Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
2185
Views
15
Helpful
0
Comments

Part 3- Cisco SecureX hosted Integration Modules and Serverless Relay on AWS

Troja007
Cisco Employee
Cisco Employee

‎07-21-2020 04:50 AM - edited ‎04-09-2021 03:04 AM

Community_Approach_4.png

 

NEWS: Cisco hosted SecureX Integration Modules

Cisco Secure is moving forward with Cisco hosted SecureX Integration Modules, where you do not need Serverless or docker any more. Find details in Part 1 of the documentation.
If you are moving to the Cisco hosted version of the Integration Modules the steps below are not necessary.

 

Related Topics

  1. Serverless Relay on AWS for SecureX/CTR 3rd Party Modules - Part 1
  2. Serverless Relay on AWS for SecureX/CTR 3rd Party Modules - Part 2
  3. Serverless Relay on AWS for SecureX/CTR 3rd Party Modules - Part 3

 

Configuring 3rd Party Modules for SecureX Integrations

This steps explains some easy steps to configure, upload and integrate 3rd Party enrichment modules.
There are just some simple steps to do. The following steps are similar to all of the modules available on Github.

Before we start, let us clone a Template GitHub Repository, because it also includes a Python Script we need later to configure the JWT token.


Step: JWT Source (not necessary any more): Clone the JWT Token Git Repository to download the Python Script for the token generation we need later: git clone https://github.com/CiscoSecurity/tr-05-jwt-generator.git.

Note: Cisco constantly enhances the 3rd Party integrations. The JWT Token generation is now implemented as a command line tool. So you can skip this step.

 

 

Download the module source from GitHub (Module)

  1. Step: Download: Open SecureX and go to SecureX → Integrations.
  2. Step: Download: Click the "Add Module" Button to get some more info about the Module.

  3. Step: Download: The module points directly to Github. Just click the ".... Serverless Relay" link.
    In the GitHub UI click "Code" to get the dropdown including Link for cloning.
    Github Download URLGithub Download URL

    Note: When executing the following commands, it is essential to do this in the right folder!



  4. Step: Download: Start the virtual environment, if not already started, using the command line:  source securex/bin/activate

    Note: you must be in the directory /usr/local/SecureX, otherwise the virtual environment cannot be started.

     

  5. Step: Download: In the root folder of our virtual environment type the following command.
    As seen in the screenshot above (using AbuseIPDB as an example): 
    git clone https://github.com/CiscoSecurity/tr-05-serverless-abuseipdb.git.

    Terminal Output
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    (securex) sh-3.2# pwd
    /usr/local/SecureX
    (securex) sh-3.2# git clone https://github.com/CiscoSecurity/tr-05-serverless-abuseipdb.git
    Cloning into 'tr-05-serverless-abuseipdb'...
    remote: Enumerating objects: 107, done.
    remote: Counting objects: 100% (107/107), done.
    remote: Compressing objects: 100% (77/77), done.
    remote: Total 398 (delta 55), reused 51 (delta 29), pack-reused 291
    Receiving objects: 100% (398/398), 103.09 KiB | 235.00 KiB/s, done.
    Resolving deltas: 100% (245/245), done.
    (securex) sh-3.2#

     

  6. Step: Download:  Update the necessary components using the command: pip install --upgrade --requirement requirements.txt

    Note: Always do this step, some modules may need different libraries to work probably. There will not be any issue with your deployment. The needed components are listed in the requirements.txt file.

     


 

Generate the JWT Token

We already downloaded the necessary source. This section describes how to generate all Tokens we need for the SecureX Integration authentication bearer and the AWS SECRET_KEY value.

 

Note: There are Modules available which to not need any Authentication Bearer, e.g. like the Shodan Module. So you can skip the JWT Token generation. Always take a look for specific Module Settings on GitHub.

 

  1. Step: JWT Token: Generate an API key from the 3rd Party Vendor. Many of them a providing community
    or free APIs which can be used to test the Integration. Follow the steps and guides as outlined there.

    Note: In August 2020 we simplified the token generation, so you do not need to copy the jwt_generator.py file any more. All necessary files are already included when cloning the tr-05-serverless-relay code from Github and afterwards updating the app.

    Execute the following commands to upgrade an existing virtual environment starting in directory /usr/local/SecureX/tr-05-serverless-relay/.

    1. Update the local code: git pull
    This updates the requirements.txt file
    2. Install the latest components including the jwt command line tool:  pip install --upgrade --requirement requirements.txt

  2. Step: JWT Token: Now let´s generate a JWT Token (JSON Web Token), which is needed to authenticate.
    If you want to know more about this authentication mechanism, take a look at the Documentation. The JWT Token
    can easily generated with a single statement.

