "2019-10-31T11:49:06Z",
      "network_addresses": [
        {
          "mac": "27:4c:6c:a7:b3:04",
          "ip": "212.143.221.79"
        }
      ],
      "policy": {
        "guid": "520c7c68-a637-43b1-b851-7830b0b336b6",
        "name": "Protect Policy"
      },
      "faults": [

      ],
      "isolation": {
        "available": false,
        "status": "not_isolated"
      }
    },
    "events": [
      {
        "timestamp": 1572617961,
        "timestamp_nanoseconds": 358466618,
        "date": "2019-11-01T14:19:21+00:00",
        "event_type": "Created by",
        "group_guids": [
          "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        ],
        "file": {
          "disposition": "Unknown",
          "file_name": "mpavdlta.vdm",
          "file_path": "/c:/windows/temp/e73b0a83-cec0-4324-8c0a-8ddfcbbda3082d40.1d42864b3cfa19e/mpavdlta.vdm",
          "file_type": "PE Executable",
          "identity": {
            "sha256": "eddf5650f96a06a4c40b161f23a2d206e0e7dad569c121c157ac26af794bb965"
          },
          "parent": {
            "disposition": "Unknown",
            "identity": {
              "sha256": "c3aa060dd90d2bf91d7901771bd7a5b978b812cd16375fcd2a3f697ffaf281f3"
            }
          }
        }
      },
      {
        "timestamp": 1572617950,
        "timestamp_nanoseconds": 232665831,
        "date": "2019-11-01T14:19:10+00:00",
        "event_type": "Created by",
        "group_guids": [
          "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        ],
        "file": {
          "disposition": "Unknown",
          "file_name": "mpavdlta.vdm",
          "file_path": "/c:/windows/temp/e73b0a83-cec0-4324-8c0a-8ddfcbbda3082d40.1d42864b3cfa19e/mpavdlta.vdm",
          "file_type": "PE Executable",
          "identity": {
            "sha256": "eddf5650f96a06a4c40b161f23a2d206e0e7dad569c121c157ac26af794bb965"
          },
          "parent": {
            "disposition": "Unknown",
            "identity": {
              "sha256": "c3aa060dd90d2bf91d7901771bd7a5b978b812cd16375fcd2a3f697ffaf281f3"
            }
          }
        }
      }
    ]
  }
}

Fetch a specific computer's trajectory with given connector_guid and filter for files with a SHA-256 value

Request

Requires Authorization
GET /v1/computers/d2abab43-7507-45fc-a8da-1a65c917b9a7/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/computers/d2abab43-7507-45fc-a8da-1a65c917b9a7/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3576
x-ratelimit-remaining: 2962
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-11-22T19:40:39Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/computers/d2abab43-7507-45fc-a8da-1a65c917b9a7/trajectory?q=37ceea0922d1177a9de74f4858678acf6afd22706489fcca35a509bca9688cb7&limit=5"
    }
  },
  "data": {
    "computer": {
      "connector_guid": "d2abab43-7507-45fc-a8da-1a65c917b9a7",
      "hostname": "Demo_AMP_MAP_FriedEx",
      "active": true,
      "links": {
        "computer": "https://api.eu.amp.cisco.com/v1/computers/d2abab43-7507-45fc-a8da-1a65c917b9a7",
        "trajectory": "https://api.eu.amp.cisco.com/v1/computers/d2abab43-7507-45fc-a8da-1a65c917b9a7/trajectory",
        "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      },
      "connector_version": "6.3.1.10893",
      "operating_system": "Windows 7, SP 1.0",
      "internal_ips": [
        "212.143.221.79"
      ],
      "external_ip": "102.141.238.162",
      "group_guid": "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03",
      "install_date": "2019-10-31T11:49:06Z",
      "network_addresses": [
        {
          "mac": "27:4c:6c:a7:b3:04",
          "ip": "212.143.221.79"
        }
      ],
      "policy": {
        "guid": "520c7c68-a637-43b1-b851-7830b0b336b6",
        "name": "Protect Policy"
      },
      "faults": [

      ],
      "isolation": {
        "available": false,
        "status": "not_isolated"
      }
    },
    "events": [

    ]
  }
}
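
A client-side sketch for consuming this endpoint during triage, added here as an example and not taken from Cisco's documentation or SDK: it validates the connector GUID before it is placed in the path, URL-encodes q and limit, orders data.events oldest-first using timestamp plus timestamp_nanoseconds, and decides when to pause from the rate-limit headers. The function names and the floor threshold are hypothetical, x-ratelimit-reset is assumed to be seconds until the window resets, and the sample events are constructed from the first response above.

```python
import uuid
from urllib.parse import urlencode

API_HOST = "api.eu.amp.cisco.com"  # regional host used in the page's examples

def trajectory_url(connector_guid, q=None, limit=None):
    """Build the request URL; a malformed GUID raises ValueError before any request."""
    guid = str(uuid.UUID(connector_guid))
    params = {k: v for k, v in (("q", q), ("limit", limit)) if v is not None}
    base = f"https://{API_HOST}/v1/computers/{guid}/trajectory"
    return base + ("?" + urlencode(params) if params else "")

def timeline(body):
    """Flatten data.events and return them oldest-first with nanosecond ordering."""
    rows = []
    for ev in body["data"]["events"]:
        f = ev.get("file", {})
        rows.append({
            "ns": ev["timestamp"] * 10**9 + ev.get("timestamp_nanoseconds", 0),
            "event_type": ev.get("event_type"),
            "file_name": f.get("file_name"),
            "sha256": f.get("identity", {}).get("sha256"),
            "parent_sha256": f.get("parent", {}).get("identity", {}).get("sha256"),
        })
    return sorted(rows, key=lambda r: r["ns"])

def seconds_to_wait(headers, floor=50):
    """Seconds to pause once x-ratelimit-remaining drops below floor (hypothetical value)."""
    h = {k.lower(): v for k, v in headers.items()}
    if int(h.get("x-ratelimit-remaining", floor)) >= floor:
        return 0
    return int(h.get("x-ratelimit-reset", 0))  # assumed: seconds until reset

# Constructed sample: the two events from the page's first response, trimmed.
SHA = "eddf5650f96a06a4c40b161f23a2d206e0e7dad569c121c157ac26af794bb965"
PARENT = "c3aa060dd90d2bf91d7901771bd7a5b978b812cd16375fcd2a3f697ffaf281f3"

def _event(ts, ns):
    return {"timestamp": ts, "timestamp_nanoseconds": ns, "event_type": "Created by",
            "file": {"file_name": "mpavdlta.vdm", "identity": {"sha256": SHA},
                     "parent": {"identity": {"sha256": PARENT}}}}

SAMPLE = {"data": {"events": [_event(1572617961, 358466618),
                              _event(1572617950, 232665831)]}}

if __name__ == "__main__":
    for row in timeline(SAMPLE):
        print(row["ns"], row["event_type"], row["file_name"], row["parent_sha256"])
```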