08-20-2019 07:56 AM - edited 02-20-2020 09:10 PM
First off a nod to ChiefSec-SF & Orlith for their contributions.
Objective: Use PowerShell to create a new Event Stream.
Define Authentication Credentials
```powershell
# Prompt for the API client ID (user name) and API key (password) instead of storing them in the script
$Credentials = Get-Credential
$RESTAPIUser = $Credentials.UserName
$RESTAPIPassword = $Credentials.GetNetworkCredential().Password
# HTTP Basic value: base64("<client id>:<api key>")
$apiCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($RESTAPIUser + ":" + $RESTAPIPassword))
```
Next set TLS so we don't get annoying errors
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```
Now start building the headers
```powershell
$headers = @{}
$headers.Add("accept", "application/json")
$headers.Add("Content-Type", "application/json")
$headers.Add("Authorization", "Basic $apiCreds")
```
Get a list of the current event types for use in the stream construction
```powershell
$url = "https://api.amp.cisco.com/v1/event_types"
$etList = Invoke-RestMethod -Method GET -Headers $headers -Uri $url
# Keep only the numeric event type IDs from the data array
$etListSimple = $etList.data.id
```
I know I could have simplified that but I like to be able to Get-Method on the higher level object as I sort stuff out.
$etListSimple are the IDs of all of the event types.
Ideally I would like to also include all of the groups that I currently have defined and I could do that with the following:
```powershell
$url = "https://api.amp.cisco.com/v1/groups"
$ggList = Invoke-RestMethod -Method GET -Headers $headers -Uri $url
# Keep only the group GUIDs from the data array
$gGUIDs = $ggList.data.guid
```
$gGUIDs would be all of the group GUIDs presently defined.
Now to redefine the headers for the actual event stream creation attempt.
```powershell
$headers = @{}
$headers.Add("accept", "application/json")
$headers.Add("Content-Type", "application/json")
$headers.Add("Accept-Encoding", "gzip, deflate")
# No hand-set content-length: the cmdlet computes it from the body, and a fixed
# value such as "99" would not match the JSON actually sent
$headers.Add("Authorization", "Basic $apiCreds")
```
Next we assemble the post body
```powershell
$guid = "b1143121-0ffc-4c89-98b4-e3151ded376d"
$postData = @{
    name       = "ampTest01"
    event_type = $etListSimple   # array of event type IDs
    group_guid = $guid           # a single group GUID for this example
}
$body = $postData | ConvertTo-Json -Compress
```
Looks legit so far.
Here's where I start to run into trouble. Invoke-RestMethod was unsuccessful in past attempts. Perhaps because of the need to provide "Compress" as a parameter as shown in the cURL example. Therefore I went with Invoke-WebRequest instead.
```powershell
# Note: $url still holds the /v1/groups address assigned in the group lookup above
$esCreateResult = Invoke-WebRequest -Method Post -Uri $url -TransferEncoding "Compress" -Headers $headers -Body $body
```
Unfortunately this is unsuccessful also. The error is not really helpful so I am hoping someone out there can throw me a bone.
The final objective is to include ALL groups in the stream and not just the one as I am showing in this example.
Looking forward to your comments and suggestions.
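The same flow assembled into one script that creates a stream covering every group, added here as an example and not taken from the post above. It assumes the /v1/event_types, /v1/groups and /v1/event_streams paths under api.amp.cisco.com, a response object exposing data.id, and an API client ID and key typed at the prompt; the constructed stream name is a placeholder.

```powershell
# Added example, not from the original post. Assumed: the base URL and the
# /v1/event_types, /v1/groups and /v1/event_streams paths, and a response
# carrying data.id; the API client ID and key are entered at the prompt.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$base = "https://api.amp.cisco.com/v1"

$cred  = Get-Credential -Message "AMP API client ID (user name) and API key (password)"
$pair  = "{0}:{1}" -f $cred.UserName, $cred.GetNetworkCredential().Password
$token = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))

# One header set for every call. Content-Length is left to Invoke-RestMethod,
# which computes it from the body that is actually sent.
$headers = @{
    "Accept"        = "application/json"
    "Content-Type"  = "application/json"
    "Authorization" = "Basic $token"
}

$eventTypeIds = (Invoke-RestMethod -Method Get -Uri "$base/event_types" -Headers $headers).data.id
$groupGuids   = (Invoke-RestMethod -Method Get -Uri "$base/groups" -Headers $headers).data.guid

# Both fields are JSON arrays; @() keeps a single value from collapsing to a scalar.
$body = @{
    name       = "ampAllGroups01"        # constructed stream name
    event_type = @($eventTypeIds)
    group_guid = @($groupGuids)
} | ConvertTo-Json -Depth 4 -Compress

try {
    $stream = Invoke-RestMethod -Method Post -Uri "$base/event_streams" -Headers $headers -Body $body
    # The response (assumed shape) also carries the consumer's AMQP credentials,
    # which are a secret, so only the stream id and the group count are echoed.
    "Created event stream {0} for {1} groups" -f $stream.data.id, @($groupGuids).Count
}
catch {
    # The API's error body, when the cmdlet captured one, is more useful than the generic exception text.
    $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
    throw "POST $base/event_streams failed: $detail"
}
```

The `Get-Credential` prompt and the base64 token live only in the session; nothing about the API key is written to disk or to the console.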
09-23-2019 07:18 AM
So, just as an update...
Without adding the other Group GUIDs to the connection, I am still seeing events from ALL of the groups we currently have in our AMP deployment.
Which then leads me to presuppose that the initial GUID value in the request was simply a 'place marker' rather than an actual functioning filter or limiter...
* shrug *