my cheat sheet on AMP
1 Advanced Malware Protection (AMP)
2 AMP API Authentication HTTP Basic Auth
All API requests must use HTTP Basic Auth, which (if you remember from <link>) uses a header called Authorization with the value "Basic mybase64string", where mybase64string is the base64 encoding of username:password, i.e. echo -n "username:password" | base64.
For AMP, the username is the "client_id" retrieved from the AMP console and the password is the API "key". So you have to log in first to generate the API key, and then use that client_id and key to generate the base64 string for the HTTP Basic Auth requests to the cloud.
Send that, prefixed with the string "Basic" and a space, as the Authorization header. For instance, if your client_id was 1234 and your api_key was "atest", then "1234:atest" would be base64 encoded to "MTIzNDphdGVzdA==", and your header would be:
Authorization: Basic MTIzNDphdGVzdA==
CAUTION: base64 is an encoding, not encryption, so this string is exactly as sensitive as the client_id and key inside it (anyone can decode it back). Do NOT store it unencrypted in this or any other file.
2.1 Generating Client ID and API key:
- login to AMP console
- Go to Accounts > Settings
- Features*
- Configure API Credentials
- generate the key and id
Once you have the API client ID and API key, you can update the envuserzp.py module to store them. Alternatively use the HTTP Basic Authentication shown above, with a header of
Authorization: Basic MTIzNDphdGVzdA==
You can use a script to do this. That script is stored in _
3 Postman Basic Auth vs user:key@url
As of Feb 2nd, 2021, when using Postman I had success when I used the Basic Auth approach. I took my API 3rd-party ID and associated API key and created a base64 string from echo -n "id:key" | base64. From that I then created a header as follows: Authorization: Basic resultingbase64string
What did NOT work was when I tried using the same id and key in this format: https://{{amp4e_client_id}}:{{amp4e_api_key}}@{{amp4e_host}}/v1/computers unless I also added the HTTP Basic auth header. The result was the same.... hmmmm..
Anyway, here is the equivalent Postman-generated Python code:
import requests

# Postman variable form of the URL (credentials embedded in the URL):
url = 'https://{{amp4e_client_id}}:{{amp4e_api_key}}@{{amp4e_host}}/v1/computers'
# ... and with the variables substituted, as Postman emitted it:
url = "https://85f5553ffa9425b99189:kWg1gxce-c14a-4shb-ss3a-a49hs2362yhdnapi.amp.cisco.com/v1/computers"
payload = {}
headers = {
    'Authorization': 'Basic ODVmNTUlas4mYTk0Mj23ggadfhr5uzdfgDQxZGUshdfhje34uyh34rtgfdbJdfgsfhhshhkerzQ1'
}
response = requests.request("GET", url, headers=headers, data=payload, timeout=400)
print(response.text)
I will of course modify that, so as to use my envuserzp.py module that stores all these userid and key pairings.
4 AMP API Rate Limits
API clients are allowed to make a limited number of requests every hour. Each API response includes HTTP headers detailing the status of the rate limit. If the limit is exceeded, the API returns HTTP 429 (Too Many Requests) instead of data.
X-Rate-Limit-Limit      Total requests allowed in the current period
X-Rate-Limit-Remaining  Requests remaining in the current period
X-Rate-Limit-Reset      Seconds before the limit is reset
5 JSON Envelope on all Returns
All data returned will have this format:
{ "version": "1.0.0", "metadata":{}, "data":{}, "errors": [] }
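Putting sections 2 through 5 together, here is an added example of my own (not code from the AMP documentation, from Postman, or from the envuserzp.py module) that builds the Authorization header in Python, reads the X-Rate-Limit-* headers, turns a 429 into a retry delay and unwraps the JSON envelope, using only the standard library. The headers and bodies at the bottom are constructed samples, not captured API output; the host is a parameter and /v1/computers is the endpoint used above; helper names such as parse_rate_limit and unwrap_envelope are mine.

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Optional


def basic_auth_header(client_id: str, api_key: str) -> str:
    """Return the Authorization header value: 'Basic ' + base64(client_id:api_key).
    Building it in Python avoids the echo-newline and shell-escaping pitfalls."""
    creds = f"{client_id}:{api_key}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def parse_rate_limit(headers) -> dict:
    """Read the X-Rate-Limit-* headers AMP puts on every response (names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "limit": int(lowered["x-rate-limit-limit"]),
        "remaining": int(lowered["x-rate-limit-remaining"]),
        "reset_seconds": int(lowered["x-rate-limit-reset"]),
    }


def retry_delay(status: int, headers) -> Optional[int]:
    """For a 429 (Too Many Requests) answer, seconds to wait before retrying; None otherwise."""
    if status != 429:
        return None
    return parse_rate_limit(headers)["reset_seconds"]


def envelope_errors(body: str) -> list:
    """The 'errors' array of the JSON envelope (empty on success)."""
    return json.loads(body).get("errors", [])


def unwrap_envelope(body: str):
    """Return the 'data' member of the envelope, refusing a payload that came with errors."""
    env = json.loads(body)
    if env.get("errors"):
        raise RuntimeError(f"AMP API returned errors: {env['errors']}")
    return env["data"]


def get_computers(host: str, client_id: str, api_key: str, opener=urllib.request.urlopen):
    """GET /v1/computers with the Basic header set explicitly rather than embedded in the URL.
    This is the only function that touches the network; the samples below do not call it."""
    req = urllib.request.Request(
        f"https://{host}/v1/computers",
        headers={"Authorization": basic_auth_header(client_id, api_key),
                 "Accept": "application/json"},
    )
    try:
        with opener(req, timeout=30) as resp:
            limits = parse_rate_limit(resp.headers)
            body = resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:          # urlopen raises on 4xx/5xx, 429 included
        delay = retry_delay(exc.code, exc.headers)
        if delay is not None:
            raise RuntimeError(f"rate limited; retry in {delay}s") from exc
        raise
    return unwrap_envelope(body), limits


# Constructed sample response pieces (not captured from a live AMP tenant):
SAMPLE_HEADERS = {
    "X-Rate-Limit-Limit": "3000",
    "X-Rate-Limit-Remaining": "2998",
    "X-Rate-Limit-Reset": "3371",
}
SAMPLE_BODY = json.dumps({
    "version": "1.0.0",
    "metadata": {"results": {"total": 1}},
    "data": [{"connector_guid": "00000000-0000-0000-0000-000000000000",
              "hostname": "demo-host"}],
    "errors": [],
})
SAMPLE_ERROR_BODY = json.dumps({
    "version": "1.0.0",
    "metadata": {},
    "data": {},
    "errors": [{"error_code": 401, "description": "Unauthorized",
                "details": ["constructed sample error"]}],
})

if __name__ == "__main__":
    print(basic_auth_header("1234", "atest"))            # Basic MTIzNDphdGVzdA==
    print(parse_rate_limit(SAMPLE_HEADERS))
    print(retry_delay(429, SAMPLE_HEADERS), "seconds until the window resets")
    print(unwrap_envelope(SAMPLE_BODY)[0]["hostname"])
    print(envelope_errors(SAMPLE_ERROR_BODY)[0]["description"])
```

The header is rebuilt from the id and key on every call, so the base64 string itself never has to be written down anywhere; and checking the errors array before touching data means an expired key shows up as an exception rather than as an empty result set.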
6 AMP and python API
7 SecureX
Cisco SecureX is built upon a collection of APIs which can be used to integrate your Cisco and third-party security products, automate the incident response process, and manage threat intelligence and security context data in a single location. With SecureX, you can:
Enrich an IP address or file hash.
Load threat intelligence into your Private Intel Store
Manage your casebooks and investigation snapshots
Automate response actions
Provide a link for users to click and Investigate an alert or observable
7.1 SecureX Ribbon
From:
Cisco SecureX is both a centralized console and a distributed set of capabilities that unify visibility, enable automation, accelerate incident response workflows, and improve threat hunting. These distributed capabilities are presented in the form of applications (apps) and tools in the SecureX ribbon.
The ribbon is located in the lower portion of the page, and persists as you move between the dashboard and other security products in your environment.
Use the ribbon to access the casebook, apps, settings, search observables for enrichment, and view incidents.
8 SecureX API Client
You can create an API Client following: secureX API Client link.
9 SecureX Enrich API doc
See link on visibility.amp.cisco.com/iroh
10 ThreatGrid API
Login to GUI is https://panacea.threatgrid.com/login
From there you can retrieve your threatgrid API key
11 Umbrella API
What is a CASB? Cloud Access Security Broker
12 Umbrella's 7 different APIs
13 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Appendices <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
14 Review of base64 encoding
The header value is a string composed of "Basic", followed by a space, followed by the Base64 encoding of "username:password", NOT including the quotes. For example
Basic YWRtaW46TWFnbGV2MTIz
where YWRtaW46TWFnbGV2MTIz is the Base64 encoding of admin:Maglev123.
To get the credentials into a Base64 encoding you can send username:password through any Base64 encoding site, such as base64encode.org, or in the terminal:
echo -n "username:password" | base64
-n is needed to stop echo appending a "\n" to the string. (A web encoder is fine for a throwaway value like the one above; pasting a real client_id and API key into somebody else's site hands them that credential, so do real ones in the terminal or in Python.)
For example, echo "devnet:Cisco123" | base64 (without -n)
gives ZGV2bmV0OkNpc2NvMTIzCg==
Reverse: echo "ZGV2bmV0OkNpc2NvMTIzCg==" | base64 -d
gives devnet:Cisco123 followed by a newline, so the encoded "password" is Cisco123 plus a line feed, which is not the password.
To do it right though, you either use base64encode.org or make sure that you do NOT include a line feed ("\n") in the string you want to encode. For me, all I had to do was change the last character from a "K" to a "=", but the correct way to do this is to have echo not add a linefeed before you pass it to base64. So
echo -n "devnet:Cisco123" | base64
gives ZGV2bmV0OkNpc2NvMTIz and is your ticket.
Note that this is NOT secure. Anyone can decode it with base64 -d just as easily.
Note also that if the password contains characters that are normally interpreted by the shell, you have to keep the shell away from them, and in bash a backslash inside double quotes is NOT the way: "!" triggers history expansion, and escaping it as \! keeps the backslash in the string, so
echo -n "devnet:Cisco123\!" | base64
gives ZGV2bmV0OkNpc2NvMTIzXCE=, which decodes to devnet:Cisco123\! (the wrong password). Single quotes pass the characters through untouched:
echo -n 'devnet:Cisco123!' | base64
gives ZGV2bmV0OkNpc2NvMTIzIQ==, which decodes to devnet:Cisco123!.
The = or == at the end are padding characters, added when the input length is not a multiple of 3 bytes so that the output lands on the 4-character boundary base64 expects (15 bytes needs none, 16 bytes needs ==, 17 bytes needs =).
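The pitfalls above (echo's trailing newline, the bash \! escape, padding, and the fact that a Basic header decodes straight back to the password), reproduced in Python as an added example of my own rather than code from these notes. The helper names (b64, is_valid_base64, credentials_from_basic_header) are mine; the test strings are the devnet:Cisco123 and admin:Maglev123 values used above.

```python
import base64


def b64(text: str, trailing_newline: bool = False) -> str:
    """Encode text the way `echo -n text | base64` does; trailing_newline=True reproduces
    plain `echo`, which appends "\n" to whatever it prints."""
    raw = text.encode("utf-8") + (b"\n" if trailing_newline else b"")
    return base64.b64encode(raw).decode("ascii")


def padding_count(encoded: str) -> int:
    """Number of '=' padding characters (0, 1 or 2), which depends on len(input) % 3."""
    return len(encoded) - len(encoded.rstrip("="))


def is_valid_base64(encoded: str) -> bool:
    """True only if the string decodes cleanly: alphabet characters only and correct padding.
    validate=True makes b64decode refuse stray characters instead of silently skipping them."""
    try:
        base64.b64decode(encoded, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return True


def credentials_from_basic_header(header_value: str) -> tuple:
    """Recover (username, password) from an 'Authorization: Basic ...' value.
    That this takes a few lines is the point: base64 is encoding, not encryption."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")   # password may itself contain ':'
    if not sep:
        raise ValueError("decoded credential has no ':' separator")
    return user, password


if __name__ == "__main__":
    print(b64("devnet:Cisco123"))                          # what echo -n produces
    print(b64("devnet:Cisco123", trailing_newline=True))   # what plain echo produces
    print(b64("devnet:Cisco123!"))                         # single-quoted in bash
    print(b64("devnet:Cisco123\\!"))                       # what "\!" in double quotes really encodes
    print(is_valid_base64("ZGV2bmV0OkNpc2NvMTIzC"))        # a truncated string: False
    print(credentials_from_basic_header("Basic YWRtaW46TWFnbGV2MTIz"))
```

Keep decoding strict when you parse headers or tokens you did not produce yourself: the default b64decode quietly drops characters outside the alphabet, which is exactly how a corrupted or tampered credential string slips through unnoticed.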
15 base64 in python base64.b64encode(auth)
Here's what I did using Python. Notice the b'devnetuser:Cisco123!' (a bytes literal):
import base64
auth = b'devnetuser:Cisco123!'
base64.b64encode(auth)
Note that b64encode requires a bytes type object, NOT a str. So if I were to make auth = 'devnetuser:Cisco123!' the encoding would fail with a TypeError.
Very similarly for AMP:
a_id = env_user_zp.AMP["ID"]
a_passwd = env_user_zp.AMP["KEY"]
amp_creds_string = a_id + ":" + a_passwd
b_amp_creds_string = str.encode(amp_creds_string)
basic_auth_str = base64.b64encode(b_amp_creds_string)
This is to show what is going on. I can shorten that to:
amp_creds_string = env_user_zp.AMP["ID"] + ":" + env_user_zp.AMP["KEY"]   # results in '85f5553ffa9425b99189:e84041de-c14a-46eb-973a-a495faaa8c45'
b_amp_creds_string = str.encode(amp_creds_string)   # results in b'85f5553ffa9425b99189:e84041de-c14a-46eb-973a-a495faaa8c45'
basic_auth_str = base64.b64encode(b_amp_creds_string)   # results in b'ODVmNTU1M2ZmYTk0MjViOTkxODk6ZTg0MDQxZGUtYzE0YS00NmViLTk3M2EtYTQ5NWZhYWE4YzQ1'
Note that basic_auth_str is still bytes; basic_auth_str.decode('ascii') gives the str that goes after "Basic " in the header.
15.0.1 decoding base64
echo "ZGV2bmV0OkNpc2NvMTIzXCEK" | base64 --decode -i
to decode; -i (--ignore-garbage) makes base64 skip any non-base64 characters instead of failing, which also hides a corrupted string, so leave it off when you want to know the input is clean. (That string decodes to devnet:Cisco123\! followed by a newline.)
Example to get a str back from the bytes type:
import base64
message = "Python is fun"
message_bytes = message.encode('ascii')
base64_bytes = base64.b64encode(message_bytes)
base64_message = base64_bytes.decode('ascii')
print(base64_message)
From my ipython session:
In [1]: mystring = "Hello World!"
In [4]: mybytes = mystring.encode('ascii')
In [5]: mybytes
Out[5]: b'Hello World!'
In [6]: type(mybytes)
Out[6]: bytes
In [7]: import base64
In [8]: mybase64bytes = base64.b64encode(mybytes)
In [9]: mybase64bytes
Out[9]: b'SGVsbG8gV29ybGQh'
In [10]: back2string = mybase64bytes.decode('ascii')
In [11]: back2string
Out[11]: 'SGVsbG8gV29ybGQh'
In [12]: type(back2string)
Out[12]: str