API Everything
If I want to do cool things at work then I need to learn APIs.
Basically, I have access to SecureX which is a complete Chad of an API orchestration platform. If I want to be one of the cool kids, then I need to be Chad’s friend.
Project Chadlet
Current Ingredients:
- SecureX Access
- SecureX Integration: My Alienvault OTX Key
- SecureX Integration: My VirusTotal API Key
- SecureX Integration: My Shodan API Key
Wait…that’s it?
So far, yes. So I have 3 things integrated into SecureX but no way to use them. They function as a way to look something up, but they don’t have any data coming in to act on. It’s like a Chef with no food, a PC with no user, or more aptly, it’s like Splunk with no data to index.
So this got me thinking, how can I get data shipped into SecureX without spending my own hard-earned money on a production Cisco license?
Idk…Maybe I could ship data into SecureX somehow.
Apparently this can be done with a Relay integration. I might be wrong about this.
But SecureX is an API-first platform.
It is an API which interacts with other APIs through “integration”.
I’m learning some stuff lately so maybe I can piecemeal together “integration”.
In my homelab I currently have a Wazuh SIEM ingesting data from PCs so I can threat-hunt for my child’s mistakes.
I am also using an old Watchguard firewall.
Wazuh
This would ideally be my primary candidate for feeding data into SecureX.
I looked into Wazuh to SecureX integration and it looks like there’s no pre-made third-party integration.
Graylog (another SIEM) has an integration but it may only be for the paid version.
I looked into Graylog as a Wazuh replacement, and that might be doable. I like Wazuh’s MITRE-centric reporting though. But if I migrated over to Graylog then I could do more cool things with the API, like post alerts to a Discord channel.
I found the Wazuh API docs “HERE”.
Watchguard
If I can’t make the above work, then maybe I can make this-stupid-thing work.
I pay for no licenses so it’s just a stateful firewall at this point.
I looked up Watchguard API, and found “THIS”.
Firebox Management API
Use the Firebox Management API to manage and configure WatchGuard Fireboxes that you have added to your (WatchGuard Cloud) account.
The Firebox Management API enables you to manage sites on the Blocked Sites list, configure different types of Firebox exceptions, such as WebBlocker, IPS, and Blocked Sites exceptions, and deploy them to your Fireboxes.
I logged into the Watchguard Cloud account that I apparently have, and noted that no devices are added.
Oh yeah, this Watchguard Firebox was a discard that I never transferred ownership of.
I can’t put it into Watchguard Cloud until it is associated with my Watchguard account.
So I went ahead and opened up a ticket to request transfer of ownership.
I hope that whoever is working the helpdesk this Thanksgiving is having a good day.
So, once it shows as mine, hopefully I can import it into the Cloud because I also found “THIS”!
It’s a list of API options for managing rules on the fly!
I already know that I can call that from SecureX with a webhook.
CiscoLive Presentations
I also found some related CiscoLive presentations and downloaded them to disk for reference.
“DevNet: Development Opportunities with SecureX - How to Build onto the Industry’s Broadest Security Platform? - BRKDEV-2010”
“SecureX All The Things (With Hosted and Remote Relays) - BRKSEC-2005”
“Architect for Agility: How DevNet Empowers Your Teams with Software and Automation - DLBLDR-11”
I know from experience that the highly technical CiscoLive presentations are an excellent source of SME-type information so I’m stoked about finding these.
Putting a Plan Together
Once this Watchguard firewall is…officially mine…I’ll get it into the cloud.
I will then test out the connection to its API and document it.
I will investigate ways to get rudimentary info from Wazuh into SecureX.
If that fails, then table it and move to Graylog.
Graylog - Look into setting up Graylog next to Wazuh, shipping the Wazuh index to Graylog and integrating Graylog into SecureX directly.
Once I am getting info into SecureX then I will go ahead and enable Orchestration and start testing API calls.
The desired end state is to be able to log into SecureX, view my SIEM alerts, and use orchestration plays to manage the firewall based on those SIEM alerts.
SecureX API Inbound <— SIEM Data
SecureX API Outbound —> Firewall Actions
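As an added example (my own sketch, not the author’s code and not anything SecureX, Wazuh or WatchGuard ship), here is the inbound half of that plan in Python: it reads Wazuh alerts.json lines, keeps only high-level alerts with an external source IP, and turns each into a block-action record that a relay or orchestration play could forward to the firewall step. The Wazuh field names (rule.level, rule.id, rule.mitre.id, data.srcip) are real; the sample alerts, the NEVER_BLOCK ranges and the output dict shape are assumptions.

```python
import ipaddress
import json

# Constructed sample of Wazuh's newline-delimited alerts.json; field names
# follow the Wazuh alert schema, every value is made up for this demo.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"rule": {"level": 10, "id": "5712", "mitre": {"id": ["T1110"]},
              "description": "sshd: brute force trying to get access to the system."},
     "agent": {"name": "homelab-pc1"}, "data": {"srcip": "203.0.113.45"}},
    {"rule": {"level": 3, "id": "5501", "description": "PAM: Login session opened."},
     "agent": {"name": "homelab-pc1"}, "data": {"srcuser": "kid"}},
    {"rule": {"level": 12, "id": "100200", "mitre": {"id": ["T1110"]},
              "description": "Multiple failed logins from a LAN host"},
     "agent": {"name": "homelab-pc2"}, "data": {"srcip": "192.168.1.20"}},
])

# Networks a play must never block (assumed homelab ranges plus loopback).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def alert_to_block_action(alert, min_level=10):
    """Block-action dict for one alert, or None if it should not trigger anything.
    Needs rule.level >= min_level and a data.srcip outside NEVER_BLOCK, so a
    noisy internal host can never get the homelab's own LAN blocked.
    The dict shape is hypothetical, not the Firebox Management API's format."""
    rule = alert.get("rule", {})
    if int(rule.get("level", 0)) < min_level:
        return None
    try:
        ip = ipaddress.ip_address(alert.get("data", {}).get("srcip", ""))
    except ValueError:            # no srcip, or not a parseable address
        return None
    if any(ip in net for net in NEVER_BLOCK):
        return None
    return {
        "action": "block_site",   # hypothetical action name
        "ip": str(ip),
        "rule_id": rule.get("id"),
        "mitre": rule.get("mitre", {}).get("id", []),
        "reason": rule.get("description", ""),
    }

def alerts_to_block_actions(ndjson_text, min_level=10):
    """Parse alerts.json text and return the block actions worth sending on."""
    actions = []
    for line in ndjson_text.splitlines():
        if line.strip():
            action = alert_to_block_action(json.loads(line), min_level)
            if action:
                actions.append(action)
    return actions
```

Run it against the sample and only the external brute-force source comes out; the LAN host with the higher rule level is deliberately dropped.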
We’ll see how this goes.
Let me know what you think of this article on Twitter @cpardue09 or leave a comment below!