This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Tim_Otis
Employee
Employee
‎2020-01-06 12:41 PM

Fetching PCAP via API in R80.30 JHF 111

Howdy. 

With JHF 111 for R80.30 we can now fetch pcaps associated to threat prevention alerts (IPS/AB/etc) via API!

Handy for SOCs and IR teams.

Basically:
1. Log Exporter was modified to send an Attachment ID.
2. That Attachment ID can be leveraged via the get-attachment API call to fetch the goods.

Wanted to share the attached python script (in .7z + screenshot) as an example.

Tim Otis - Check Point Incident Response Team

Fetch_PCAP_via_API.7z
119 KB
Reply
7 Replies
Kim_Moberg
Advisor
‎2020-01-06 09:26 PM

Pretty need. Thanks for sharing

Best Regards
Kim
0 Kudos
Reply
Jon_Goldman
Employee
Employee
‎2020-01-07 07:17 AM

Nice!

0 Kudos
Reply
Norbert_Anderss
Explorer
‎2020-04-07 12:33 AM
In response to Jon_Goldman

Hi

 

I'm using a MDM-MLM setup.

If a pcap file must be fetched via an API, will the pcap request go to a particular CMA or a CLM?

/Norbert

0 Kudos
Reply
Tim_Otis
Employee
Employee
‎2020-04-08 01:31 PM
In response to Norbert_Anderss

Hi, It will be an API connection to the management server.
0 Kudos
Reply
Tomas_Vobruba
Employee
Employee
‎2020-07-27 06:09 AM

Hello Tim, could you  specify on which version of python it is working? Thank you

0 Kudos
Reply
Lithin_Mathew
Contributor
‎2020-09-27 07:34 PM

Hi @Tim_Otis ,

Thanks for sharing this script.

Could you confirm how would I get the "LOG_ATTACHMENT_UID".

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2020-09-27 07:48 PM
In response to Lithin_Mathew

Believe it's in the log entry itself.

Reply