Check Point Firewall monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. Integration with Check Point covers major actions on firewalls such as add access rule, add threat rule, run script, etc. D3 Security's integration with the Check Point Firewall API v1.8 covers major firewall rule management operations, such as adding access/threat rule, running script, etc. Furthermore, D3's integration also provides Event Intake operation to query firewall logs.
D3 SOAR is providing REST operations to function with Check Point Firewall.
The API server is active on management servers with 4 GB RAM (or more) and stand-alone servers with 8 GB RAM (or more) by default. D3 recommends a minimum hardware configuration of 4 CPU cores and 12 GB of RAM for on-premise Check Point Firewall instances. If the hardware is insufficient, the FetchEvent API command may not execute successfully.
All sessions are private. Changes made by administrators are not visible to others until published. To maintain privacy, objects are locked when being modified, with the administrator's name displayed to help with coordinating work on shared resources. Other administrators can only see that the object is locked and cannot make modifications. If an API call returns an "object locked" message, you can either take over or disconnect the locking session in Check Point SmartConsole, or wait until no session locks the object before executing it.
Connection
To connect to Check Point Firewall from D3 SOAR, please follow this part to collect the required information below:
Parameter
Description
Example
Server URL
The URL of the Check Point server.
https://192.168.85.32
User Name
The username to authenticate the connection.
Admin
Password
The password to authenticate the connection.
YourPassword
Permission Requirements
Each endpoint in the Check Point Firewall API requires a certain permission scope. The following are required scopes for the commands in this integration:
As Check Point Firewall is using role-based access control (RBAC), the D3 connector will be generated based on a specific user account and the application. Therefore, the command permissions are inherited from the user account's role. Users need to configure their user profile from the Check Point Firewall console for each command in this integration.
Reader Note
Check Point Firewall's default permission profiles (sorted from the most permissions to the least) are as follows:
Super User: Full Read/Write Permissions including managing administrators and sessions.
Read Write All: Full Read/Write Permissions.
Read Only All: Full Read Permissions, no Write Permissions.
In the permissions table above, the three default permission profiles are represented by "System: Super User", etc. When a command requires one of the three default profiles, you can assign the default profile or create a customized role with the same permissions as the system profiles.
Configuring Check Point Firewall to Work with D3 SOAR
Creating Customized Roles
Log into Check Point SmartConsole.
On the left sidebar, navigate to Manage & Settings > Permissions & Administrators > Permission Profiles.
Above the Permission Profiles table, click the star icon to create a new role.
Name the role, then configure the different access permissions as needed. Click OK.
To save the changes, navigate to Sessions > View Sessions in the left sidebar and locate the Current Session. Right click the session and select Publish.
Creating a New User and Assigning Customized Roles
On the left sidebar, navigate to Manage & Settings > Permissions & Administrators > Administrators.
Above the Administrators table, click the star icon to create a new user.
Fill in the required fields for the user details. Ensure to select Check Point Password as the Authentication Method in the drop down menu. The Permission Profile dropdown menu defines the role and the user's permissions. Select the role you have created for the user and click OK to create the user.
To save the changes, navigate to Sessions > View Sessions in the left sidebar and locate the Current Session. Right click the session and select Publish.
Configuring D3 SOAR to Work with Check Point Firewall
Log in to D3 SOAR.
Find the Check Point Firewall integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Check Point Firewall in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Check Point Firewall.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection. 1. Input the domain level Server URL of your Check Point Firewall instance. 2. Input your Check Point Firewall account User Name. The default user name is admin. You can remove the default username and replace it with another username. 3. Input your Check Point Firewall account Password.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active. To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmarkappear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click +Add to create and add the configured connection.
Commands
Check Point Firewall includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.
After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.
Add Threat Exception
Creates a threat exception.
Reader Note
"Layer Name Or UID", "Parent Rule Name Or Number Or UID" and "Exception Group Name Or UID" are optional parameters to run this command.
If the threat exception is under a rule, Layer Name Or UID is a required parameter.
Run the Show Threat Layers command to obtain Layer Name and UIDs. Layer Names can be found in the returned raw data at the path $.threat-layers[*].name; UIDs can be found at the path $.threat-layers[*].uid.
If the threat exception is under an exception group, the Layer Name Or UID parameter must not be defined. Any input value will be omitted.
