
Part 3 - Serverless Relay on AWS for SecureX/CTR 3rd Party Modules



 

 

Configuring 3rd Party Modules for SecureX Integrations

This part explains how to configure, upload and integrate 3rd Party enrichment modules.
Only a few simple steps are required, and they are similar for all of the modules available on GitHub.

Before we start, let us clone a Template GitHub Repository, because it also includes a Python Script we need later to configure the JWT token.


  1. Step: JWT Source: Clone the JWT Token Git Repository to download the Python script for the token generation
    that we need later:
    git clone https://github.com/CiscoSecurity/tr-05-jwt-generator.git
    Note: This step needs to be done only once. When adding additional Modules, you just have to copy the Python file, as listed in the following steps, into the appropriate Module directory.

    Terminal Output
    sh-3.2# pwd
    /usr/local/SecureX
    Cloning into 'tr-05-jwt-generator'...
    remote: Enumerating objects: 35, done.
    remote: Counting objects: 100% (35/35), done.
    remote: Compressing objects: 100% (22/22), done.
    remote: Total 35 (delta 10), reused 33 (delta 8), pack-reused 0
    Unpacking objects: 100% (35/35), done.
    sh-3.2#

    Note: This step has to be done once to download a necessary script.



Download the module source from GitHub (Module)

  1. Step: Download: Open SecureX and go to SecureX → Integrations.
  2. Step: Download: Click the "Add Module" Button to get some more info about the Module.
  3. Step: Download: The module points directly to GitHub. Just click the ".... Serverless Relay" link.
    In the GitHub UI, click "Code" to open the dropdown that includes the link for cloning.
    Screenshot: GitHub download URL

    Note: When executing the following commands, it is essential to do this in the right folder!



  4. Step: Download: Start the virtual environment, if not already started, using the command line:  source securex/bin/activate

    Note: you must be in the directory /usr/local/SecureX, otherwise the virtual environment cannot be started.

     

  5. Step: Download: In the root folder of our virtual environment, type the following command
    (as seen in the screenshot above, using AbuseIPDB as an example):
    git clone https://github.com/CiscoSecurity/tr-05-serverless-abuseipdb.git

    Terminal Output
    (securex) sh-3.2# pwd
    /usr/local/SecureX
    Cloning into 'tr-05-serverless-abuseipdb'...
    remote: Enumerating objects: 107, done.
    remote: Counting objects: 100% (107/107), done.
    remote: Compressing objects: 100% (77/77), done.
    remote: Total 398 (delta 55), reused 51 (delta 29), pack-reused 291
    Receiving objects: 100% (398/398), 103.09 KiB | 235.00 KiB/s, done.
    Resolving deltas: 100% (245/245), done.
    (securex) sh-3.2#

     

 

Generate the JWT Token

We already downloaded the necessary source. This section describes how to generate all Tokens we need for the SecureX Integration authentication bearer and the AWS SECRET_KEY value.

 

Note: Some Modules do not need an Authentication Bearer, e.g. the Shodan Module. For those you can skip the JWT Token generation. Always check the specific Module Settings on GitHub.

 

  1. Step: JWT Token: Generate an API key from the 3rd Party Vendor. Many of them provide community
    or free APIs which can be used to test the Integration. Follow the steps and guides as outlined there.

  2. Step: JWT Token: Now let's generate a JWT Token (JSON Web Token), which is needed to authenticate.
    If you want to know more about this authentication mechanism, take a look at the Documentation. The JWT Token
    can easily be generated with a Python script (we are once again using AbuseIPDB as the example).

    1. Switch into the directory: cd /usr/local/SecureX/tr-05-serverless-abuseipdb/

    2. Copy the Python file jwt_generator.py: cp /usr/local/SecureX/tr-05-jwt-generator/jwt_generator.py ./

      Note: 
      Change the path of the command based on the Module you are adding to your environment.

  3. Step: JWT Token: Generate the JWT Token by executing the Python script copied in the previous
    step: python3 jwt_generator.py dev

    1. Copy the 3rd Party API Key into the Terminal Window.

    2. Take a look at the output.

      Terminal Output
      (securex) sh-3.2# pwd
      /usr/local/SecureX/tr-05-serverless-abuseipdb
      (securex) sh-3.2# python3 jwt_generator.py dev
      Enter: Abuse IPDB API Key: FhFUAjPqS1mRFXUnb09eCXeiq7uSr0azbl2PF0fDcxxxxxxxxxx
      The JWT for the AbuseIPDB IP Checker module is:
          eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJGaEZVQWpQcVMxbVJGxxxxxxxxxx
      The SECRET_KEY to validate the JWT is:
          6QKh6b77pyCfEQYjanlTre2LyHoaY4vVJmw8YdbIIyWylxxxxxxxxx
      Use this URL to navigate to the AWS Console and configure the SECRET_KEY environment variable using the above value:
          https://console.aws.amazon.com/lambda/home?region=us-east-1#/functions/tr-abuseipdb-relay-dev/edit/environment-variables?tab=configuration
      Use one of these URLs to navigate to Threat Response in your region and create the AbuseIPDB IP Checker module using your Lambda's URL and the JWT:
          US: https://visibility.amp.cisco.com/settings/modules/available/07aedd54-aaed-43d0-b862-xxxxxxxxxxxx/new
          EU: https://visibility.eu.amp.cisco.com/settings/modules/available/4b4b5ea4-fc3f-43d3-95b7-xxxxxxxxxxxx/new
          APJC: https://visibility.apjc.amp.cisco.com/settings/modules/available/e97eecc4-6680-42d2-bb14-xxxxxxxxxxxx/new
      (securex) sh-3.2#
    3. Copy the output, you will need the generated tokens later.
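
What the generator output above implies, as an added example (not the code of jwt_generator.py or of the relay): the sample token's header decodes to HS256 and its payload begins with a `key` claim holding the API key, so the JWT is signed with SECRET_KEY but not encrypted. Function names, the secret-generation call and the sample values are assumptions made for illustration; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import secrets

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret_key: str) -> bytes:
    return hmac.new(secret_key.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_jwt(api_key: str, secret_key: str) -> str:
    """Generator side: HS256 token whose payload carries the API key."""
    parts = [{"alg": "HS256", "typ": "JWT"}, {"key": api_key}]
    body = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return f"{body}.{b64url(sign(body, secret_key))}"

def peek_payload(token: str) -> dict:
    """No secret needed: the payload is only encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, secret_key: str) -> dict:
    """Relay side: accept only HS256 with a matching HMAC, then return the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = sign(f"{header_b64}.{payload_b64}", secret_key)
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

# Constructed sample values, not real credentials.
SAMPLE_API_KEY = "constructed-api-key-0000"
SAMPLE_SECRET = secrets.token_urlsafe(48)  # assumption: any high-entropy random string
SAMPLE_JWT = make_jwt(SAMPLE_API_KEY, SAMPLE_SECRET)

if __name__ == "__main__":
    print(peek_payload(SAMPLE_JWT))
    print(verify_jwt(SAMPLE_JWT, SAMPLE_SECRET))
```

Because `peek_payload` recovers the API key without SECRET_KEY, the bearer token has to be stored and handled as a credential in its own right, just like the SECRET_KEY value.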

 

 

 

Upload Serverless App to AWS

Now let us upload the Application to AWS:

  1. Step: Upload/Deploy Package: Before uploading the WebApp to AWS, we have to ensure that the S3 bucket (s3_bucket) used for the package generated during upload is unique. To do so, we have to modify the zappa_settings.json file.
    The easiest way is to add your AWS Account ID to the s3_bucket definition in the zappa_settings.json file.

    {
        "dev": {
            "app_function": "app.app",
            "aws_region": "us-east-1",
            "exclude": [".*", "*.json", "*.md", "*.txt"],
            "keep_warm": false,
            "log_level": "INFO",
            "manage_roles": false,
            "profile_name": "serverless",
            "project_name": "tr-abuseipdb-relay",
            "role_name": "tr-serverless-relay-ZappaLambdaExecutionRole",
            "runtime": "python3.7",
            "s3_bucket": "zappa-tr-abuseipdb-relay-XXXXXXXXXXXX"
        }
    }



  2. Step: Upload/Deploy Package: Deploy the App to AWS using the following command: zappa deploy dev

    Terminal Output
    (securex) sh-3.2# pwd
    /usr/local/SecureX/tr-05-serverless-abuseipdb
    (securex) sh-3.2# zappa deploy dev
    Calling deploy for stage dev..
    Downloading and installing dependencies..
     - markupsafe==1.1.1: Downloading
    100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 27.5k/27.5k [00:00<00:00, 580kB/s]
    .
    .
    .
    █████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 4/4 [00:23<00:00,  5.84s/res]
    Deploying API Gateway..
    .
    .
    .
    Your updated Zappa deployment is live!: https://XXXXXXXXXX.execute-api.us-east-1.amazonaws.com/dev

  3. Step: Upload Package: Write down the shown URL to access your Lambda app.

    Note: You can check the URL and other settings by typing: zappa status dev

 

 

 

Configure AWS environment variable

The last configuration step is to add an environment variable to the Lambda function on AWS.

  1. Step: AWS environment variable: The JWT token output shows the URL to jump directly to the AWS setting:
    https://console.aws.amazon.com/lambda/home?region=us-east-1#/functions/tr-abuseipdb-relay-dev/edit/environment-variables?tab=configuration
    You can also go to the settings manually by selecting the Lambda Service in the AWS UI. Click the Function name to get
    to the environment variables.


  2. Step: AWS environment variable: Scroll down to the Environment variables and click the "Manage Environment variables"
    button.


  3. Step: AWS environment variable: Click the "Add environment variable" button
  4. Step: AWS environment variable: Add the following values
    1. Key: SECRET_KEY
    2. Value: the SECRET_KEY value from the JWT generator output (the line after "The SECRET_KEY to validate the JWT is:")

  5. Step: AWS environment variable: Click the SAVE Button to finish.

 

 

 


 

 

Configure the SecureX Integration Module

Add the necessary values to the Module Settings:

  • URL: The URL shown during the App deployment to AWS, or shown when checking the App settings with the command
    zappa status dev
  • Authorization Bearer: The long JWT token generated before (E.g. The JWT for the AbuseIPDB IP Checker module is:....)

 

Repeat these steps to add other available integrations.
Screenshot: Several 3rd Party Modules configured in Threat Response

 

 

Note: In some cases I have seen an Error 502 message when deploying the serverless app.
If you see this error message, you may have to update some components, as described here:
https://github.com/CiscoSecurity/tr-05-serverless-relay/blob/develop/aws/CommonErrors.md

  • Switch to your virtual environment: cd /usr/local/SecureX/
  • Enable the environment (if not already enabled): source securex/bin/activate
  • Execute the following command: pip install --upgrade --requirement requirements.txt && zappa update dev

 

 

Related Topics

  1. Serverless Relay on AWS for SecureX/CTR 3rd Party Modules - Part 1
  2. Serverless Relay on AWS for SecureX/CTR 3rd Party Modules - Part 2
  3. Serverless Relay on AWS for SecureX/CTR 3rd Party Modules - Part 3

 

 

Command Line Cheat Sheet

  • Start the virtual environment: source securex/bin/activate
  • Stop the virtual environment: deactivate