    1. Switch into the directory: cd /usr/local/SecureX/tr-05-serverless-abuseipdb/

    2. Generate the JWT token using the command: jwt dev

    1. Terminal Output
      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      (securex) sh-3.2# pwd
      /usr/local/SecureX/tr-05-serverless-abuseipdb
      (securex) sh-3.2# jwt dev
      Enter: Abuse IPDB API Key: FhFUAjPqS1mRFXUnb09eCXeiq7uSr0azbl2PF0fDcxxxxxxxxxx
      The JWT for the AbuseIPDB IP Checker module is:
          eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJGaEZVQWpQcVMxbVJGxxxxxxxxxx
      The SECRET_KEY to validate the JWT is:
          6QKh6b77pyCfEQYjanlTre2LyHoaY4vVJmw8YdbIIyWylxxxxxxxxx
      Use this URL to navigate to the AWS Console and configure the SECRET_KEY environment variable using the above value:
          https://console.aws.amazon.com/lambda/home?region=us-east-1#/functions/tr-abuseipdb-relay-dev/edit/environment-variables?tab=configuration
      Use one of these URLs to navigate to Threat Response in your region and create the AbuseIPDB IP Checker module using your Lambda's URL and the JWT:
          US: https://visibility.amp.cisco.com/settings/modules/available/07aedd54-aaed-43d0-b862-xxxxxxxxxxxx/new
          EU: https://visibility.eu.amp.cisco.com/settings/modules/available/4b4b5ea4-fc3f-43d3-95b7-xxxxxxxxxxxx/new
          APJC: https://visibility.apjc.amp.cisco.com/settings/modules/available/e97eecc4-6680-42d2-bb14-xxxxxxxxxxxx/new
      (securex) sh-3.2#

    2. Copy the output, you will need the generated tokens later.

 

 

 

Upload Serverless App to AWS

Now let us upload the Application to AWS:

  1. Step: Upload/Deploy Package: Before uploading the WebApp to AWS, we have to ensure, that the s3_Package which is generated during upload, is unique. To do so, we have to modify the zappa_settings.json file.
    The easies way is to add your AWS AccountID to the s3_bucket definition in the zappa_settings.json file.

    {
    "dev": {
        "app_function": "app.app",
        "aws_region": "us-east-1",
        "exclude": [".*", "*.json", "*.md", "*.txt"],
        "keep_warm": false,
        "log_level": "INFO",
        "manage_roles": false,
        "profile_name": "serverless",
        "project_name": "tr-abuseipdb-relay",
        "role_name": "tr-serverless-relay-ZappaLambdaExecutionRole",
        "runtime": "python3.7",
        "s3_bucket": "zappa-tr-abuseipdb-relay-XXXXXXXXXXXX"
    }
}



  2. Step: Upload/Deploy Package: Deploy the App to AWS using the following Command: zappa deploy dev.

    Terminal Output
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    (securex) sh-3.2# pwd
    /usr/local/SecureX/tr-05-serverless-abuseipdb
    (securex) sh-3.2# zappa deploy dev
    Calling deploy for stage dev..
    Downloading and installing dependencies..
     - markupsafe==1.1.1: Downloading
    100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 27.5k/27.5k [00:00<00:00, 580kB/s]
    .
    .
    .
    █████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 4/4 [00:23<00:00,  5.84s/res]
    Deploying API Gateway..
    .
    .
    .
    Your updated Zappa deployment is live!: https://XXXXXXXXXX.execute-api.us-east-1.amazonaws.com/dev

  3. Step: Upload Package: Write down the shown URL to access your Lambda app.

    Note: You can check the URL and other settings by typing: zappa status dev.

 

 

 

Configure AWS environment variable

The last configuration step is to add an environment variable to the Lambda function on AWS.

  1. Step: AWS environment variable: The JWT token Output shows the URL to jump directly to the AWS Setting: 
    https://console.aws.amazon.com/lambda/home?region=us-east-1#/functions/tr-abuseipdb-relay-dev/edit/environment-variables?tab=configuration.
    You can also go to the settings manually by selecting the Lambda Service in the AWS UI. Click the Function name to get
    to the environment variables.
    AWS environment variableAWS environment variable


  2. Step: AWS environment variable: Scroll down to the Environment variables and click the "Manage Environment variables"
    button. 
    AWS environment variableAWS environment variable


  3. Step: AWS environment variable: Click the "Add environment variable" button
  4. Step: AWS environment variable: Add the following values
    1. Key: SECRET_KEY
    2. Value: the JWT Token output (The SECRET_KEY to validate the JWT is: )
      AWS environment variableAWS environment variable

  5. Step: AWS environment variable: Click the SAVE Button to finish.

 

 

 

Community_Approach_5.png

 

 

Configure the SecureX Integration Module

Add the necessary values to the Module Settings:

  • URL: The URL shown during the App deployment to AWS or by checking the App settings using the command
    zappa status dev.
  • Authorization Bearer: The long JWT token generated before (E.g. The JWT for the AbuseIPDB IP Checker module is:....)

 

Repeat these steps to add other available integrations.
Several 3rd Party Modules configured in Threat ResponseSeveral 3rd Party Modules configured in Threat Response

 

 

Note: In some cases i have seen an Error 502 message when deploying the serverless app.
If you seen this error message, you may have to update some components, as described here:
https://github.com/CiscoSecurity/tr-05-serverless-relay/blob/develop/aws/CommonErrors.md.

  • Switch to your virtual environment: cd /usr/local/SecureX/
  • Enable the environment (if not already enabled): source securex/bin/activate
  • Execute the following command: pip install --upgrade --requirement requirements.txt && zappa update dev

 

 

Related Topics

  1. Serverless Relay on AWS for SecureX/CTR 3rd Party Modules - Part 1
  2. Serverless Relay on AWS for SecureX/CTR 3rd Party Modules - Part 2
  3. Serverless Relay on AWS for SecureX/CTR 3rd Party Modules - Part 3

 

 

Command Line Cheat Sheet

  • Start the virtual environment: source securex/bin/activate
  • Stop the virtual environment: deactivate

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents