
R80 Management API tips and tricks - a new "add-threat-indicator" command

Hi all R80 Management API users,

The R80.20.M1 Management API release introduces a new Threat Indicators (IOC) API that lets you create an Indicator object with the new "add-threat-indicator" command.

One of the options of this command is supplying the indicator's collection of observables.

There are two documented options to accomplish this:

1. Using the "observables" parameter with the "object notation" (one observables.N.<field> pair per field, so the field names are explicit), such as:

observables.1.name "my_observable_1" observables.1.value "" observables.1.type "mail-to" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AB" observables.1.comments "my comment"

2. Using the "observables-raw-data" parameter, with the "CSV notation", such as:

observables-raw-data "my_observable_1,,mail-to,medium,low,AB,my comment"

In this case the fields are positional, so you must follow this order exactly: Name, Value, Type, Confidence, Severity, Product, Comments.

There is an additional option: prepare a CSV file and then use the mgmt_cli tool with the following options:

mgmt_cli add-threat-indicator name my_indicator_1 observables-raw-data @indicators1.csv --treat-value-as-file-by-prefix @ action prevent

and put the CSV file in the same folder from which you run the API commands (/home/admin or whatever you choose).

Note that the content of CSV file must follow the order as in option 2 above.
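To avoid getting the positional CSV order wrong, it helps to generate both notations (option 1 and option 2 / the @file CSV) from a single source and validate each observable first. The following is an added example, not code from the original post or from Check Point; the seven field names follow the order given above, the refusal of commas and quotes is a conservative assumption because the raw CSV form documents no quoting, and the JSON body shape for the web API is likewise an assumption.

```python
import json

# Field order required by observables-raw-data (from the post above).
OBSERVABLE_FIELDS = ("name", "value", "type", "confidence", "severity", "product", "comments")

def validate_observable(obs):
    """Return a dict with all seven fields as strings, or raise ValueError.
    Assumption: the raw CSV has no quoting, so commas, double quotes and
    newlines are refused instead of escaped."""
    clean = {}
    for field in OBSERVABLE_FIELDS:
        val = str(obs.get(field, ""))
        if any(ch in val for ch in ',"\n'):
            raise ValueError(f"{field!r} may not contain ',' '\"' or newline: {val!r}")
        clean[field] = val
    if not clean["name"] or not clean["type"]:
        raise ValueError("observable needs at least a name and a type")
    return clean

def is_valid_observable(obs):
    """Boolean wrapper around validate_observable for quick checks."""
    try:
        validate_observable(obs)
        return True
    except ValueError:
        return False

def to_raw_csv(observables):
    """Lines for observables-raw-data (or an @indicators.csv file), one per observable."""
    return "\n".join(",".join(validate_observable(o)[f] for f in OBSERVABLE_FIELDS)
                     for o in observables)

def to_object_notation(observables):
    """mgmt_cli object notation: observables.N.<field> "<value>" for every field."""
    parts = []
    for i, o in enumerate(observables, start=1):
        clean = validate_observable(o)
        parts.extend(f'observables.{i}.{f} "{clean[f]}"' for f in OBSERVABLE_FIELDS)
    return " ".join(parts)

def to_web_api_body(indicator_name, observables, action="prevent"):
    """JSON body for the add-threat-indicator web API call (assumed shape)."""
    return json.dumps({"name": indicator_name, "action": action,
                       "observables": [validate_observable(o) for o in observables]})

# Constructed sample matching the observable used in the post.
SAMPLE = [{"name": "my_observable_1", "value": "", "type": "mail-to", "confidence": "medium",
           "severity": "low", "product": "AB", "comments": "my comment"}]

if __name__ == "__main__":
    print(to_raw_csv(SAMPLE))           # -> my_observable_1,,mail-to,medium,low,AB,my comment
    print(to_object_notation(SAMPLE))
```

Write the output of to_raw_csv() to indicators1.csv and pass it with observables-raw-data @indicators1.csv as in the mgmt_cli command above.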