Run the Show Threat Rule Base command to obtain Parent Rule Names, Numbers and UIDs. Rule UIDs can be found in the returned raw data at the path $.rulebase[*].uid; Rule numbers can be found in the returned raw data at the path $.rulebase[*].rule-number. Rule Names can be found in the returned raw data at the path $.rulebase[*].name.
Run the Show Exception Groups command to obtain Exception Group Names and UIDs. Exception Group Names can be found in the returned raw data at the path $.objects[*].name; Exception Group UID can be found in the returned raw data at the path $.objects[*].uid.
🔔
Alert
To add a threat exception, you must define at least one of the Parent Rule Name Or Number Or UID or the Exception Group Name Or UID parameters, but not both.
If you are adding a threat exception to a rule, the Parent Rule Name Or Number Or UID parameter is required to run this command.
Ensure that the values entered for Layer Name Or UID and Parent Rule Name Or Number Or UID match. It is suggested to run the Show Threat Layers command to obtain the desired layer, then use that layer to run the Show Threat Rule Base command and select the desired threat rule. Failure to match the values may result in errors.
If you are adding the exception to an Exception Group, the Exception Group Name Or UID parameter is required to run this command. Do not fill "Layer Name Or UID" parameter, value will be omitted in this case.
Input
Input Parameter
Required/Optional
Description
Example
Layer Name Or UID
Optional
The name or UID of the layer that the rule belongs to. Layer UIDs can be obtained using the Show Threat Layers command. If the Parent Rule Name Or Number Or UID parameter is defined, then this parameter is required and the specified rule must match the layer. Otherwise, if the Exception Group Name Or UID parameter is defined, this parameter must not be defined. Any entered value will be omitted.
Standard Threat Prevention
Position
Required
The position (i.e. Top or Bottom) in the rulebase.
Bottom
Parent Rule Name Or Number Or UID
Optional
The name, number or UID of the parent rule. Rule numbers and UIDs can be obtained using the Show Threat Rule Base command. Note: (1) Only one of the Parent Rule Name Or Number OR UID or Exception Group Name Or UID parameters can be defined per execution of the command, but at least one must be defined. (2) If this parameter is defined, you must define the matching Layer Name Or UID parameter. Entering a rule and layer that do not match will result in an error.
1
Exception Group Name Or UID
Optional
The name or UID of the exception group. Exception Group names and UIDs can be obtained using the Show Exception Groups command. Note: (1) Only one of the Exception Group Name Or UID or Parent Rule Name Or Number OR UID parameters can be defined per execution of the command, but at least one must be defined. (2) If this parameter is defined, you cannot define the Layer Name Or UID parameter. The value entered for the layer will be omitted.
TestExceptionGroup0917001
Exception Name
Required
The name of the exception.
exception091700cc
Comment
Optional
A comment for the exception.
create exception091700cc
Track
Optional
The tracking method for protection.
log
Protected Scope
Optional
The names or UIDs of network objects defining the protected scope.
All_Internet
Install On
Optional
The name or UID of the gateways to install the policy on.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Threat Exception failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Missing parameter: [position].
Error Sample Data
Add Threat Exception failed.
Status Code: 400.
Message: Missing parameter: [position].
Add Threat Rule
Creates a threat rule.
Reader Note
Layer Name Or UID is a required parameterto run this command.
Run the Show Threat Layers command to obtain Layer Name and UIDs. Layer Name can be found in the returned raw data at the path $.threat-layers[*].name; UID can be found at the path $.threat-layers[*].uid.
Input
Input Parameter
Required/Optional
Description
Example
Layer Name Or UID
Required
The name or UID of the layer that the threat rule belongs to. Layer names and UIDs can be obtained using the Show Threat Layers command.
Standard Threat Prevention
Position
Required
The position (i.e. Top or Bottom) in the rulebase.
Bottom
Name
Required
The name of the threat rule.
Test Rule
Comment
Optional
A comment for the threat rule.
EddieTestComment
Track
Optional
The tracking method for protection.
Alert
Action
Optional
The action of the threat rule.
Basic
Protected Scope
Optional
The names or UIDs of network objects defining the protected scope.
All_Internet
Install On
Optional
The name or UID of the gateways to install the policy on.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Threat Rule failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Requested object [xxx] not found.
Error Sample Data
Add Threat Rule failed.
