GET /v1/events
Description
This is a general query interface for events. This is analogous to the Events view on the FireAMP Console.
Events can be filtered by a variety of criteria. Each criteria type is logically ANDed with the other criteria; each selection of a criteria is logically ORed. For example: with the query string: connector_guid[]=ead39d47-93bd-4230-b692-454b433faf96&event_type[]=2164260868&event_type[]=1090519054, it will return any events that match the connector guid ad39d47-93bd-4230-b692-454b433faf96 AND any events with type (1090519054 OR 2164260868).
The arguments passed to the event_type and group_guid parameters can be retrieved from their respective endpoints.
Query Parameters
| Name | Type | Example Values | Description |
|---|---|---|---|
limit |
Integer | 2, 1, 10 | |
detection_sha256 |
String | f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5 | |
application_sha256 |
String | 80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2 | |
connector_guid[] |
GUID | af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01 | |
group_guid[] |
GUID | b077d6bc-bbdf-42f7-8838-a06053fbd98a | |
start_date |
String (Time ISO8601) | 2015-10-01T00:00:00+00:00 | |
offset |
Integer | 10 | |
event_type[] |
Array | 1090519054, 1090519084 |
| Name | Type | Description |
|---|---|---|
| version | String | |
| metadata.links.self | String | |
| metadata.links.prev | String | |
| metadata.links.next | String | |
| metadata.results.total | Integer | |
| metadata.results.current_item_count | Integer | |
| metadata.results.index | Integer | |
| metadata.results.items_per_page | Integer | |
| data | Array | |
| data[].id | Integer | |
| data[].timestamp | Integer | |
| data[].timestamp_nanoseconds | Integer | |
| data[].date | String (Time ISO8601) | |
| data[].event_type | String | |
| data[].event_type_id | Integer | |
| data[].detection | String | |
| data[].detection_id | String | |
| data[].group_guids | Array | |
| data[].group_guids[] | GUID | |
| data[].computer.connector_guid | GUID | |
| data[].computer.hostname | String | |
| data[].computer.external_ip | String | |
| data[].computer.user | String | |
| data[].computer.active | Boolean | |
| data[].computer.network_addresses | Array | |
| data[].computer.network_addresses[].ip | String | |
| data[].computer.network_addresses[].mac | String | |
| data[].computer.links.computer | String | |
| data[].computer.links.trajectory | String | |
| data[].computer.links.group | String | |
| data[].file.disposition | String | |
| data[].file.file_name | String | |
| data[].file.file_path | String | |
| data[].file.identity.sha256 | String | |
| data[].file.identity.sha1 | String | |
| data[].file.identity.md5 | String | |
| data[].file.parent.process_id | Integer | |
| data[].file.parent.disposition | String | |
| data[].file.parent.file_name | String | |
| data[].file.parent.identity.sha256 | String | |
| data[].file.parent.identity.sha1 | String | |
| data[].file.parent.identity.md5 | String |
Examples
- Fetch list of events sorted in descending order by timestamp
- Fetch list of events filtered by connector_guid
- Fetch list of events filtered by group_guid
- Fetch list of events filtered by detection_sha256
- Fetch list of events filtered by application_sha256
- Fetch list of events filtered by detection_sha256 and application_sha256
- Fetch list of events filtered by event_type
- Fetch events that are newer than a given timestamp
Fetch list of events sorted in descending order by timestamp
Request
Requires AuthorizationGET /v1/events?limit=2
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?limit=2'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?limit=2'
Shortened for readability
x-ratelimit-limit: 3000 x-ratelimit-reset: 3321 x-ratelimit-remaining: 2876 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2017-08-18T03:52:38Z strict-transport-security: max-age=31536000 status: 200 OK transfer-encoding: chunked content-type: application/json; charset=utf-8
