GET /v1/forensic_snapshots/{:forensic_snapshot-id}
Description
Returns details for a specific available forensic snapshot. The details are under data.snapshot.
| Name | Type | Description |
|---|---|---|
| version | String | |
| metadata.links.self | String | |
| data.snapshot.version | Integer | |
| data.snapshot.format | String | |
| data.snapshot.query.id | String | |
| data.snapshot.query.osquery | Array | |
| data.snapshot.query.osquery[].types | Array | |
| data.snapshot.query.osquery[].types[] | String | |
| data.snapshot.query.osquery[].sql | String | |
| data.snapshot.query.osquery[].label | String | |
| data.snapshot.query.osquery[].name | String | |
| data.snapshot.results | Array | |
| data.snapshot.results[].nodeinfo.id | String | |
| data.snapshot.results[].nodeinfo.ampuuid | GUID | |
| data.snapshot.results[].nodeinfo.os | String | |
| data.snapshot.results[].id | String | |
| data.snapshot.results[].creator | GUID | |
| data.snapshot.results[].organization | GUID | |
| data.snapshot.results[].endpoint_organization | GUID | |
| data.snapshot.results[].endpoint_type | String | |
| data.snapshot.results[].reported | String (Time ISO8601) | |
| data.snapshot.results[].error | String | |
| data.snapshot.results[].node | String | |
| data.snapshot.results[].query | String | |
| data.snapshot.results[].osQuery | Array | |
| data.snapshot.results[].osQuery[].types | Array | |
| data.snapshot.results[].osQuery[].types[] | String | |
| data.snapshot.results[].osQuery[].columns | Array | |
| data.snapshot.results[].osQuery[].columns[] | String | |
| data.snapshot.results[].osQuery[].values | ||
| data.snapshot.results[].osQuery[].error | String | |
| data.snapshot.results[].osQuery[].secs | Float | |
| data.snapshot.results[].osQuery[].label | String | |
| data.snapshot.results[].osQuery[].name | String | |
| data.snapshot.results[].resultsCompressed | Boolean | |
| data.snapshot.results[].hostinfo.osinfo.os | String | |
| data.snapshot.results[].hostinfo.osinfo.osname | String | |
| data.snapshot.results[].hostinfo.osinfo.release | String | |
| data.snapshot.results[].hostinfo.osinfo.version | String | |
| data.snapshot.results[].hostinfo.osinfo.arch | String | |
| data.snapshot.results[].hostinfo.hostname | String | |
| data.snapshot.results[].hostinfo.fqdn.10.85.207.122 | String | |
| data.snapshot.results[].hostinfo.fqdn.2001:420:2852:2011:8470:e4bd:1120:c02c | String | |
| data.snapshot.results[].hostinfo.fqdn.2001:420:2852:2011:d037:c002:9245:ed02 | String | |
| data.snapshot.results[].hostinfo.fqdn.fe80::8470:e4bd:1120:c02c | String | |
| data.snapshot.results[].hostinfo.interfaces.Ethernet0.name | String | |
| data.snapshot.results[].hostinfo.interfaces.Ethernet0.mac | String | |
| data.snapshot.results[].hostinfo.interfaces.Ethernet0.ipv4 | String | |
| data.snapshot.results[].hostinfo.interfaces.Ethernet0.ipv6 | String | |
| data.snapshot.results[].hostinfo.interfaces.Ethernet0.active | Boolean | |
| data.snapshot.results[].hostinfo.external.name | String | |
| data.snapshot.results[].hostinfo.external.mac | String | |
| data.snapshot.results[].hostinfo.external.ipv4 | String | |
| data.snapshot.results[].hostinfo.external.active | Boolean | |
| data.snapshot.results[].hostinfo.updated | String (Time ISO8601) | |
| data.snapshot.results[].hostinfo.version | String | |
| data.snapshot.results[].rowcount | Integer | |
| data.snapshot.results[].seconds | Float | |
| data.snapshot.results[].source_uri | String | |
| data.connector_guid | GUID | |
| data.user_email | String | |
| data.url | String | |
| data.triggered_by | String |
Examples
Fetch the details of a specific forensic snapshot
Request