Status Code: 404.
Message: Requested object [xxx] not found.
Block Domains
Adds a policy access rule to block domains.
Reader Note
Layer Name Or UID is a required parameter to run this command.
Run the Show Access Layers command to obtain Layer Name Or UID. Layer Names can be found from the returned raw data at the path $.access-layers[*].name; UIDs can be found from the returned raw data at the path $.access-layers[*].uid.
Please note that the input layer must be included in the firewall blade.
Error for "layer3" as an example: "Validate the ACCESS_LAYER 'layer3' failed, this layer hasn't included the 'Firewall' blade."
To know if the layer you select includes the firewall blade, set the Show Details parameter to True when running the Show Access Layers command. In the returned raw data, check path $.access-layers[*].firewall for your selected layer. If the value is False, then the layer is not included; if it is True, then it is included.
It can also be enabled from within the UI.
Domains can be unblocked by removing the rule name (delete the input rule name or delete the auto generated rule name in the returned raw data of the block domains command at the path $.name) using the Delete Access Rules command.
To check your created blocked domain rules, locate which policy the input layer is under. Then navigate to that policy page to view applied rules.
Click the + on the top of the policy page, then Manage policies and layers.
Navigate to Layers > Access Control, select a layer, then check Used in policies. In this example, layer3 is under policy_1.
Navigate to policy_1 to check the created rules.
Input
Input Parameter
Required/Optional
Description
Example
Domains
Required
The domain strings to block.
[
"google.com",
"facebook.com"
]
Is Root Domain
Optional
The option to specify whether the domains are DNS root domain or sub DNS domain. The type will apply to all the domains provided in the first parameter Domains. Set to True for DNS root domain, and False for sub DNS domain. The default value is False.
True
Direction
Optional
The blocking direction of the rule. The available values are From, To, or Both.
to
Rule Name
Optional
The rule name to save the block domain operation under the specified layer. If this parameter is not defined, D3 will create a new rule with the naming rule of domain_bock_datetime, e.g.: domain_block_to_rule_20230321095001.
domain_block_to_rule_***
Layer Name Or UID
Required
The name or UID of the policy layer from the Access Control policy for the new block domains rule to attach to. The layer name or UID can be obtained using the Show Access Layers command.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Block Domains failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: generic_err_object_not_found.
Error Sample Data
Block Domains failed.
Status Code: 404.
Message: generic_err_object_not_found.
Block IP Addresses
Creates a new firewall access rule to block specified IP addresses.
Reader Note
IP Addresses can be unblocked by removing the Rule Name Prefix using the Delete Access Rules command.
Please note that the input layer must be included in the firewall blade.
E.g. Error for "layer3": "Validate the ACCESS_LAYER 'layer3' failed, this layer hasn't included the 'Firewall' blade."
To know if the selected layer includes the firewall blade, set the Show Details parameter to True when running the Show Access Layers command. In the returned raw data, check path $.access-layers[*].firewall for the selected layer. If the value is False, then the layer is not included; if it is True, then it is included.
It can also be enabled from within the UI.
Rule name prefix-to-ip + Rule name prefix-from-ip depending on the chosen direction. If both are chosen, 2 will be returned.
To review the created blocked IP rules, it's necessary to identify the policy located within the input layer. Subsequently, navigate to the respective policy page to access and view the rules.
Click the + on the top of the policy page, then Manage policies and layers.
Navigate to Layers > Access Control, select a layer, then check Used in policies. In this example, layer3 is under policy_1.
Navigate to policy_1 to check the created rules.
Input
Input Parameter
Required/Optional
Description
Example
IP Addresses
Required
The list of IP addresses to block.
[
"1.1.1.1",
"2.2.2.2"
]
Direction
Optional
The blocking direction (i.e. From, To, or Both) of the rule. The default direction is both.
Both
Rule Name Prefix
Required
Defines the rule name prefix of the access rule for each IP Address. When the block action is executed, Check Point Firewall enhances this prefix by appending specific details. The resulting format is: [Chosen Rule Name Prefix]-[Block Direction]- [Blocked Entity]. If no block direction has been defined, two rules will be created for each direction.
BlockIPs2
Layer Name or UID
Required
The name or UID of the layer that the rule belongs to. The layer name or UID can be obtained using the Show Access Layers command.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command's input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Block IP Addresses failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: More than one object named 'xxx' exists.
