4. Query Events¶
4.1. Trajectory Events¶
Note
Cisco AMP for Endpoints uses the term trajectory to describe the execution timeline of activities on a computer (multi-file execution).
For example, if Computer A was under investigation and you wanted to review the SHA-256s of processes and files on the computer you would follow these steps:
First, query the Computer Activity endpoint:
GET /v1/computers/{:connector_guid}/trajectory
http
GET https://api.amp.cisco.com/v1/computers/{:connector_guid}/trajectory HTTP/1.1 Authorization: Basic MTIzNDphdGVzdA==
An example request:
GET /v1/computers/d821e2d9-9280-489c-a6c3-be02d85ba8a0/trajectory
http
GET https://api.amp.cisco.com/v1/computers/d821e2d9-9280-489c-a6c3-be02d85ba8a0/trajectory HTTP/1.1 Authorization: Basic MTIzNDphdGVzdA==
An example response:
{ "version": "v1.2.0", "metadata": { "links": { "self": "https://api.amp.cisco.com/v1/computers/d821e2d9-9280-489c-a6c3-be02d85ba8a0/trajectory" } }, "data": { "computer": { "connector_guid": "d821e2d9-9280-489c-a6c3-be02d85ba8a0", "hostname": "Demo_Command_Line_Arguments_Kovter", "windows_processor_id": "1937b8e046adf25", "active": true, "links": { "computer": "https://api.amp.cisco.com/v1/computers/d821e2d9-9280-489c-a6c3-be02d85ba8a0", "trajectory": "https://api.amp.cisco.com/v1/computers/d821e2d9-9280-489c-a6c3-be02d85ba8a0/trajectory", "group": "https://api.amp.cisco.com/v1/groups/68665863-74d5-4bc1-ac7f-5477b2b6406e" }, "connector_version": "99.0.99.11594", "operating_system": "Windows 10, SP 0.0", "internal_ips": [ "48.228.237.163" ], "external_ip": "87.18.29.150", "group_guid": "68665863-74d5-4bc1-ac7f-5477b2b6406e", "install_date": "2020-02-17T08:47:17Z", "network_addresses": [ { "mac": "cd:e0:30:42:21:f7", "ip": "48.228.237.163" } ], "policy": { "guid": "75f5a2b7-2875-41c1-9a11-0b212f347a08", "name": "Triage Policy" }, "faults": [ ], "isolation": { "available": false, "status": "not_isolated" }, "orbital": { "status": "not_enabled" } }, "events": [ { "timestamp": 1581940174, "timestamp_nanoseconds": 842009819, "date": "2020-02-17T11:49:34+00:00", "event_type": "Executed by", "group_guids": [ "68665863-74d5-4bc1-ac7f-5477b2b6406e" ], "file": { "disposition": "Clean", "file_name": "taskmgr.exe", "file_path": "/c:/windows/system32/taskmgr.exe", "file_type": "PE Executable", "identity": { "sha256": "292106dfdfacdc0ab33e3cb580ae23f0506cb2402b9b3ca2811a0a1c2f6ebf6c" }, "parent": { "disposition": "Clean", "identity": { "sha256": "438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7" } } } }, { "timestamp": 1581940173, "timestamp_nanoseconds": 543023082, "date": "2020-02-17T11:49:33+00:00", "event_type": "Executed by", "group_guids": [ "68665863-74d5-4bc1-ac7f-5477b2b6406e" ], "file": { "disposition": "Clean", "file_name": "taskmgr.exe", "file_path": "/c:/windows/system32/taskmgr.exe", "file_type": "PE Executable", "identity": { "sha256": "292106dfdfacdc0ab33e3cb580ae23f0506cb2402b9b3ca2811a0a1c2f6ebf6c" }, "parent": { "disposition": "Unknown", "identity": { "sha256": "0bd0a04d7b32648f627387894a165b321ac277bd8103a4ca6790607458adf778" } } } } ] } }
Next, you would parse the response for
.data.events[].file.identity.sha256and.data.events[].file.parent.identity.sha256.You would then evaluate these hashes with your product or a 3rd party observable service.
