GET /v1/events
Description
This is a general query interface for events. This is analogous to the Events view on the FireAMP Console.
Events can be filtered by a variety of criteria. Each criteria type is logically ANDed with the other criteria; each selection of a criteria is logically ORed. For example: with the query string: connector_guid[]=ead39d47-93bd-4230-b692-454b433faf96&event_type[]=2164260868&event_type[]=1090519054, it will return any events that match the connector guid ad39d47-93bd-4230-b692-454b433faf96 AND any events with type (1090519054 OR 2164260868).
The arguments passed to the event_type and group_guid parameters can be retrieved from their respective endpoints.
Query Parameters
| Name | Type | Example Values | Description |
|---|---|---|---|
limit |
Integer | 2, 1, 10 | |
detection_sha256 |
String | f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5 | |
application_sha256 |
String | 80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2 | |
connector_guid[] |
GUID | af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01 | |
group_guid[] |
GUID | b077d6bc-bbdf-42f7-8838-a06053fbd98a | |
start_date |
String (Time ISO8601) | 2015-10-01T00:00:00+00:00 | |
offset |
Integer | 10 | |
event_type[] |
Array | 1090519054, 1090519084 |
| Name | Type | Description |
|---|---|---|
| version | String | |
| metadata.links.self | String | |
| metadata.links.prev | String | |
| metadata.links.next | String | |
| metadata.results.total | Integer | |
| metadata.results.current_item_count | Integer | |
| metadata.results.index | Integer | |
| metadata.results.items_per_page | Integer | |
| data | Array | |
| data[].id | Integer | |
| data[].timestamp | Integer | |
| data[].timestamp_nanoseconds | Integer | |
| data[].date | String (Time ISO8601) | |
| data[].event_type | String | |
| data[].event_type_id | Integer | |
| data[].detection | String | |
| data[].detection_id | String | |
| data[].group_guids | Array | |
| data[].group_guids[] | GUID | |
| data[].computer.connector_guid | GUID | |
| data[].computer.hostname | String | |
| data[].computer.external_ip | String | |
| data[].computer.user | String | |
| data[].computer.active | Boolean | |
| data[].computer.network_addresses | Array | |
| data[].computer.network_addresses[].ip | String | |
| data[].computer.network_addresses[].mac | String | |
| data[].computer.links.computer | String | |
| data[].computer.links.trajectory | String | |
| data[].computer.links.group | String | |
| data[].file.disposition | String | |
| data[].file.file_name | String | |
| data[].file.file_path | String | |
| data[].file.identity.sha256 | String | |
| data[].file.identity.sha1 | String | |
| data[].file.identity.md5 | String | |
| data[].file.parent.process_id | Integer | |
| data[].file.parent.disposition | String | |
| data[].file.parent.file_name | String | |
| data[].file.parent.identity.sha256 | String | |
| data[].file.parent.identity.sha1 | String | |
| data[].file.parent.identity.md5 | String |
Examples
- Fetch list of events sorted in descending order by timestamp
- Fetch list of events filtered by connector_guid
- Fetch list of events filtered by group_guid
- Fetch list of events filtered by detection_sha256
- Fetch list of events filtered by application_sha256
- Fetch list of events filtered by detection_sha256 and application_sha256
- Fetch list of events filtered by event_type
- Fetch events that are newer than a given timestamp
Fetch list of events sorted in descending order by timestamp
Request
Requires AuthorizationGET /v1/events?limit=2
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?limit=2'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?limit=2'
Shortened for readability
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1837 x-ratelimit-remaining: 2858 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2019-01-09T17:44:06Z transfer-encoding: chunked
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?limit=2",
"next": "https://api.eu.amp.cisco.com/v1/events?limit=2&offset=2"
},
"results": {
"total": 1457,
"current_item_count": 2,
"index": 0,
"items_per_page": 2
}
},
"data": [
{
"id": 6180352115244794000,
"timestamp": 1546993238,
"timestamp_nanoseconds": 279000000,
"date": "2019-01-09T00:20:38+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180352115244793858",
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"group_guids": [
"6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
],
"severity": "Medium",
"computer": {
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"hostname": "Demo_Upatre",
"external_ip": "128.70.53.134",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "211.20.66.104",
"mac": "de:8e:84:2f:bd:0e"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
}
},
{