Error Sample Data
Block IP Addresses failed.
Status Code: 400.
Message: More than one object named 'xxx' exists.
Block URLs
Blocks URLs by adding a new policy rule to the specified "Applications & URL Filtering" policy layer.
Reader Note
Category Name and "Layer Name Or UID" are required parameters to run this command.
Run the Show Application Site Categories command to obtain the Category Name. Category Names can be found in the returned raw data at the path $.objects[*].name.
Run the Show Access Layers command to obtain Layer Name or UID. Layer Names can be found in the returned raw data at the path $.access-layers[*].name; UIDs can be found in the returned raw data at the path $.access-layers[*].uid.
URLs can be unblocked by removing the rule name (delete the input rule name or delete the auto generated rule name in the returned raw data of the block domains command at the path $.name) using the Delete Access Rules command.
Please note that the input layer must be included in the Applications & URL Filtering blade.
Error for "layer3" as an example: "Validate the ACCESS_LAYER 'layer3' failed, this layer hasn't included the 'Applications & URL Filtering' blade."
To know if the selected layer includes the Applications & URL Filtering blade, set the Show Details parameter to True when running the Show Access Layers command. In the returned raw data, check under the path $.access-layers[*].applications-and-url-filtering for the selected layer. If the value is False, then the layer is not included; if it is True, then it is included.
It can also be enabled from within the UI.
If no rule name has been defined, D3 will create a new rule with the naming rule of url_block_datetime, e.g.: url_block_20230321095001.
To review created blocked url rules, it is necessary to determine which policy is the input layer under. Subsequently, navigate to that policy page to view its rules.
Click the + on the top of the policy page, then Manage policies and layers.
Navigate to Layers > Access Control, select a layer, then check Used in policies. In this example, layer3 is under policy_1.
Navigate to policy_1 to check the created rules.
Input
Input Parameter
Required/Optional
Description
Example
URL(s)
Required
The URL(s) to block.
[
"malware.com",
"virus.com"
]
Category Name
Required
The primary application or site category of the URLs based on their most defining aspect. The application category layer name can be obtained from the Show Application Site Categories command.
Art / Culture
URL(s) Defined as Regex Expressions
Optional
The expression that states if the designated URL is defined as a Regular Expression or not.
True
Rule Name
Optional
The rule name to save the block domain operation under the specified layer. If this parameter is not defined, D3 will create a new rule with the naming rule of url_block_datetime, e.g.: url_block_20230321095001.
url_block_***
Layer Name Or UID
Required
The name or UID of the policy layer from the Access Control policy for the new block urls rule to attach to. The layer name or UID can be obtained using the Show Access Layers command.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command's input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Block URLs failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: generic_err_object_not_found.
Error Sample Data
Block URLs failed.
Status Code: 404.
Message: generic_err_object_not_found.
Delete Access Rules
Deletes the specified firewall access rules.
Reader Note
"UIDs Or Names Or Rule Numbers" and "Layer Name or UID" are required parameters to run this command.
Run the Get Access Rule Base command to obtain UIDs. UID can be found from the returned raw data at the path $.rulebase[*].uid; names can be found from the returned raw data at the path $.rulebase[*].name.
Run the Show Access Layers command to obtain access layers. Access layer UIDs can be found in the returned raw data at the path $.access-layers[*].uid; Access layer name can be found in the returned raw data at the path $.access-layers[*].name.
Please note that the value for "UIDs or Names or Rule Numbers" and Layer parameters must match in order to pass the command. It is suggested to run the Show Access Layers command first to obtain the desired layer UID/name, then use the layer UID/name to run the Get Access Rule Base command and obtain the desired rule UIDs/Names/Rule Numbers to delete.
Please note some access rules cannot be deleted. For example the Cleanup rule.
Input
Input Parameter
Required/Optional
Description
Example
UIDs Or Names Or Rule Numbers
Required
The list of access rules to delete. Rules can be specified by UID, name, or rule number. However, all input values in the list must be in the same format. These values can be obtained using the Get Access Rule Base command.
[
"***-***-***-***-***",
"***-***-***-***-***"
]
Source
Required
The source type (i.e. UID, Name or Rule-number) used for the input for the UIDs or Names or Rule-numbers parameter.
