Automate deployment of Indicators of Compromise (IOC) with a new API.

The R80.20.M1 Management Feature Release gives a new API for something that previously we could only do from the SmartConsole GUI: deployment of IOCs.

IOCs (Indicators of Compromise) are sources that are known to be malicious.

Steps to deploy IOCs with the Management API:

1. Login to the Management Server with the login command. The response contains a session ID. Use it for the next steps.

2. Add, edit or delete indicators. The session ID is a required parameter in the "sid" header.

3. Publish your changes with the publish command.

4. Install the Threat Prevention Policy on the gateways on which you would like to enforce this change, using the install-policy command. Remember, installing just the Threat Prevention part of the policy separates you from the network object and access control changes that may have happened on the Security Management Server.

Examples of indicator command executions:

Option A: define the indicators as part of the parameters:

mgmt_cli add threat-indicator name "My_Indicator" observables.1.name "My_Observable" observables.1.mail-to "someone@somewhere.com" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AV" action "ask" profile-overrides.1.profile "My_Profile" profile-overrides.1.action "detect"

Option B: place an indicators file - in CSV or STIX format - and import its raw data:

mgmt_cli add threat-indicator name "My_Indicator" observables-raw-data ""

Option C: edit the indicator action for a given threat profile. A threat profile is connected to some scope behind a gateway in the threat prevention policy.

mgmt_cli set threat-indicator name "My_Indicator" action "prevent" profile-overrides.remove "My_Profile"

Option D: show all indicators or one of the indicators:

mgmt_cli show threat-indicators
mgmt_cli show threat-indicator name "My_Indicator"

Option E: delete some indicators:

mgmt_cli delete threat-indicator name "My_Indicator"

To get to it in SmartConsole:

1. Open Security Policies

2. Navigate to Threat Prevention-->Policy

3. The bottom part changes to "Threat Tools". Click on "Indicators".

Let us know your feedback on this.

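Added example, not code from the original post or from Check Point: the four steps above and the Option A indicator, written as a Python routine over the Management web API, which is the JSON form of the mgmt_cli commands shown (each command is a POST to /web_api/<command>, and the session id from login travels in the X-chkp-sid header). It adds the check a practitioner wants in automation: if anything after login fails, the session is discarded before logout, so no half-built change is left pending. The transport is injected so the flow runs offline against a recording stub; https_transport is the one for a real server. The management host name, the policy package name "Standard" and the gateway "gw1" are placeholders.

```python
"""Deploy threat indicators through the Check Point Management API (web_api).

Added example; this is not code from the original post or from Check Point.
It walks the post's four steps (login, add threat-indicator, publish,
install-policy) over the JSON endpoints that back mgmt_cli: the session id
from login is sent on every later call in the X-chkp-sid header.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Optional

SID_HEADER = "X-chkp-sid"
Transport = Callable[[str, Dict[str, Any], Optional[str]], Dict[str, Any]]


def https_transport(server: str, verify_tls: bool = True) -> Transport:
    """POST JSON to https://<server>/web_api/<command> and return the parsed reply.

    verify_tls=False is only for lab managers with self-signed certificates;
    keep verification on in automation against production.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def call(command: str, payload: Dict[str, Any], sid: Optional[str] = None) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if sid:
            headers[SID_HEADER] = sid
        req = urllib.request.Request(f"https://{server}/web_api/{command}",
                                     data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
                return json.loads(resp.read().decode())
        except urllib.error.HTTPError as err:
            # The API answers failures with a JSON body carrying "code" and "message".
            raise RuntimeError(f"{command} failed: {err.code} {err.read().decode()}") from err
    return call


def indicator_payload(name: str, observables: List[Dict[str, str]], action: str = "detect",
                      profile_overrides: Optional[List[Dict[str, str]]] = None) -> Dict[str, Any]:
    """Body for add-threat-indicator; the keys mirror the mgmt_cli parameters of Option A."""
    body: Dict[str, Any] = {"name": name, "action": action, "observables": observables}
    if profile_overrides:
        body["profile-overrides"] = profile_overrides
    return body


def deploy_indicators(call: Transport, user: str, password: str, indicators: List[Dict[str, Any]],
                      policy_package: str, targets: List[str]) -> Dict[str, Any]:
    """Login, add every indicator, publish, install only the Threat Prevention policy, logout.

    If any step after login fails, the session is discarded so no pending
    changes are left behind in the management database.
    """
    sid = call("login", {"user": user, "password": password}, None)["sid"]
    try:
        for body in indicators:
            call("add-threat-indicator", body, sid)
        call("publish", {}, sid)
        return call("install-policy", {
            "policy-package": policy_package,
            "threat-prevention": True,
            "access": False,          # Threat Prevention only, as step 4 of the post describes
            "targets": targets,
        }, sid)
    except Exception:
        call("discard", {}, sid)
        raise
    finally:
        call("logout", {}, sid)


class RecordingTransport:
    """Offline stand-in for https_transport: records calls and fakes replies."""

    def __init__(self, fail_on: Optional[str] = None) -> None:
        self.calls: List[tuple] = []
        self.fail_on = fail_on

    def __call__(self, command: str, payload: Dict[str, Any], sid: Optional[str] = None) -> Dict[str, Any]:
        self.calls.append((command, payload, sid))
        if command == self.fail_on:
            raise RuntimeError(f"simulated API error on {command}")
        if command == "login":
            return {"sid": "fake-sid-1234"}
        if command == "install-policy":
            return {"task-id": "task-0001"}
        return {}


# The Option A indicator from the post, as a JSON body.
SAMPLE_INDICATOR = indicator_payload(
    "My_Indicator",
    [{"name": "My_Observable", "mail-to": "someone@somewhere.com",
      "confidence": "medium", "severity": "low", "product": "AV"}],
    action="ask",
    profile_overrides=[{"profile": "My_Profile", "action": "detect"}],
)

if __name__ == "__main__":
    transport = RecordingTransport()   # swap for https_transport("mgmt.example.net")
    print(deploy_indicators(transport, "admin", "secret", [SAMPLE_INDICATOR], "Standard", ["gw1"]))
    print([c[0] for c in transport.calls])
```

Run as-is it prints the recorded call sequence; point it at a real manager by replacing the stub with https_transport and supplying the credentials of an API-enabled administrator. install-policy returns a task id, so a real run would poll show-task before treating the deployment as done.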
14 Replies
Employee++

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Following up Tomer's post, this post may be useful as well -

https://community.checkpoint.com/docs/DOC-3012

Robert.

Employee+

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

It is good to know that there is CSV support :)

Employee++

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

It's very useful and important to leverage 3rd-party resources integrated with the threat prevention policy.

Jarvis_Lin1
Nickel

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Can this API import a CSV file from an FTP or HTTP server?


Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

There are 3 ways to import CSVs:

1. download the files, parse them and send as JSON

2. place on the Management Server and send the path

3. download the files, reorder the CSV columns to have exactly this order: Name, Value, Type, Confidence, Severity, Product, Comments, and then use the "observables-raw-data" parameter to send each row, for example: 

observables-raw-data "my_observable_1,someone@somewhere.com,mail-to,medium,low,AB,my comment"

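Added example, not code from the thread or from Check Point: the third method in the reply above (reorder the columns into Name, Value, Type, Confidence, Severity, Product, Comments and emit one observables-raw-data row per line) together with the first method (parse the CSV and send JSON observables), as one Python converter for feeds whose columns arrive in any order. It also catches the edge cases a real feed produces before they reach the API: a comma inside a comment field (which would shift every following column), a malformed IP value, and case differences in the confidence/severity/product columns. The header aliases and the accepted value sets are assumptions for this example taken from the values the thread uses, not a published schema; the sample feed is constructed.

```python
"""Turn a third-party indicator CSV into Check Point threat-indicator input.

Added example; not code from the thread or from Check Point. Reads a CSV whose
columns come in any order, rearranges them into the fixed order Name, Value,
Type, Confidence, Severity, Product, Comments, and emits one
observables-raw-data row per line (method 3) as well as the equivalent JSON
observables (method 1). Aliases and accepted value sets are assumptions.
"""
import csv
import io
import ipaddress
from typing import Any, Dict, List

RAW_ORDER = ["Name", "Value", "Type", "Confidence", "Severity", "Product", "Comments"]

# Feed header -> canonical column (assumed aliases; extend for your own feeds).
ALIASES = {
    "name": "Name", "indicator": "Name",
    "value": "Value", "ioc": "Value", "address": "Value",
    "type": "Type", "ioc_type": "Type",
    "confidence": "Confidence", "severity": "Severity",
    "product": "Product", "blade": "Product",
    "comments": "Comments", "comment": "Comments", "description": "Comments",
}
# Accepted values, assumed from what the thread uses ("medium"/"low", "AV"/"AB").
CONFIDENCE = {"low", "medium", "high"}
SEVERITY = {"low", "medium", "high", "critical"}
PRODUCT = {"AV", "AB"}


def _validate(row: Dict[str, str], lineno: int) -> None:
    """Normalise case and reject rows that would yield an unusable observable."""
    if not row["Name"] or not row["Value"]:
        raise ValueError(f"line {lineno}: Name and Value are required")
    row["Type"], row["Product"] = row["Type"].lower(), row["Product"].upper()
    row["Confidence"], row["Severity"] = row["Confidence"].lower(), row["Severity"].lower()
    if row["Confidence"] not in CONFIDENCE or row["Severity"] not in SEVERITY:
        raise ValueError(f"line {lineno}: bad confidence/severity {row['Confidence']}/{row['Severity']}")
    if row["Product"] not in PRODUCT:
        raise ValueError(f"line {lineno}: unknown product {row['Product']!r}")
    if row["Type"] == "ip":
        try:
            ipaddress.ip_address(row["Value"])   # a zero octet such as 198.51.100.0 is valid
        except ValueError as err:
            raise ValueError(f"line {lineno}: bad IP {row['Value']!r}") from err
    elif row["Type"] == "mail-to" and "@" not in row["Value"]:
        raise ValueError(f"line {lineno}: bad mail address {row['Value']!r}")


def normalize_rows(csv_text: str) -> List[Dict[str, str]]:
    """Read a header-led CSV in any column order into canonical seven-column rows."""
    rows = []
    for lineno, raw in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        row = {col: "" for col in RAW_ORDER}
        for key, val in raw.items():
            canon = ALIASES.get((key or "").strip().lower())
            if canon:
                row[canon] = (val or "").strip()
        _validate(row, lineno)
        rows.append(row)
    return rows


def to_raw_data(row: Dict[str, str]) -> str:
    """One observables-raw-data value: the seven columns in the required order.

    csv.writer quotes a field containing a comma (usually the comment) so the
    column positions stay aligned; that the importer honours CSV quoting is an
    assumption, so strip embedded commas instead if it does not.
    """
    buf = io.StringIO()
    csv.writer(buf).writerow([row[col] for col in RAW_ORDER])
    return buf.getvalue().rstrip("\r\n")


def to_observable(row: Dict[str, str]) -> Dict[str, str]:
    """JSON observable for add-threat-indicator: the Type column becomes the key
    ("ip", "mail-to", ...), as in the observables.N.mail-to form of Option A."""
    return {"name": row["Name"], row["Type"]: row["Value"], "confidence": row["Confidence"],
            "severity": row["Severity"], "product": row["Product"]}


def build_indicators(rows: List[Dict[str, str]], base_name: str,
                     batch_size: int = 500) -> List[Dict[str, Any]]:
    """Split rows over several add-threat-indicator bodies of batch_size observables.

    Batching is a design choice of this example so a rejected row fails only
    its batch; the thread does not say it changes the import times reported later.
    """
    return [{"name": f"{base_name}_{i // batch_size + 1}", "action": "detect",
             "observables": [to_observable(r) for r in rows[i:i + batch_size]]}
            for i in range(0, len(rows), batch_size)]


# Constructed sample feed: columns out of order, mixed case, a comma inside a comment.
SAMPLE_CSV = """Indicator,Description,IOC,ioc_type,Severity,Confidence,Blade
blocked_host_1,constructed sample,203.0.113.10,IP,Medium,High,ab
phish_sender,"contains, a comma",someone@somewhere.com,mail-to,low,medium,AV
blocked_host_2,,198.51.100.0,ip,high,high,AB
"""

if __name__ == "__main__":
    for r in normalize_rows(SAMPLE_CSV):
        print(to_raw_data(r))          # paste each line as the observables-raw-data value
    print(build_indicators(normalize_rows(SAMPLE_CSV), "feed", batch_size=2))
```

Each printed line is what goes after observables-raw-data in the mgmt_cli call from the reply; the dictionaries from build_indicators are the bodies for add-threat-indicator when sending JSON instead. Validation happens before anything is sent, so a feed with one malformed address is rejected locally with its line number rather than failing part-way through a publish.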

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Doesn't seem to be a usable method for more than a few indicators. I tried to import a CSV file with 500 lines (all of type IP). Progress showed 20% for over 40 minutes, so I finally aborted. I tried again with just 10 lines to verify that my format was good. On R77.30 I run a daily import of 9 CSV files totaling about 7000 lines; it takes just a couple of minutes using the load_indicators command. Unfortunately I cannot use load_indicators on R80.20M1 because of an apparent bug (it doesn't like IPs that have a zero in one of the IPv4 octets).


Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

It shouldn't take this long. Please open a support ticket.


Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Hi Tomer Sole, I followed your instructions and could import the CSV files just fine to the management...

BUT, when I want to look at them in SmartConsole, the Windows process spikes to 20% CPU usage (for at least 10 minutes) and the application freezes. I had to kill the process in order to log in again, and it only happens when I go to "Threat Tools" and then click on "Indicators".

If it's useful, I imported 7 CSV files with a lot of records; if you need it, I could count how many rows they have.

From where can I start debugging the issue?

Thanks!

Admin

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

How many lines in the CSV file?


Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Hi Dameon, the total number of lines in all of the CSV files is 76238. The longest file has 60774 lines, and another one has 11567.

The rest of it doesn't have more than 1k lines.

Admin

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

I'm guessing that 76k line file is causing an issue.

Generally speaking, if you've got that many IOCs, it might be better to employ a Private ThreatCloud appliance.

In that case, you upload the IOCs to your PTC appliance and all your gateways consult it.

See: Check Point Private ThreatCloud 

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

This is great stuff. Is there a plan to do more of a real-time update? This would be something like: as soon as a publish occurs, the IOC would propagate to the gateway automatically. Thinking along the lines of IPS, where you can set a policy (which requires a Threat Prevention policy install) and IPS signatures automatically get enabled on the gateway based on the policy, it would be nice to have a way to add some IOCs and have the gateways pick them up in near real time.

Admin

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Employee+

Re: Automate deployment of Indicators of Compromise (IOC) with a new API.

Check out How to extend and enhance SmartConsole? to integrate web pages inside SmartConsole