Problem with adding threat indicator via Web Services API

Juraj_Sakala — Tue, 02 Apr 2019 07:50:50 GMT

Hello mates,

I try to upload threat indicators via Web Services API (R80.20 Take47), but without success. I can see, that the request is processed by management server, but the threat indicator object is not created. I added indicator via mgmt_cli without problems but something wrong with Web Services. Maybe I missed something, but I really don't know what. I need help.

Here is my JSON request body:

{"name" : "IOC_test_4", "observables" : [{"name":"Observable1","ip-address":"1.2.3.1", "confidence" : "medium","severity" : "low","product" : "AV"}],"action":"Prevent","details-level":"full","ignore-warnings" : true, "comments":"Comment text"}

Got response:

{u'task-id': u'1abd28ac-325f-4097-94b5-732272eaafe5'}

I found in api.elg logs:

2019-04-02 09:29:20,182 INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp851195565-25] - Inbound Message
----------------------------
ID: 1811
Address: http://127.0.0.1:50276/web_api/add-threat-indicator
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[*/*], accept-encoding=[gzip, deflate], connection=[keep-alive], Content-Length=[248], content-type=[application/json], Host=[127.0.0.1:50276], User-Agent=[python-requests/2.21.0], X-chkp-sid=[_w5IshidWB4t4brquWvtHwCp_gXSco1Tq-cr2p0Co9Y], X-Forwarded-For=[10.51.20.70], X-Forwarded-Host=[10.51.20.13], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[10.51.20.13]}
Payload: {"name": "IOC_test_4", "ignore-warnings": true, "details-level": "full", "comments": "Comment text", "action": "Prevent", "observables": [{"product": "AV", "confidence": "medium", "name": "Observable1", "ip-address": "1.2.3.1", "severity": "low"}]}
--------------------------------------
2019-04-02 09:29:20,186 INFO com.checkpoint.management.web_api_is.utils.helpers.ApiCache.<init>:21 [qtp851195565-25] - Cache created and initialized
2019-04-02 09:29:20,187 INFO com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:51 [qtp851195565-25] - Executing [add-threat-indicator] of version 1.3 (references 1.2)
2019-04-02 09:29:20,568 INFO com.checkpoint.management.web_api_is.utils.CsvFileWriterUtils.writeCsvLine:7 [qtp851195565-25] - 2019-04-02,09:29:20 +0200,add-threat-indicator,PASSED,382
2019-04-02 09:29:20,569 INFO org.apache.cxf.interceptor.LoggingOutInterceptor.log:250 [qtp851195565-25] - Outbound Message
---------------------------
ID: 1811
Response-Code: 200
Content-Type: application/json
Headers: {Content-Type=[application/json], X-chkp-sync-task-id=[1abd28ac-325f-4097-94b5-732272eaafe5], Date=[Tue, 02 Apr 2019 07:29:20 GMT]}
Payload: {
"task-id" : "1abd28ac-325f-4097-94b5-732272eaafe5"
}

So, looks like everithing went OK. I also found IOC_test_4_output.xml and IOC_test_4.csv in temp directory

[Expert@R8010MGMT:0]# cat /opt/CPsuite-R80.20/fw1/temp/IOC_test_4.csv
#! DESCRIPTION = This is user defined IOC file
#! REFERENCE = Indicator Bulletin IOC_test_4;April 02 2019
# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
Observable1,1.2.3.1,IP,medium,low,AV,

[Expert@R8010MGMT:0]# cat /opt/CPsuite-R80.20/fw1/temp/IOC_test_4_output.xml
<?xml version="1.0" encoding="UTF-8"?>

<indicator_parsing_response>
<cp_format>true</cp_format>
<status>ok</status>
<indicator uuid="1">
<fileName>/opt/CPsuite-R80.20/fw1/temp/IOC_test_4.csv</fileName>
<description>This is user defined IOC file</description>
<reference>Indicator Bulletin IOC_test_4;April 02 2019</reference>
<Hash_value>6e8d9b6ceb4cbf00082dcaada28f9b01</Hash_value>
<Observables>
<observable id="18446744069414584330">
<Name>Observable1</Name>
<type>IP</type>
<Confidence>Medium</Confidence>
<Severity>Low</Severity>
<Product>av</Product>
<Comment></Comment>
<Value>1.2.3.1</Value>
</observable>
</Observables>
</indicator>
</indicator_parsing_response>

So far so good. In SmartConsole I can see, that indicator is added

But that is all. I can not see new indicator in Indicators. In the audit logs, there is no log with new object added (only Log In/Log Out).

Thanks for any response

Juraj Sakala

Re: Problem with adding threat indicator via Web Services API

PhoneBoy — Wed, 03 Apr 2019 01:09:43 GMT

After executing that command, did you execute a publish action?
Without that, these threat indicators won't be committed.
Further, they will not take effect.on the gateway until you push the Threat Prevention policy.

Re: Problem with adding threat indicator via Web Services API

Juraj_Sakala — Wed, 03 Apr 2019 06:19:55 GMT

Thanks, you are absolutely right. I supposed that publishing is automatic like with mgmt_cli, but it is not.

topic Re: Problem with adding threat indicator via Web Services API in API / CLI Discussion

Problem with adding threat indicator via Web Services API

Re: Problem with adding threat indicator via Web Services API

Re: Problem with adding threat indicator via Web Services API