UID
Layer Name or UID
Required
The name or UID of the layer that the rule belongs to. This parameter is required when the defined Source is Name or UID. Layer names and UIDs can be obtained using the Show Access Layers command.
Network
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
No Sample Data
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command's input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
Result
Successfully delete the access rule for uid: ***-***-***-***-***
Successfully delete the access rule for uid: ***-***-***-***-***
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Delete Access Rules failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Please double check the Server URL, the Username and password.
Error Sample Data
Delete Access Rules failed.
Status Code: 400.
Message: Please double check the Server URL, the Username and password.
Discard unpublished changes created by Web API
Discards unpublished changes made by the Web API session and removes them from the database.
Reader Note
Session UID is an optional parameter to run this command.
Run the Show Session Objects command to obtain the Session UID. Session UIDs can be found in the returned raw data at the path $.objects[*].uid.
Once the session is discarded, the session cannot be used again. Running this command using the UID of a session that was already discarded will return "not found".
The Session UID is optional to input, if you leave the parameter empty, no discard will be operated.
Input
Input Parameter
Required/Optional
Description
Example
Session UID
Optional
The UID of the session to discard. The session to discard must be a different session than the one you are currently using. Session UIDs can be obtained using the Show Session Objects command. Only changes made by the Web API type sessions can be discarded.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
No Sample Data
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
number-of-discarded-changes
0
message
OK
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Discard unpublished changes created by Web API failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid parameter for [uid]. The invalid value: [xxx].
Error Sample Data
Discard unpublished changes created by Web API failed.
Status Code: 400.
Message: Invalid parameter for [uid]. The invalid value: [xxx].
Fetch Event
Returns firewall logs based on specified criteria.
Reader Note
Query ID is an optional parameter to run this command.
Query IDs can be obtained by running this command with the Query ID parameter empty. The Query IDs can be found at the path $.query-id.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Optional
The start time of the time range to fetch logs in UTC time. Note: If the Start Time and End Time parameters are not defined, the query will return logs from the past 24 hours.
2022-03-01 00:00
End Time
Optional
The end time of the time range to fetch logs in UTC time format. Note: If the Start Time and End Time parameters are not defined, the query will return logs from the past 24 hours.
2022-03-22 00:00
Filter
Optional
The filter expression for the query. The syntax is Field1:Value1 {AND|OR|NOT} Field2:Value2. If the value contains any spaces, it must be enclosed in double quotation marks. For example, subject:"Object Manipulation".
severity:Informational AND comment like "%update to%"
Number of Event(s) Fetched
Optional
The maximum number of results to return, starting from the defined offset index value. The default limit is set to 20, and the maximum limit that can be set is 100.
20
Type
Optional
The log type to filter results. The available options are Logs and Audit. If this parameter is not defined, all log types will be returned.
Logs
Log Server IPs
Optional
The list of IP addresses of log servers to filter results.
[ "1.1.1.1" ]
Query ID
Optional
The ID of the query to retrieve the next page of results from the previous run query, using the specified limit. If this parameter is defined, all other parameters will be ignored. The query ID can be obtained from the raw data of the command at the JSON path $.query-id.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Log file has been switched to: 2022-03-25_132425.log
1.1.1.1
gw-***
@***C@0
Log file has been switched to: 2022-03-25_132425.log
***-***-***-***-***
2022-03-25T20:24:25Z
daemon
true
Fetch Event Field Mapping
Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.
If you require a custom field mapping, click + Add Field to add a custom field mapping. You may also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.
As a system integration, the Check Point Firewall integration has some pre-configured field mappings for default field mapping.
Default Event Source The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mapping provided by the system. Default event source provides field mappings for common fields from fetched events . The default event source has a ‘Main Event JSON Path' (i.e., $.logs) that is used to extract a batch of events from the response raw data. Click Edit Event Source to view the 'Main Event JSON Path’.
Main Event JSON Path: $.logs The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks (['...']) should be used to separate child elements in JSON arrays. For example, the root node of a JSON Path is logs. The child node denoting the Unique Event Key field would be id. Putting it together, the JSON Path expression to extract the Unique Event Key is $.logs.id.
The pre-configured field mappings are detailed below:
Field Name
Source Field
Unique Event Key
.id
Event Type
.type
Event name
.subject
Start Time
.time
Severity
.severity
Description
.calc_desc
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Fetch Event failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Please double check the Server URL, the Username and password.
