Hello mates,
I am trying to upload threat indicators via the Web Services API (R80.20 Take47), but without success. I can see that the request is processed by the management server, but the threat indicator object is not created. I added an indicator via mgmt_cli without problems, but something is wrong with Web Services. Maybe I missed something, but I really don't know what. I need help.
Here is my JSON request body:
{"name" : "IOC_test_4", "observables" : [{"name":"Observable1","ip-address":"", "confidence" : "medium","severity" : "low","product" : "AV"}],"action":"Prevent","details-level":"full","ignore-warnings" : true, "comments":"Comment text"}
Got response:
{u'task-id': u'1abd28ac-325f-4097-94b5-732272eaafe5'}
I found this in the api.elg logs:
2019-04-02 09:29:20,182 INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp851195565-25] - Inbound Message
ID: 1811
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[*/*], accept-encoding=[gzip, deflate], connection=[keep-alive], Content-Length=[248], content-type=[application/json], Host=[], User-Agent=[python-requests/2.21.0], X-chkp-sid=[_w5IshidWB4t4brquWvtHwCp_gXSco1Tq-cr2p0Co9Y], X-Forwarded-For=[], X-Forwarded-Host=[], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[]}
Payload: {"name": "IOC_test_4", "ignore-warnings": true, "details-level": "full", "comments": "Comment text", "action": "Prevent", "observables": [{"product": "AV", "confidence": "medium", "name": "Observable1", "ip-address": "", "severity": "low"}]}
2019-04-02 09:29:20,186 INFO com.checkpoint.management.web_api_is.utils.helpers.ApiCache.<init>:21 [qtp851195565-25] - Cache created and initialized
2019-04-02 09:29:20,187 INFO com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:51 [qtp851195565-25] - Executing [add-threat-indicator] of version 1.3 (references 1.2)
2019-04-02 09:29:20,568 INFO com.checkpoint.management.web_api_is.utils.CsvFileWriterUtils.writeCsvLine:7 [qtp851195565-25] - 2019-04-02,09:29:20 +0200,add-threat-indicator,PASSED,382
2019-04-02 09:29:20,569 INFO org.apache.cxf.interceptor.LoggingOutInterceptor.log:250 [qtp851195565-25] - Outbound Message
ID: 1811
Response-Code: 200
Content-Type: application/json
Headers: {Content-Type=[application/json], X-chkp-sync-task-id=[1abd28ac-325f-4097-94b5-732272eaafe5], Date=[Tue, 02 Apr 2019 07:29:20 GMT]}
Payload: {
"task-id" : "1abd28ac-325f-4097-94b5-732272eaafe5"
So, it looks like everything went OK. I also found IOC_test_4_output.xml and IOC_test_4.csv in the temp directory:
[Expert@R8010MGMT:0]# cat /opt/CPsuite-R80.20/fw1/temp/IOC_test_4.csv
#! DESCRIPTION = This is user defined IOC file
#! REFERENCE = Indicator Bulletin IOC_test_4;April 02 2019
[Expert@R8010MGMT:0]# cat /opt/CPsuite-R80.20/fw1/temp/IOC_test_4_output.xml
<?xml version="1.0" encoding="UTF-8"?>
<indicator uuid="1">
<description>This is user defined IOC file</description>
<reference>Indicator Bulletin IOC_test_4;April 02 2019</reference>
<observable id="18446744069414584330">
So far so good. In SmartConsole I can see that the indicator is added.

But that is all. I cannot see the new indicator in Indicators. In the audit logs, there is no log of a new object being added (only Log In/Log Out).
Thanks for any response
Juraj Sakala