my cheat sheet on Cisco Security APIs

Home

1 Security APIs

Security comprises many different parts of an enterprise's infrastructure. Replacing human slow, and error prone corroboration of security incidents with a fast and automated API interaction can greatly increase the overall resilience and impenetrability of your defences.

  1. Cyber threat hunting:

    Is the active cyber defense activity, iteratively searching through networks to detect and isolate advanced threats that have so far evaded existing security solutions.

    The main goal of security APIs is automating cyber threat hunting.

    [[threat-hunting.png]

2 Advanced Malware Protection, AMP

For details see Advanced Malware Protection

3 SecureX

For details see SecureX

4 Threat Grid

5 Umbrella

6 Firepower Management Centre & API Explorer

FMC offers an API Explorer that is available on every Firepower Management Center by browsing to:

  • https://<mgt-center-ip-or-name>:<https-port>/api/api-explorer
  • https://<mgt-center-ip-or-name>:<https-port>/api/api-explorer

As you can see, it is a REST API. The reserveable sandbox API is available: https://fmcrestapisandbox.cisco.com/api/api-explorer/ but you must reserve the sandbox to get the credentials for a 4 hour session. That sandbox is available here: https://devnetsandbox.cisco.com/RM/Topology (search for FMC)

The API Explorer will let you generate code snippets for both Perl and Python

Update: The Open API Spec is a standardized specification of a REST API. The Open API Spec for the Firepower Management Center REST API contains details about the endpoints, fields, parameters, and requirements of the API. You can use the API Spec to generate sample code as well as find specific information about API functionality.

6.1 FMC API Explorer Authentication

-H "X-auth-access-token: blah-blah-blha" The credentials for the API explorer are the same for the FMC. It can let you log in, then "try" a REST API Request and get back this for example:

curl -X GET "https://fmcrestapisandbox.cisco.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords" -H "accept: application/json" -H "X-auth-access-token: d0073556-f465-4f99-ae74-4bd8d61673d7"

curl -X GET "https://fmcrestapisandbox.cisco.com/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords" -H "accept: application/json" -H "X-auth-access-token: d0073556-f465-4f99-ae74-4bd8d61673d7"

I used POSTMAN with the tokens I copied from my FMC API Explorer session and got success as shown in this screenshot:

postman-fmc-request.png

Figure 1: Postman REST API Request to FMC

Detailed steps are available from learning labs. Authentication to the API Explorer FMC REST API uses token-based authentication. You need a valid access token to invoke a REST call, and every REST call must include a header in which key is set to X-auth-access-token and the value contains the access token.

The API Explorer automates the access token process, and you can log into the API Explorer using any FMC account, but you will only be able to perform the functions for which the account has permissions.

7 FTD and Password Granted Access Token

Every REST API call must include an authentication token to verify that the caller is authorized to perform the requested action.

Initially, you need to obtain an access token by supplying the admin username/password. This is called a password-granted access token, that is, grant_type = password.

Steps:

  1. Create the JSON object for the password-granted access token grant. Specify the admin username and password
  2. Use POST https://server/api/fdm/v3/fdm/token to obtain the access token. Use curl, postman, python, whatever you want.
  3. Retrieve the access and refresh tokens from the response. A good response has a status code 200.

8 FTD and Custom Access Token

You can use the password-granted access token as described above. However, you can also request a custom access token With a custom token, you can:

  • supply a subject name to help differentiate token usage (for own purposes).
  • You can also request specific validity periods if the default values returned for password tokens do not fit your requirements.

(Notice the difference to API keys that have no expiration time. You have to go to a web page and manually invalidate an API key.)

Before you can start, you need to first 1) get a password-granted access token.

  1. create the json object for custom access token grant 
    {

   "grant_type": "custom_token",
   "access_token": "string",
   "desired_expires_in": 0,
   "desired_refresh_expires_in": 0,
   "desired_subject": "string",
   "desired_refresh_count": 0
}

    Or realistically: 

    {
  "grant_type": "custom_token",
  "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MDI4MzI2NjcsInN1YiI6ImFkbWluIiwianRpIjoiMGM3ZDBmNDgtODIwMS0xMWU3LWE4MWMtMDcwZmYzOWU3ZjQ0IiwibmJmIjoxNTAyODMyNjY3LCJleHAiOjE1MDI4MzQ0NjcsInJlZnJlc2hUb2tlbkV4cGlyZXNBdCI6MTUwMjgzNTA2NzQxOSwidG9rZW5UeXBlIjoiSldUX0FjY2VzcyIsIm9yaWdpbiI6InBhc3N3b3JkIn0.b2hI6fVA_GbmhCOPM-ZUx6IC8SgCk1AkHXI-llV0r7s",
  "desired_expires_in": 2400,
  "desired_refresh_expires_in": 3000,
  "desired_subject": "api-client",
  "desired_refresh_count": 3
}

    The token can be refreshed 3 times, after that you need to generate another token.

