Interaction with Check Point SandBlast via API

This article will be useful to those who are familiar with Check Point technologies for emulation of files ( Threat Emulation ) and proactive cleaning of files ( Threat Extraction ) and want to take a step towards automating these tasks.

Check Point has a Threat Prevention API that works both in the cloud and on an hardware or virtualized appliance, and is functionally identical to checking files in web / smtp / ftp / smb / nfs traffic streams .

In this article you will find the Postman collections for working with the Threat Prevention API.

If you want to test this API you can get a 60 day trial from https://usercenter.checkpoint.com for testing and demo purposes.

Screenshot from a trial key generation

Basic abbreviations

Threat Prevention API , API :

av — Anti-Virus, .

te — Threat Emulation, , (malicious)/(benign) .

extraction — Threat Extraction, ( ), /.

API

Threat Prevention API 4 — upload, query, download quota. API , Authorization. , , Management API, upload query . Threat Prevention /.

, Threat Prevention API — 1.0, URL API v1 , . Management API, API URL , .

Anti-Virus (te, extraction) query md5 . Threat Emulation Threat Extraction sha1 sha256 .

! , . / . reports(reports),reports, id / API , 403.

SandBlast API:

API Check Point, (blade) Threat Emulation. ip/url 18194 ( — https://10.10.57.19:18194/tecloud/api/v1/file/query). , . API Authorization .

API CheckPoint te.checkpoint.com ( — https://te.checkpoint.com/tecloud/api/v1/file/query). API 60 , Check Point .

Threat Extraction Threat Prevention API Threat Prevention API for Security Gateway ( ). quota.

Upload API

- POST

- https://<service_address>/tecloud/api/v1/file/upload

(form-data): / . , . , , :

upload

HTTP POST

https://<service_address>/tecloud/api/v1/file/upload

Headers:

Authorization: <api_key>

Body

{ “request”: { } }

File : — te, — Win XP Win 7, . : file_name file_type , . API , d5/sha1/sha256 hash .

file_name file_type

features — , — av (Anti-Virus), te (Threat Emulation), extraction (Threat Extraction). , — te(Threat Emulation).

, API . av, te extraction

te

images — , id , . ID .

images , , Check Point ( Win XP Win 7). catch rate.

reports — , , . :

  1. summary — .tar.gz , image’ ( html , , , json, ). — summary_report .
  2. pdf — image, Smart Console. — pdf_report .
  3. xml — image, . — xml_report .
  4. tar — .tar.gz , image’ ( html , , , json, ). — full_report .

summaryfull_report, pdf_report, xml_reportsummary_report -

tar xml pdf, summary tar xml. summary pdf .

extraction

threat extraction :

method — pdf( pdf, ) clean( ).

extracted_parts_codes — , clean

query ( ) , hash extraction . id query — extracted_file_download_id. , , query id .

query extracted_file_download_idquery ( extracted_file_download_id)

API . av , features.

Query API

- POST

- https://<service_address>/tecloud/api/v1/file/query

( upload), ( query) API , API . . — sha1/sha256/md5 hash . upload.

queryupload, sha1/md5/sha256 hash

query hash , ( ) upload, “” ( query upload). , query , upload, .

query,

code label. status. “code”: 1006 “label”: “PARTIALLY_FOUND”. , — te extraction. te , , extraction .

queryquery extraction(“code”: 1001, “label”: “FOUND”), “label”: “NOT_FOUND”

API . , . query sha256query sha256 hash query API .

Download API

- POST ( ), GET ( )

- https://<service_address>/tecloud/api/v1/file/download?id=<id>

API , — , id url .

query , , id . , , id .

, query, id :

  • summary_report
  • full_report
  • pdf_report
  • xml_report
  • extracted_file_download_id

, query , ( ) extraction ( )

Quota API

- POST

- https://<service_address>/tecloud/api/v1/file/quota

quota. .

quota

Threat Prevention API for Security Gateway

API , Threat Prevention API . , Threat Extraction API. Threat Emulation Threat Prevention API. TP API for SG API sk113599. 6b https://<IPAddressofSecurityGateway>/UserCheck/TPAPI . url API . (upload/query) — request_name. — api_key ( ) protocol_version ( 1.1). API sk137032. , base64. / / base64 Postman , — https://base64.guru. encode decode.

te extraction API.

te te_options upload/query, te Threat Prevention API.

Win10

extraction scrub_options. : PDF, Threat Prevention( ). API extraction , base64 ( query id ) , API , , form-data, Threat Prevention API.

Postman

Postman Threat Prevention API, Threat Prevention API for Security Gateway, API . , ip/url API , hash sha256 , ( Edit -> Variables): te_api( ), api_key( , TP API ), sha256 ( , TP API for SG ).

Postman Threat Prevention API

Postman Threat Prevention for Security Gateway API

Check Mates , Python, TP API, TP API for SG. Threat Prevention API , ( VirusTotal API, Check Point), , , , CRM .

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store