Cisco AMP for Endpoints API

GET /v1/computers/activity

Description

This endpoint lets you search all computers across your organization for any events or activities associated with a file or network operation, and returns the computers matching those criteria. You can then query the /computers/{connector-guid}/trajectory endpoint for specific details.

This endpoint requires a q parameter which is a freeform query string. It currently accepts:

  • an IPv4 address, e.g. 1.0.0.0 (note that CIDR addresses are not supported for this search)
  • a SHA256
  • a filename
  • a URL fragment

There is a hard limit of 5000 historical entries searched for this endpoint.

Query Parameters

Name | Type | Example Values | Description
q | String | sovereutilizeignty.com, 814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e, 75.102.25.76, SearchProtocolHost.exe |
offset | Integer | 0 |
limit | Integer | 5 |

Response Fields

Name | Type | Description
version | String |
metadata.links.self | String |
metadata.results.total | Integer |
metadata.results.current_item_count | Integer |
metadata.results.index | Integer |
metadata.results.items_per_page | Integer |
data | Array |
data[].connector_guid | GUID |
data[].hostname | String |
data[].active | Boolean |
data[].links.computer | String |
data[].links.trajectory | String |
data[].links.group | String |

Examples

Fetch list of computers that have observed files with given SHA-256 value
Fetch list of computers that have connected to given URL
Fetch a list of computers that have connected to given IP address
Fetch list of computers that have observed files with given file name

Fetch list of computers that have observed files with given SHA-256 value

Request

Requires Authorization
GET /v1/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5'

Response

Actual Response

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 2483
x-ratelimit-remaining: 2826
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2018-09-17T21:58:25Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5"
    },
    "results": {
      "total": 0,
      "current_item_count": 0,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [

  ]
}

Fetch list of computers that have connected to given URL

Request

Requires Authorization
GET /v1/computers/activity?q=sovereutilizeignty.com&offset=0&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/computers/activity?q=sovereutilizeignty.com&offset=0&limit=5'

Response

Actual Response

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 2482
x-ratelimit-remaining: 2824
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2018-09-17T21:58:25Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/computers/activity?q=sovereutilizeignty.com&offset=0&limit=5"
    },
    "results": {
      "total": 0,
      "current_item_count": 0,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [

  ]
}

Fetch a list of computers that have connected to given IP address

Request

Requires Authorization
GET /v1/computers/activity?q=75.102.25.76&offset=0&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/computers/activity?q=75.102.25.76&offset=0&limit=5'

Response

Actual Response

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 1265
x-ratelimit-remaining: 2672
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2018-09-17T21:58:25Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/computers/activity?q=75.102.25.76&offset=0&limit=5"
    },
    "results": {
      "total": 2,
      "current_item_count": 2,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "connector_guid": "8c7c18d3-c1b4-4fa8-8d46-b6e467cdbae8",
      "hostname": "Demo_Upatre",
      "active": true,
      "links": {
        "computer": "https://api.eu.amp.cisco.com/v1/computers/8c7c18d3-c1b4-4fa8-8d46-b6e467cdbae8",
        "trajectory": "https://api.eu.amp.cisco.com/v1/computers/8c7c18d3-c1b4-4fa8-8d46-b6e467cdbae8/trajectory?q=75.102.25.76",
        "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
      }
    },
    {
      "connector_guid": "d8775b6a-3f59-433e-b1ab-3a54d8ccbc46",
      "hostname": "Demo_Stabuniq",
      "active": true,
      "links": {
        "computer": "https://api.eu.amp.cisco.com/v1/computers/d8775b6a-3f59-433e-b1ab-3a54d8ccbc46",
        "trajectory": "https://api.eu.amp.cisco.com/v1/computers/d8775b6a-3f59-433e-b1ab-3a54d8ccbc46/trajectory?q=75.102.25.76",
        "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
      }
    }
  ]
}

Fetch list of computers that have observed files with given file name

Request

Requires Authorization
GET /v1/computers/activity?q=SearchProtocolHost.exe&limit=5
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL (edit, then copy and paste into your terminal)

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/computers/activity?q=SearchProtocolHost.exe&limit=5'

Response

Actual Response

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 2213
x-ratelimit-remaining: 2842
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2018-10-02T17:50:12Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/computers/activity?q=SearchProtocolHost.exe&limit=5",
      "next": "https://api.eu.amp.cisco.com/v1/computers/activity?q=SearchProtocolHost.exe&limit=5&offset=5"
    },
    "results": {
      "total": 15,
      "current_item_count": 5,
      "index": 0,
      "items_per_page": 5
    }
  },
  "data": [
    {
      "connector_guid": "0df31cae-120d-4fbc-ad7f-b0e7e96c01e5",
      "hostname": "Demo_Dyre",
      "active": true,
      "links": {
        "computer": "https://api.eu.amp.cisco.com/v1/computers/0df31cae-120d-4fbc-ad7f-b0e7e96c01e5",
        "trajectory": "https://api.eu.amp.cisco.com/v1/computers/0df31cae-120d-4fbc-ad7f-b0e7e96c01e5/trajectory?q=SearchProtocolHost.exe",
        "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
      }
    },
    {
      "connector_guid": "1accdb11-0b2a-44e1-a1e0-c20fe98f5c6c",
      "hostname": "Demo_AMP",
      "active": false,
      "links": {
        "computer": "https://api.eu.amp.cisco.com/v1/computers/1accdb11-0b2a-44e1-a1e0-c20fe98f5c6c",
        "trajectory": "https://api.eu.amp.cisco.com/v1/computers/1accdb11-0b2a-44e1-a1e0-c20fe98f5c6c/trajectory?q=SearchProtocolHost.exe",
        "group": "https://api.eu.amp.cisco.com/v1/groups/68665863-74d5-4bc1-ac7f-5477b2b6406e"
      }
    },
    {
      "connector_guid": "639f6a30-3ef3-46f6-82c7-d3a447d25f67",
      "hostname": "Demo_Qakbot_1",
      "active": true,
      "links": {
        "computer": "https://api.eu.amp.cisco.com/v1/computers/639f6a30-3ef3-46f6-82c7-d3a447d25f67",
        "trajectory": "https://api.eu.amp.cisco.com/v1/computers/639f6a30-3ef3-46f6-82c7-d3a447d25f67/trajectory?q=SearchProtocolHost.exe",
        "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
      }
    },
    {
      "connector_guid": "8c7c18d3-c1b4-4fa8-8d46-b6e467cdbae8",
      "hostname": "Demo_Upatre",
      "active": true,
      "links": {
        "computer": "https://api.eu.amp.cisco.com/v1/computers/8c7c18d3-c1b4-4fa8-8d46-b6e467cdbae8",
        "trajectory": "https://api.eu.amp.cisco.com/v1/computers/8c7c18d3-c1b4-4fa8-8d46-b6e467cdbae8/trajectory?q=SearchProtocolHost.exe",
        "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
      }
    },
    {
      "connector_guid": "a1a4dba0-062a-4d52-9a2c-8c8e6c224141",
      "hostname": "Demo_Command_Line_Arguments_Kovter",
      "active": true,
      "links": {
        "computer": "https://api.eu.amp.cisco.com/v1/computers/a1a4dba0-062a-4d52-9a2c-8c8e6c224141",
        "trajectory": "https://api.eu.amp.cisco.com/v1/computers/a1a4dba0-062a-4d52-9a2c-8c8e6c224141/trajectory?q=SearchProtocolHost.exe",
        "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      }
    }
  ]
}
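
Added example (not part of Cisco's documentation): the last response above returns 5 of 15 computers plus a metadata.links.next URL, so scoping an indicator across the fleet means walking every page. This Python code validates q against the accepted forms (rejecting CIDR) and follows next until it is absent. The names classify_query, find_computers, make_fake_fetch and the fetch callable are hypothetical, and the fake fetch serves constructed data; a real fetch would issue the authenticated GET shown in the curl examples.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://api.eu.amp.cisco.com/v1/computers/activity"  # host from the page's examples

def classify_query(q):
    """Name the kind of `q`; reject CIDR ranges, which this search does not support."""
    if "/" in q:
        try:
            ipaddress.ip_network(q, strict=False)
        except ValueError:
            pass  # contains a slash but is not a network, e.g. a URL fragment
        else:
            raise ValueError("CIDR is not supported here; query a single IPv4 address")
    try:
        ipaddress.IPv4Address(q)
        return "ipv4"
    except ValueError:
        pass
    return "sha256" if re.fullmatch(r"[0-9a-fA-F]{64}", q) else "filename_or_url_fragment"

def find_computers(fetch, q, limit=5):
    """Walk every page via metadata.links.next; fetch(url) must return the parsed JSON body."""
    classify_query(q)
    url, seen, hosts = BASE + "?" + urlencode({"q": q, "limit": limit}), set(), {}
    while url and url not in seen:  # `seen` guards against a next link that loops
        seen.add(url)
        page = fetch(url)
        for c in page["data"]:
            hosts[c["connector_guid"]] = (c["hostname"], c["active"], c["links"]["trajectory"])
        url = page["metadata"]["links"].get("next")
    return hosts

def make_fake_fetch(n):
    """Constructed stand-in for the API serving n made-up computers (not real data)."""
    def fetch(url):
        qs = parse_qs(urlsplit(url).query)
        q, limit, off = qs["q"][0], int(qs["limit"][0]), int(qs.get("offset", ["0"])[0])
        data = [{"connector_guid": f"00000000-0000-4000-8000-{i:012d}", "hostname": f"host-{i}",
                 "active": i % 2 == 0, "links": {"trajectory": f"https://example.invalid/{i}/trajectory?q={q}"}}
                for i in range(off, min(off + limit, n))]
        links = {"self": url}
        if off + limit < n:
            links["next"] = BASE + "?" + urlencode({"q": q, "limit": limit, "offset": off + limit})
        return {"metadata": {"links": links, "results": {"total": n}}, "data": data}
    return fetch
```

The returned dictionary is keyed by connector_guid, so a computer that appears on more than one page is counted once, and each value carries the trajectory link to query next.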