Cisco AMP for Endpoints API

GET /v1/computers/{:connector_guid}/user_trajectory

Description

Query Parameters

Name	Type	Example Values	Description
`q`	String	johndoe
`limit`	Integer	5

Show Response Fields

Name	Type	Description
version	String
metadata.links.self	String
data.computer.connector_guid	GUID
data.computer.hostname	String
data.computer.active	Boolean
data.computer.links.computer	String
data.computer.links.trajectory	String
data.computer.links.group	String
data.events	Array
data.events[].id	String
data.events[].timestamp	Integer
data.events[].timestamp_nanoseconds	Integer
data.events[].date	String (Time ISO8601)
data.events[].event_type	String
data.events[].event_type_id	Integer
data.events[].detection	String
data.events[].detection_id	String
data.events[].group_guids	Array
data.events[].group_guids[]	GUID
data.events[].severity	String
data.events[].file.disposition	String
data.events[].file.file_name	String
data.events[].file.file_path	String
data.events[].file.identity.sha256	String
data.events[].file.identity.sha1	String
data.events[].file.identity.md5	String
data.events[].user_name	String

Write

Preview

Describe this action in markdown

### Query Parameters

|Name|Type|Example Values|Description|
|----|----|----|----|
|`q`|String|johndoe||
|`limit`|Integer|5||
[Show Response Fields](response-fields)

|Name|Type|Description|
|---|---|---|
|version|String||
|metadata.links.self|String||
|data.computer.connector_guid|GUID||
|data.computer.hostname|String||
|data.computer.active|Boolean||
|data.computer.links.computer|String||
|data.computer.links.trajectory|String||
|data.computer.links.group|String||
|data.events|Array||
|data.events[].id|String||
|data.events[].timestamp|Integer||
|data.events[].timestamp_nanoseconds|Integer||
|data.events[].date|String (Time ISO8601)||
|data.events[].event_type|String||
|data.events[].event_type_id|Integer||
|data.events[].detection|String||
|data.events[].detection_id|String||
|data.events[].group_guids|Array||
|data.events[].group_guids[]|GUID||
|data.events[].severity|String||
|data.events[].file.disposition|String||
|data.events[].file.file_name|String||
|data.events[].file.file_path|String||
|data.events[].file.identity.sha256|String||
|data.events[].file.identity.sha1|String||
|data.events[].file.identity.md5|String||
|data.events[].user_name|String||

Examples

Fetch a specific computer's trajectory with given connector_guid and filter for events with user ...

Fetch a specific computer's trajectory with given connector_guid and filter for events with user name activity

Request

Requires Authorization

GET /v1/computers/49868f17-a913-4bc3-b6a7-1afd39bf8b27/user_trajectory?q=johndoe&limit=5

Headers

accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/computers/49868f17-a913-4bc3-b6a7-1afd39bf8b27/user_trajectory?q=johndoe&limit=5'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3589
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2961
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"492554bc82e6b2619d95c9a8e50a1bf2"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2021-05-05T23:55:49Z
strict-transport-security: max-age=31536000

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/computers/49868f17-a913-4bc3-b6a7-1afd39bf8b27/user_trajectory?q=johndoe&limit=5"
    }
  },
  "data": {
    "computer": {
      "connector_guid": "49868f17-a913-4bc3-b6a7-1afd39bf8b27",
      "hostname": "Demo_AMP_Threat_Audit",
      "active": true,
      "links": {
        "computer": "https://api.amp.cisco.com/v1/computers/49868f17-a913-4bc3-b6a7-1afd39bf8b27",
        "trajectory": "https://api.amp.cisco.com/v1/computers/49868f17-a913-4bc3-b6a7-1afd39bf8b27/user_trajectory",
        "group": "https://api.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
      }
    },
    "events": [
      {
        "id": "6533671385032556606",
        "timestamp": 1620250059,
        "timestamp_nanoseconds": 14000000,
        "date": "2021-05-05T21:27:39+00:00",
        "event_type": "Threat Detected",
        "event_type_id": 1090519054,
        "detection": "W32.File.MalParent",
        "detection_id": "6533671380737589309",
        "group_guids": [
          "6a208a97-badf-4296-87c2-40779ffff0af"
        ],
        "severity": "Medium",
        "file": {
          "disposition": "Malicious",
          "file_name": "ekjrngjker.exe",
          "file_path": "C:\\ekjrngjker.exe",
          "identity": {
            "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
            "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
            "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
          }
        },
        "user_name": "johndoe"
      },
      {
        "id": "6533671385032556607",
        "timestamp": 1620250059,
        "timestamp_nanoseconds": 25000000,
        "date": "2021-05-05T21:27:39+00:00",
        "event_type": "Threat Detected",
        "event_type_id": 1090519054,
        "detection": "W32.File.MalParent",
        "detection_id": "6533671385032556606",
        "group_guids": [
          "6a208a97-badf-4296-87c2-40779ffff0af"
        ],
        "severity": "Medium",
        "file": {
          "disposition": "Malicious",
          "file_name": "ekjrngjker.exe",
          "file_path": "\\\\?\\C:\\ekjrngjker.exe",
          "identity": {
            "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
            "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
            "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
          }
        },
        "user_name": "johndoe"
      }
    ]
  }
}