my cheat sheet on AMP


2 AMP API Authentication HTTP Basic Auth

All API requests must use HTTP Basic Auth, which (if you remember from <link>) uses a header called Authorization: with the value "Basic mybase64string".

mybase64string is the base64 encoding of username:password, i.e. echo -n "username:password" | base64. For AMP, the username is the "client_id" retrieved from the AMP console and the password is the "key". So you have to log in first to generate the API credentials, and then use that ID and key to build the base64 string for HTTP Basic Auth requests to the cloud.

Send that, prefixed with the string "Basic " as the Authorization header. For instance, if your client_id was 1234 and your api_key was "atest", then "1234:atest" base64-encodes to "MTIzNDphdGVzdA==", and your header would be:

Authorization: Basic MTIzNDphdGVzdA==

CAUTION: base64 is an encoding, not encryption, so this string is exactly as sensitive as the client_id and key inside it. Do NOT store it unencrypted in this or any other file.

2.1 Generating Client ID and API key:

  • Log in to the AMP console
  • Go to Accounts > Settings
  • Features
  • Configure API Credentials
  • Generate the key and ID

Once you have the API client ID and API key, you can store them in the envuserzp.py module.

Alternatively, use the HTTP Basic Authentication shown above, with a header of Authorization: Basic MTIzNDphdGVzdA==. You can use a script to do this. That script is stored in _

3 Postman Basic Auth vs user:key@url

As of Feb 2nd, 2021, when using Postman, I had success when I used the Basic Auth approach. I took my API 3rd party ID and associated API Key and created a base64 string from echo -n "id:key" | base64. From that I then created a header as follows: Authorization: resultingbase64string

What did NOT work was when I tried using the same id and key in this format: https://{{amp4e_client_id}}:{{amp4e_api_key}}@{{amp4e_host}}/v1/computers unless I also added the HTTP Basic auth header.

The result was the same…. hmmmm..

Anyway, here is the equivalent Postman generated Python code:

import requests

# Postman template form of the URL, with the credentials embedded as user:key@host:
#   https://{{amp4e_client_id}}:{{amp4e_api_key}}@{{amp4e_host}}/v1/computers
# Concrete form, with <placeholders> standing in for the real client ID, key and host:
url = "https://<amp4e_client_id>:<amp4e_api_key>@<amp4e_host>/v1/computers"

payload = {}
headers = {
  # base64 of "<amp4e_client_id>:<amp4e_api_key>", prefixed with "Basic "
  'Authorization': 'Basic <base64 of client_id:api_key>'
}

response = requests.request("GET", url, headers=headers, data=payload, timeout=400)

print(response.text)

I will of course modify that, so as to use my envuserzp.py module that stores all these userid and key pairings.

4 AMP API Rate Limits

API clients are allowed to make a limited number of requests every hour. Each API response includes HTTP headers detailing the status of the rate limit. If the limit is exceeded, an HTTP 429 error is returned.

  • X-Rate-Limit-Limit: total requests allowed in the current period
  • X-Rate-Limit-Remaining: requests remaining
  • X-Rate-Limit-Reset: seconds before the limit is reset

5 JSON Envelope on all Returns

All data returned will have this format:

{
  "version": "1.0.0",
  "metadata":{},
  "data":{},
  "errors": []
}
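Putting sections 2, 4 and 5 together: an added example (not code from the cheat sheet) that builds the Basic header from a client_id and key, prepares the request with the credentials in the header only, and unpacks the X-Rate-Limit-* headers and the JSON envelope of a response, including the 429 case. The host name AMP_HOST is an assumption; the sample response is constructed.

```python
import base64
import json
import urllib.request

# Assumption: the North America AMP cloud; use the host your console shows.
AMP_HOST = "api.amp.cisco.com"


def basic_auth_header(client_id: str, api_key: str) -> str:
    """Header value for the console's client_id and key: "Basic " + base64 of
    "client_id:api_key", the same thing echo -n "id:key" | base64 produces."""
    raw = f"{client_id}:{api_key}".encode("ascii")  # b64encode wants bytes, not str
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(client_id: str, api_key: str, path: str = "/v1/computers") -> urllib.request.Request:
    """Prepare (without sending) a GET whose credentials travel only in the
    Authorization header, not in the user:key@host form of the URL."""
    req = urllib.request.Request(f"https://{AMP_HOST}{path}")
    req.add_header("Authorization", basic_auth_header(client_id, api_key))
    req.add_header("Accept", "application/json")
    return req


def interpret_response(status: int, headers: dict, body: str) -> dict:
    """Unpack one response: the X-Rate-Limit-* headers and the JSON envelope.
    On 429 the hourly quota is spent; wait X-Rate-Limit-Reset seconds before retrying."""
    rate = {name: int(headers.get(f"X-Rate-Limit-{name.title()}", 0))
            for name in ("limit", "remaining", "reset")}
    if status == 429:
        return {"ok": False, "retry_after": rate["reset"], "rate": rate, "data": None, "errors": []}
    envelope = json.loads(body)  # {"version": ..., "metadata": {}, "data": ..., "errors": []}
    errors = envelope.get("errors", [])
    return {"ok": status == 200 and not errors, "retry_after": 0, "rate": rate,
            "data": envelope.get("data"), "errors": errors}


if __name__ == "__main__":
    # Constructed sample: the cheat sheet's worked values (client_id 1234, key "atest")
    # and a made-up 200 response carrying rate-limit headers and an envelope.
    print(basic_auth_header("1234", "atest"))  # Basic MTIzNDphdGVzdA==
    sample_headers = {"X-Rate-Limit-Limit": "3000", "X-Rate-Limit-Remaining": "2999",
                      "X-Rate-Limit-Reset": "3599"}
    sample_body = json.dumps({"version": "1.0.0", "metadata": {}, "data": [{"hostname": "host-1"}], "errors": []})
    print(interpret_response(200, sample_headers, sample_body))
```

To actually send the prepared request, pass it to urllib.request.urlopen and feed the status, headers and body into interpret_response.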

6 AMP and python API

7 SecureX

Cisco SecureX is built upon a collection of APIs which can be used to integrate your Cisco and third-party security products, automate the incident response process, and manage threat intelligence and security context data in a single location. With SecureX, you can:

  • Enrich an IP address or file hash
  • Load threat intelligence into your Private Intel Store
  • Manage your casebooks and investigation snapshots
  • Automate response actions
  • Provide a link for users to click and investigate an alert or observable

7.1 SecureX Ribbon

From:

Cisco SecureX is both a centralized console and a distributed set of capabilities that unify visibility, enable automation, accelerate incident response workflows, and improve threat hunting. These distributed capabilities are presented in the form of applications (apps) and tools in the SecureX ribbon.

The ribbon is located in the lower portion of the page, and persists as you move between the dashboard and other security products in your environment.

Use the ribbon to access the casebook, apps, settings, search observables for enrichment, and view incidents.

8 SecureX API Client

You can create an API Client by following the SecureX API Client link.

9 SecureX Enrich API doc

10 ThreatGrid API

Login to GUI is https://panacea.threatgrid.com/login

From there you can retrieve your threatgrid API key

11 Umbrella API

Figure 1: Umbrella Overview (image: Umbrella-overview.png)

Figure 2: Umbrella Capabilities (image: Umbrella-capabilities.png)

What is a CASB? Cloud Access Security Broker

12 Umbrella's 7 different APIs

Figure 3: Umbrella's Seven APIs (image: Umbrella-APIs.png)

13 Appendices

14 Review of base64 encoding

The header value is the string "Basic", followed by a space, followed by the Base64 encoding of "username:password", NOT including the quotes. For example Basic YWRtaW46TWFnbGV2MTIz, where YWRtaW46TWFnbGV2MTIz is the Base64 encoding.

To get the credentials into Base64 you can send username:password through any Base64 encoding site, such as base64encode.org, or do it in the terminal:

  • echo -n "username:password" | base64 (the -n is needed to stop echo appending a \n to the string)

For example, echo -n "devnet:Cisco123" | base64 gets me ZGV2bmV0OkNpc2NvMTIzC

Reverse: echo "ZGV2bmV0OkNpc2NvMTIzC" | base64 -d gets me devnet:Cisco123

To do it right, though, you either use base64encode.org or make sure that you do NOT include a line feed ("\n") in the string you want to encode. For me, all I had to do was change the last character from a "K" to a "=". But the correct way is to have echo not add a linefeed before you pass it to base64, so echo -n "username:password" | base64 is your ticket.

Note that this is NOT secure: anyone can decode it with base64 as well. Note also that if you want the password to contain special characters that are normally interpreted by the shell, you must escape the character with \ first, as in echo -n "devnet:Cisco123\!" | base64, which is ZGV2bmV0OkNpc2NvMTIzXCEK=

The = or == at the end of the string are padding characters, added when the input length is not a multiple of the 3-byte groups that base64 works on.

15 base64 in python base64.b64encode(auth)

Here's what I did using python. Notice the b'devnetuser:Cisco123!'

import base64
auth = b'devnetuser:Cisco123!'
base64.b64encode(auth)

Note that b64encode requires a bytes type object, NOT a string. So if I were to make auth = 'devnetuser:Cisco123!' (a str), the encoding will fail (b64encode raises a TypeError).

Very similarly for AMP

import base64
import env_user_zp  # local module holding the AMP client ID and key

a_id = env_user_zp.AMP["ID"]
a_passwd = env_user_zp.AMP["KEY"]
amp_creds_string = a_id + ":" + a_passwd          # "client_id:key" as a str
b_amp_creds_string = str.encode(amp_creds_string)  # b64encode needs bytes
basic_auth_str = base64.b64encode(b_amp_creds_string)

That is spelled out to show what is going on. I can shorten it to:

   amp_creds_string = env_user_zp.AMP["ID"] + ":" + env_user_zp.AMP["KEY"]
   # results in '85f5553ffa9425b99189:e84041de-c14a-46eb-973a-a495faaa8c45'

   b_amp_creds_string = str.encode(amp_creds_string)
   # results in b'85f5553ffa9425b99189:e84041de-c14a-46eb-973a-a495faaa8c45'

   basic_auth_str = base64.b64encode(b_amp_creds_string)
   # results in b'ODVmNTU1M2ZmYTk0MjViOTkxODk6ZTg0MDQxZGUtYzE0YS00NmViLTk3M2EtYTQ5NWZhYWE4YzQ1'

15.0.1 decoding base64

echo "ZGV2bmV0OkNpc2NvMTIzXCEK" | base64 --decode -i decodes it; the -i (--ignore-garbage) flag makes GNU base64 ignore non-base64 characters.

Example to get strings from the bytes type

import base64

message = "Python is fun"
message_bytes = message.encode('ascii')
base64_bytes = base64.b64encode(message_bytes)
base64_message = base64_bytes.decode('ascii')

print(base64_message)

From my ipython session:

In [1]: mystring = "Hello World!"

In [4]: mybytes = mystring.encode('ascii')

In [5]: mybytes
Out[5]: b'Hello World!'

In [6]: type(mybytes)
Out[6]: bytes

In [7]: import base64
In [8]: mybase64bytes = base64.b64encode(mybytes)

In [9]: mybase64bytes
Out[9]: b'SGVsbG8gV29ybGQh'

In [10]: back2string = mybase64bytes.decode('ascii')

In [11]: back2string
Out[11]: 'SGVsbG8gV29ybGQh'

In [12]: type(back2string)
Out[12]: str
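The mistakes sections 14 and 15 walk through (a forgotten "Basic " prefix, a stray "=" or bad padding, and the trailing newline that echo without -n sneaks into the credentials) all show up when you decode the header you are about to send. This added diagnostic (not from the cheat sheet) does that decoding and names the problem; the sample headers are constructed from the devnet:Cisco123 example above.

```python
import base64
import binascii


def inspect_basic_header(value: str) -> dict:
    """Decode an Authorization header value and name the mistakes this cheat sheet
    trips over: no "Basic " prefix, a length that cannot be valid base64 (bad
    padding or a stray "="), or a newline that echo without -n appended to the
    credentials before base64 ever saw them. Returns the user name, never the password."""
    problems = []
    if value.startswith("Basic "):
        token = value[len("Basic "):]
    else:
        problems.append("missing 'Basic ' prefix")
        token = value
    if len(token) % 4 != 0:
        problems.append("length not a multiple of 4: bad padding or stray characters")
        return {"user": None, "problems": problems}
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        problems.append("not valid base64")
        return {"user": None, "problems": problems}
    creds = raw.decode("utf-8", errors="replace")
    if creds.endswith("\n"):
        problems.append("trailing newline in credentials (use echo -n)")
        creds = creds.rstrip("\n")
    user, sep, _password = creds.partition(":")
    if not sep:
        problems.append("no ':' between user and password")
    return {"user": user, "problems": problems}


if __name__ == "__main__":
    # Constructed inputs built from the cheat sheet's devnet:Cisco123 example.
    for header in ("Basic ZGV2bmV0OkNpc2NvMTIz",        # correct
                   "Basic ZGV2bmV0OkNpc2NvMTIzCg==",    # echo without -n
                   "ZGV2bmV0OkNpc2NvMTIz"):             # prefix forgotten
        print(header, "->", inspect_basic_header(header))
```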
