Cisco AMP for Endpoints API
Frequently Asked Questions
Q. What is the AMP for Endpoints API?
A. The AMP for Endpoints API is a set of programmatic interfaces that allow you to access the data and events in your account without logging into the Console. The REST API uses JSON as the message container. You can write scripts using the programming language of your choice to pull data out of the Cloud and display it using your preferred method or integrate with other tools. The API gives users a flexible option for accessing their account.
Q. How can I access the API?
A. The API can be accessed programmatically using the programming language of your choice. It is a REST API and JSON is used as the container for exchanging messages.
The API endpoint is located at:
https://api.amp.sourcefire.com/v0/
API documentation can be found at:
https://api-docs.amp.sourcefire.com/
An API Key and API Client ID are required to access the API for your account.
Q. How do I generate an API key and find my API Client ID?
A. To generate an API Key, log into your account and navigate to the Business page under the Accounts menu, then follow these steps.
• Click “Edit” on the Business page.
• Click “Regenerate” next to the “3rd Party API Access” option. You will be shown a confirmation message.
Please note that you can only have one active API key, as indicated by that message.
• Click “Confirm” and you will be shown your new API Key as well as your API Client ID.
You are now ready to use the API Client ID and API Key to access the API.
Q. Where can I find the documentation for the API?
A. API documentation can be found at the following address:
https://api-docs.amp.sourcefire.com/
Q. What format is the reply to an API query?
A. The message container is JSON, so replies to queries will be in JSON format.
Q. Is there a rate limit for how many queries I can make against the API?
A. Yes. You can make 1000 queries to the API each hour. Every response to a query also includes the rate limit in the response itself.
Q. Is there a limit to how many results are returned for a query?
A. Yes. When you query for a resource through the API a maximum of 500 results will be returned. However, the results are paginated and a link to the next set of results is included in the query response. You can also use query parameters to filter the data if you want to return fewer results.
Q. Can I see some sample code?
A. The API documentation provides several examples to access the API. The documentation can be found at the following address:
https://api-docs.amp.sourcefire.com/
Q. What information/data can I access through the API?
A. Please refer to the API documentation for a complete list of resources you can access. At a high level, you can access the following:
• Computers
o activity
o trajectory
• Events
• Groups
For more details refer to the documentation:
https://api-docs.amp.sourcefire.com/
Q. What are some use cases for the API?
A. The API gives you flexibility to access data and information about your AMP for Endpoints deployment. You can use the API to query for data and integrate with other tools and downstream processes within your organization. Use cases include, but are not limited to, the following:
• Query for computers running vulnerable applications and integrate the output with a patch management tool or system.
• Query events and integrate with a 3rd party tool such as Splunk.
• Query for top infected systems in the last 7 days to generate a custom report using the tool of your choice.
• Query for every computer that has seen a particular file.
• Query for all computers that have communicated with a certain internal or external IP address.
• Query for all the file and network activity for a given computer (device trajectory).
Q. Can I see a simple example of accessing the API?
A. Below is a simple example using the command line utility cURL, available on most Mac OS X and UNIX-like systems. Basic authentication is used by base64 encoding your API Client ID and API key pair separated by a colon (:). A simple way to base64 encode your key pair on most Linux or BSD systems is by using the base64 command or openssl. Feed the pair in with printf rather than a here-string: a here-string appends a newline, which would otherwise become part of the encoded credential.

> printf '%s' API_CLIENT_ID:API_KEY | base64
> printf '%s' API_CLIENT_ID:API_KEY | openssl base64

curl -X GET \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'authorization: Basic <INSERT_BASE64ENCODED_CLIENTID:APIKEY_PAIR>' \
'https://api.amp.sourcefire.com/v0/version'
Q. Can I see some simple source code for accessing the API?
A. Below is Ruby code for getting Events and Computers using the API. This sample requires the HTTParty gem.

> gem install httparty

require 'rubygems'
require 'httparty'
require 'base64'

class AMP
  include HTTParty
  BASE_URL = "https://api.amp.sourcefire.com/v0/"

  def initialize(client_id, api_token)
    @api_token = api_token
    @client_id = client_id
    # HTTParty sends the Client ID / API Key pair as HTTP Basic authentication
    self.class.basic_auth(@client_id, @api_token)
  end

  # GET an endpoint with optional query parameters and return the "data" element
  def get(endpoint, params = {})
    @response = self.class.get(BASE_URL + endpoint, query: params,
                               headers: {"accept-encoding" => "gzip, deflate"})
    @response["data"]
  end

  def version
    get("version")
    @response.parsed_response["version"]
  end
end

CLIENT_ID = "<INSERT_CLIENTID_HERE>"
API_KEY = "<INSERT_API_KEY_HERE>"
client = AMP.new(CLIENT_ID, API_KEY)
puts "API Version: " + client.version
# An example of accessing a list of computers based on hostname Demo_TeslaCrypt
puts client.get("computers", "hostname": "Demo_TeslaCrypt")
# An example of getting a list of events based on
# EventType 1107296272 (Vulnerable Application Detected)
puts client.get("events", "event_type": "1107296272")
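The following Ruby is an added example, not part of the original FAQ or of the HTTParty sample above. It builds the Basic authentication value without the trailing-newline pitfall of a shell here-string, and walks a paginated list query (500 results per page) by following the next-page link in each response, stopping early once the hourly rate limit is exhausted. The next-link path (metadata.links.next), the X-RateLimit-Remaining header name and the two-page sample responses are assumptions constructed for this example.

```ruby
require 'base64'
require 'json'
require 'net/http'

# Basic auth value for the Client ID / API Key pair. strict_encode64 adds no
# trailing newline, unlike `base64 <<<ID:KEY`, which would corrupt the credential.
def amp_basic_auth(client_id, api_key)
  "Basic " + Base64.strict_encode64("#{client_id}:#{api_key}")
end

# Real fetcher: HTTPS GET with the auth header -> [body, lower-cased headers].
def amp_http_fetcher(client_id, api_key)
  auth = amp_basic_auth(client_id, api_key)
  lambda do |url|
    uri = URI(url)
    req = Net::HTTP::Get.new(uri, "accept" => "application/json", "authorization" => auth)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
    [res.body, res.to_hash.transform_values(&:first)]
  end
end

# Collect every item of a list query (500 per page) by following the next-page
# link in each response. The link path (metadata.links.next) and the header name
# (X-RateLimit-Remaining) are assumptions; `fetch` is URL -> [body, headers].
def amp_collect_all(first_url, fetch)
  items = []
  url = first_url
  while url
    body, headers = fetch.call(url)
    doc = JSON.parse(body)
    items.concat(Array(doc["data"]))
    remaining = headers["x-ratelimit-remaining"]
    break if remaining && remaining.to_i <= 0 # hourly quota used up: stop early
    url = doc.dig("metadata", "links", "next")
  end
  items
end

# Constructed two-page response set so the pagination logic can run offline.
FIRST_URL = "https://api.amp.sourcefire.com/v0/computers"
NEXT_URL  = "https://api.amp.sourcefire.com/v0/computers?offset=2"
SAMPLE_PAGES = {
  FIRST_URL => [JSON.generate("data" => [{"hostname" => "host-a"}, {"hostname" => "host-b"}],
                              "metadata" => {"links" => {"next" => NEXT_URL}}),
                {"x-ratelimit-remaining" => "999"}],
  NEXT_URL  => [JSON.generate("data" => [{"hostname" => "host-c"}], "metadata" => {"links" => {}}),
                {"x-ratelimit-remaining" => "998"}]
}
SAMPLE_FETCHER = ->(url) { SAMPLE_PAGES.fetch(url) }
```

Calling amp_collect_all(FIRST_URL, SAMPLE_FETCHER) returns all three sample computers across both pages; swap in amp_http_fetcher(CLIENT_ID, API_KEY) to run the same walk against the live API.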