Cisco AMP for Endpoints API

GET /v1/forensic_snapshots/{:forensic_snapshot-id}

Description

Returns details for a specific available forensic snapshot. The details are under data.snapshot.


Name Type Description
version String
metadata.links.self String
data.snapshot.version Integer
data.snapshot.format String
data.snapshot.query.id String
data.snapshot.query.osquery Array
data.snapshot.query.osquery[].types Array
data.snapshot.query.osquery[].types[] String
data.snapshot.query.osquery[].sql String
data.snapshot.query.osquery[].label String
data.snapshot.query.osquery[].name String
data.snapshot.results Array
data.snapshot.results[].nodeinfo.id String
data.snapshot.results[].nodeinfo.ampuuid GUID
data.snapshot.results[].nodeinfo.os String
data.snapshot.results[].id String
data.snapshot.results[].creator GUID
data.snapshot.results[].organization GUID
data.snapshot.results[].endpoint_organization GUID
data.snapshot.results[].endpoint_type String
data.snapshot.results[].reported String (Time ISO8601)
data.snapshot.results[].error String
data.snapshot.results[].node String
data.snapshot.results[].query String
data.snapshot.results[].osQuery Array
data.snapshot.results[].osQuery[].types Array
data.snapshot.results[].osQuery[].types[] String
data.snapshot.results[].osQuery[].columns Array
data.snapshot.results[].osQuery[].columns[] String
data.snapshot.results[].osQuery[].values Array or null (type not given in the source table; inferred from the example response below, where one query carries an array of values and the other carries null)
data.snapshot.results[].osQuery[].error String
data.snapshot.results[].osQuery[].secs Float
data.snapshot.results[].osQuery[].label String
data.snapshot.results[].osQuery[].name String
data.snapshot.results[].resultsCompressed Boolean
data.snapshot.results[].hostinfo.osinfo.os String
data.snapshot.results[].hostinfo.osinfo.osname String
data.snapshot.results[].hostinfo.osinfo.release String
data.snapshot.results[].hostinfo.osinfo.version String
data.snapshot.results[].hostinfo.osinfo.arch String
data.snapshot.results[].hostinfo.hostname String
data.snapshot.results[].hostinfo.fqdn.{address} String (object keyed by each of the endpoint's IPv4/IPv6 addresses, one entry per address; the source table listed the example's concrete addresses, such as 10.85.207.122 and fe80::8470:e4bd:1120:c02c, as if they were fixed field names)
data.snapshot.results[].hostinfo.interfaces.{interface_name}.name String (object keyed by interface name, e.g. "Ethernet0" in the example below)
data.snapshot.results[].hostinfo.interfaces.{interface_name}.mac String
data.snapshot.results[].hostinfo.interfaces.{interface_name}.ipv4 String
data.snapshot.results[].hostinfo.interfaces.{interface_name}.ipv6 String
data.snapshot.results[].hostinfo.interfaces.{interface_name}.active Boolean
data.snapshot.results[].hostinfo.external.name String
data.snapshot.results[].hostinfo.external.mac String
data.snapshot.results[].hostinfo.external.ipv4 String
data.snapshot.results[].hostinfo.external.active Boolean
data.snapshot.results[].hostinfo.updated String (Time ISO8601)
data.snapshot.results[].hostinfo.version String
data.snapshot.results[].rowcount Integer
data.snapshot.results[].seconds Float
data.snapshot.results[].source_uri String
data.connector_guid GUID
data.user_email String
data.url String
data.triggered_by String

Examples

Fetch the details of a specific forensic snapshot


Request

Requires Authorization
GET /v1/forensic_snapshots/11221
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED

cURL (edit the command, then copy and paste it into your terminal)

# Fetches one forensic snapshot by id over HTTP Basic auth (the documented
# request shows the credential as "authorization: Basic FILTERED").
# NOTE(review): this command sends two conflicting Accept-Encoding headers --
# 'identity' below and 'gzip, deflate' added together with --compressed -- and
# the request-header list above only shows 'identity'. Keep the one you intend.
# -u takes user:password. With only the client ID given, curl prompts for the
# password (here the API key), which keeps the secret off the command line and
# out of shell history; do not paste the key into the command itself.
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.amp.cisco.com/v1/forensic_snapshots/11221'

