Skip to content
This repository was archived by the owner on Aug 13, 2022. It is now read-only.

Latest commit

 

History

History
136 lines (95 loc) · 5.3 KB

2.md

File metadata and controls

136 lines (95 loc) · 5.3 KB

Use Postman

  1. Open your POSTMAN REST API Client.

  2. Set the client to make a POST command to the this URL.

  3. Click on Authorization, select Basic Auth, and type in your username and password.

  4. Click Send.

Figure: FMC REST API example setup

  1. From the response copy the following for future API calls:

  • X-auth-access-token: you need to add this token header to every request sent using FMC REST API.

  • X-auth-refresh-token: is needed to refresh the token.

  • DOMAIN_UUID: this needs to be added to every Rest API route.

Figure: FMC REST API example setup

Create a TID source

Create a TID source using URL download:

  1. Open another tab in Postman and fill in the values as shown in the screenshot below:

  2. Select POST operation and add the route where e276abec-e0f2-11e3-8169-6d9ed49b625f is the DOMAIN_UUID obtained from the generate token step.

  3. In the header add:

    • Key: X-auth-access-token Value. Paste the value obtained from the generate token step.

    • Key: X-auth-refresh-token Value. Paste the value obtained from the generate token step.

    • Body: Select raw text and paste the sample JSON into it.

  4. Important: Change the name of the feed from WannaCry to something unique. Then click send.

  5. A successful post operation returns a 201 OK.

Figure: FMC REST API example setup

{
"name": "WannaCry",
"uri": "https://cisco.box.com/shared/static/hxlc1d1r8u3naaj876mqwucuqjuywx01.txt",
	"feedType": "stix",
	"feedContent": "stix",
	"delivery": "url",
	"refresh": 1440,
	"version": "1.0.0",
	"downloadOn": true,
	"params": {
		"selfSignedServerCertificate": "false",
		"hostnameVerifier": "allow_all"
	},
	"property": {
		"ttl": 90,
		"publish": true,
		"action": "monitor"
	}
}
6. Optionally, to create a simple IP intelligence source located at:
https://cisco.box.com/shared/static/phef4u63td7bxcgkgyt1vk5vrm461jcf.txt
Follow the steps in 1, 2 and 3 but use the JSON text below
7. Important: Change the name of the feed from TorIpList to something unique
8. Important: Change the name of the feed from TorIpList to something unique
9. Click send
10.	A successful post operation returns a 201 OK.

{
    "name": "TorIpList",
    "uri":"https://cisco.box.com/shared/static/phef4u63td7bxcgkgyt1vk5vrm461jcf.txt",
    "feedType": "flatfile",
    "feedContent": "IPV_4_ADDR",
    "delivery": "url",
    "refresh": 1440,
    "version": "1.0.0",
    "downloadOn": true,
    "params": {
        "selfSignedServerCertificate": "false",
        "hostnameVerifier": "allow_all"
    },
    "property": {
        "ttl": 90,
        "publish": true,
        "action": "monitor"
    }
}

View indicators of compromise

Indicators (also known as Indicators of Compromise) convey specific Observable patterns, combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. They contain one or more Observables in simple or complex relationships.

  1. To see all Indicators of Compromise downloaded by TID, a GET ALL operation can be performed as shown below:

Figure: FMC REST API example setup

  1. To retrieve a specific indicator, an objectId needs to be provided for the Get operation. For ex: https://cisco-tid.cisco.com/api/fmc_tid/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/tid/indicator/objectId

  2. More complex queries can be run on the data to get enhanced results. The screenshot below shows a query to get all indicators ingested in the last one hour by specifying a filter, sorted by updatedAt time field. The first 40 results matching the criteria are to be returned, with all links expanded.

    Sample Get Request: https://cisco-tid.cisco.com/api/fmc_tid/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/tid/indicator?filter=updatedAt:1496077717..1498419195&sort=-updatedAt&limit=40&expanded=true

Following are the key/value pairs:

KEY VALUE
filter updatedAt: 1496077717..1498419195
sort -updatedAt
expanded true
limit 40

View Observables

Observables represent stateful properties or measurable events pertinent to the operation of computers and networks. For example, IPs, Domains, URLs, File SHA’s, etc. Follow the steps described in the Indicators of Compromise section.

Sample Get Request: https://cisco-tid.cisco.com/api/fmc_tid/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/tid/observable?filter=updatedAt:1496077717..1498419195&sort=-updatedAt&limit=40&expanded=true

View Incidents

Incidents are discrete instances of indicators affecting an organization, along with information discovered or decided during an incident response investigation.

Follow the steps described in the Indicators of Compromise section.

Sample Get Request: https://cisco-tid.cisco.com/api/fmc_tid/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/tid/incident?filter=updatedAt: 1498077717..1498419195&sort=-updatedAt&limit=40&expanded=true