    1. POST that json to obtain the access token. For example, if I was using curl, I would: 
      curl -X POST \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  -d '{ 
    "grant_type": "custom_token", 
    "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MDI4MzU5NjgsInN1YiI6ImFkbWluIiwianRpIjoiYmMyNjM4N2EtODIwOC0xMWU3LWE4MWMtYzNlYTZkZjJjZThjIiwibmJmIjoxNTAyODM1OTY4LCJleHAiOjE1MDI4Mzc3NjgsInJlZnJlc2hUb2tlbkV4cGlyZXNBdCI6MTUwMjgzODM2ODYwNiwidG9rZW5UeXBlIjoiSldUX0FjY2VzcyIsIm9yaWdpbiI6InBhc3N3b3JkIn0.acOE_Y4SEds-NE4Qw99fQlUzdoSkhsjInaCh0a9WK38",
    "desired_expires_in": 2400, 
    "desired_refresh_expires_in": 3000, 
    "desired_subject": "api-client", 
    "desired_refresh_count": 3  
  }' https://ftd.example.com/api/fdm/v3/fdm/token
      1. Retrieve the access tokens from the response, (if status is 200 ok)

        For example this is a response to retrieve an access token. 

        {
  "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MDI4MzU5OTEsInN1YiI6ImFwaS1jbGllbnQiLCJqdGkiOiJjOWIxYzdjYi04MjA4LTExZTctYTgxYy02YmY0NzY3ZmRmZGUiLCJuYmYiOjE1MDI4MzU5OTEsImV4cCI6MTUwMjgzODM5MSwicmVmcmVzaFRva2VuRXhwaXJlc0F0IjoxNTAyODM4OTkxMzMxLCJ0b2tlblR5cGUiOiJKV1RfQWNjZXNzIiwib3JpZ2luIjoiY3VzdG9tIn0.9IVzLjGffVQffHAWdrNkrYfvuO6TgpJ7Zi_z3RYubN8",
  "expires_in": 2400,
  "token_type": "Bearer",
  "refresh_token": "eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MDI4MzU5OTEsInN1YiI6ImFwaS1jbGllbnQiLCJqdGkiOiJjOWIxYzdjYi04MjA4LTExZTctYTgxYy02YmY0NzY3ZmRmZGUiLCJuYmYiOjE1MDI4MzU5OTEsImV4cCI6MTUwMjgzODk5MSwiYWNjZXNzVG9rZW5FeHBpcmVzQXQiOjE1MDI4MzgzOTEzMzEsInJlZnJlc2hDb3VudCI6MywidG9rZW5UeXBlIjoiSldUX1JlZnJlc2giLCJvcmlnaW4iOiJjdXN0b20ifQ.qseqjg3Uo183YvfN_77iJZELEqwpWw5AbKAqAnCIcSA",
  "refresh_expires_in": 3000
}

8.1 Refreshing an Access Token

After an access token expires, you need to refresh it using the refresh token that was supplied in the original grant. A refreshed access token is actually different than the original access token. “Refreshing” actually supplies a new pair of access token and refresh token, it does not simply extend the life of the old access token.

9 FTD Using access token on API calls

After you obtain either a password-granted or custom access token, you must include it on each API call in the Authorization: Bearer header to the HTTPS request.

For example, a curl command to perform GET /object/networks might look like the following:

BASH curl -k -X GET \ -H 'Accept: application/json' \ -H 'Authorization: Bearer eyJhbGciOiJIUz… …vuO6TgpJ7Ziz3RYubN8' \ https://ftd.example.com/api/fdm/v3/object/networks

For more, including how to refresh an access token using json and calls see this developer.cisco.com link.

10 From journey2theccie.wordpress.com site:

10.1 Basic

Basic authentication transmits credentials as username/password pairs separated by a colon. It looks like this in the request:

Authorization: Basic <user>:<pass> These passwords are in plain text and are very insecure unless paired with HTTPS.

10.2 Custom Token

Token auth uses the Bearer HTTP authentication scheme. It is more secure than basic authentication and is used with OAuth and SSO. It uses a token generated by an authentication server. It looks like this in the request:

Authorization: Bearer <token>

It should also be used with HTTPS instead of HTTP.

10.3 API Keys

API keys are generated by a server and assigned to an individual user. To obtain the key, users log into the server using their credentials and get the assigned key. These keys are assigned once and are not regenerated. The user then has to use the key in every request.

Just like Basic & Bearer, it should be paired with HTTPS.

There are two types of API keys:

Public Private A public key can be shared, but a private key must not be shared since it is paired to a user’s credentials. For public keys, you can provide it in a query:

GET https://localhost:8000/v1/devices?API_KEY=YOUR_KEY For private keys, there are a few options for putting them in the header:

Authorization: <APIKEY> #OR Authorization: APIKEY <APIKEY> #OR APIKEY: <APIKEY> You can also put keys in the body of the request:

{ APIKEY: <APIKEY> }

Lastly, you can use a cookie:

Cookie: APIKEY = <APIKEY>

10.4 Home