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?limit=2",
"next": "https://api.eu.amp.cisco.com/v1/events?limit=2&offset=2"
},
"results": {
"total": 917,
"current_item_count": 2,
"index": 0,
"items_per_page": 2
}
},
"data": [
{
"id": 6455442249407791000,
"timestamp": 1503024774,
"timestamp_nanoseconds": 98000000,
"date": "2017-08-18T02:52:54+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "benign_qa_testware7",
"detection_id": "6455442249407791109",
"group_guids": [
"b077d6bc-bbdf-42f7-8838-a06053fbd98a"
],
"computer": {
"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"hostname": "WIN-S1AC1PI6L5L",
"external_ip": "10.200.65.31",
"user": "johndoe@WIN-S1AC1PI6L5L",
"active": true,
"network_addresses": [
{
"ip": "10.0.2.15",
"mac": "08:00:27:85:28:61"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Unknown",
"file_name": "☂.zip",
"file_path": "\\\\?\\C:\\Users\\johndoe\\Downloads\\☂.zip",
"identity": {
"sha256": "f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5",
"sha1": "20eeee16345e0c1283f7b500126350cb938b8570",
"md5": "6853839cde69359049ae6f7bd3ae86d7"
},
"archived_file": {
"disposition": "Malicious",
"identity": {
"sha256": "46679a50632d05b99683a14b91a69ce908de1673fbb71e9cd325e5685fcd7e49"
}
},
"parent": {
"process_id": 3416,
"disposition": "Clean",
"file_name": "explorer.exe",
"identity": {
"sha256": "80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2",
"sha1": "ea97227d34b8526055a543ade7d18587a927f6a3",
"md5": "15bc38a7492befe831966adb477cf76f"
}
}
}
},
{
"id": 6455442249407791000,
"timestamp": 1503024774,
"timestamp_nanoseconds": 98000000,
"date": "2017-08-18T02:52:54+00:00",
"event_type": "Threat Quarantined",
"event_type_id": 553648143,
"detection_id": "6455442249407791109",
"group_guids": [
"b077d6bc-bbdf-42f7-8838-a06053fbd98a"
],
"computer": {
"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"hostname": "WIN-S1AC1PI6L5L",
"external_ip": "10.200.65.31",
"active": true,
"network_addresses": [
{
"ip": "10.0.2.15",
"mac": "08:00:27:85:28:61"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Unknown",
"identity": {
"sha256": "f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5"
}
}
}
]
}
Fetch list of events filtered by connector_guid
Request
Requires AuthorizationGET /v1/events?connector_guid[]=af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?connector_guid[]=af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01&limit=1'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?connector_guid[]=af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01&limit=1'
Shortened for readability
x-ratelimit-limit: 3000 x-ratelimit-reset: 3321 x-ratelimit-remaining: 2875 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2017-08-18T03:52:38Z strict-transport-security: max-age=31536000 status: 200 OK transfer-encoding: chunked content-type: application/json; charset=utf-8
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?connector_guid[]=af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01&limit=1",
"next": "https://api.eu.amp.cisco.com/v1/events?connector_guid%5B%5D=af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01&limit=1&offset=1"
},
"results": {
"total": 41,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6455442249407791000,
"timestamp": 1503024774,
"timestamp_nanoseconds": 98000000,
"date": "2017-08-18T02:52:54+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "benign_qa_testware7",
"detection_id": "6455442249407791109",
"group_guids": [
"b077d6bc-bbdf-42f7-8838-a06053fbd98a"
],
"computer": {
"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"hostname": "WIN-S1AC1PI6L5L",
"external_ip": "10.200.65.31",
"user": "johndoe@WIN-S1AC1PI6L5L",
"active": true,
"network_addresses": [
{
