Solved: Re: Filtering on show-threat-protection endpoint

jmcadams · ‎2020-03-20

Hi all,

I'm trying to use

POST https://<mgmt-server>:<port>/web_api/v1.1/show-threat-protections

and wondering if there's a way I can filter on industry-reference. I tried doing something like this with no avail...

Body:
{
"details-level": "full",
"filter": "industry-reference:CVE-2007-4676"
}

I also tried filter as a parameter, but that didn't seem to work either.

Is it possible to filter those results?

PhoneBoy · ‎2020-03-24

It looks like this was added only in R80.40.
Note, when you look at the public documentation here: https://sc1.checkpoint.com/documents/latest/APIs/index.html
It shows you the latest version of the Management API, which at this writing is R80.40 (API v1.6).
You can select older versions, such as v1.1, which corresponds to R80.10.
If you access https://your-management-ip/api_docs, you will always get the version that is specific to your installation.

The only way to get the new version of the API is to upgrade your management.

View solution in original post

PhoneBoy · ‎2020-03-22

You don't need to specify industry-reference, just specify the CVE number.
And yes, it should work exactly the same with the API, I just use the CLI because it's quicker to test.

[Expert@Mgmt:0]# mgmt_cli -r true show threat-protections filter "CVE-2007-4676"
protections:
- uid: "8fb870f1-f93a-e748-9683-f153943522f9"
name: "Apple QuickTime PICT Image Parsing Malformed Records"
type: "threat-protection"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
from: 1
to: 1
total: 1

jmcadams · ‎2020-03-23

Does that work with the Web API? If so, do you have an example of the payload or params I need to send?

PhoneBoy · ‎2020-03-23

If you can do it with mgmt_cli, it can be done with the Web API.
You just need to change your payload to:

{
"details-level": "full",
"filter": "CVE-2007-4676"
}

jmcadams · ‎2020-03-24

I tried:

{
"details-level": "full",
"filter": "CVE-2007-4676"
}

But ended up with:

{

"code": "generic_err_invalid_parameter_name",

"message": "Unrecognized parameter [filter]"

}

I'm on R80.10. Was filter added in a later release?

PhoneBoy · ‎2020-03-24

It looks like this was added only in R80.40.
Note, when you look at the public documentation here: https://sc1.checkpoint.com/documents/latest/APIs/index.html
It shows you the latest version of the Management API, which at this writing is R80.40 (API v1.6).
You can select older versions, such as v1.1, which corresponds to R80.10.
If you access https://your-management-ip/api_docs, you will always get the version that is specific to your installation.

The only way to get the new version of the API is to upgrade your management.

jmcadams · ‎2020-03-24

Got cha'. Thanks again for the help. Much appreciated!!!

pdn · ‎2023-09-07

@PhoneBoy I have v1.8, and still got the "message": "Unrecognized parameter [filter]" error message, with show-tasks.

Can you please shred some light?

Thank you.

PhoneBoy · ‎2023-09-07

Because this API call is not structured correctly.
The JSON should look something like:

{
  "details-level" : "full",
  "filter" : "MyFilterString"
}

pdn · ‎2023-09-07

I actually tried many combinations, using the examples from the Checkpoint collections that I got from this forum. No luck. Looking like 'filter' isn't actually supported. So documentation bug?

PhoneBoy · ‎2023-09-07

Paging @Omer_Kleinstern
The "filter" option doesn't show in the v1.9 documentation for the same endpoint.
Further, attempts to perform a similar query on an R81.20 system give similar results.
Which suggests this is probably not supported and a documentation bug.

pdn · ‎2023-09-07

Thanks @PhoneBoy for confirming. It would be nice to have it. For now, I got my code working which gives a similar result.

Are you a member of CheckMates?

Filtering on show-threat-protection endpoint