Interaction with Check Point SandBlast via API
This article will be useful to those who are familiar with Check Point technologies for emulation of files ( Threat Emulation ) and proactive cleaning of files ( Threat Extraction ) and want to take a step towards automating these tasks.
Check Point has a Threat Prevention API that works both in the cloud and on a hardware or virtualized appliance, and is functionally identical to checking files in web/smtp/ftp/smb/nfs traffic streams.
In this article you will find the Postman collections for working with the Threat Prevention API.
If you want to test this API you can get a 60-day trial from https://usercenter.checkpoint.com for testing and demo purposes.
Basic abbreviations
Threat Prevention API , API :
av — Anti-Virus, .
te — Threat Emulation, , (malicious)/(benign) .
extraction — Threat Extraction, ( ), /.
API
Threat Prevention API 4 — upload, query, download quota. API , Authorization. , , Management API, upload query . Threat Prevention /.
, Threat Prevention API — 1.0, URL API v1 , . Management API, API URL , .
Anti-Virus (te, extraction) query md5 . Threat Emulation Threat Extraction sha1 sha256 .
! , . / . reports(reports),reports, id / API , 403.
SandBlast API:
API Check Point, (blade) Threat Emulation. ip/url 18194 ( — https://10.10.57.19:18194/tecloud/api/v1/file/query). , . API Authorization .
API CheckPoint te.checkpoint.com ( — https://te.checkpoint.com/tecloud/api/v1/file/query). API 60 , Check Point .
Threat Extraction Threat Prevention API Threat Prevention API for Security Gateway ( ). quota.
Upload API
- POST
- https://<service_address>/tecloud/api/v1/file/upload
(form-data): / . , . , , :
upload
HTTP POST
https://<service_address>/tecloud/api/v1/file/upload
Headers:
Authorization: <api_key>
Body
{ "request": { } }
File : — te, — Win XP Win 7, . : file_name file_type , . API , md5/sha1/sha256 hash .
file_name file_type
features — , — av (Anti-Virus), te (Threat Emulation), extraction (Threat Extraction). , — te(Threat Emulation).
, API . av, te extraction
te
images — , id , . ID .
images , , Check Point ( Win XP Win 7). catch rate.
reports — , , . :
- summary — .tar.gz , image’ ( html , , , json, ). — summary_report .
- pdf — image, Smart Console. — pdf_report .
- xml — image, . — xml_report .
- tar — .tar.gz , image’ ( html , , , json, ). — full_report .
summaryfull_report, pdf_report, xml_reportsummary_report -
tar xml pdf, summary tar xml. summary pdf .
extraction
threat extraction :
method — pdf( pdf, ) clean( ).
extracted_parts_codes — , clean
query ( ) , hash extraction . id query — extracted_file_download_id. , , query id .
query extracted_file_download_idquery ( extracted_file_download_id)
API . av , features.
Query API
- POST
- https://<service_address>/tecloud/api/v1/file/query
( upload), ( query) API , API . . — sha1/sha256/md5 hash . upload.
queryupload, sha1/md5/sha256 hash
query hash , ( ) upload, “” ( query upload). , query , upload, .
query,
code label. status. "code": 1006 "label": "PARTIALLY_FOUND". , — te extraction. te , , extraction .
queryquery extraction("code": 1001, "label": "FOUND"), "label": "NOT_FOUND"
API . , . query sha256query sha256 hash query API .
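As an added example (not code from the article, from Check Point, or from the Check Mates scripts), the Python below builds the "request" JSON for the upload and query calls described in the two sections above and reads a query status to decide which features still need an upload. The exact query body shape and the per-feature "status" nesting in the constructed sample response are assumptions; the service address and hash are placeholders.

```python
import json

# Status values quoted in the article: 1001/FOUND, 1006/PARTIALLY_FOUND, NOT_FOUND.
FOUND, PARTIALLY_FOUND = 1001, 1006


def build_upload_request(file_name, file_type, features=("te",),
                         reports=("summary",), extraction_method="clean"):
    """Build the JSON placed in the 'request' form-data field of the upload call.
    Per-feature option blocks are emitted only for the features requested."""
    req = {"file_name": file_name, "file_type": file_type,
           "features": list(features)}
    if "te" in features:
        # reports: any of summary, pdf, xml, tar (see the reports list above)
        req["te"] = {"reports": list(reports)}
    if "extraction" in features:
        # method: 'pdf' (convert to PDF) or 'clean' (strip active content)
        req["extraction"] = {"method": extraction_method}
    return {"request": req}


def build_query_request(sha256, features=("te",)):
    """Query by hash only, no file. Array-valued 'request' is an assumption."""
    return {"request": [{"sha256": sha256, "features": list(features)}]}


def features_to_upload(query_item, requested):
    """Given one element of a query response and the features that were asked
    for, return the features whose verdict is not cached yet.
    PARTIALLY_FOUND means the per-feature status blocks disagree."""
    code = query_item.get("status", {}).get("code")
    if code == FOUND:
        return []
    if code == PARTIALLY_FOUND:
        return [f for f in requested
                if query_item.get(f, {}).get("status", {}).get("label") != "FOUND"]
    return list(requested)  # NOT_FOUND or anything else: upload everything


# Constructed sample of one query response element (not captured from a real
# appliance); the per-feature "status" nesting is an assumption.
SAMPLE_QUERY_ITEM = {
    "status": {"code": 1006, "label": "PARTIALLY_FOUND"},
    "sha256": "<sha256 of the file>",
    "te": {"status": {"code": 1001, "label": "FOUND"}},
    "extraction": {"status": {"label": "NOT_FOUND"}},
}

if __name__ == "__main__":
    missing = features_to_upload(SAMPLE_QUERY_ITEM, ["te", "extraction"])
    print(json.dumps(build_upload_request("doc.pdf", "pdf", missing,
                                          ("summary",), "clean"), indent=2))
```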
Download API
- POST ( ), GET ( )
- https://<service_address>/tecloud/api/v1/file/download?id=<id>
API , — , id url .
query , , id . , , id .
, query, id :
- summary_report
- full_report
- pdf_report
- xml_report
- extracted_file_download_id
, query , ( ) extraction ( )
Quota API
- POST
- https://<service_address>/tecloud/api/v1/file/quota
quota. .
quota
Threat Prevention API for Security Gateway
API , Threat Prevention API . , Threat Extraction API. Threat Emulation Threat Prevention API. TP API for SG API sk113599. 6b https://<IPAddressofSecurityGateway>/UserCheck/TPAPI . url API . (upload/query) — request_name. — api_key ( ) protocol_version ( 1.1). API sk137032. , base64. / / base64 Postman , — https://base64.guru. encode decode.
te extraction API.
te te_options upload/query, te Threat Prevention API.
Win10
extraction scrub_options. : PDF, Threat Prevention( ). API extraction , base64 ( query id ) , API , , form-data, Threat Prevention API.
Postman
Postman Threat Prevention API, Threat Prevention API for Security Gateway, API . , ip/url API , hash sha256 , ( Edit -> Variables): te_api( ), api_key( , TP API ), sha256 ( , TP API for SG ).
Postman Threat Prevention API
Postman Threat Prevention for Security Gateway API
Check Mates , Python, TP API, TP API for SG. Threat Prevention API , ( VirusTotal API, Check Point), , , , CRM .