Automate deployment of Indicators of Compromise (IOC) with a new API.

The R80.20.M1 Management Feature Release adds an API for something that previously could only be done from the SmartConsole GUI: deployment of IOCs.

IOCs (Indicators of Compromise) are sources that are known to be malicious.

Steps to deploy IOCs with the Management API:

1. Log in to the Management Server with the login command. The response contains a session ID. Use it for the next steps.

2. Add, edit or delete indicators. The session ID is a required parameter in the "sid" header.

3. Publish your changes with the publish command.

4. Install the Threat Prevention policy on the gateways on which you want to enforce this change, using the install-policy command. Remember that installing only the Threat Prevention part of the policy does not push the network-object and Access Control changes that may have been made on the Security Management Server in the meantime.

Examples of indicator command executions:

Option A: define the indicators as part of the parameters:

mgmt_cli add threat-indicator name "My_Indicator" observables.1.name "My_Observable" observables.1.mail-to "someone@somewhere.com" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AV" action "ask" profile-overrides.1.profile "My_Profile" profile-overrides.1.action "detect"

Option B: place an indicators file - in CSV or STIX format - and import its raw data:

mgmt_cli add threat-indicator name "My_Indicator" observables-raw-data ""

Option C: edit the indicator action for a given threat profile. A threat profile is connected to some scope behind a gateway in the threat prevention policy.

mgmt_cli set threat-indicator name "My_Indicator" action "prevent" profile-overrides.remove "My_Profile"

Option D: show all indicators or one of the indicators:

mgmt_cli show threat-indicators
mgmt_cli show threat-indicator name "My_Indicator"

Option E: delete some indicators:

mgmt_cli delete threat-indicator name "My_Indicator"

To reach the same feature in SmartConsole:

1. Open Security Policies

2. Navigate to Threat Prevention --> Policy

3. The bottom part changes to "Threat Tools". Click on "Indicators".

Let us know your feedback on this.

17 Replies
Employee++

Following up Tomer's post, this post may be useful as well:

https://community.checkpoint.com/docs/DOC-3012

Robert.

Employee+

It is good to know that there is CSV support :)

Employee++

It's very useful and important to leverage 3rd-party resources integrated with the Threat Prevention policy.

Nickel

Can this API import a CSV file from an FTP or HTTP server?


There are 3 ways to import CSVs:

1. download the files, parse them and send as JSON

2. place on the Management Server and send the path

3. download the files, reorder the CSV columns to have exactly this order: Name, Value, Type, Confidence, Severity, Product, Comments, and then use the "observables-raw-data" parameter to send each row, for example: 

observables-raw-data "my_observable_1,someone@somewhere.com,mail-to,medium,low,AB,my comment"
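
The four steps from the post combined with the column reordering described in this reply, as an added Python example that is not Check Point's code or any script from this thread. It assumes an injected `post(command, payload, sid)` transport in place of real HTTPS calls to `/web_api/<command>`, a policy package named "Standard", and one uniquely named indicator per raw-data row; the sample feed is constructed.

```python
import csv

# Column order for observables-raw-data (from the reply above):
# Name, Value, Type, Confidence, Severity, Product, Comments
RAW_COLUMNS = ["name", "value", "type", "confidence", "severity", "product", "comments"]

# Constructed sample feed whose columns arrive in a different order.
SAMPLE_FEED = """type,value,name,severity,confidence
mail-to,someone@somewhere.com,my_observable_1,low,medium
ip,203.0.113.10,my_observable_2,high,high
"""


def to_raw_rows(csv_text, product="AV", comment="imported"):
    """Reorder each CSV row into the exact column order the API expects."""
    rows = []
    for rec in csv.DictReader(csv_text.splitlines()):
        rec = {k.strip().lower(): v.strip() for k, v in rec.items()}
        rec.setdefault("product", product)    # fill columns the feed lacks
        rec.setdefault("comments", comment)
        rows.append(",".join(rec[c] for c in RAW_COLUMNS))
    return rows


def deploy_indicators(post, base_name, raw_rows, profile, targets, user, password):
    """Steps 1-4 of the post: login, add indicators, publish, install only the
    Threat Prevention part of the policy. `post(command, payload, sid)` is an
    injected transport (assumption) for POST https://<mgmt>/web_api/<command>."""
    sid = post("login", {"user": user, "password": password}, None)["sid"]
    for i, row in enumerate(raw_rows, 1):
        # One raw-data row per call; names must be unique, so suffix them.
        post("add-threat-indicator", {
            "name": f"{base_name}_{i}",
            "observables-raw-data": row,
            "action": "ask",
            "profile-overrides": [{"profile": profile, "action": "detect"}],
            "ignore-warnings": True,
        }, sid)
    post("publish", {}, sid)
    post("install-policy", {"policy-package": "Standard",  # assumed package name
                            "targets": targets, "access": False,
                            "threat-prevention": True}, sid)
    post("logout", {}, sid)
    return len(raw_rows)


def recording_transport(log):
    """Offline stand-in for the HTTP transport: records every call it gets."""
    def post(command, payload, sid):
        log.append((command, payload, sid))
        return {"sid": "SID-CONSTRUCTED"} if command == "login" else {}
    return post
```

Swapping `recording_transport` for a function that POSTs the payload as JSON with the `X-chkp-sid` header set is all that is needed to run it against a real Management Server.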

Employee

Hi Tomer,

For the CSV, does it support using the web API to insert multiple parameters (observables) under a single threat indicator name in a single API command?

When I tried it, it showed that the name already exists (as name is a required parameter), but the command only allows a single observables-raw-data.

So the idea is something like this:

{
  "name" : "Test",
  "observables-raw-data" : [
    "my_observable_1,someone@somewhere.com,mail-to,medium,low,AB,my comment",
    "my_observable_2,someone@somewhere.com,mail-to,medium,low,AB,my comment",
    "my_observable_3,someone@somewhere.com,mail-to,medium,low,AB,my comment"
  ],
  "action" : "ask",
  "profile-overrides" : [ {
    "profile" : "Test",
    "action" : "detect"
  } ],
  "ignore-warnings" : true
}

Doesn't seem to be a usable method for more than a few indicators. I tried to import a CSV file with 500 lines (all type IP). Progress showed 20% for over 40 minutes so I finally aborted. I tried again with just 10 lines to verify my format was good. On R77.30 I run a daily import of 9 CSV files totaling about 7000 lines; takes just a couple minutes using the load_indicators command. Unfortunately I cannot use load_indicators on R80.20M1 because of an apparent bug (doesn't like IPs that have a zero in one of the IPv4 octets).


It shouldn't take this long. Please open a support ticket.


Hi Tomer Sole, I followed your instructions and could import the CSV files just fine to the management...

BUT, when I want to look at them in SmartConsole, the Windows process spikes to 20% CPU usage (for at least 10 minutes) and the application freezes. I had to kill the process in order to log in again, and it only happens when I go to "Threat Tools" and then click on "Indicators".

If it's useful, I imported 7 CSV files with a lot of records; if you need it I could count how many rows they have.

From where can I start debugging the issue?

Thanks!

Admin

How many lines in the CSV file?


Hi Dameon, the total number of lines across all of the CSV files is 76238. The longest file has 60774 lines, and another one has 11567.

The rest of it doesn't have more than 1k lines.

Admin

I'm guessing that 76k line file is causing an issue.

Generally speaking, if you've got that many IOCs, it might be better to employ a Private ThreatCloud appliance.

In that case, you upload the IOCs to your PTC appliance and all your gateways consult it.

See: Check Point Private ThreatCloud 


This is great stuff. Is there a plan to do more of a real-time update? This would be something like: as soon as a publish occurs, the IOC would propagate to the gateway automatically. Thinking along the lines of IPS, where you can set a policy (which requires a Threat Prevention policy install) and IPS signatures would automatically get enabled on the gateway based on the policy, it would be nice to have a way to add some IOCs and have the gateways pick them up in near real time.

Employee+

Check out "How to extend and enhance SmartConsole?" to integrate web pages inside SmartConsole.


How is this automated? It is a great feature, but these instructions are all done manually. I'd like a way to feed IOCs via API with an automation tool. 


Once you set up the gateway IoC feed, the updates are "automatic", but yes if you're adding indicators via the management API, then you have to build it using a tool. Which tool do you have in mind?  You can use Check Point Ansible modules or Terraform Check Point Provider.