Why does the AMP for Endpoints API require "write" access? I am afraid of the app making changes to the events in the AMP console. Will it delete or resolve the alerts if I give WRITE access to the app?
I had the same question and reached out to the app developer through my Cisco SE.
When you configure an input in the app, it needs to do a POST to the AMP API to configure the AMQPS event stream.
Once you've configured your inputs and they're all posted to your AMP instance, you can switch the app to a read-only credential and it continues to work.
Tested this myself and so far it's been working as described. If I need to modify an input, I temporarily swap in a RW API credential and go back to RO after the modification is made.
Small update to this.
Do not delete the RW API credential set from the AMP console. If you do, it will delete any event streams created using that credential set.
Also, an input in the app will continue to use the RW credentials even after you change its configuration to a different RO credential. You'll need to edit local/inputs and update the api_id and api_key for your created input manually if you want to be sure those keys aren't stored anywhere.
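The manual edit described above (replacing the RW api_id/api_key of one input stanza with the RO pair, and confirming no stanza still references the RW key) as an added example; this is not code from the app or its developer. The stanza prefix, key names and credential values in the sample inputs.conf are constructed assumptions about the app's local/inputs.conf layout.

```python
import re

# Constructed sample of a local/inputs.conf; stanza and key names are assumptions.
SAMPLE_INPUTS_CONF = """\
[amp4e_events_input://prod_events]
api_host = api.amp.cisco.com
api_id = RW_ID_PLACEHOLDER
api_key = RW_KEY_PLACEHOLDER
interval = 60

[amp4e_events_input://lab_events]
api_host = api.amp.cisco.com
api_id = LAB_ID
api_key = LAB_KEY
"""

_STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
_KV = re.compile(r"^(?P<key>[A-Za-z_][\w.]*)\s*=\s*(?P<val>.*)$")

def rotate_credentials(conf_text, stanza, new_api_id, new_api_key):
    """Return conf_text with api_id/api_key replaced only inside `stanza`.
    Every other line passes through unchanged, so the result can be diffed
    against the original before it is written back to local/inputs.conf."""
    out, current, touched = [], None, set()
    for line in conf_text.splitlines():
        m = _STANZA.match(line)
        if m:
            current = m.group("name")
            out.append(line)
            continue
        kv = _KV.match(line)
        if current == stanza and kv and kv.group("key") in ("api_id", "api_key"):
            val = new_api_id if kv.group("key") == "api_id" else new_api_key
            out.append(f"{kv.group('key')} = {val}")
            touched.add(kv.group("key"))
            continue
        out.append(line)
    if touched != {"api_id", "api_key"}:
        raise ValueError(f"stanza {stanza!r} has no api_id/api_key to replace")
    return "\n".join(out) + "\n"

def stanzas_using(conf_text, api_id):
    """List stanzas whose api_id still equals `api_id` (e.g. the RW key)."""
    found, current = [], None
    for line in conf_text.splitlines():
        m = _STANZA.match(line)
        if m:
            current = m.group("name")
            continue
        kv = _KV.match(line)
        if kv and kv.group("key") == "api_id" and kv.group("val").strip() == api_id:
            found.append(current)
    return found
```

Run `stanzas_using` on the rewritten text afterwards; an empty result for the RW api_id is the check that no input still carries the RW credential.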
cool thanks for the update
Can we have another app with read-only rights? Can we have a response on this from the developer? It would be better if we had another app that requires only read-only rights.
I was unable to get it to work with read-only access, and then I explained this to my AMP admin and they got me both accesses. For the last 4 months we have been pulling data into Splunk and I can say that it is safe to have both read and write. But I agree that ideally it should work with read-only access.
I have not tested whether it requires read/write only initially or throughout.
I have the same "issue". My CSIRT team, which is in charge of the AMP deployment, will give me RO-only access. Can we go about it somehow? Perhaps an R/W user is only necessary for the initial set-up and we can change it to RO for future use? This is really a limitation 😞
Tomas