Requires AuthorizationGET /v1/forensic_snapshots/11221
Headers
accept: application/json
content-type: application/json
accept-encoding: identity
authorization: Basic FILTERED
cURL Edit, then copy and paste on your terminal
curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'accept-encoding: identity' \
--compressed -H 'Accept-Encoding: gzip, deflate' \
-u YOUR_API_CLIENT_ID \
'https://api.apjc.amp.cisco.com/v1/forensic_snapshots/11221'
Response
cURL Edit, then copy and paste on your terminal
curl -X GET \ -H 'accept: application/json' \ -H 'content-type: application/json' \ -H 'accept-encoding: identity' \ --compressed -H 'Accept-Encoding: gzip, deflate' \ -u YOUR_API_CLIENT_ID \ 'https://api.apjc.amp.cisco.com/v1/forensic_snapshots/11221'
Shortened for readability
content-type: application/json; charset=utf-8 transfer-encoding: chunked status: 200 OK etag: W/"101964d8994697ccc7d55e916b6b4c78" x-frame-options: SAMEORIGIN strict-transport-security: max-age=31536000
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.apjc.amp.cisco.com/v1/forensic_snapshots/11221"
}
},
"data": {
"snapshot": {
"version": 3,
"format": "compact",
"query": {
"id": "sZ9uJIOQuDMAhslsq_r6OA",
"osquery": [
{
"types": [
"ip",
"hostname"
],
"sql": "SELECT address, hostnames \nFROM etc_hosts \nWHERE hostnames NOT IN (\"localhost\", \"::1\", \"fe00::0\", \"ff00::0\", \"ff02::1\", \"ff02::2\");\n",
"label": "hosts_file",
"name": "Hosts File Data"
},
{
"types": [
"pid",
"file_name"
],
"sql": "SELECT p.pid, p.name, p.path, h.sha256 \nFROM processes p INNER JOIN hash h ON p.path=h.path;\n",
"label": "sha256_hash_of_running_processes",
"name": "SHA256 Hash Of Running Processes"
}
]
},
"results": [
{
"nodeinfo": {
"id": "vQ3gouAFpi-ly_q7_ovHHg",
"ampuuid": "3efa64c9-3ded-45c0-b320-5d017952906b",
"os": "windows"
},
"id": "0oc8fBSGNQP-LsWn-lYVrA",
"creator": "385501d4-017e-477c-8af6-8d096f95545d",
"organization": "e83482af-9af1-4e11-af47-f741660381a8",
"endpoint_organization": "e83482af-9af1-4e11-af47-f741660381a8",
"endpoint_type": "amp",
"reported": "2021-03-25T22:40:08.492558563Z",
"error": "",
"node": "vQ3gouAFpi-ly_q7_ovHHg",
"query": "sZ9uJIOQuDMAhslsq_r6OA",
"osQuery": [
{
"types": [
"ip",
"hostname"
],
"columns": [
"address",
"hostnames"
],
"values": null,
"error": "",
"secs": 0.002001299988478422,
"label": "hosts_file",
"name": "Hosts File Data"
},
{
"types": [
"",
"file_name"
],
"columns": [
"pid",
"name"
],
"values": [
"324",
"smss.exe"
],
"error": "",
"secs": 1.5193556547164917,
"label": "sha256_hash_of_running_processes",
"name": "SHA256 Hash Of Running Processes"
}
],
"resultsCompressed": false,
"hostinfo": {
"osinfo": {
"os": "windows",
"osname": "Windows 10 Enterprise",
"release": "6.3",
"version": "10.0.17763",
"arch": "amd64"
},
"hostname": "win-fss-vsphere-1",
"fqdn": {
"10.85.207.122": "win-fss-vsphere-1.cisco.com",
"2001:420:2852:2011:8470:e4bd:1120:c02c": "win-fss-vsphere-1.cisco.com",
"2001:420:2852:2011:d037:c002:9245:ed02": "win-fss-vsphere-1.cisco.com",
"fe80::8470:e4bd:1120:c02c": "win-fss-vsphere-1.cisco.com"
},
"interfaces": {
"Ethernet0": {
"name": "Ethernet0",
"mac": "00:50:56:a9:e8:91",
"ipv4": "10.85.207.122/23",
"ipv6": "fe80::8470:e4bd:1120:c02c/64",
"active": true
}
},
"external": {
"name": "",
"mac": "",
"ipv4": "173.38.117.79",
"active": true
},
"updated": "2021-03-25T21:57:29.2252899Z",
"version": "v1.10.7"
},
"rowcount": 9729,
"seconds": 107.54796755721327,
"source_uri": "https://test.orbital.threatgrid.com/jobs/sZ9uJIOQuDMAhslsq_r6OA/results"
}
]
},
"connector_guid": "3efa64c9-3ded-45c0-b320-5d017952906b",
"user_email": "amp_api_docs@cisco.com",
"url": "https://api.apjc.amp.cisco.com/v1/forensic_snapshots/11221",
"triggered_by": "User"
}
}