https://community.cisco.com/t5/endpoint-security/amp4e-api-create-new-event-stream-using-powershell/m-p/3928610#M34 <P>So, just as an update...</P><P>&nbsp;</P><P>Without adding the other Group GUIDs to the connection, I am still seeing events from ALL of the groups we currently have in out AMP deployment.</P><P>&nbsp;</P><P>Which then leads me to presuppose that the initial GUID value in the request was simply a 'place marker' rather than an actual functioning filter or limiter...</P><P>&nbsp;</P><P>* shrug *</P> Mon, 23 Sep 2019 14:18:27 GMT MichaelErana 2019-09-23T14:18:27Z https://community.cisco.com/t5/endpoint-security/amp4e-api-create-new-event-stream-using-powershell/m-p/3910916#M19 <P>First off a nod to&nbsp;<SPAN class="UserName lia-user-name lia-user-rank-Beginner lia-component-message-view-widget-author-username"><A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/225679" target="_self"><SPAN class="">ChiefSec-SF</SPAN></A>&nbsp;&amp;&nbsp;<SPAN class=""><A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/824426" target="_self">Orlith</A>&nbsp;for their contributions.</SPAN></SPAN></P><P>Objective: Use PowerShell to create a new Event Stream.</P><P>&nbsp;</P><P>Define Authentication Credentials</P><PRE>$Credentials = GET-CREDENTIAL –Credential (Get-Credential) $RESTAPIUser = $Credentials.UserName $RESTAPIPassword = $Credentials.GetNetworkCredential().Password $apiCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($RESTAPIUser+":"+$RESTAPIPassword))</PRE><P>Next set TLS so we don't get annoying errors</P><PRE>[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12</PRE><P>Now start building the headers</P><PRE>$headers = @{} $headers.add("accept","application/json") $headers.add("Content-Type","application/json") $headers.add("Authorization", "Basic $apiCreds")</PRE><P>Get a list of the current event types for use in the stream construction</P><PRE>$url = "https://api.amp.cisco.com/v1/event_types" $etList = Invoke-RestMethod -Method GET -Headers $headers -Uri $url $etListSimple = $etList.data.id</PRE><P>I know I could have simplified that but I like to be able to Get-Method on the higher level object as I sort stuff out.</P><P>$etListSimple are the IDs of all of the event types.</P><P>Ideally I would like to also include all of the groups that I currently have defined and I could do that with the following:</P><PRE>$url = "https://api.amp.cisco.com/v1/groups" $ggList = Invoke-RestMethod -Method GET -Headers $headers -Uri $url $gGUIDs = $ggList.data.guid</PRE><P>$gGUIDs would be all of the group GUIDs presently defined.</P><P>Now to redefine the headers for the actual event stream creation attempt.</P><PRE>$headers = @{} $headers.add("accept","application/json") $headers.add("Content-Type","application/json") $headers.add("Accept-Encoding","gzip, deflate") $headers.add("content-length","99") $headers.add("Authorization", "Basic $apiCreds")</PRE><P>Next we assemble the post body</P><PRE>$guid = "b1143121-0ffc-4c89-98b4-e3151ded376d" $postData = @{name = "ampTest01" event_type = $etListSimple group_guid = $guid } $body = $postData | convertto-json -compress</PRE><P>Looks legit so far.</P><P>Here's where I start to run into trouble. Invoke-RestMethod was unsuccessful in past attempts. Perhaps because of the need to provide "Compress" as a parameter as shown in the <A href="https://api-docs.amp.cisco.com/api_actions/details?api_action=POST+%2Fv1%2Fevent_streams&amp;api_host=api.amp.cisco.com&amp;api_resource=EventStream&amp;api_version=v1" target="_blank" rel="noopener">cURL example</A>. Therefore I went with Invoke-WebRequest instead.</P><PRE>$esCreateResult = invoke-webrequest -Method Post -uri $url -TransferEncoding "Compress" -Headers $headers -Body $body</PRE><P>Un-fortunately this is unsuccessful also. The error is not really helpful so I am hoping someone out there can throw me a bone.</P><P>&nbsp;</P><LI-SPOILER>PS C:\WIP&gt; $esCreateResult = invoke-webrequest -Method Post -uri $url -TransferEncoding "Compress" -Headers $headers -Body $body<BR />invoke-webrequest : Internal Server Error<BR />The server encountered an internal error or misconfiguration and was unable to complete your request.<BR />Please contact the server administrator at webmaster@immunet.com to inform them of the time this error occurred, and the actions you performed just before this error.<BR />More information about this error may be available in the server error log.<BR />At line:1 char:19<BR />+ ... ateResult = invoke-webrequest -Method Post -uri $url -TransferEncodin ...<BR />+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<BR />+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException<BR />+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand</LI-SPOILER><P>The final objective is to include ALL groups in the stream and not just the one as I am showing in this example.</P><P>&nbsp;</P><P>Looking forward to your comments and suggestions.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Feb 2020 05:10:32 GMT https://community.cisco.com/t5/endpoint-security/amp4e-api-create-new-event-stream-using-powershell/m-p/3910916#M19 MichaelErana 2020-02-21T05:10:32Z https://community.cisco.com/t5/endpoint-security/amp4e-api-create-new-event-stream-using-powershell/m-p/3928610#M34 <P>So, just as an update...</P><P>&nbsp;</P><P>Without adding the other Group GUIDs to the connection, I am still seeing events from ALL of the groups we currently have in out AMP deployment.</P><P>&nbsp;</P><P>Which then leads me to presuppose that the initial GUID value in the request was simply a 'place marker' rather than an actual functioning filter or limiter...</P><P>&nbsp;</P><P>* shrug *</P> Mon, 23 Sep 2019 14:18:27 GMT https://community.cisco.com/t5/endpoint-security/amp4e-api-create-new-event-stream-using-powershell/m-p/3928610#M34 MichaelErana 2019-09-23T14:18:27Z