Cisco AMP for Endpoints API

GET /v1/computers/{:connector_guid}/user_trajectory

Description

Query Parameters

Name   Type     Example Values   Description
q      String   johndoe
limit  Integer  5

Response Fields

Name Type Description
version String
metadata.links.self String
data.computer.connector_guid GUID
data.computer.hostname String
data.computer.active Boolean
data.computer.links.computer String
data.computer.links.trajectory String
data.computer.links.group String
data.events Array
data.events[].id String
data.events[].timestamp Integer
data.events[].timestamp_nanoseconds Integer
data.events[].date String (Time ISO8601)
data.events[].event_type String
data.events[].event_type_id Integer
data.events[].detection String
data.events[].detection_id String
data.events[].file.disposition String
data.events[].file.file_name String
data.events[].file.file_path String
data.events[].file.identity.sha256 String
data.events[].file.identity.sha1 String
data.events[].file.identity.md5 String
data.events[].file.archived_file.disposition String
data.events[].file.archived_file.identity.sha256 String
data.events[].file.parent.process_id Integer
data.events[].file.parent.disposition String
data.events[].file.parent.file_name String
data.events[].file.parent.identity.sha256 String
data.events[].file.parent.identity.sha1 String
data.events[].file.parent.identity.md5 String
data.events[].user_name String

Examples

Fetch a specific computer's trajectory with given connector_guid and filter for events with user name activity

Request

Requires Authorization
GET /v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/user_trajectory?q=johndoe&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/user_trajectory?q=johndoe&limit=5'

Response

Shortened for readability

x-ratelimit-limit: 3000
x-ratelimit-reset: 3332
x-ratelimit-remaining: 2893
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2017-08-18T03:52:38Z
strict-transport-security: max-age=31536000
status: 200 OK
transfer-encoding: chunked
content-type: application/json; charset=utf-8
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/user_trajectory?q=johndoe&limit=5"
    }
  },
  "data": {
    "computer": {
      "connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
      "hostname": "WIN-S1AC1PI6L5L",
      "active": true,
      "links": {
        "computer": "https://api.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
        "trajectory": "https://api.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/user_trajectory",
        "group": "https://api.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
      }
    },
    "events": [
      {
        "id": "6455442249407791115",
        "timestamp": 1503024774,
        "timestamp_nanoseconds": 98000000,
        "date": "2017-08-18T02:52:54+00:00",
        "event_type": "Threat Detected",
        "event_type_id": 1090519054,
        "detection": "benign_qa_testware7",
        "detection_id": "6455442249407791109",
        "file": {
          "disposition": "Unknown",
          "file_name": "☂.zip",
          "file_path": "\\\\?\\C:\\Users\\johndoe\\Downloads\\☂.zip",
          "identity": {
            "sha256": "f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5",
            "sha1": "20eeee16345e0c1283f7b500126350cb938b8570",
            "md5": "6853839cde69359049ae6f7bd3ae86d7"
          },
          "archived_file": {
            "disposition": "Malicious",
            "identity": {
              "sha256": "46679a50632d05b99683a14b91a69ce908de1673fbb71e9cd325e5685fcd7e49"
            }
          },
          "parent": {
            "process_id": 3416,
            "disposition": "Clean",
            "file_name": "explorer.exe",
            "identity": {
              "sha256": "80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2",
              "sha1": "ea97227d34b8526055a543ade7d18587a927f6a3",
              "md5": "15bc38a7492befe831966adb477cf76f"
            }
          }
        },
        "user_name": "johndoe@WIN-S1AC1PI6L5L"
      },
      {
        "id": "6455441867155701769",
        "timestamp": 1503024685,
        "timestamp_nanoseconds": 198000000,
        "date": "2017-08-18T02:51:25+00:00",
        "event_type": "Threat Detected",
        "event_type_id": 1090519054,
        "detection": "benign_qa_testware-1",
        "detection_id": "6455441867155701764",
        "file": {
          "disposition": "Unknown",
          "file_name": "qa_malicious_file_1404338951.zip",
          "file_path": "\\\\?\\C:\\Users\\johndoe\\Downloads\\qa_malicious_file_1404338951.zip",
          "identity": {
            "sha256": "7f923e203a137f839f4f01727db70214c074c29f04d4044da529f23aad0047f6",
            "sha1": "c96a5defe8a702b1132b1df53867373e0ec96495",
            "md5": "2fa6f0351f9ab090f88525ea7d30a0aa"
          },
          "archived_file": {
            "disposition": "Malicious",
            "identity": {
              "sha256": "0f30e6fdf92b512898b484a122d061fb89450c9f06e0c40c0f9112ca2816353c"
            }
          },
          "parent": {
            "process_id": 3416,
            "disposition": "Clean",
            "file_name": "explorer.exe",
            "identity": {
              "sha256": "80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2",
              "sha1": "ea97227d34b8526055a543ade7d18587a927f6a3",
              "md5": "15bc38a7492befe831966adb477cf76f"
            }
          }
        },
        "user_name": "johndoe@WIN-S1AC1PI6L5L"
      }
    ]
  }
}
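A defender-side consumer of this response, added here as an example (not Cisco's code): it flattens the events into one record each, collects the hashes worth hunting for (the Malicious archived member, not the Unknown outer zip), and turns the x-ratelimit-* headers into a pause. The sample is a trimmed copy of the response above; reading x-ratelimit-reset as seconds until the window resets is an assumption.

```python
import json

# Constructed sample: the two events from this page's response, keeping only the fields read below.
SAMPLE_RESPONSE = json.loads(r'''{"data": {
  "computer": {"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01", "hostname": "WIN-S1AC1PI6L5L"},
  "events": [
    {"date": "2017-08-18T02:52:54+00:00", "event_type": "Threat Detected",
     "file": {"disposition": "Unknown",
              "file_path": "\\\\?\\C:\\Users\\johndoe\\Downloads\\\u2602.zip",
              "identity": {"sha256": "f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5"},
              "archived_file": {"disposition": "Malicious", "identity": {"sha256": "46679a50632d05b99683a14b91a69ce908de1673fbb71e9cd325e5685fcd7e49"}},
              "parent": {"process_id": 3416, "disposition": "Clean", "file_name": "explorer.exe"}},
     "user_name": "johndoe@WIN-S1AC1PI6L5L"},
    {"date": "2017-08-18T02:51:25+00:00", "event_type": "Threat Detected",
     "file": {"disposition": "Unknown",
              "file_path": "\\\\?\\C:\\Users\\johndoe\\Downloads\\qa_malicious_file_1404338951.zip",
              "identity": {"sha256": "7f923e203a137f839f4f01727db70214c074c29f04d4044da529f23aad0047f6"},
              "archived_file": {"disposition": "Malicious", "identity": {"sha256": "0f30e6fdf92b512898b484a122d061fb89450c9f06e0c40c0f9112ca2816353c"}},
              "parent": {"process_id": 3416, "disposition": "Clean", "file_name": "explorer.exe"}},
     "user_name": "johndoe@WIN-S1AC1PI6L5L"}]}}''')


def summarize_events(response):
    """Flatten each event to who ran what, from which parent, with both dispositions."""
    rows = []
    for ev in response["data"]["events"]:
        f = ev.get("file") or {}
        archived, parent = f.get("archived_file") or {}, f.get("parent") or {}
        rows.append({
            "date": ev["date"], "user": ev.get("user_name"), "path": f.get("file_path"),
            "sha256": (f.get("identity") or {}).get("sha256"), "disposition": f.get("disposition"),
            "archived_disposition": archived.get("disposition"),
            "archived_sha256": (archived.get("identity") or {}).get("sha256"),
            "parent": f"{parent['file_name']}[{parent['process_id']}]" if parent else None})
    return rows


def malicious_archive_hashes(response):
    """SHA-256s of Malicious members inside archives whose container is only 'Unknown':
    the outer zip hash is not the indicator to search for elsewhere, the member's is."""
    return {r["archived_sha256"] for r in summarize_events(response)
            if r["archived_disposition"] == "Malicious" and r["archived_sha256"]}


def backoff_seconds(headers):
    """Pause needed before the next call, from the x-ratelimit-* response headers.
    Assumption: x-ratelimit-reset counts seconds until the window resets (consistent with
    the sample's reset=3332 and a resetdate about an hour after the event dates)."""
    remaining = int(headers.get("x-ratelimit-remaining", "1"))
    return int(headers.get("x-ratelimit-reset", "0")) if remaining <= 0 else 0
```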