"ip": "10.0.2.15",
"mac": "08:00:27:85:28:61"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Unknown",
"file_name": "☂.zip",
"file_path": "\\\\?\\C:\\Users\\johndoe\\Downloads\\☂.zip",
"identity": {
"sha256": "f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5",
"sha1": "20eeee16345e0c1283f7b500126350cb938b8570",
"md5": "6853839cde69359049ae6f7bd3ae86d7"
},
"archived_file": {
"disposition": "Malicious",
"identity": {
"sha256": "46679a50632d05b99683a14b91a69ce908de1673fbb71e9cd325e5685fcd7e49"
}
},
"parent": {
"process_id": 3416,
"disposition": "Clean",
"file_name": "explorer.exe",
"identity": {
"sha256": "80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2",
"sha1": "ea97227d34b8526055a543ade7d18587a927f6a3",
"md5": "15bc38a7492befe831966adb477cf76f"
}
}
}
}
]
}
Fetch list of events filtered by group_guid
Request
Requires AuthorizationGET /v1/events?group_guid[]=b077d6bc-bbdf-42f7-8838-a06053fbd98a&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?group_guid[]=b077d6bc-bbdf-42f7-8838-a06053fbd98a&limit=1'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?group_guid[]=b077d6bc-bbdf-42f7-8838-a06053fbd98a&limit=1'
Shortened for readability
x-ratelimit-limit: 3000 x-ratelimit-reset: 3320 x-ratelimit-remaining: 2874 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2017-08-18T03:52:38Z strict-transport-security: max-age=31536000 status: 200 OK transfer-encoding: chunked content-type: application/json; charset=utf-8
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?group_guid[]=b077d6bc-bbdf-42f7-8838-a06053fbd98a&limit=1",
"next": "https://api.eu.amp.cisco.com/v1/events?group_guid%5B%5D=b077d6bc-bbdf-42f7-8838-a06053fbd98a&limit=1&offset=1"
},
"results": {
"total": 914,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6455442249407791000,
"timestamp": 1503024774,
"timestamp_nanoseconds": 98000000,
"date": "2017-08-18T02:52:54+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "benign_qa_testware7",
"detection_id": "6455442249407791109",
"group_guids": [
"b077d6bc-bbdf-42f7-8838-a06053fbd98a"
],
"computer": {
"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"hostname": "WIN-S1AC1PI6L5L",
"external_ip": "10.200.65.31",
"user": "johndoe@WIN-S1AC1PI6L5L",
"active": true,
"network_addresses": [
{
"ip": "10.0.2.15",
"mac": "08:00:27:85:28:61"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Unknown",
"file_name": "☂.zip",
"file_path": "\\\\?\\C:\\Users\\johndoe\\Downloads\\☂.zip",
"identity": {
"sha256": "f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5",
"sha1": "20eeee16345e0c1283f7b500126350cb938b8570",
"md5": "6853839cde69359049ae6f7bd3ae86d7"
},
"archived_file": {
"disposition": "Malicious",
"identity": {
"sha256": "46679a50632d05b99683a14b91a69ce908de1673fbb71e9cd325e5685fcd7e49"
}
},
"parent": {
"process_id": 3416,
"disposition": "Clean",
"file_name": "explorer.exe",
"identity": {
"sha256": "80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2",
"sha1": "ea97227d34b8526055a543ade7d18587a927f6a3",
"md5": "15bc38a7492befe831966adb477cf76f"
}
}
}
}
]
}
Fetch list of events filtered by detection_sha256
Request
Requires AuthorizationGET /v1/events?detection_sha256=f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?detection_sha256=f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5&limit=1'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?detection_sha256=f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5&limit=1'
Shortened for readability
x-ratelimit-limit: 3000 x-ratelimit-reset: 3319 x-ratelimit-remaining: 2873 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2017-08-18T03:52:38Z strict-transport-security: max-age=31536000 status: 200 OK transfer-encoding: chunked content-type: application/json; charset=utf-8
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5&limit=1",
"next": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5&limit=1&offset=1"
