
Fetching PCAP via API in R80.30 JHF 111

Howdy.

With JHF 111 for R80.30 we can now fetch pcaps associated with threat prevention alerts (IPS/AB/etc.) via API!

Handy for SOCs and IR teams.

Basically:
1. Log Exporter was modified to send an Attachment ID.
2. That Attachment ID can be leveraged via the get-attachment API call to fetch the goods.

Wanted to share the attached python script (in .7z + screenshot) as an example.

Tim Otis - Check Point Incident Response Team
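As an added example of the two-step flow above (not the script attached to the original post, and not Check Point's own code): take the Attachment ID out of an exported log record, then retrieve the pcap with the Management API's get-attachment call. Assumptions: the exported record is key=value text with the ID under a field named `attachment_id` (the real exporter field name may differ), and the Management API answers get-attachment either with the raw file or with JSON carrying base64 content.

```python
# Added example, not the original poster's script. Assumed names: the exporter field
# "attachment_id" and the shape of the get-attachment response (see decode_attachment).
import base64
import json
import re
import urllib.request

ATTACHMENT_FIELD = "attachment_id"  # assumption: verify against your exporter's output

# Constructed sample in the shape of a key=value export; not a real log line.
SAMPLE_RECORD = ('time=1590000000 product="IPS" severity=High action=Prevent '
                 'attachment_id="QUJDREVGLTEyMzQ=" src=198.51.100.7 dst=192.0.2.10')


def extract_attachment_id(record, field=ATTACHMENT_FIELD):
    """Return the attachment ID carried by a key=value record, or None if absent."""
    m = re.search(r'(?:^|\s)' + re.escape(field) + r'="?([^"\s]+)"?', record)
    return m.group(1) if m else None


def api_call(server, command, payload, sid=None, ctx=None):
    """POST one Management API command; returns (status, content-type, body bytes).
    Login returns a session id that later calls send in the X-chkp-sid header."""
    req = urllib.request.Request(f"https://{server}/web_api/{command}",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    if sid:
        req.add_header("X-chkp-sid", sid)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read()


def decode_attachment(content_type, body):
    """Normalise the get-attachment answer to pcap bytes. Assumption: the server sends
    either raw octets or a JSON object whose string value is the base64-encoded file."""
    if "json" in content_type:
        doc = json.loads(body)
        blob = next(v for v in doc.values() if isinstance(v, str))
        return base64.b64decode(blob)
    return body


def fetch_pcap(server, user, password, attachment_id, out_path, ctx=None):
    """Login, fetch the attachment, write it to out_path, always logout. Returns size."""
    _, _, body = api_call(server, "login", {"user": user, "password": password}, ctx=ctx)
    sid = json.loads(body)["sid"]
    try:
        _, ctype, body = api_call(server, "get-attachment",
                                  {"attachment-id": attachment_id}, sid, ctx)
        data = decode_attachment(ctype, body)
        with open(out_path, "wb") as fh:
            fh.write(data)
        return len(data)
    finally:
        api_call(server, "logout", {}, sid, ctx)
```

Pass an `ssl.SSLContext` as `ctx` that trusts your management server's certificate rather than disabling verification; the session is logged out even when the fetch fails.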

5 Replies
Silver

Pretty neat. Thanks for sharing

Best Regards
Kim
Employee

Nice!


Hi

I'm using a MDM-MLM setup.

If a pcap file must be fetched via an API, will the pcap request go to a particular CMA or a CLM?

/Norbert

Employee

Hi, it will be an API connection to the management server.
Employee

Hello Tim, could you specify on which version of Python it is working? Thank you
