Some handy tips for AMP4E API connections with PowerShell

ChiefSec-SF (Level 1)

Thought I would share some things I found in case it saves someone else some time. The API documentation is good, but all in cURL and some of the items can be a little bit misleading when coming at it from a Windows Admin background. (I am not going to cover creating your API key)

First off, in the Documentation they state:

Using the API Key and Client ID

Once you have the API client ID and API key, you can make the API calls as follows:

https://<your_client_id>:<your_api_key>@<api_endpoint>

So this is basically not right at all. If you are in the US region the endpoint url you want is just "https://api.amp.cisco.com"

The client id and api key get sent in the header section.

The method that I found worked the best was to use Invoke-RestMethod

The tricky part is how to get the formatting of the header section correct. (The required header entries are covered in the documentation but not the formatting)

Here is what I found from some other online postings and modified for my purposes:

####

$clientid = "xxxxxxxx"
$apikey = "xxxxxxxxxxx"
$APIendpoint = "https://api.amp.cisco.com"

#$Credential = Get-Credential
# Much better to use Get-Credential and not leave your key sitting in a script, but I used this for a simple example

# HTTP Basic auth value: base64 of "<client_id>:<api_key>"
$EncodedUsernamePassword = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($('{0}:{1}' -f $clientid, $apikey)))
# Header hashtable passed to Invoke-RestMethod -Headers
$Headers = @{'Authorization' = "Basic $($EncodedUsernamePassword)"; 'Accept' = 'application/json'; 'Content-Type' = 'application/json'; 'Accept-Encoding' = 'gzip, deflate'}

####

This shows you the correct formatting, you can then run one of the example queries:

####

$comp = "SomeComputerName"

$filter = ("/v1/computers?hostname[]=" + $comp + "&limit=10")
$url = ($APIendpoint + $filter)

# Those three could all be one string, but I set it up this way to make it easier to drop in a foreach block later
$query = Invoke-RestMethod -Method Get -Uri $url -Headers $Headers

####

$query.data.guid would then be the GUID of the returned computer object, for example.

Once you have the headers part down any of the Get requests are then pretty simple to do.

If you want to write a change, you must change to the Patch method, but here we run into another formatting issue not covered in the documentation.

Initially I tried this to get a computer moved to a new group:

####

$body = @{"group_guid" = "xxxxxxxxxxxxx"}

$url1 = ($APIendpoint + "/v1/computers/" + $compGUID)
$move = Invoke-RestMethod -Method Patch -Uri $url1 -Headers $Headers -Body $body

####

This fails as the server rejects it as a bad request. What you have to do for the body portion is convert it to the JSON format, like this:

####

$body = @{"group_guid" = "xxxxxxxxxxxxx"}

# The body must be sent as JSON text, not as a raw hashtable
$body = $body | ConvertTo-Json

$url1 = ($APIendpoint + "/v1/computers/" + $compGUID)
$move = Invoke-RestMethod -Method Patch -Uri $url1 -Headers $Headers -Body $body

####

Then it works like magic and you are up and running!
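An added example, not code from the post above: it wraps the same approach in two functions, reads the Client ID and API key with Get-Credential as the post recommends instead of leaving them in the script, sends PATCH bodies as JSON, and reports the HTTP status code on failure so a 401 (bad credentials) is distinguishable from a 404 (wrong path or regional endpoint). The function names are my own; the endpoint, paths and group_guid field are the ones from the post, and the group GUID is a placeholder.

```powershell
# Added example (not from the original post). Endpoint and paths are those used in the post.
$APIendpoint = "https://api.amp.cisco.com"   # use the endpoint for your region

function New-AmpHeaders {
    param([Parameter(Mandatory)][pscredential]$Credential)
    # User name = API Client ID, password = API key; both come from the prompt, not the script
    $apiKey = $Credential.GetNetworkCredential().Password
    $pair   = '{0}:{1}' -f $Credential.UserName, $apiKey
    $b64    = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    return @{
        'Authorization'   = "Basic $b64"
        'Accept'          = 'application/json'
        'Content-Type'    = 'application/json'
        'Accept-Encoding' = 'gzip, deflate'
    }
}

function Invoke-AmpRequest {
    param(
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Get', 'Patch')][string]$Method = 'Get',
        [hashtable]$Body
    )
    $params = @{ Method = $Method; Uri = ($APIendpoint + $Path); Headers = $Headers }
    # A PATCH body has to be JSON text; a raw hashtable is what produced the "bad request"
    if ($Body) { $params.Body = $Body | ConvertTo-Json -Compress }
    try {
        return Invoke-RestMethod @params
    } catch {
        # 401 = Client ID / API key rejected; 404 = path or regional endpoint is wrong
        $code = [int]$_.Exception.Response.StatusCode
        throw "AMP API $Method $Path failed with HTTP $code"
    }
}

# Usage: find a computer by hostname, then move it to another group (placeholder GUID)
$headers  = New-AmpHeaders -Credential (Get-Credential -Message 'AMP API Client ID / API key')
$comp     = 'SomeComputerName'
$result   = Invoke-AmpRequest -Headers $headers -Path "/v1/computers?hostname[]=$comp&limit=10"
$compGUID = $result.data[0].guid
Invoke-AmpRequest -Headers $headers -Method Patch -Path "/v1/computers/$compGUID" `
    -Body @{ group_guid = 'TARGET-GROUP-GUID-PLACEHOLDER' }
```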

4 Replies

OMG Thanks so much!!!! I've been beating my head against that for a couple of days, trying to get Powershell to give me enough information to be useful, and I haven't been doing much in Powershell or with APIs as yet, so the epiphany of "maybe it wants json" didn't hit... 

justin.cooksey (Level 1)

404 Not found on https://api.apjc.amp.cisco.com

I'm getting 404 Not Found for just about any request I try.

If I alter the authorization I do get Unauthorized, so that makes sense, but if I try some of the APIs with Postman I always get 404 Not Found.

Some that I've tried:

https://api.apjc.amp.cisco.com/v1/version

https://api.apjc.amp.cisco.com/v1/computer

https://api.apjc.amp.cisco.com/v0/version

alicitra (Level 1)

This is great, thank you for posting this! I was trying to export blocked applications and simple custom detection hash lists and Cisco still hasn't put an export feature in their portal. Saves me a lot of manually copying and pasting hashes.

I am not a dev or a coder. I know what coding is, but I don't really know the names of functions or methods for any code.

As I use Windows and Windows provides powershell natively, I decided to try and get some data being pulled from the API because eventTypes list is only visible via API. 

Having never done this before, ever, I used one of the AIs to get me going. PowerShell is very annoying to work with; information is obscure and difficult to find. However, I have a ps1 script that did what I needed to do.

Later I was then told by a senior to use Python because that's what they use and I was given different objectives. Well, within 1 day what I built in Python is vastly superior to what I managed to do with PowerShell even though I spent weeks with the .ps1 and just a few hours with the .py. I had so much ease that I was able to search around for best practices and guidelines and I created a tiered Python directory structure. Everything runs through functions and code is re-usable wherever possible. Everything I learned was through 2-way discussion with Bing chat. I say discussion because each time I needed help I described my problem and intent and the response would often give me a couple of options to choose from. Having no background in coding, I didn't have the experience to make decisions on the way forward. So I extended the discussion and the response told me which option I needed to use and why.

Once finished, we zipped up the python directory and dropped it into chatGPT 4 (paid) for code analysis. There were no huge concerns, just minor things such as using "import * from file" where I just tried * instead of the function name and it worked and I moved on, however this is not best practice. 

For secure credential storage I used a Python keyring. Something similar exists for PowerShell but I didn't use it.

If you save, document and improve your prompts, AI can guide. Though, today Bing chat advised me to seek help from a mental health care professional when I was trying to find out information about Secure Endpoint, so it's not perfect (...or is it?).