"id": 6180351977805840000,
"timestamp": 1546993206,
"timestamp_nanoseconds": 548000000,
"date": "2019-01-09T00:20:06+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180351977805840385",
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"group_guids": [
"6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
],
"severity": "Medium",
"computer": {
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"hostname": "Demo_Upatre",
"external_ip": "128.70.53.134",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "211.20.66.104",
"mac": "de:8e:84:2f:bd:0e"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
}
}
]
}
Fetch list of events filtered by connector_guid
Request
Requires AuthorizationGET /v1/events?connector_guid[]=876b375f-737b-4a8f-9e45-eb625f046604&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?connector_guid[]=876b375f-737b-4a8f-9e45-eb625f046604&limit=1'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?connector_guid[]=876b375f-737b-4a8f-9e45-eb625f046604&limit=1'
Shortened for readability
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1837 x-ratelimit-remaining: 2856 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2019-01-09T17:44:06Z transfer-encoding: chunked
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?connector_guid[]=876b375f-737b-4a8f-9e45-eb625f046604&limit=1",
"next": "https://api.eu.amp.cisco.com/v1/events?connector_guid%5B%5D=876b375f-737b-4a8f-9e45-eb625f046604&limit=1&offset=1"
},
"results": {
"total": 68,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6180352115244794000,
"timestamp": 1546993238,
"timestamp_nanoseconds": 279000000,
"date": "2019-01-09T00:20:38+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180352115244793858",
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"group_guids": [
"6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
],
"severity": "Medium",
"computer": {
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"hostname": "Demo_Upatre",
"external_ip": "128.70.53.134",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "211.20.66.104",
"mac": "de:8e:84:2f:bd:0e"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
}
}
]
}
Fetch list of events filtered by group_guid
Request
Requires AuthorizationGET /v1/events?group_guid[]=6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?group_guid[]=6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03&limit=1'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?group_guid[]=6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03&limit=1'
Shortened for readability
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1836 x-ratelimit-remaining: 2854 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2019-01-09T17:44:06Z transfer-encoding: chunked
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?group_guid[]=6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03&limit=1",
"next": "https://api.eu.amp.cisco.com/v1/events?group_guid%5B%5D=6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03&limit=1&offset=1"
},
"results": {
"total": 350,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6180352115244794000,
"timestamp": 1546993238,
"timestamp_nanoseconds": 279000000,
"date": "2019-01-09T00:20:38+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180352115244793858",
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"group_guids": [
"6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
],
"severity": "Medium",
"computer": {
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"hostname": "Demo_Upatre",
"external_ip": "128.70.53.134",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "211.20.66.104",
"mac": "de:8e:84:2f:bd:0e"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
}
}
]
}
Fetch list of events filtered by detection_sha256
Request
Requires AuthorizationGET /v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1'
Shortened for readability
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1836 x-ratelimit-remaining: 2852 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2019-01-09T17:44:06Z transfer-encoding: chunked
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1",
"next": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1&offset=1"
},
"results": {
"total": 4,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6180352115244794000,
"timestamp": 1546993238,
"timestamp_nanoseconds": 279000000,
"date": "2019-01-09T00:20:38+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180352115244793858",
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"group_guids": [
"6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
],
"severity": "Medium",
"computer": {
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"hostname": "Demo_Upatre",
"external_ip": "128.70.53.134",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "211.20.66.104",
"mac": "de:8e:84:2f:bd:0e"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
}
}
]
}
Fetch list of events filtered by application_sha256
Request
Requires AuthorizationGET /v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1'
Shortened for readability
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1835 x-ratelimit-remaining: 2850 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2019-01-09T17:44:06Z transfer-encoding: chunked
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1",
"next": "https://api.eu.amp.cisco.com/v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1&offset=1"
},
"results": {
"total": 28,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6180352115244794000,
"timestamp": 1546993238,
"timestamp_nanoseconds": 279000000,
"date": "2019-01-09T00:20:38+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180352115244793858",
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"group_guids": [
"6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
],
"severity": "Medium",
"computer": {
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"hostname": "Demo_Upatre",
"external_ip": "128.70.53.134",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "211.20.66.104",
"mac": "de:8e:84:2f:bd:0e"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
}
}
]
}
Fetch list of events filtered by detection_sha256 and application_sha256
Request
Requires AuthorizationGET /v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1'
Shortened for readability
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1834 x-ratelimit-remaining: 2848 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2019-01-09T17:44:06Z transfer-encoding: chunked
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1",
"next": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1&offset=1"
},
"results": {
"total": 4,
"current_item_count": 1,
"index": 0,
"items_per_page": 1
}
},
"data": [
{
"id": 6180352115244794000,
"timestamp": 1546993238,
"timestamp_nanoseconds": 279000000,
"date": "2019-01-09T00:20:38+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.GenericKD:ZVETJ.18gs.1201",
"detection_id": "6180352115244793858",
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"group_guids": [
"6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
],
"severity": "Medium",
"computer": {
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"hostname": "Demo_Upatre",
"external_ip": "128.70.53.134",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "211.20.66.104",
"mac": "de:8e:84:2f:bd:0e"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "wsymqyv90.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
"identity": {
"sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
"sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
"md5": "e2f5dcd966e26d54329e8d79c7201652"
},
"parent": {
"process_id": 4040,
"disposition": "Clean",
"file_name": "iexplore.exe",
"identity": {
"sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
"sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
"md5": "b3581f426dc500a51091cdd5bacf0454"
}
}
}
}
]
}
Fetch list of events filtered by event_type
Request
Requires AuthorizationGET /v1/events?event_type[]=1090519054&event_type[]=1090519084&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?event_type[]=1090519054&event_type[]=1090519084&offset=10&limit=10'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?event_type[]=1090519054&event_type[]=1090519084&offset=10&limit=10'
Shortened for readability
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1834 x-ratelimit-remaining: 2847 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2019-01-09T17:44:06Z transfer-encoding: chunked
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?event_type[]=1090519054&event_type[]=1090519084&offset=10&limit=10",
"prev": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=0",
"next": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=20"
},
"results": {
"total": 873,
"current_item_count": 10,
"index": 10,
"items_per_page": 10
}
},
"data": [
{
"id": 6159251520740131000,
"timestamp": 1546989460,
"timestamp_nanoseconds": 3000000,
"date": "2019-01-08T23:17:40+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.DFC.MalParent",
"detection_id": "6159251520740130915",
"connector_guid": "0ec7e0e2-2e77-496b-8f48-773de62bdaca",
"group_guids": [
"6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
],
"severity": "Medium",
"computer": {
"connector_guid": "0ec7e0e2-2e77-496b-8f48-773de62bdaca",
"hostname": "Demo_TeslaCrypt",
"external_ip": "11.244.179.99",
"active": true,
"network_addresses": [
{
"ip": "63.211.127.60",