Response

Shortened for readability

content-type: application/json; charset=utf-8
transfer-encoding: chunked
status: 200 OK
etag: W/"101964d8994697ccc7d55e916b6b4c78"
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000
{
  "version": "v1.2.0",
  "metadata": {
    "links": {
      "self": "https://api.amp.cisco.com/v1/forensic_snapshots/11221"
    }
  },
  "data": {
    "snapshot": {
      "version": 3,
      "format": "compact",
      "query": {
        "id": "sZ9uJIOQuDMAhslsq_r6OA",
        "osquery": [
          {
            "types": [
              "ip",
              "hostname"
            ],
            "sql": "SELECT address, hostnames \nFROM etc_hosts \nWHERE hostnames NOT IN (\"localhost\", \"::1\", \"fe00::0\", \"ff00::0\", \"ff02::1\", \"ff02::2\");\n",
            "label": "hosts_file",
            "name": "Hosts File Data"
          },
          {
            "types": [
              "pid",
              "file_name"
            ],
            "sql": "SELECT p.pid, p.name, p.path, h.sha256 \nFROM processes p INNER JOIN hash h ON p.path=h.path;\n",
            "label": "sha256_hash_of_running_processes",
            "name": "SHA256 Hash Of Running Processes"
          }
        ]
      },
      "results": [
        {
          "nodeinfo": {
            "id": "vQ3gouAFpi-ly_q7_ovHHg",
            "ampuuid": "3efa64c9-3ded-45c0-b320-5d017952906b",
            "os": "windows"
          },
          "id": "0oc8fBSGNQP-LsWn-lYVrA",
          "creator": "385501d4-017e-477c-8af6-8d096f95545d",
          "organization": "e83482af-9af1-4e11-af47-f741660381a8",
          "endpoint_organization": "e83482af-9af1-4e11-af47-f741660381a8",
          "endpoint_type": "amp",
          "reported": "2021-03-25T22:40:08.492558563Z",
          "error": "",
          "node": "vQ3gouAFpi-ly_q7_ovHHg",
          "query": "sZ9uJIOQuDMAhslsq_r6OA",
          "osQuery": [
            {
              "types": [
                "ip",
                "hostname"
              ],
              "columns": [
                "address",
                "hostnames"
              ],
              "values": null,
              "error": "",
              "secs": 0.002001299988478422,
              "label": "hosts_file",
              "name": "Hosts File Data"
            },
            {
              "types": [
                "",
                "file_name"
              ],
              "columns": [
                "pid",
                "name"
              ],
              "values": [
                "324",
                "smss.exe"
              ],
              "error": "",
              "secs": 1.5193556547164917,
              "label": "sha256_hash_of_running_processes",
              "name": "SHA256 Hash Of Running Processes"
            }
          ],
          "resultsCompressed": false,
          "hostinfo": {
            "osinfo": {
              "os": "windows",
              "osname": "Windows 10 Enterprise",
              "release": "6.3",
              "version": "10.0.17763",
              "arch": "amd64"
            },
            "hostname": "win-fss-vsphere-1",
            "fqdn": {
              "10.85.207.122": "win-fss-vsphere-1.cisco.com",
              "2001:420:2852:2011:8470:e4bd:1120:c02c": "win-fss-vsphere-1.cisco.com",
              "2001:420:2852:2011:d037:c002:9245:ed02": "win-fss-vsphere-1.cisco.com",
              "fe80::8470:e4bd:1120:c02c": "win-fss-vsphere-1.cisco.com"
            },
            "interfaces": {
              "Ethernet0": {
                "name": "Ethernet0",
                "mac": "00:50:56:a9:e8:91",
                "ipv4": "10.85.207.122/23",
                "ipv6": "fe80::8470:e4bd:1120:c02c/64",
                "active": true
              }
            },
            "external": {
              "name": "",
              "mac": "",
              "ipv4": "173.38.117.79",
              "active": true
            },
            "updated": "2021-03-25T21:57:29.2252899Z",
            "version": "v1.10.7"
          },
          "rowcount": 9729,
          "seconds": 107.54796755721327,
          "source_uri": "https://test.orbital.threatgrid.com/jobs/sZ9uJIOQuDMAhslsq_r6OA/results"
        }
      ]
    },
    "connector_guid": "3efa64c9-3ded-45c0-b320-5d017952906b",
    "user_email": "amp_api_docs@cisco.com",
    "url": "https://api.amp.cisco.com/v1/forensic_snapshots/11221",
    "triggered_by": "User"
  }
}