The R80.20.M1 - Management Feature Release gives new API for something that previously we could only do from the SmartConsole GUI - deployment of IOC's.
IOC's (Indicators of Compromise) are sources which are known as malicious.
Steps to deploy IOC's with the Management API:
1. Login to the Management Server with the login command. The response contains a session ID. Use it for the next steps.
2. Add, edit or delete indicators. The session ID is a required parameter in the "sid" header.
3. Publish your changes with the publish command.
4. Install the Threat Prevention Policy on the gateways in which you would like to enforce this change, using the install-policy command. Remember, installing just the threat prevention part of the policy separates you from the network objects and access control changes that may have happened at the security management server.
Examples of indicator command executions:
Option A: define the indicators as part of the parameters:
mgmt_cli add threat-indicator name "My_Indicator" observables.1.name "My_Observable" observables.1.mail-to "firstname.lastname@example.org" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AV" action "ask" profile-overrides.1.profile "My_Profile" profile-overrides.1.action "detect"
Option B: place an indicators file - in CSV or STIX format - and import its raw data:
mgmt_cli add threat-indicator name "My_Indicator" observables-raw-data ""
mgmt_cli set threat-indicator name "My_Indicator" action "prevent" profile-overrides.remove "My_Profile"
mgmt_cli show threat-indicators
mgmt_cli show threat-indicator name "My_Indicator"
Option E: delete some indicators:
mgmt_cli delete threat-indicator name "My_Indicator"
To get to it in SmartConsole:
1. Open Security Policies
2. Navigate to Threat Prevention-->Policy
3. The bottom part changes to "Threat Tools". Click on "Indicators".
Let us know your feedback on this.