},
"results": {
"total": 2,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6455442249407791000,
"timestamp": 1503024774,
"timestamp_nanoseconds": 98000000,
"date": "2017-08-18T02:52:54+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "benign_qa_testware7",
"detection_id": "6455442249407791109",
"group_guids": [
"b077d6bc-bbdf-42f7-8838-a06053fbd98a"
],
"computer": {
"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"hostname": "WIN-S1AC1PI6L5L",
"external_ip": "10.200.65.31",
"user": "johndoe@WIN-S1AC1PI6L5L",
"active": true,
"network_addresses": [
{
"ip": "10.0.2.15",
"mac": "08:00:27:85:28:61"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Unknown",
"file_name": "☂.zip",
"file_path": "\\\\?\\C:\\Users\\johndoe\\Downloads\\☂.zip",
"identity": {
"sha256": "f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5",
"sha1": "20eeee16345e0c1283f7b500126350cb938b8570",
"md5": "6853839cde69359049ae6f7bd3ae86d7"
},
"archived_file": {
"disposition": "Malicious",
"identity": {
"sha256": "46679a50632d05b99683a14b91a69ce908de1673fbb71e9cd325e5685fcd7e49"
}
},
"parent": {
"process_id": 3416,
"disposition": "Clean",
"file_name": "explorer.exe",
"identity": {
"sha256": "80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2",
"sha1": "ea97227d34b8526055a543ade7d18587a927f6a3",
"md5": "15bc38a7492befe831966adb477cf76f"
}
}
}
}
]
}
Fetch list of events filtered by application_sha256
Request
Requires AuthorizationGET /v1/events?application_sha256=80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?application_sha256=80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2&limit=1'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?application_sha256=80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2&limit=1'
Shortened for readability
x-ratelimit-limit: 3000 x-ratelimit-reset: 3319 x-ratelimit-remaining: 2872 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2017-08-18T03:52:38Z strict-transport-security: max-age=31536000 status: 200 OK transfer-encoding: chunked content-type: application/json; charset=utf-8
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?application_sha256=80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2&limit=1",
"next": "https://api.eu.amp.cisco.com/v1/events?application_sha256=80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2&limit=1&offset=1"
},
"results": {
"total": 23,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6455442249407791000,
"timestamp": 1503024774,
"timestamp_nanoseconds": 98000000,
"date": "2017-08-18T02:52:54+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "benign_qa_testware7",
"detection_id": "6455442249407791109",
"group_guids": [
"b077d6bc-bbdf-42f7-8838-a06053fbd98a"
],
"computer": {
"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"hostname": "WIN-S1AC1PI6L5L",
"external_ip": "10.200.65.31",
"user": "johndoe@WIN-S1AC1PI6L5L",
"active": true,
"network_addresses": [
{
"ip": "10.0.2.15",
"mac": "08:00:27:85:28:61"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Unknown",
"file_name": "☂.zip",
"file_path": "\\\\?\\C:\\Users\\johndoe\\Downloads\\☂.zip",
"identity": {
"sha256": "f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5",
"sha1": "20eeee16345e0c1283f7b500126350cb938b8570",
"md5": "6853839cde69359049ae6f7bd3ae86d7"
},
"archived_file": {
"disposition": "Malicious",
"identity": {
"sha256": "46679a50632d05b99683a14b91a69ce908de1673fbb71e9cd325e5685fcd7e49"
}
},
"parent": {
"process_id": 3416,
"disposition": "Clean",
"file_name": "explorer.exe",
"identity": {
"sha256": "80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2",
"sha1": "ea97227d34b8526055a543ade7d18587a927f6a3",
"md5": "15bc38a7492befe831966adb477cf76f"
}
}
}
}
]
}
Fetch list of events filtered by detection_sha256 and application_sha256
Request
