topic Re: API query with an exact match? in Endpoint Security

API query with an exact match?

Ken Stieers — Thu, 18 Jun 2020 16:27:52 GMT

Good morning.

When I do an api call, for groups, using this URI:

https://api.amp.cisco.com/v1/groups?name=Protect

It returns all of the groups with 'Protect' in their names...

Is there a way to tell the API to just return the ONE group with the name of "Protect"?

Ken

Re: API query with an exact match?

Matthew Franks — Thu, 18 Jun 2020 17:50:58 GMT

Ken,

The groups API call uses a wildcard for the name search so it will return all groups with Protect in the name. For information on an exact match you would need to use the Group GUID with the groups/{guid} API call.

Thanks,

Matt

Re: API query with an exact match?

jesutorr@cisco.com — Thu, 18 Jun 2020 18:05:53 GMT

Hi Ken,

Thanks for using Cisco Community, regarding your inquiry you can get a specific group using the API.

This information can be found in the API Documentation: https://api-docs.amp.cisco.com/api_resources/Group?api_host=api.amp.cisco.com&api_version=v1

You can get the information about a specific group by using the GUID of the group.

https://api.amp.cisco.com/v1/groups/5cdf70dd-1b14-46a0-be90-e08da14172d8

The 5cdf70dd-1b14-46a0-be90-e08da14172d8 is the GUID of the group, but how to get this ID?

* Using API

You can use this query to get all the information about the groups.

https://api.amp.cisco.com/v1/groups

Once you have the GUID you can use it in the query.

https://api.amp.cisco.com/v1/groups/TheGroupGUID

I hope this information can be useful to you.

Have a great day!!!

Uri

Re: API query with an exact match?

Ken Stieers — Thu, 18 Jun 2020 18:08:09 GMT

😞

I'm writing a script to do moves to a group, based on someone not having access to the api. "Move machine x to group y" without knowing what "y" will be...

I hoping I wouldn't have to loop through the returned list.

Thanks!

Ken

Re: API query with an exact match?

Ken Stieers — Thu, 18 Jun 2020 18:09:45 GMT

I got that already...

See my answer to Matt's response.

Re: API query with an exact match?

Matthew Franks — Thu, 18 Jun 2020 19:11:59 GMT

Ken,

I did something very similar recently and had to parse the output to get the group GUID. You may find some useful resources at github.com/CiscoSecurity if you're not aware of that repository.

I took the liberty of combining some existing Python code to parse your Groups. You may want some different information but this should be a good start. You just need to input your API credentials.

import requests

amp_client_id = ''
amp_api_key = ''

def displayGroups():
    url = 'https://api.amp.cisco.com/v1/groups'

    request = requests.get(url, auth=(amp_client_id, amp_api_key))
    response = request.json()

    print('[{:^5}]   {:^30} {:^15}'.format('Index', 'Name', 'Product'))

    index = 0
    for item in response["data"]:
        index = index + 1
        print('[{:^5}]   {:<30} {:^15}'.format(
            index,
            item['name'],
            item['guid'],
        ))
    print("------------------------------------------")
    index = input("Index: ")
    index = index.strip()

    if not index.isdigit():
        print("Invalid index")
        return

    index = int(index) - 1
    if not (0 <= index < len(response['data'])):
        print("Invalid index")
        return

    guid = response['data'][index]['guid']

    # get the details of a particular group
    url = "https://api.amp.cisco.com/v1/groups/" + guid
    request = requests.get(url, auth=(amp_client_id, amp_api_key))
    response = request.json()
    data = response["data"]
    #print(data)

    print("\nGroup details:")
    print("\tName : " + data["name"] )
    print("\tGuid : " + data["guid"])
    print("\n\tPolicies : ")
    for num, policy in enumerate(data['policies'], start=0):
        print("\t\tName: {}".format(data['policies'][num]['name']))
        print("\t\tGuid: {}".format(data['policies'][num]['guid']))
        print("\t\tProduct: {}\n".format(data['policies'][num]['product']))

if __name__ == '__main__':
    while True:
        # Print the menu
        print("""
                   Advanced Malware Protection (AMP) - Cloud
    
                Retrieve Information About a Particular Group :
                        """)

        displayGroups()

        again = input(" Do you want to run again?(y/n): ")
        again = again.strip()
        if again == 'y' or again == 'Y':
            continue
        break

Thanks,

Matt

Re: API query with an exact match?

Ken Stieers — Thu, 18 Jun 2020 19:20:09 GMT

That's all in python, I'm doing it Powershell.

(BTW, this is all an X/Y problem)

The specific issue is new machines go into a group with Orbital turned off, as the Orbital install seems to me messing about with other installs being run by the SCCM task sequence.

So at the end of the task sequence, we'll move the machine to the correct group and let Orbital do its thing later.

But that requires running something that the machine already has, without installing yet more stuff...

So Powershell... and I'm trying to get cute...

Errors written to the event log, the script is "configurable" so that we change one parameter to so change which group, etc.

So, I'll toss out the feature request for an 'exact match' parameter on queries?

For groups, computers, policies, there are probably others the people might need?

Re: API query with an exact match?

Ken Stieers — Mon, 03 Jun 2024 13:18:56 GMT

Hey guys... in powershell, here's how to do it

Assuming $GroupResponse holds the response to an Invoke-RestMethod to https://api.amp.cisco.com/v1/groups?name=Protect, this will get the guid of the exact match:

$groupguid = $GroupResponse.data | where { $_.name -eq $SourceGroupName } | Select -ExpandProperty Guid