4.2. Detection Events¶
To hunt for computers that have seen a SHA-256 but have not created an event for that SHA-256 follow these steps:
1.First, query the Computer Activity to get a list of computers that have seen the SHA-256 observable:
GET /v1/computers/activityhttp
GET https://api.amp.cisco.com/v1/computers/activity HTTP/1.1 Authorization: Basic MTIzNDphdGVzdA==An example request:
GET /v1/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5http
GET https://api.amp.cisco.com/v1/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5 HTTP/1.1 Authorization: Basic MTIzNDphdGVzdA==An example response:
{ "version": "v1.2.0", "metadata": { "links": { "self": "https://api.amp.cisco.com/v1/computers/activity?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e&offset=0&limit=5" }, "results": { "total": 1, "current_item_count": 1, "index": 0, "items_per_page": 5 } }, "data": [ { "connector_guid": "367a2c23-d0e7-464b-ac3f-9a209868b31d", "hostname": "Demo_Stabuniq", "windows_processor_id": "83f976a0db415e2", "active": true, "links": { "computer": "https://api.amp.cisco.com/v1/computers/367a2c23-d0e7-464b-ac3f-9a209868b31d", "trajectory": "https://api.amp.cisco.com/v1/computers/367a2c23-d0e7-464b-ac3f-9a209868b31d/trajectory?q=814a37d89a79aa3975308e723bc1a3a67360323b7e3584de00896fe7c59bbb8e", "group": "https://api.amp.cisco.com/v1/groups/b077d6bc-bbdf-42f7-8838-a06053fbd98a" } } ] }
Store the values of
.data[].connector_guid.Query the Events Endpoint to see what events were generated for the same SHA-256 observable:
GET /v1/events
http
GET https://api.amp.cisco.com/v1/events HTTP/1.1 Authorization: Basic MTIzNDphdGVzdA==
An example request:
GET /v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1
http
GET https://api.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1 HTTP/1.1 Authorization: Basic MTIzNDphdGVzdA==
An example response:
{ "version": "v1.2.0", "metadata": { "links": { "self": "https://api.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1", "next": "https://api.amp.cisco.com/v1/events?detection_sha256=b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40&limit=1&offset=1" }, "results": { "total": 4, "current_item_count": 1, "index": 0, "items_per_page": 1 } }, "data": [ { "id": 6180352115244794000, "timestamp": 1582222838, "timestamp_nanoseconds": 279000000, "date": "2020-02-20T18:20:38+00:00", "event_type": "Threat Detected", "event_type_id": 1090519054, "detection": "W32.GenericKD:ZVETJ.18gs.1201", "detection_id": "6180352115244793858", "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72", "group_guids": [ "6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03" ], "severity": "Medium", "computer": { "connector_guid": "20a0ce9f-44d1-4cbb-ab04-8a0705448b72", "hostname": "Demo_Upatre", "external_ip": "69.226.122.127", "user": "A@TEMPLATE-W7X86", "active": true, "network_addresses": [ { "ip": "230.122.135.241", "mac": "3f:1e:b2:28:25:24" } ], "links": { "computer": "https://api.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72", "trajectory": "https://api.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory", "group": "https://api.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03" } }, "file": { "disposition": "Malicious", "file_name": "wsymqyv90.exe", "file_path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe", "identity": { "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40", "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48", "md5": "e2f5dcd966e26d54329e8d79c7201652" }, "parent": { "process_id": 4040, "disposition": "Clean", "file_name": "iexplore.exe", "identity": { "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132", "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80", "md5": "b3581f426dc500a51091cdd5bacf0454" } } } } ] }
Store the values of
.data[].connector_guid.Diff the
connector_guidvalues found in step two with theconnector_guidvalues found in step four.Create a high priority alert for the endpoints that have seen the file but did not generate any events for it. This means that there is malicious activity that needs to be sent as an alert to the SOC.
Note
Example implementations of similar workflows can be found here: