
Problem with adding threat indicator via Web Services API

Hello mates,

I am trying to upload threat indicators via the Web Services API (R80.20 Take47), but without success. I can see that the request is processed by the management server, but the threat indicator object is not created. I added an indicator via mgmt_cli without problems, but something is wrong with Web Services. Maybe I missed something, but I really don't know what. I need help.

Here is my JSON request body:

{"name" : "IOC_test_4", "observables" : [{"name":"Observable1","ip-address":"1.2.3.1", "confidence" : "medium","severity" : "low","product" : "AV"}],"action":"Prevent","details-level":"full","ignore-warnings" : true, "comments":"Comment text"}

Got response:

{u'task-id': u'1abd28ac-325f-4097-94b5-732272eaafe5'}

I found in api.elg logs:

2019-04-02 09:29:20,182 INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp851195565-25] - Inbound Message
----------------------------
ID: 1811
Address: http://127.0.0.1:50276/web_api/add-threat-indicator
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[*/*], accept-encoding=[gzip, deflate], connection=[keep-alive], Content-Length=[248], content-type=[application/json], Host=[127.0.0.1:50276], User-Agent=[python-requests/2.21.0], X-chkp-sid=[_w5IshidWB4t4brquWvtHwCp_gXSco1Tq-cr2p0Co9Y], X-Forwarded-For=[10.51.20.70], X-Forwarded-Host=[10.51.20.13], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[10.51.20.13]}
Payload: {"name": "IOC_test_4", "ignore-warnings": true, "details-level": "full", "comments": "Comment text", "action": "Prevent", "observables": [{"product": "AV", "confidence": "medium", "name": "Observable1", "ip-address": "1.2.3.1", "severity": "low"}]}
--------------------------------------
2019-04-02 09:29:20,186 INFO com.checkpoint.management.web_api_is.utils.helpers.ApiCache.<init>:21 [qtp851195565-25] - Cache created and initialized
2019-04-02 09:29:20,187 INFO com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:51 [qtp851195565-25] - Executing [add-threat-indicator] of version 1.3 (references 1.2)
2019-04-02 09:29:20,568 INFO com.checkpoint.management.web_api_is.utils.CsvFileWriterUtils.writeCsvLine:7 [qtp851195565-25] - 2019-04-02,09:29:20 +0200,add-threat-indicator,PASSED,382
2019-04-02 09:29:20,569 INFO org.apache.cxf.interceptor.LoggingOutInterceptor.log:250 [qtp851195565-25] - Outbound Message
---------------------------
ID: 1811
Response-Code: 200
Content-Type: application/json
Headers: {Content-Type=[application/json], X-chkp-sync-task-id=[1abd28ac-325f-4097-94b5-732272eaafe5], Date=[Tue, 02 Apr 2019 07:29:20 GMT]}
Payload: {
"task-id" : "1abd28ac-325f-4097-94b5-732272eaafe5"
}

So it looks like everything went OK. I also found IOC_test_4_output.xml and IOC_test_4.csv in the temp directory:

[Expert@R8010MGMT:0]# cat /opt/CPsuite-R80.20/fw1/temp/IOC_test_4.csv
#! DESCRIPTION = This is user defined IOC file
#! REFERENCE = Indicator Bulletin IOC_test_4;April 02 2019
# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
Observable1,1.2.3.1,IP,medium,low,AV,


[Expert@R8010MGMT:0]# cat /opt/CPsuite-R80.20/fw1/temp/IOC_test_4_output.xml
<?xml version="1.0" encoding="UTF-8"?>

<indicator_parsing_response>
<cp_format>true</cp_format>
<status>ok</status>
<indicator uuid="1">
<fileName>/opt/CPsuite-R80.20/fw1/temp/IOC_test_4.csv</fileName>
<description>This is user defined IOC file</description>
<reference>Indicator Bulletin IOC_test_4;April 02 2019</reference>
<Hash_value>6e8d9b6ceb4cbf00082dcaada28f9b01</Hash_value>
<Observables>
<observable id="18446744069414584330">
<Name>Observable1</Name>
<type>IP</type>
<Confidence>Medium</Confidence>
<Severity>Low</Severity>
<Product>av</Product>
<Comment></Comment>
<Value>1.2.3.1</Value>
</observable>
</Observables>
</indicator>
</indicator_parsing_response>

So far so good. In SmartConsole I can see that the indicator is added:

[screenshot: scind.png]

But that is all. I cannot see the new indicator in Indicators. In the audit logs, there is no log of a new object being added (only Log In/Log Out).

Thanks for any response

Juraj Sakala

Re: Problem with adding threat indicator via Web Services API

After executing that command, did you execute a publish action?
Without that, these threat indicators won't be committed.
Further, they will not take effect on the gateway until you push the Threat Prevention policy.
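The sequence the answer describes (add the indicator, then publish, each an asynchronous task to wait on), as an added Python example that is not the original poster's or Check Point's code. It assumes the standard R80.x Web API commands named in its docstring and takes an injectable transport so the flow can be exercised offline; the later install-policy step for Threat Prevention is not shown.

```python
"""Check Point Web API: add a threat indicator, then publish it.

Added example (not the original poster's code). Assumes R80.x management API
commands login, add-threat-indicator, show-task, publish and logout, POSTed as
JSON to https://<mgmt>/web_api/<command> with the session id in X-chkp-sid.
"""
import time


def requests_transport(base_url, verify=True):
    """Return send(command, body, sid) backed by python-requests (assumed)."""
    import requests  # imported lazily; the flow itself needs no dependency

    def send(command, body, sid=None):
        headers = {"X-chkp-sid": sid} if sid else {}
        resp = requests.post(f"{base_url}/web_api/{command}", json=body,
                             headers=headers, verify=verify, timeout=30)
        resp.raise_for_status()
        return resp.json()
    return send


def wait_for_task(send, sid, task_id, poll=1.0):
    """Poll show-task until the asynchronous task is no longer 'in progress'."""
    while True:
        task = send("show-task", {"task-id": task_id}, sid)["tasks"][0]
        if task["status"] != "in progress":
            return task["status"]
        time.sleep(poll)


def add_and_publish_indicator(send, user, password, indicator):
    """login -> add-threat-indicator -> publish -> logout; returns commands issued."""
    issued = []

    def call(command, body, sid=None):
        issued.append(command)
        return send(command, body, sid)

    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        task_id = call("add-threat-indicator", indicator, sid)["task-id"]
        if wait_for_task(call, sid, task_id) != "succeeded":
            raise RuntimeError("add-threat-indicator failed; nothing to publish")
        # Without publish, the indicator exists only in this session's changes.
        if wait_for_task(call, sid, call("publish", {}, sid)["task-id"]) != "succeeded":
            raise RuntimeError("publish failed")
    finally:
        call("logout", {}, sid)
    return issued
```

The returned command list makes the missing step visible: a run that stops after add-threat-indicator never contains publish, which is exactly the state described in the question.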


Re: Problem with adding threat indicator via Web Services API

Thanks, you are absolutely right. I supposed that publishing is automatic, like with mgmt_cli, but it is not.
