Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Tomer_Sole
Mentor
Mentor
Jump to solution

Automate deployment of Indicators of Compromise (IOC) with a new API.

The R80.20.M1 - Management Feature Release gives new API for something that previously we could only do from the SmartConsole GUI - deployment of IOC's.

IOC's (Indicators of Compromise) are sources which are known as malicious.

Steps to deploy IOC's with the Management API:

1. Login to the Management Server with the login command. The response contains a session ID. Use it for the next steps.

2. Add, edit or delete indicators. The session ID is a required parameter in the "sid" header.

3. Publish your changes with the publish command.

4. Install the Threat Prevention Policy on the gateways in which you would like to enforce this change, using the install-policy command. Remember, installing just the threat prevention part of the policy separates you from the network objects and access control changes that may have happened at the security management server. 

Examples of indicator command executions:

Option A: define the indicators as part of the parameters:

mgmt_cli add threat-indicator name "My_Indicator" observables.1.name "My_Observable" observables.1.mail-to "someone@somewhere.com" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AV" action "ask" profile-overrides.1.profile "My_Profile" profile-overrides.1.action "detect"

Option B: place an indicators file - in CSV or STIX format - and import its raw data:

mgmt_cli add threat-indicator name "My_Indicator" observables-raw-data ""

Option C: edit the indicator action for a given threat profile. A threat profile is connected to some scope behind a gateway in the threat prevention policy.

mgmt_cli set threat-indicator name "My_Indicator" action "prevent" profile-overrides.remove "My_Profile"

Option 😧 show all indicators or one of the indicators:

mgmt_cli show threat-indicators
mgmt_cli show threat-indicator name "My_Indicator"

Option E: delete some indicators:

mgmt_cli delete threat-indicator name "My_Indicator"

To get to it in SmartConsole:

1. Open Security Policies

2. Navigate to Threat Prevention-->Policy

3. The bottom part changes to "Threat Tools". Click on "Indicators".

Let us know your feedback on this.

1 Solution

Accepted Solutions
DeletedUser
Not applicable

Once you set up the gateway IoC feed, the updates are "automatic", but yes if you're adding indicators via the management API, then you have to build it using a tool. Which tool do you have in mind?  You can use Check Point Ansible modules or Terraform Check Point Provider.

View solution in original post

0 Kudos
18 Replies
Robert_Decker
Advisor

Following up Tomer's post, this post may be usefull as well -

https://community.checkpoint.com/docs/DOC-3012

Robert.

Ofir_Shikolski
Employee Alumnus
Employee Alumnus

it is good to know that there is a CSV support Smiley Happy

Danny_Yang
Ambassador
Ambassador

It's very useful and important to leverage 3rd party resource integrated with threat prevention policy.

Jarvis_Lin1
Contributor

This API can provide import CSV file from FTP or HTTP server ?

0 Kudos
Tomer_Sole
Mentor
Mentor

There are 3 ways to import CSV's:

1. download the files, parse them and send as JSON

2. place on the Management Server and send the path

3. download the files, reorder the CSV columns to have exactly this order: Name, Value, Type, Confidence, Severity, Product, Comments, and then use the "observables-raw-data" parameter to send each row, for example: 

observables-raw-data "my_observable_1,someone@somewhere.com,mail-to,medium,low,AB,my comment"

 

antkwang
Employee Employee
Employee

Hi Tomer,

For the CSV, does it support using web API to insert multiple parameters (observables)  in single threat indicator name in single api command? 

 

When i tried it will show that the name already exist (as name is required parameter) but the command only allow to put single observables-raw-data 

 

So the idea is something like this:

 

{
  "name" : "Test",
  "observables-raw-data" : "my_observable_1,someone@somewhere.com,mail-to,medium,low,AB,my comment"
                                                "my_observable_2,someone@somewhere.com,mail-to,medium,low,AB,my comment",             
                                                "my_observable_3,someone@somewhere.com,mail-to,medium,low,AB,my comment",    
  "action" : "ask",
  "profile-overrides" : [ {
    "profile" : "Test",
    "action" : "detect"
  } ],
  "ignore-warnings" : true
}
0 Kudos
Alex_Lewis
Contributor

Doesn't seem to be a usable method for more than a few indicators. I tried to import a CSV file with 500 lines (all type IP). Progress showed 20% for over 40 minutes so I finally aborted. I tried again with just 10 lines to verify my format was good. On R77.30 I run a daily import of 9 CSV files totaling about 7000 lines; takes just a couple minutes using the load_indicators command. Unfortunately I cannot use load_indicators on R80.20M1 because of an apparent bug (doesn't like IPs that have a zero in one of the IPv4 octets).

Tomer_Sole
Mentor
Mentor

It shouldn't take this long. Please open a support ticket.

0 Kudos
SantiagoPlatero
Collaborator

Hi Tomer Sole‌ I followed your instructions and could import the CSV files just fine to the management...

BUT, when I want to look at them on the SmartConsole, the Windows process spikes to 20% cpu usage (for at least 10 minutes) and the application freezes. I'd to kill the process in order to login again and it only happens when I go to "Threat Tools" and then click on "Indicators".

If it's useful I imported 7 CSV files with a lot of records, if you need it I could count how much rows has them.

From where can I start debugging the issue?

Thanks!

0 Kudos
PhoneBoy
Admin
Admin

How many lines in the CSV file?

0 Kudos
SantiagoPlatero
Collaborator

Hi Dameon, the total lines of all of the CSV files are 76238. The most lengthy file has 60774 lines, and other one has 11567

The rest of it doesn't have more than 1k lines.

0 Kudos
PhoneBoy
Admin
Admin

I'm guessing that 76k line file is causing an issue.

Generally speaking, if you've got that many IOCs, it might be better to employ a Private ThreatCloud appliance.

In that case, you upload the IOCs to your PTC appliance and all your gateways consult it.

See: Check Point Private ThreatCloud 

IgorBodrik
Participant

Hi, In the case of using PTC appliance, gateways enforce policy immediately or policy installation is needed?

0 Kudos
Brian_Deutmeyer
Collaborator

This is great stuff.  Is there a plan to do more of a real time update?  This would be something like as soon as a publish occurs, the IOC would propagate to the gateway automatically?  Thinking along the lines of IPS where you can set a policy (which requires a threat prevention policy install) and IPS sigs would automatically get enabled on the gateway based on the policy, it would be nice for a way to add some IOCs and the gateways pick it up near real-time.

0 Kudos
PhoneBoy
Admin
Admin
0 Kudos
Ron_Izraeli
Employee
Employee

Check out How to extend and enhance SmartConsole? to integrate web pages inside SmartConsole

Tim_McColgan
Contributor

How is this automated? It is a great feature, but these instructions are all done manually. I'd like a way to feed IOCs via API with an automation tool. 

0 Kudos
DeletedUser
Not applicable

Once you set up the gateway IoC feed, the updates are "automatic", but yes if you're adding indicators via the management API, then you have to build it using a tool. Which tool do you have in mind?  You can use Check Point Ansible modules or Terraform Check Point Provider.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events