Tomer Sole

Automate deployment of Indicators of Compromise (IOC) with a new API.

Discussion created by Tomer Sole Expert on Jul 4, 2018
Latest reply on Jul 9, 2018 by Tomer Sole

The R80.20.M1 - Management Feature Release gives new API for something that previously we could only do from the SmartConsole GUI - deployment of IOC's.

IOC's (Indicators of Compromise) are sources which are known as malicious.




Steps to deploy IOC's with the Management API:

1. Login to the Management Server with the login command. The response contains a session ID. Use it for the next steps.

2. Add, edit or delete indicators. The session ID is a required parameter in the "sid" header.

3. Publish your changes with the publish command.

4. Install the Threat Prevention Policy on the gateways in which you would like to enforce this change, using the install-policy command. Remember, installing just the threat prevention part of the policy separates you from the network objects and access control changes that may have happened at the security management server. 


Examples of indicator command executions:


Option A: define the indicators as part of the parameters:

mgmt_cli add threat-indicator name "My_Indicator" "My_Observable" observables.1.mail-to "" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AV" action "ask" profile-overrides.1.profile "My_Profile" profile-overrides.1.action "detect"


Option B: place an indicators file - in CSV or STIX format - and import its raw data:

mgmt_cli add threat-indicator name "My_Indicator" observables-raw-data ""


Option C: edit the indicator action for a given threat profile. A threat profile is connected to some scope behind a gateway in the threat prevention policy.

mgmt_cli set threat-indicator name "My_Indicator" action "prevent" profile-overrides.remove "My_Profile"


Option D: show all indicators or one of the indicators:

mgmt_cli show threat-indicators
mgmt_cli show threat-indicator name "My_Indicator"


Option E: delete some indicators:

mgmt_cli delete threat-indicator name "My_Indicator"


To get to it in SmartConsole:

1. Open Security Policies

2. Navigate to Threat Prevention-->Policy

3. The bottom part changes to "Threat Tools". Click on "Indicators".



Let us know your feedback on this.