topic R80 Management API tips and tricks - a new &quot;add-threat-indicator&quot; command in API / CLI Discussion https://community.checkpoint.com/t5/API-CLI-Discussion/R80-Management-API-tips-and-tricks-a-new-quot-add-threat/m-p/40046#M2600 <HTML><HEAD></HEAD><BODY><P>Hi all R80 Management API users,</P><P></P><P><A _jive_internal="true" href="https://community.checkpoint.com/docs/DOC-3011-whats-new-with-r8020m1-management-api">The R80.20.M1 Managemet API release</A>&nbsp;introduces a new Threat Indicators (IOC) API, allowing addition of an Indicator object -&nbsp;<A href="https://sc1.checkpoint.com/documents/latest/APIs/index.html#gui-cli/add-threat-indicator~v1.2%20">Add Threat Indicator</A>.</P><P>One of the&nbsp;options of this command is deployment of indicator's observables collection.</P><P></P><P>There are two documented options to accomplish this:</P><P>1. Using the <STRONG>"observables"</STRONG> parameter with the "object notation", such as:</P><P><SPAN style="color: #993300;"><EM><SPAN>observables.1.name "my_observable_1" observables.1.mail-to "</SPAN><A class="jive-link-email-small" href="mailto:someone@somewhere.com">someone@somewhere.com</A><SPAN>" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AB" observables.1.comments "my comment"</SPAN></EM></SPAN></P><P></P><P>2. Using the <STRONG>"observables-raw-data"</STRONG> parameter, with the "CSV notation", such as:</P><P><SPAN style="color: #993300;"><EM><SPAN>observables-raw-data "my_observable_1,</SPAN><A class="jive-link-email-small" href="mailto:someone@somewhere.com">someone@somewhere.com</A><SPAN>,mail-to,medium,low,AB,my comment"</SPAN></EM></SPAN></P><P>For this case, you must follow this order of fields - Name, Value, Type, Confidence, Severity, Product, Comments.</P><P></P><P>There is an additional option to prepare <STRONG>a CSV file</STRONG> and then use <STRONG>mgmt_cli tool</STRONG> with the following options:</P><P><SPAN style="color: #993300;"><EM>mgmt_cli add-threat-indicator name my_indicator_1 observables-raw-data <SPAN style="color: #ff0000;">@</SPAN><SPAN style="color: #0000ff;">indicators1.csv</SPAN> <SPAN style="color: #ff0000;">--treat-value-as-file-by-prefix @</SPAN> action prevent</EM></SPAN></P><P>and put the CSV file in the same folder from where you run the API commands (/home/admin or whatever you choose).</P><P>Note that the content of CSV file must follow the order as in option 2 above.</P><P></P><P>Enjoy,</P><P>Robert.</P></BODY></HTML> Thu, 05 Jul 2018 12:39:09 GMT Robert_Decker 2018-07-05T12:39:09Z R80 Management API tips and tricks - a new "add-threat-indicator" command https://community.checkpoint.com/t5/API-CLI-Discussion/R80-Management-API-tips-and-tricks-a-new-quot-add-threat/m-p/40046#M2600 <HTML><HEAD></HEAD><BODY><P>Hi all R80 Management API users,</P><P></P><P><A _jive_internal="true" href="https://community.checkpoint.com/docs/DOC-3011-whats-new-with-r8020m1-management-api">The R80.20.M1 Managemet API release</A>&nbsp;introduces a new Threat Indicators (IOC) API, allowing addition of an Indicator object -&nbsp;<A href="https://sc1.checkpoint.com/documents/latest/APIs/index.html#gui-cli/add-threat-indicator~v1.2%20">Add Threat Indicator</A>.</P><P>One of the&nbsp;options of this command is deployment of indicator's observables collection.</P><P></P><P>There are two documented options to accomplish this:</P><P>1. Using the <STRONG>"observables"</STRONG> parameter with the "object notation", such as:</P><P><SPAN style="color: #993300;"><EM><SPAN>observables.1.name "my_observable_1" observables.1.mail-to "</SPAN><A class="jive-link-email-small" href="mailto:someone@somewhere.com">someone@somewhere.com</A><SPAN>" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AB" observables.1.comments "my comment"</SPAN></EM></SPAN></P><P></P><P>2. Using the <STRONG>"observables-raw-data"</STRONG> parameter, with the "CSV notation", such as:</P><P><SPAN style="color: #993300;"><EM><SPAN>observables-raw-data "my_observable_1,</SPAN><A class="jive-link-email-small" href="mailto:someone@somewhere.com">someone@somewhere.com</A><SPAN>,mail-to,medium,low,AB,my comment"</SPAN></EM></SPAN></P><P>For this case, you must follow this order of fields - Name, Value, Type, Confidence, Severity, Product, Comments.</P><P></P><P>There is an additional option to prepare <STRONG>a CSV file</STRONG> and then use <STRONG>mgmt_cli tool</STRONG> with the following options:</P><P><SPAN style="color: #993300;"><EM>mgmt_cli add-threat-indicator name my_indicator_1 observables-raw-data <SPAN style="color: #ff0000;">@</SPAN><SPAN style="color: #0000ff;">indicators1.csv</SPAN> <SPAN style="color: #ff0000;">--treat-value-as-file-by-prefix @</SPAN> action prevent</EM></SPAN></P><P>and put the CSV file in the same folder from where you run the API commands (/home/admin or whatever you choose).</P><P>Note that the content of CSV file must follow the order as in option 2 above.</P><P></P><P>Enjoy,</P><P>Robert.</P></BODY></HTML> Thu, 05 Jul 2018 12:39:09 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/R80-Management-API-tips-and-tricks-a-new-quot-add-threat/m-p/40046#M2600 Robert_Decker 2018-07-05T12:39:09Z