Insights API

Using the EchoTrail API, you can search for Windows filenames or hashes. EchoTrail returns a summary of the statistical information that describes the behavior of that filename or hash, based on the data we've collected from our sensors over time. If you only need a subset of the results, or if you want to look up an item that falls outside the truncated table, use the subsearch endpoint.

Keep in mind that list results may be truncated. On a paid tier, lists are truncated at 20 items, but that limit can be bypassed with subsearches.

For a more detailed explanation of EchoTrail Insights, see here.

Search Syntax

We currently support searching for the name or hash of a Windows process. When searching for a filename, make sure to include the extension (i.e. .exe). When searching for hashes, we support SHA256 or MD5.

If we don't have an exact hash match, try searching for the filename!


Insights Search
GET
/insights/<query>

This endpoint allows you to get a full summary of a requested filename or hash. It returns different results depending on whether the search was a hit or a miss.

Path Parameters

  • Name
    query
    Type
    string
    Description

    Required. The name or hash of an endpoint process to look up. Must be a Windows filename with extension, a SHA256 hash of a Windows process, or an MD5 hash of a Windows process.

Headers

Query Parameters

  • Name
    usage=t
    Type
    string
    Description

    Optional. If you provide usage=t as a query parameter, the API appends a usage field to the insights results, allowing you to discover how many queries you have remaining for today.

Response

Status Codes:

  • 200 OK
  • 403 Invalid API Key
  • 404 Invalid Path
  • 429 Too many requests (exceeded quota)

Request

curl https://api.echotrail.io/insights/cmd.exe \
  -H "x-api-key: [your api key]"

Response

{
  "description": "Svchost.exe is the name for services that run from dynamic-linked libraries (DLLs). The Service Host... ",
  "rank": 11,
  "host_prev": "95.3",
  "eps": "96.70",
  "paths": [
    ["c:\\windows\\system32", "99.99"],
    ["c:\\windows\\syswow64", "0.00"],
    ["c:\\windows\\temp", "0.00"]
  ],
  "parents": [
    ["services.exe", "99.88"],
    ["msmpeng.exe", "0.11"],
    ["svchost.exe", "0.00"]
  ],
  "children": [
    ["wmiprvse.exe", "19.99"],
    ["backgroundtaskhost.exe", "11.60"],
    ["runtimebroker.exe", "6.47"],
    ["dllhost.exe", "6.30"]
  ],
  "grandparents": [
    ["wininit.exe", "99.87"],
    ["services.exe", "0.13"],
    ["explorer.exe", "0.00"]
  ],
  "hashes": [
    ["b868487f8edbd0571d30d89573f087bfeac3da190652344afd351b1868ea0f8b", "65.81"],
    ["9f21e51442209bcec0ea4a468ef8a4741685ae204d5063f4c3e45e1f8cf72643", "26.25"],
    ["c9a28dc8004c3e043cbf8e3a194fda2b756ce90740df2175488337281b485f69", "4.12"],
    ["c7db4ae8175c33a47baa3ddfa089fad17bc8e362f21e835d78ab22c9231fe370", "1.81"],
    ["438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7", "1.15"]
  ],
  "network": [
    ["443", "45.15"],
    ["80", "32.48"],
    ["5355", "0.61"],
    ["1900", "0.39"],
    ["5353", "0.30"]
  ],
  "intel": "It is normal to see many svchost processes running on a single machine. It usually has elevated privileges and... "
}

Insights Field Search
GET
/insights/<query>/<field>

This endpoint allows you to get one particular field from the results of a process search. It is useful for fetching data efficiently when you only need one field.

Path Parameters

  • Name
    query
    Type
    string
    Description

    Required. The name or hash of an endpoint process to look up. Must be a Windows filename with extension, a SHA256 hash of a Windows process, or an MD5 hash of a Windows process.

  • Name
    field
    Type
    string
    Description

    Required. Must be one of the following: description, rank, host_prev, eps, parents, children, grandparents, hashes, paths, network, or intel.

Headers

Response

Status Codes:

  • 200 OK
  • 403 Invalid API Key
  • 404 Invalid Path
  • 429 Too many requests (exceeded quota)

Request

curl https://api.echotrail.io/insights/svchost.exe/parents \
  -H "x-api-key: [your api key]"

Response

{ "parents": [ ["services.exe", "99.63"], ["MsMpEng.exe", "0.36"], ... ] }

Insights Subsearch
GET
/insights/<query>/<field>/<subsearch>

This endpoint allows you to perform a search within a list of results from a process search, for example looking up a particular port in the network table of the cmd.exe process.

Path Parameters

  • Name
    query
    Type
    string
    Description

    Required. The name or hash of an endpoint process to look up. Must be a Windows filename with extension, a SHA256 hash of a Windows process, or an MD5 hash of a Windows process.

  • Name
    field
    Type
    string
    Description

    Required. Must be one of the following: description, rank, host_prev, eps, parents, children, grandparents, hashes, paths, network, or intel.

  • Name
    subsearch
    Type
    string
    Description

    Required. The string to search for within the process field.

Headers

Response

Status Codes:

  • 200 OK
  • 403 Invalid API Key
  • 404 Invalid Path
  • 429 Too many requests (exceeded quota)

Request

curl https://api.echotrail.io/insights/svchost.exe/parents/services.exe \
  -H "x-api-key: [your api key]"

Response

[ "services.exe", 99.88 ]
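As an added example (not EchoTrail's own client code), the following Python builds the URLs for the three endpoints above, sends the x-api-key header, and then uses a condensed copy of the svchost.exe response shown on this page as constructed sample input to flag a process event whose parent or directory is rare for that image. The `rare_below` threshold of 1.0% is an assumption chosen for illustration.

```python
import json
from typing import Dict, List, Optional, Sequence
from urllib.parse import quote
from urllib.request import Request, urlopen

API_BASE = "https://api.echotrail.io/insights"

# Condensed copy of the svchost.exe summary shown on this page (constructed sample input).
SAMPLE_INSIGHTS = {
    "rank": 11, "host_prev": "95.3", "eps": "96.70",
    "paths": [["c:\\windows\\system32", "99.99"], ["c:\\windows\\syswow64", "0.00"]],
    "parents": [["services.exe", "99.88"], ["msmpeng.exe", "0.11"], ["svchost.exe", "0.00"]],
}


def insights_url(query: str, field: Optional[str] = None,
                 subsearch: Optional[str] = None, usage: bool = False) -> str:
    """URL for the summary, field or subsearch endpoint; usage=t appends the quota field."""
    parts = [quote(query, safe="")]
    if field:
        parts.append(quote(field, safe=""))
        if subsearch:
            parts.append(quote(subsearch, safe=""))
    url = f"{API_BASE}/{'/'.join(parts)}"
    return url + "?usage=t" if usage else url


def fetch_insights(url: str, api_key: str) -> Dict:
    """GET with the x-api-key header (network call); 403/404/429 surface as HTTPError."""
    req = Request(url, headers={"x-api-key": api_key})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def prevalence(table: Sequence[Sequence[str]], name: str) -> float:
    """Percentage for `name` in a [[value, pct], ...] table, 0.0 if absent (case-insensitive)."""
    for value, pct in table:
        if value.lower() == name.lower():
            return float(pct)
    return 0.0


def score_event(insights: Dict, parent: str, path: str, rare_below: float = 1.0) -> List[str]:
    """Flag an observed process whose parent or directory is rare (assumed 1% threshold)."""
    findings = []
    parent_pct = prevalence(insights["parents"], parent)
    if parent_pct < rare_below:
        findings.append(f"rare parent {parent} ({parent_pct:.2f}% of sightings)")
    path_pct = prevalence(insights["paths"], path)
    if path_pct < rare_below:
        findings.append(f"rare path {path} ({path_pct:.2f}% of sightings)")
    return findings
```

Because the percentages are returned as strings, `prevalence` converts them before comparing; a name missing from a truncated table scores 0.0, so confirm with a subsearch before treating it as unseen.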
