Cisco AMP for Endpoints API

GET /v1/events

Description

This is a general query interface for events. This is analogous to the Events view on the FireAMP Console.

Events can be filtered by a variety of criteria. Each criteria type is logically ANDed with the other criteria; each selection of a criteria is logically ORed. For example: with the query string: connector_guid[]=ead39d47-93bd-4230-b692-454b433faf96&event_type[]=2164260868&event_type[]=1090519054, it will return any events that match the connector guid ad39d47-93bd-4230-b692-454b433faf96 AND any events with type (1090519054 OR 2164260868).

The arguments passed to the event_type and group_guid parameters can be retrieved from their respective endpoints.

Query Parameters

Name Type Example Values Description
limit Integer 2, 1, 10
detection_sha256 String f8a6a244138cb1e2f044f63f3dc42beeb555da892bbd7a121274498cbdfc9ad5
application_sha256 String 80ef843fa78c33b511394a9c7535a9cbace1deb2270e86ee4ad2faffa5b1e7d2
connector_guid[] GUID af73d9d5-ddc5-4c93-9c6d-d5e6b5c5eb01
group_guid[] GUID b077d6bc-bbdf-42f7-8838-a06053fbd98a
start_date String (Time ISO8601) 2015-10-01T00:00:00+00:00 Inclusive (The list will include events that match start_date)
offset Integer 10
event_type[] Array 1090519054, 1090519084

Show Response Fields

Name Type Description
version String
metadata.links.self String
metadata.links.prev String
metadata.links.next String
metadata.results.total Integer
metadata.results.current_item_count Integer
metadata.results.index Integer
metadata.results.items_per_page Integer
data Array
data[].id Integer
data[].timestamp Integer
data[].timestamp_nanoseconds Integer
data[].date String (Time ISO8601)
data[].event_type String
data[].event_type_id Integer
data[].detection String
data[].detection_id String
data[].group_guids Array
data[].group_guids[] GUID
data[].computer.connector_guid GUID
data[].computer.hostname String
data[].computer.external_ip String
data[].computer.user String
data[].computer.active Boolean
data[].computer.network_addresses Array
data[].computer.network_addresses[].ip String
data[].computer.network_addresses[].mac String
data[].computer.links.computer String
data[].computer.links.trajectory String
data[].computer.links.group String
data[].file.disposition String
data[].file.file_name String
data[].file.file_path String
data[].file.identity.sha256 String
data[].file.identity.sha1 String
data[].file.identity.md5 String
data[].file.parent.process_id Integer
data[].file.parent.disposition String
data[].file.parent.file_name String
data[].file.parent.identity.sha256 String
data[].file.parent.identity.sha1 String
data[].file.parent.identity.md5 String
Write
Preview

Examples

Fetch list of events sorted in descending order by timestamp
Fetch list of events filtered by connector_guid
Fetch list of events filtered by group_guid
Fetch list of events filtered by detection_sha256
Fetch list of events filtered by application_sha256
Fetch list of events filtered by detection_sha256 and application_sha256
Fetch list of events filtered by event_type
Fetch events that are newer than a given timestamp

Fetch list of events sorted in descending order by timestamp

Request

Requires Authorization
GET /v1/events?limit=2
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?limit=2'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3279
x-ratelimit-remaining: 2671
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-08-02T18:40:25Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?limit=2",
      "next": "https://api.eu.amp.cisco.com/v1/events?limit=2&offset=2"
    },
    "results": {
      "total": 8896,
      "current_item_count": 2,
      "index": 0,
      "items_per_page": 2
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1564766438,
      "timestamp_nanoseconds": 279000000,
      "date": "2019-08-02T17:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    },
    {
      "id": 6180351977805840000,
      "timestamp": 1564766406,
      "timestamp_nanoseconds": 548000000,
      "date": "2019-08-02T17:20:06+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180351977805840385",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events filtered by connector_guid

Request

Requires Authorization
GET /v1/events?connector_guid[]=20a0ce9f-44d1-4cbb-ab04-8a0705448b72&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?connector_guid[]=20a0ce9f-44d1-4cbb-ab04-8a0705448b72&limit=1'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3278
x-ratelimit-remaining: 2668
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-08-02T18:40:25Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?connector_guid[]=20a0ce9f-44d1-4cbb-ab04-8a0705448b72&limit=1",
      "next": "https://api.eu.amp.cisco.com/v1/events?connector_guid%5B%5D=20a0ce9f-44d1-4cbb-ab04-8a0705448b72&limit=1&offset=1"
    },
    "results": {
      "total": 612,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1564766438,
      "timestamp_nanoseconds": 279000000,
      "date": "2019-08-02T17:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events filtered by group_guid

Request

Requires Authorization
GET /v1/events?group_guid[]=6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?group_guid[]=6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03&limit=1'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3274
x-ratelimit-remaining: 2665
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-08-02T18:40:25Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?group_guid[]=6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03&limit=1",
      "next": "https://api.eu.amp.cisco.com/v1/events?group_guid%5B%5D=6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03&limit=1&offset=1"
    },
    "results": {
      "total": 2889,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1564766438,
      "timestamp_nanoseconds": 279000000,
      "date": "2019-08-02T17:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events filtered by detection_sha256

Request

Requires Authorization
GET /v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3271
x-ratelimit-remaining: 2662
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-08-02T18:40:25Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1",
      "next": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1&offset=1"
    },
    "results": {
      "total": 36,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1564766438,
      "timestamp_nanoseconds": 279000000,
      "date": "2019-08-02T17:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events filtered by application_sha256

Request

Requires Authorization
GET /v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3269
x-ratelimit-remaining: 2659
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-08-02T18:40:25Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1",
      "next": "https://api.eu.amp.cisco.com/v1/events?application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1&offset=1"
    },
    "results": {
      "total": 252,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1564766438,
      "timestamp_nanoseconds": 279000000,
      "date": "2019-08-02T17:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events filtered by detection_sha256 and application_sha256

Request

Requires Authorization
GET /v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3267
x-ratelimit-remaining: 2656
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-08-02T18:40:25Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1",
      "next": "https://api.eu.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&application_sha256=b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132&limit=1&offset=1"
    },
    "results": {
      "total": 36,
      "current_item_count": 1,
      "index": 0,
      "items_per_page": 1
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1564766438,
      "timestamp_nanoseconds": 279000000,
      "date": "2019-08-02T17:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}

Fetch list of events filtered by event_type

Request

Requires Authorization
GET /v1/events?event_type[]=1090519054&event_type[]=1090519084&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?event_type[]=1090519054&event_type[]=1090519084&offset=10&limit=10'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3267
x-ratelimit-remaining: 2655
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-08-02T18:40:25Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?event_type[]=1090519054&event_type[]=1090519084&offset=10&limit=10",
      "prev": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=0",
      "next": "https://api.eu.amp.cisco.com/v1/events?event_type%5B%5D=1090519054&event_type%5B%5D=1090519084&limit=10&offset=20"
    },
    "results": {
      "total": 5522,
      "current_item_count": 10,
      "index": 10,
      "items_per_page": 10
    }
  },
  "data": [
    {
      "id": 6180351977805840000,
      "timestamp": 1564762806,
      "timestamp_nanoseconds": 548000000,
      "date": "2019-08-02T16:20:06+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180351977805840385",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    },
    {
      "id": 6180335966167761000,
      "timestamp": 1564762678,
      "timestamp_nanoseconds": 875000000,
      "date": "2019-08-02T16:17:58+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.File.MalParent",
      "detection_id": "6180335966167760897",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "Fax.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe",
        "identity": {
          "sha256": "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc",
          "sha1": "f9b02ad8d25157eebdb284631ff646316dc606d5",
          "md5": "b2e15a06b0cca8a926c94f8a8eae3d88"
        },
        "parent": {
          "process_id": 3164,
          "disposition": "Blocklisted",
          "file_name": "explorer.exe",
          "identity": {
            "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad",
            "sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9",
            "md5": "8b88ebbb05a0e56b7dcc708498c02b3e"
          }
        }
      }
    }
  ]
}

Fetch events that are newer than a given timestamp

Request

Requires Authorization
GET /v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10
Headers
accept: application/json
content-type: application/json
authorization: Basic FILTERED

cURL Edit, then copy and paste on your terminal

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10'

Response

Shortened for readability

strict-transport-security: max-age=31536000
content-type: application/json; charset=utf-8
status: 200 OK
x-ratelimit-limit: 3000
x-ratelimit-reset: 3266
x-ratelimit-remaining: 2654
x-frame-options: SAMEORIGIN
x-ratelimit-resetdate: 2019-08-02T18:40:25Z
transfer-encoding: chunked
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&offset=10&limit=10",
      "prev": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=0",
      "next": "https://api.eu.amp.cisco.com/v1/events?start_date=2015-10-01T00%3A00%3A00%2B00%3A00&limit=10&offset=20"
    },
    "results": {
      "total": 8896,
      "current_item_count": 10,
      "index": 10,
      "items_per_page": 10
    }
  },
  "data": [
    {
      "id": 6180352115244794000,
      "timestamp": 1564762838,
      "timestamp_nanoseconds": 279000000,
      "date": "2019-08-02T16:20:38+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180352115244793858",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    },
    {
      "id": 6180351977805840000,
      "timestamp": 1564762806,
      "timestamp_nanoseconds": 548000000,
      "date": "2019-08-02T16:20:06+00:00",
      "event_type": "Threat Detected",
      "event_type_id": 1090519054,
      "detection": "W32.GenericKD:ZVETJ.18gs.1201",
      "detection_id": "6180351977805840385",
      "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
      "group_guids": [
        "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
      ],
      "severity": "Medium",
      "computer": {
        "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
        "hostname": "Demo_Upatre",
        "external_ip": "69.226.122.127",
        "user": "A@TEMPLATE-W7X86",
        "active": true,
        "network_addresses": [
          {
            "ip": "230.122.135.241",
            "mac": "3f:1e:b2:28:25:24"
          }
        ],
        "links": {
          "computer": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72",
          "trajectory": "https://api.eu.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory",
          "group": "https://api.eu.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"
        }
      },
      "file": {
        "disposition": "Malicious",
        "file_name": "wsymqyv90.exe",
        "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
        "identity": {
          "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
          "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
          "md5": "e2f5dcd966e26d54329e8d79c7201652"
        },
        "parent": {
          "process_id": 4040,
          "disposition": "Clean",
          "file_name": "iexplore.exe",
          "identity": {
            "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
            "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
            "md5": "b3581f426dc500a51091cdd5bacf0454"
          }
        }
      }
    }
  ]
}