Hi all R80 Management API users,
The R80.20.M1 Management API release introduces a new Threat Indicators (IOC) API, which lets you add a Threat Indicator object with the add-threat-indicator command.
One of the parameters of this command is the indicator's collection of observables.
There are two documented ways to supply it:
1. Using the "observables" parameter with the "object notation", such as:
observables.1.name "my_observable_1" observables.1.mail-to "someone@somewhere.com" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AB" observables.1.comments "my comment"
2. Using the "observables-raw-data" parameter, with the "CSV notation", such as:
observables-raw-data "my_observable_1,someone@somewhere.com,mail-to,medium,low,AB,my comment"
In this form the fields must follow this order: Name, Value, Type, Confidence, Severity, Product, Comments.
There is a third option: prepare a CSV file and pass it to the mgmt_cli tool with the following options:
mgmt_cli add-threat-indicator name my_indicator_1 observables-raw-data @indicators1.csv --treat-value-as-file-by-prefix @ action prevent
The CSV file must be in the directory from which you run the API commands (/home/admin or whatever you choose).
Note that the content of the CSV file must follow the same field order as in option 2 above.
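As an added example (not from the original post or from Check Point), the script below builds all three documented forms from one list of observables: the observables-raw-data CSV string (which, written to indicators1.csv, is also the file for the @ option), the observables.N.<key> object-notation tokens for mgmt_cli, and an assumed JSON body for the equivalent Web API call. It assumes that in the object notation the key after the index is the observable type as the post shows for mail-to, that multiple observables in the CSV form go one per line, and that the Web API body mirrors the dot notation (observables.1.name maps to observables[0].name). The post documents no quoting rule for the CSV form, so the script refuses values containing commas or line breaks rather than guessing how they would be parsed. The second sample observable and its "ip" type are constructed for illustration.

```python
import json
import shlex
from dataclasses import dataclass

# Field order documented for the CSV form (observables-raw-data and the CSV file).
CSV_FIELDS = ("Name", "Value", "Type", "Confidence", "Severity", "Product", "Comments")


@dataclass
class Observable:
    name: str
    value: str
    type: str          # e.g. "mail-to"; also used as the object-notation key (assumption)
    confidence: str
    severity: str
    product: str
    comments: str = ""

    def fields(self):
        # Same order as CSV_FIELDS.
        return (self.name, self.value, self.type, self.confidence,
                self.severity, self.product, self.comments)


def observables_raw_data(observables):
    """Value for observables-raw-data, or the content of the CSV file.
    No escaping rule is documented, so commas and line breaks are rejected."""
    lines = []
    for o in observables:
        for f in o.fields():
            if any(c in f for c in ",\r\n"):
                raise ValueError(
                    f"field {f!r} of observable {o.name!r} contains a comma or line break; "
                    "use the object notation for this observable instead")
        lines.append(",".join(o.fields()))
    return "\n".join(lines)   # one observable per line (assumption for the multi-row case)


def object_notation_args(observables):
    """mgmt_cli tokens in the documented observables.N.<key> form, 1-indexed."""
    args = []
    for i, o in enumerate(observables, start=1):
        p = f"observables.{i}."
        args += [p + "name", o.name,
                 p + o.type, o.value,            # type becomes the key: observables.1.mail-to
                 p + "confidence", o.confidence,
                 p + "severity", o.severity,
                 p + "product", o.product,
                 p + "comments", o.comments]
    return args


def mgmt_cli_command(indicator_name, observables, action="prevent"):
    """Shell-safe mgmt_cli command line using the object notation."""
    tokens = (["mgmt_cli", "add-threat-indicator", "name", indicator_name]
              + object_notation_args(observables) + ["action", action])
    return " ".join(shlex.quote(t) for t in tokens)


def web_api_body(indicator_name, observables, action="prevent"):
    """Assumed JSON equivalent of the object notation for POST /web_api/add-threat-indicator."""
    body = {"name": indicator_name, "action": action, "observables": []}
    for o in observables:
        body["observables"].append({
            "name": o.name, o.type: o.value, "confidence": o.confidence,
            "severity": o.severity, "product": o.product, "comments": o.comments})
    return json.dumps(body, indent=2)


# Constructed sample: the first row is the post's own example, the second is made up.
SAMPLE = [
    Observable("my_observable_1", "someone@somewhere.com", "mail-to", "medium", "low", "AB", "my comment"),
    Observable("my_observable_2", "203.0.113.7", "ip", "high", "high", "AB", "constructed sample"),
]

if __name__ == "__main__":
    print(observables_raw_data(SAMPLE))        # contents for indicators1.csv
    print(mgmt_cli_command("my_indicator_1", SAMPLE))
    print(web_api_body("my_indicator_1", SAMPLE))
```

Writing the output of observables_raw_data() to indicators1.csv in your working directory reproduces the file-based invocation from the post; the object-notation command is the fallback for any observable whose comment or value contains a comma.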
Enjoy,
Robert.