topic Re: Automate deployment of Indicators of Compromise (IOC) with a new API. in API / CLI Discussion

Automate deployment of Indicators of Compromise (IOC) with a new API.

Tomer_Sole — Wed, 04 Jul 2018 19:56:06 GMT

The R80.20.M1 - Management Feature Release gives new API for something that previously we could only do from the SmartConsole GUI - deployment of IOC's.

IOC's (Indicators of Compromise) are sources which are known as malicious.

Steps to deploy IOC's with the Management API:

1. Login to the Management Server with the login command. The response contains a session ID. Use it for the next steps.

2. Add, edit or delete indicators. The session ID is a required parameter in the "sid" header.

3. Publish your changes with the publish command.

4. Install the Threat Prevention Policy on the gateways in which you would like to enforce this change, using the install-policy command. Remember, installing just the threat prevention part of the policy separates you from the network objects and access control changes that may have happened at the security management server.

Examples of indicator command executions:

Option A: define the indicators as part of the parameters:

mgmt_cli add threat-indicator name "My_Indicator" observables.1.name "My_Observable" observables.1.mail-to "someone@somewhere.com" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AV" action "ask" profile-overrides.1.profile "My_Profile" profile-overrides.1.action "detect"

Option B: place an indicators file - in CSV or STIX format - and import its raw data:

mgmt_cli add threat-indicator name "My_Indicator" observables-raw-data ""

Option C: edit the indicator action for a given threat profile. A threat profile is connected to some scope behind a gateway in the threat prevention policy.

mgmt_cli set threat-indicator name "My_Indicator" action "prevent" profile-overrides.remove "My_Profile"

Option 😧 show all indicators or one of the indicators:

mgmt_cli show threat-indicators

mgmt_cli show threat-indicator name "My_Indicator"

Option E: delete some indicators:

mgmt_cli delete threat-indicator name "My_Indicator"

To get to it in SmartConsole:

1. Open Security Policies

2. Navigate to Threat Prevention-->Policy

3. The bottom part changes to "Threat Tools". Click on "Indicators".

Let us know your feedback on this.

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Robert_Decker — Thu, 05 Jul 2018 13:09:52 GMT

Following up Tomer's post, this post may be usefull as well -

https://community.checkpoint.com/docs/DOC-3012

Robert.

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Ofir_Shikolski — Sat, 07 Jul 2018 07:42:32 GMT

it is good to know that there is a CSV support

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Danny_Yang — Mon, 09 Jul 2018 03:46:22 GMT

It's very useful and important to leverage 3rd party resource integrated with threat prevention policy.

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Jarvis_Lin1 — Mon, 09 Jul 2018 17:59:47 GMT

This API can provide import CSV file from FTP or HTTP server ?

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Tomer_Sole — Tue, 10 Jul 2018 04:34:19 GMT

There are 3 ways to import CSV's:

1. download the files, parse them and send as JSON

2. place on the Management Server and send the path

3. download the files, reorder the CSV columns to have exactly this order: Name, Value, Type, Confidence, Severity, Product, Comments, and then use the "observables-raw-data" parameter to send each row, for example:

observables-raw-data "my_observable_1,someone@somewhere.com,mail-to,medium,low,AB,my comment"

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Alex_Lewis — Fri, 24 Aug 2018 16:12:33 GMT

Doesn't seem to be a usable method for more than a few indicators. I tried to import a CSV file with 500 lines (all type IP). Progress showed 20% for over 40 minutes so I finally aborted. I tried again with just 10 lines to verify my format was good. On R77.30 I run a daily import of 9 CSV files totaling about 7000 lines; takes just a couple minutes using the load_indicators command. Unfortunately I cannot use load_indicators on R80.20M1 because of an apparent bug (doesn't like IPs that have a zero in one of the IPv4 octets).

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Tomer_Sole — Sun, 26 Aug 2018 05:59:04 GMT

It shouldn't take this long. Please open a support ticket.

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

SantiagoPlatero — Thu, 14 Feb 2019 16:13:47 GMT

Hi Tomer Sole‌ I followed your instructions and could import the CSV files just fine to the management...

BUT, when I want to look at them on the SmartConsole, the Windows process spikes to 20% cpu usage (for at least 10 minutes) and the application freezes. I'd to kill the process in order to login again and it only happens when I go to "Threat Tools" and then click on "Indicators".

If it's useful I imported 7 CSV files with a lot of records, if you need it I could count how much rows has them.

From where can I start debugging the issue?

Thanks!

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

PhoneBoy — Fri, 15 Feb 2019 03:47:24 GMT

How many lines in the CSV file?

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

SantiagoPlatero — Fri, 15 Feb 2019 15:21:53 GMT

Hi Dameon, the total lines of all of the CSV files are 76238. The most lengthy file has 60774 lines, and other one has 11567

The rest of it doesn't have more than 1k lines.

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

PhoneBoy — Fri, 15 Feb 2019 19:59:29 GMT

I'm guessing that 76k line file is causing an issue.

Generally speaking, if you've got that many IOCs, it might be better to employ a Private ThreatCloud appliance.

In that case, you upload the IOCs to your PTC appliance and all your gateways consult it.

See: Check Point Private ThreatCloud

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Brian_Deutmeyer — Fri, 22 Feb 2019 14:48:23 GMT

This is great stuff. Is there a plan to do more of a real time update? This would be something like as soon as a publish occurs, the IOC would propagate to the gateway automatically? Thinking along the lines of IPS where you can set a policy (which requires a threat prevention policy install) and IPS sigs would automatically get enabled on the gateway based on the policy, it would be nice for a way to add some IOCs and the gateways pick it up near real-time.

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

PhoneBoy — Fri, 22 Feb 2019 17:05:08 GMT

What is "Custom Intelligence Feeds" feature?

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Ron_Izraeli — Sat, 23 Feb 2019 07:13:07 GMT

Check out How to extend and enhance SmartConsole? to integrate web pages inside SmartConsole

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Tim_McColgan — Tue, 21 Jan 2020 16:57:06 GMT

How is this automated? It is a great feature, but these instructions are all done manually. I'd like a way to feed IOCs via API with an automation tool.

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

DeletedUser — Fri, 24 Jan 2020 21:59:48 GMT

Once you set up the gateway IoC feed, the updates are "automatic", but yes if you're adding indicators via the management API, then you have to build it using a tool. Which tool do you have in mind? You can use Check Point Ansible modules or Terraform Check Point Provider.

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

antkwang — Sun, 14 Jun 2020 11:14:26 GMT

Hi Tomer,

For the CSV, does it support using web API to insert multiple parameters (observables) in single threat indicator name in single api command?

When i tried it will show that the name already exist (as name is required parameter) but the command only allow to put single observables-raw-data

So the idea is something like this:

{

"name" : "Test",

"observables-raw-data" : "my_observable_1,someone@somewhere.com,mail-to,medium,low,AB,my comment",

"my_observable_2,someone@somewhere.com,mail-to,medium,low,AB,my comment",

"my_observable_3,someone@somewhere.com,mail-to,medium,low,AB,my comment",

"action" : "ask",

"profile-overrides" : [ {

"profile" : "Test",

"action" : "detect"

} ],

"ignore-warnings" : true

}

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

IgorBodrik — Tue, 08 Dec 2020 13:28:23 GMT

Hi, In the case of using PTC appliance, gateways enforce policy immediately or policy installation is needed?