cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3288
Views
5
Helpful
1
Replies

AMP4E API - Create new Event Stream using PowerShell

MichaelErana
Level 1
Level 1

First off a nod to ChiefSec-SF & Orlith for their contributions.

Objective: Use PowerShell to create a new Event Stream.

 

Define Authentication Credentials

$Credentials = GET-CREDENTIAL –Credential (Get-Credential)
$RESTAPIUser = $Credentials.UserName
$RESTAPIPassword = $Credentials.GetNetworkCredential().Password

$apiCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($RESTAPIUser+":"+$RESTAPIPassword))

Next set TLS so we don't get annoying errors

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Now start building the headers

$headers = @{}
$headers.add("accept","application/json")
$headers.add("Content-Type","application/json")
$headers.add("Authorization", "Basic $apiCreds")

Get a list of the current event types for use in the stream construction

$url = "https://api.amp.cisco.com/v1/event_types"
$etList = Invoke-RestMethod -Method GET -Headers $headers -Uri $url

$etListSimple = $etList.data.id

I know I could have simplified that but I like to be able to Get-Method on the higher level object as I sort stuff out.

$etListSimple are the IDs of all of the event types.

Ideally I would like to also include all of the groups that I currently have defined and I could do that with the following:

$url = "https://api.amp.cisco.com/v1/groups"
$ggList = Invoke-RestMethod -Method GET -Headers $headers -Uri $url
$gGUIDs = $ggList.data.guid

$gGUIDs would be all of the group GUIDs presently defined.

Now to redefine the headers for the actual event stream creation attempt.

$headers = @{}
$headers.add("accept","application/json")
$headers.add("Content-Type","application/json")
$headers.add("Accept-Encoding","gzip, deflate")
$headers.add("content-length","99")
$headers.add("Authorization", "Basic $apiCreds")

Next we assemble the post body

$guid = "b1143121-0ffc-4c89-98b4-e3151ded376d"

$postData = @{name = "ampTest01"
	event_type = $etListSimple
	group_guid = $guid
	}

$body = $postData | convertto-json -compress

Looks legit so far.

Here's where I start to run into trouble. Invoke-RestMethod was unsuccessful in past attempts. Perhaps because of the need to provide "Compress" as a parameter as shown in the cURL example. Therefore I went with Invoke-WebRequest instead.

$esCreateResult = invoke-webrequest -Method Post -uri $url -TransferEncoding "Compress" -Headers $headers -Body $body

Un-fortunately this is unsuccessful also. The error is not really helpful so I am hoping someone out there can throw me a bone.

 

Spoiler
PS C:\WIP> $esCreateResult = invoke-webrequest -Method Post -uri $url -TransferEncoding "Compress" -Headers $headers -Body $body
invoke-webrequest : Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at webmaster@immunet.com to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
At line:1 char:19
+ ... ateResult = invoke-webrequest -Method Post -uri $url -TransferEncodin ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

The final objective is to include ALL groups in the stream and not just the one as I am showing in this example.

 

Looking forward to your comments and suggestions.

 

 

 

 

 

 

 

1 Reply 1

MichaelErana
Level 1
Level 1

So, just as an update...

 

Without adding the other Group GUIDs to the connection, I am still seeing events from ALL of the groups we currently have in out AMP deployment.

 

Which then leads me to presuppose that the initial GUID value in the request was simply a 'place marker' rather than an actual functioning filter or limiter...

 

* shrug *