"mac": "ca:d2:9b:de:78:4b"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/0ec7e0e2-2e77-496b-8f48-773de62bdaca",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/0ec7e0e2-2e77-496b-8f48-773de62bdaca/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "rjtsbks.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
"identity": {
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
"sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
"md5": "209a288c68207d57e0ce6e60ebf60729"
}
}
},
{
"id": 6159251516445164000,
"timestamp": 1546989459,
"timestamp_nanoseconds": 988000000,
"date": "2019-01-08T23:17:39+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.DFC.MalParent",
"detection_id": "6159251516445163618",
"connector_guid": "0ec7e0e2-2e77-496b-8f48-773de62bdaca",
"group_guids": [
"6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
],
"severity": "Medium",
"computer": {
"connector_guid": "0ec7e0e2-2e77-496b-8f48-773de62bdaca",
"hostname": "Demo_TeslaCrypt",
"external_ip": "11.244.179.99",
"active": true,
"network_addresses": [
{
"ip": "63.211.127.60",
"mac": "ca:d2:9b:de:78:4b"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/0ec7e0e2-2e77-496b-8f48-773de62bdaca",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/0ec7e0e2-2e77-496b-8f48-773de62bdaca/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "rjtsbks.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
"identity": {
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
"sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
"md5": "209a288c68207d57e0ce6e60ebf60729"
}
}
}
]
}
Fetch events that are newer than a given timestamp
Request
Requires AuthorizationGET /v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10'
Shortened for readability
strict-transport-security: max-age=31536000 content-type: application/json; charset=utf-8 status: 200 OK x-ratelimit-limit: 3000 x-ratelimit-reset: 1834 x-ratelimit-remaining: 2846 x-frame-options: SAMEORIGIN x-ratelimit-resetdate: 2019-01-09T17:44:06Z transfer-encoding: chunked
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10",
"prev": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=0",
"next": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=20"
},
"results": {
"total": 1457,
"current_item_count": 10,
"index": 10,
"items_per_page": 10
}
},
"data": [
{
"id": 6180335966167761000,
"timestamp": 1546989478,
"timestamp_nanoseconds": 875000000,
"date": "2019-01-08T23:17:58+00:00",
"event_type": "Threat Detected",
"event_type_id": 1090519054,
"detection": "W32.File.MalParent",
"detection_id": "6180335966167760897",
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"group_guids": [
"6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
],
"severity": "Medium",
"computer": {
"connector_guid": "876b375f-737b-4a8f-9e45-eb625f046604",
"hostname": "Demo_Upatre",
"external_ip": "128.70.53.134",
"user": "A@TEMPLATE-W7X86",
"active": true,
"network_addresses": [
{
"ip": "211.20.66.104",
"mac": "de:8e:84:2f:bd:0e"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/876b375f-737b-4a8f-9e45-eb625f046604/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"file_name": "Fax.exe",
"file_path": "\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe",
"identity": {
"sha256": "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc",
"sha1": "f9b02ad8d25157eebdb284631ff646316dc606d5",
"md5": "b2e15a06b0cca8a926c94f8a8eae3d88"
},
"parent": {
"process_id": 3164,
"disposition": "Blocklisted",
"file_name": "explorer.exe",
"identity": {
"sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad",
"sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9",
"md5": "8b88ebbb05a0e56b7dcc708498c02b3e"
}
}
}
},
{
"id": 1489955900291000600,
"timestamp": 1546989461,
"timestamp_nanoseconds": 291000000,
"date": "2019-01-08T23:17:41+00:00",
"event_type": "Executed malware",
"event_type_id": 1107296272,
"detection": "W32.3372C1EDAB-100.SBX.TG",
"connector_guid": "0ec7e0e2-2e77-496b-8f48-773de62bdaca",
"group_guids": [
"6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
],
"severity": "High",
"start_timestamp": 1546989461,
"start_date": "2019-01-08T23:17:41+00:00",
"computer": {
"connector_guid": "0ec7e0e2-2e77-496b-8f48-773de62bdaca",
"hostname": "Demo_TeslaCrypt",
"external_ip": "11.244.179.99",
"active": true,
"network_addresses": [
{
"ip": "63.211.127.60",
"mac": "ca:d2:9b:de:78:4b"
}
],
"links": {
"computer": "https://api.eu.amp.cisco.com/v1/computers/0ec7e0e2-2e77-496b-8f48-773de62bdaca",
"trajectory": "https://api.eu.amp.cisco.com/v1/computers/0ec7e0e2-2e77-496b-8f48-773de62bdaca/trajectory",
"group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
}
},
"file": {
"disposition": "Malicious",
"identity": {
"sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"
},
"parent": {
"disposition": "Blocklisted",
"identity": {
"sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"
}
}
}
}
]
}