Requires AuthorizationGET /v1/events?detection_sha256=f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5&application_sha256=80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?detection_sha256=f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5&application_sha256=80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2&limit=1'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?detection_sha256=f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5&application_sha256=80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2&limit=1'
Shortened for readability
x-ratelimit-limit: 3000 x-ratelimit-reset: 3318 x-ratelimit-remaining: 2871 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2017-08-18T03:52:38Z strict-transport-security: max-age=31536000 status: 200 OK transfer-encoding: chunked content-type: application/json; charset=utf-8
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5&application_sha256=80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2&limit=1"
},
"results": {
"total": 1,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6455442249407791000,
"timestamp": 1503024774,
"timestamp_nanoseconds": 98000000,
"date": "2017-08-18T02:52:54+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "benign_qa_testware7",
"detection_id": "6455442249407791109",
"group_guids": [
"b077d6bc-bbdf-42f7-8838-a06053fbd98a"
],
"computer": {
"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"hostname": "WIN-S1AC1PI6L5L",
"external_ip": "10.200.65.31",
"user": "johndoe@WIN-S1AC1PI6L5L",
"active": true,
"network_addresses": [
{
"ip": "10.0.2.15",
"mac": "08:00:27:85:28:61"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Unknown",
"file_name": "☂.zip",
"file_path": "\\\\?\\C:\\Users\\johndoe\\Downloads\\☂.zip",
"identity": {
"sha256": "f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5",
"sha1": "20eeee16345e0c1283f7b500126350cb938b8570",
"md5": "6853839cde69359049ae6f7bd3ae86d7"
},
"archived_file": {
"disposition": "Malicious",
"identity": {
"sha256": "46679a50632d05b99683a14b91a69ce908de1673fbb71e9cd325e5685fcd7e49"
}
},
"parent": {
"process_id": 3416,
"disposition": "Clean",
"file_name": "explorer.exe",
"identity": {
"sha256": "80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2",
"sha1": "ea97227d34b8526055a543ade7d18587a927f6a3",
"md5": "15bc38a7492befe831966adb477cf76f"
}
}
}
}
]
}
Fetch list of events filtered by event_type
Request
Requires AuthorizationGET /v1/events?event_type[]=1090519054&event_type[]=1090519084&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?event_type[]=1090519054&event_type[]=1090519084&offset=10&limit=10'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?event_type[]=1090519054&event_type[]=1090519084&offset=10&limit=10'
Shortened for readability
x-ratelimit-limit: 3000 x-ratelimit-reset: 3318 x-ratelimit-remaining: 2870 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2017-08-18T03:52:38Z strict-transport-security: max-age=31536000 status: 200 OK transfer-encoding: chunked content-type: application/json; charset=utf-8
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?event_type[]=1090519054&event_type[]=1090519084&offset=10&limit=10",
"prev": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=0",
"next": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=20"
},
"results": {
"total": 793,
"current_item_count": 10,
"index": 10,
"items_per_page": 10
}
},
"data": [
{
"id": 6455315887174975000,
"timestamp": 1502995353,
"timestamp_nanoseconds": 360000000,
"date": "2017-08-17T18:42:33+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "benign_qa_testware-1",
"detection_id": "6455315887174975489",
"group_guids": [
"b077d6bc-bbdf-42f7-8838-a06053fbd98a"
],
"computer": {
"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"hostname": "WIN-S1AC1PI6L5L",
"external_ip": "10.200.65.31",
"user": "Owner@WIN-S1AC1PI6L5L",
"active": true,
"network_addresses": [
{
"ip": "10.0.2.15",
