Cisco AMP For Endpoints API FAQ

The API document provides answers to frequently asked questions about the Cisco AMP for Endpoints API. The API allows programmatic access to account data and events without logging into the web console. It uses a RESTful design with JSON and has endpoints, documentation, rate limits and data filters. Sample code demonstrates making basic requests in Ruby to get computer and event data.
Cisco AMP for Endpoints API
Frequently Asked Questions

Q. What is the AMP for Endpoints API?
A. The AMP for Endpoints API is a set of programmatic interfaces that allow you to
access the data and events in your account without logging into the Console. The
REST API uses JSON as the message container. You can write scripts using the
programming language of your choice to pull data out of the Cloud and display it
using your preferred method or integrate with other tools. The API gives users a
flexible option for accessing their account.

Q. How can I access the API?
A. The API can be accessed programmatically using the programming language of your
choice. It is a REST API and JSON is used as the container for exchanging messages.
The API endpoint is located at:

https://api.amp.sourcefire.com/v0/

API documentation can be found at:

https://api-docs.amp.sourcefire.com/

An API Key and API Client ID are required to access the API for your account.

Q. How do I generate an API key and find my API Client ID?
A. To generate an API Key, log into your account and navigate to the Business page
under the Accounts menu, then follow these steps.

• Click “Edit” on the Business page.
• Click “Regenerate” next to the “3rd Party API Access” option. You will be
shown the following message:



• Please note that you can only have one active API key, as indicated by the
message above.
• Click “Confirm” and you will be shown your new API Key as well as your API
Client ID as shown below.


• You are now ready to use the API Client ID and API Key to access the API.

Q. Where can I find the documentation for the API?
A. API documentation can be found at the following address:

https://api-docs.amp.sourcefire.com/

Q. What format is the reply to an API query?
A. The message container is JSON so replies to queries will be in JSON format.

Q. Is there a rate limit for how many queries I can make against the API?
A. Yes. You can make 1000 queries to the API each hour. Every response to a query
also includes the rate limit in the response itself.

Q. Is there a limit to how many results are returned for a query?
A. Yes. When you query for a resource through the API a maximum of 500 results
will be returned. However, the results are paginated and a link to the next set of
results is included in the query response. You can also use query parameters to filter
the data if you want to return fewer results.

Q. Can I see some sample code?
A. The API documentation provides several examples to access the API. The
documentation can be found at the following address:

https://api-docs.amp.sourcefire.com/

Q. What information/data can I access through the API?
A. Please refer to the API documentation for a complete list of resources you can
access. At a high level, you can access the following:

• Computers
o activity
o trajectory
• Events
• Groups

For more details, refer to the documentation:

https://api-docs.amp.sourcefire.com/

Q. What are some use cases for the API?
A. The API gives you flexibility to access data and information about your AMP for
Endpoints deployment. You can use the API to query for data and integrate with
other tools and downstream processes within your organization. Use cases include,
but are not limited to, the following:

• Query for computers running vulnerable applications and integrate the
output with a patch management tool or system.
• Query events and integrate with a 3rd party tool such as Splunk.
• Query for top infected systems in the last 7 days to generate a custom report
using the tool of your choice.
• Query for every computer that has seen a particular file.
• Query for all computers that have communicated with a certain internal or
external IP address.
• Query for all the file and network activity for a given computer (device
trajectory).

Q. Can I see a simple example of accessing the API?
A. Below is a simple example using the command line utility cURL, available on most
Mac OS X and UNIX-like systems. Basic authentication is used by base64 encoding
your API Client ID and API Key pair separated by a colon (:). A simple way to
base64 encode your key pair on most Linux or BSD systems is by using the base64
command or openssl. Feed the pair in with printf rather than echo or a here-string,
so that no trailing newline is encoded into the token; a token with an encoded
newline is not the credential the server expects and the request is rejected.

printf '%s' API_CLIENT_ID:API_KEY | base64
printf '%s' API_CLIENT_ID:API_KEY | openssl base64

curl -X GET \
  -H 'accept: application/json' \
  -H 'content-type: application/json' \
  -H 'authorization: Basic <INSERT_BASE64ENCODED_CLIENTID:APIKEY_PAIR>' \
  'https://api.amp.sourcefire.com/v0/version'


Q. Can I see some simple source code for accessing the API?
A. Below is Ruby code for getting Events and Computers using the API. This sample
requires the HTTParty gem.

gem install httparty

require 'rubygems'
require 'httparty'
require 'base64'

class AMP
  include HTTParty

  BASE_URL = "https://api.amp.sourcefire.com/v0/"

  # HTTParty sends the Client ID and API Key as an HTTP Basic auth header on
  # every request made through this class.
  def initialize(client_id, api_token)
    @api_token = api_token
    @client_id = client_id
    self.class.basic_auth(@client_id, @api_token)
  end

  # GET BASE_URL + endpoint with optional query parameters. Returns the "data"
  # element of the JSON reply and keeps the full response in @response.
  def get(endpoint, params = {})
    @response = self.class.get(BASE_URL + endpoint, query: params,
                               headers: { "accept-encoding" => "gzip, deflate" })
    @response["data"]
  end

  # The version resource has no "data" element, so read it from the parsed reply.
  def version
    get("version")
    @response.parsed_response["version"]
  end
end

CLIENT_ID = "<INSERT_CLIENTID_HERE>"
API_KEY = "<INSERT_API_KEY_HERE>"

client = AMP.new(CLIENT_ID, API_KEY)

puts "API Version: " + client.version

# An example of accessing a list of computers based on hostname Demo_TeslaCrypt
puts client.get("computers", "hostname": "Demo_TeslaCrypt")

# An example of getting a list of events based on
# EventType 1107296272 (Vulnerable Application Detected)
puts client.get("events", "event_type": "1107296272")
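As an added example (not the FAQ's sample and not Cisco's code), the Ruby below ties together three points made earlier on this page: it builds the Basic authorization header from the Client ID and API Key with a colon separator and no trailing newline, follows the next-page link the FAQ says each paginated reply carries so a collection larger than 500 results is read completely, and records the remaining hourly quota reported with each response. Where the FAQ does not name a field, the code assumes one and marks the assumption: the next link is read from metadata.links.next and the quota from an X-RateLimit-Remaining header. FakeAmpServer is a constructed stand-in for the AMP cloud so the code runs offline with no real credentials; all hostnames and GUIDs are made up.

```ruby
require 'json'
require 'base64'
require 'uri'

# Added example, not code from the Cisco FAQ: a small AMP for Endpoints client
# that builds the Basic auth header itself, follows the pagination link in each
# reply and records the rate limit reported by the server. HTTP is injected via
# `fetcher` so the class runs offline against FakeAmpServer below.
class AmpPagedClient
  class ApiError < StandardError; end

  BASE_URL = "https://api.amp.sourcefire.com/v0/"
  # ASSUMPTION: the FAQ says a next link and the rate limit are in each reply but
  # does not name the fields; these are the names this example assumes.
  NEXT_LINK_PATH = %w[metadata links next].freeze
  REMAINING_HEADER = "X-RateLimit-Remaining"

  attr_reader :rate_limit_remaining

  # Basic auth is base64("client_id:api_key"), colon separated. strict_encode64
  # is deliberate: Base64.encode64 appends "\n" and corrupts the token exactly
  # as `base64 <<< ...` does in a shell.
  def self.basic_auth_header(client_id, api_key)
    "Basic " + Base64.strict_encode64("#{client_id}:#{api_key}")
  end

  # fetcher responds to call(url, headers) and returns [status, headers, body].
  def initialize(client_id, api_key, fetcher:)
    @auth_header = self.class.basic_auth_header(client_id, api_key)
    @fetcher = fetcher
    @rate_limit_remaining = nil
  end

  # Collects every record of a paginated collection ("computers", "events", ...)
  # by following next links until none is returned. Returns [records, pages].
  def fetch_all(endpoint, params = {})
    url = BASE_URL + endpoint
    url += "?" + URI.encode_www_form(params) unless params.empty?
    records = []
    pages = 0
    while url
      status, headers, body = @fetcher.call(url, request_headers)
      raise ApiError, "HTTP #{status} from #{url}" unless status == 200
      @rate_limit_remaining = headers[REMAINING_HEADER]&.to_i
      doc = JSON.parse(body)
      records.concat(doc.fetch("data"))
      url = doc.dig(*NEXT_LINK_PATH) # nil on the last page ends the loop
      pages += 1
    end
    [records, pages]
  end

  private

  def request_headers
    { "Authorization" => @auth_header, "Accept" => "application/json" }
  end
end

# Constructed stand-in for the AMP cloud (not a real server, not real data): serves
# a fixed record list page_size at a time, answers 401 to a wrong Authorization
# header and counts an hourly quota down in the rate-limit headers.
class FakeAmpServer
  def initialize(records, page_size:, expected_auth:, quota: 1000)
    @records, @page_size, @expected_auth = records, page_size, expected_auth
    @quota = quota
    @remaining = quota
  end

  def call(url, headers)
    return [401, {}, '{"errors":["Unauthorized"]}'] unless headers["Authorization"] == @expected_auth
    @remaining -= 1
    uri = URI(url)
    query = URI.decode_www_form(uri.query.to_s).to_h
    offset = query.fetch("offset", "0").to_i
    page = @records[offset, @page_size] || []
    links = { "self" => url }
    if offset + @page_size < @records.size
      query["offset"] = (offset + @page_size).to_s
      links["next"] = "#{uri.scheme}://#{uri.host}#{uri.path}?#{URI.encode_www_form(query)}"
    end
    body = JSON.generate("data" => page, "metadata" => { "links" => links })
    [200, { "X-RateLimit-Limit" => @quota.to_s, "X-RateLimit-Remaining" => @remaining.to_s }, body]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed hostnames and GUIDs for the demo run.
  hosts = (1..5).map { |i| { "hostname" => "lab-host-#{i}", "connector_guid" => "guid-#{i}" } }
  auth = AmpPagedClient.basic_auth_header("example-client-id", "example-api-key")
  server = FakeAmpServer.new(hosts, page_size: 2, expected_auth: auth)
  client = AmpPagedClient.new("example-client-id", "example-api-key", fetcher: server)
  computers, pages = client.fetch_all("computers", "hostname" => "lab-host")
  puts "#{computers.size} computers over #{pages} pages, #{client.rate_limit_remaining} requests left"
end
```

To run this against the real service, replace FakeAmpServer with a fetcher that wraps Net::HTTP (or HTTParty) and returns the same [status, headers, body] triple, and take the Client ID and API Key from environment variables or a secrets store rather than hardcoding them in the script as the FAQ's placeholders suggest. Checking rate_limit_remaining after each page lets a collector back off before it exhausts the 1000-requests-per-hour quota and starts receiving errors.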