"mac": "08:00:27:85:28:61"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Malicious",
"file_name": "tá¦péïpüƒpéüpü½.exe",
"file_path": "\\\\?\\C:\\Users\\Owner\\Downloads\\破るために.exe\\tá¦péïpüƒpéüpü½.exe",
"identity": {
"sha256": "0f30e6fdf92b512898b484a122d061fb89450c9f06e0c40c0f9112ca2816353c",
"sha1": "c756bd6e14d958e022143834f10f46e5d9349474",
"md5": "b5e183270ddffefd8fb26bd3f64dc313"
},
"parent": {
"process_id": 2124,
"disposition": "Clean",
"file_name": "explorer.exe",
"identity": {
"sha256": "80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2",
"sha1": "ea97227d34b8526055a543ade7d18587a927f6a3",
"md5": "15bc38a7492befe831966adb477cf76f"
}
}
}
},
{
"id": 6455314749008642000,
"timestamp": 1502995088,
"timestamp_nanoseconds": 152000000,
"date": "2017-08-17T18:38:08+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "eicar.FakeMal",
"detection_id": "6455314749008642059",
"group_guids": [
"b077d6bc-bbdf-42f7-8838-a06053fbd98a"
],
"computer": {
"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"hostname": "WIN-S1AC1PI6L5L",
"external_ip": "10.200.65.31",
"user": "u@WIN-S1AC1PI6L5L",
"active": true,
"network_addresses": [
{
"ip": "10.0.2.15",
"mac": "08:00:27:85:28:61"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"file": {
"disposition": "Malicious",
"file_name": "Fake_Mal1.exe",
"file_path": "\\\\?\\C:\\Users\\Owner\\Downloads\\Fake_Malware\\Fake_Mal1.exe",
"identity": {
"sha256": "858dee1d55c45d234345740de08e5af0e67c6cf9a3f9568b7ec3e4b82b0e29c9",
"sha1": "9b6004ded0f06db343db389b00344bead4dd7bc1",
"md5": "596a328e9651f79d7474562e432e4463"
},
"parent": {
"process_id": 280,
"disposition": "Clean",
"file_name": "explorer.exe",
"identity": {
"sha256": "80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2",
"sha1": "ea97227d34b8526055a543ade7d18587a927f6a3",
"md5": "15bc38a7492befe831966adb477cf76f"
}
}
}
}
]
}
Fetch events that are newer than a given timestamp
Request
Requires AuthorizationGET /v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10'
Shortened for readability
x-ratelimit-limit: 3000 x-ratelimit-reset: 3318 x-ratelimit-remaining: 2869 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2017-08-18T03:52:38Z strict-transport-security: max-age=31536000 status: 200 OK transfer-encoding: chunked content-type: application/json; charset=utf-8
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10",
"prev": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=0",
"next": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=20"
},
"results": {
"total": 917,
"current_item_count": 10,
"index": 10,
"items_per_page": 10
}
},
"data": [
{
"id": 6455439822751269000,
"timestamp": 1503024209,
"timestamp_nanoseconds": 891000000,
"date": "2017-08-18T02:43:29+00:00",
"event_type": "Scan Completed, No Detections",
"event_type_id": 554696715,
"group_guids": [
"b077d6bc-bbdf-42f7-8838-a06053fbd98a"
],
"computer": {
"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"hostname": "WIN-S1AC1PI6L5L",
"external_ip": "10.200.65.31",
"active": true,
"network_addresses": [
{
"ip": "10.0.2.15",
"mac": "08:00:27:85:28:61"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"scan": {
"description": "Flash Scan",
"clean": true,
"scanned_files": 1572,
"scanned_processes": 28,
"scanned_paths": 0,
"malicious_detections": 0
}
},
{
"id": 6455439818456302000,
"timestamp": 1503024208,
"timestamp_nanoseconds": 33000000,
"date": "2017-08-18T02:43:28+00:00",
"event_type": "Scan Started",
"event_type_id": 554696714,
"group_guids": [
"b077d6bc-bbdf-42f7-8838-a06053fbd98a"
],
"computer": {
"connector_guid": "af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"hostname": "WIN-S1AC1PI6L5L",
"external_ip": "10.200.65.31",
"active": true,
"network_addresses": [
{
"ip": "10.0.2.15",
"mac": "08:00:27:85:28:61"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
}
},
"scan": {
"description": "Flash Scan"
}
}
]
}