Error Sample Data
Fetch Event failed.
Status Code: 400.
Message: Please double check the Server URL, the Username and password.
Get Access Rule Base
Retrieves the entire access rule layer of the specified object.
Reader Note
Name is a required parameter to run this command.
The Name parameter is referring to the Access Layers. You can run the Show Access Layers command to obtain your desired values. Layer Names can be found from the returned raw data at the path $.access-layers[*].name; UIDs can be found from the returned raw data at the path $.access-layers[*].uid.
Input
Input Parameter
Required/Optional
Description
Example
Name
Required
The name or UID of the access rule to retrieve rulebase details for.
Network
Limit
Optional
The maximum number (up to 100) of rulebase records to return. If the input value is negative or not specified, the default value of 20 will be used.
2
Offset
Optional
The number of matching records to omit initially. The default value is 0.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Access Rule Base failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Requested object [Standard Threat Prevention] not found.
Error Sample Data
Get Access Rule Base failed.
Status Code: 404.
Message: Requested object [Standard Threat Prevention] not found.
Get Task Status
Retrieves the progress and details of the specified task.
Reader Note
Task ID is an optional parameterto run this command.
You should already have your desired task IDs on hand to run this command. If you don't know what the task ID is, you can use the Run Script command. The task IDs can be found in the raw data at the path $.[*].task-id. Store the task ID in a secure location, you may need it to run this command in the future.
Since all parameters are optional to input when running this command, if all parameters are left blank then 50 tasks will be returned.
Input
Input Parameter
Required/Optional
Description
Example
Task ID
Optional
The ID of the task to return the status of. Task IDs can be obtained using the Run Script command. If this parameter is defined, the other parameters will be omitted.
***-***-***-***-***
From Time
Optional
The start time of the time range to filter tasks, by the tasks' last update time.
2022-03-01 00:00
To Time
Optional
The end time of the time range to filter tasks, by the tasks' last update time.
2022-03-22 00:00
Status
Optional
The status to filter tasks. The available options are All, Successful, Failed and In Progress. The default option is All.
All
Limit
Optional
The maximum number (up to 500) of records to return. If the input value is negative or not defined, the default value of 50 will be used.
2
Offset
Optional
The number of matching records to omit initially. The default value is 0.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"TaskIDs": "\"***-***-***-***-***\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Task Status failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: 'Invalid parameter for [task-id].
Error Sample Data
Get Task Status failed.
Status Code: 400.
Message: 'Invalid parameter for [task-id].
Install Policy
Applies all published changes from the database to a given target policy package. Installation of incorrect changes or onto the wrong target may cause Check Point to work improperly. Ensure to check changes and Policy Package Names by running the Show Published Changes between a period of time or two sessions and Show Policy Packages commands or check them within Check Point SmartConsole before executing this command.
Reader Note
Policy Package Name is a required parameterto run this command.
Run the Show Policy Packages command to obtain the Policy Package Name. Policy Package Names can be obtained in the returned raw data at the path $.packages[*].name.
Input
Input Parameter
Required/Optional
Description
Example
Policy Package Name
Required
The name of the Policy Package to be installed. Policy Package Name can be obtained using the Show Policy Packages command.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"TaskStatus": "\"succeeded\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
task-id
***-***-***-***-***
task-name
Policy installation - new2
status
succeeded
progress-percentage
100
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Install Policy failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Requested object [xxx] not found.
Error Sample Data
Get Task Status failed.
Status Code: 404.
Message: Requested object [xxx] not found.
Run Script
Executes a script on the specified targets.
Reader Note
Ensure the specified targets are present in the system. Targets can be viewed from Check Point SmartConsole, under GATEWAYS & SERVERS. Right-click on an object to copy its target name to your clipboard.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"TaskIDs": "\"[\\\"***-***-***-***-***\\\"]\"",
"TaskNames": "\"[\\\"gw-*** - List All VPN Tunnel\\\"]\"",
"Statuses": "\"[\\\"succeeded\\\"]\"",
"ProgressPercentages": "\"[100]\"",
"StartTimes": "\"[\\\"2021-07-07T14:25-0700\\\"]\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Run Script failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Requested object [xxx] not found.
Error Sample Data
Run Script failed.
Status Code: 404.
Message: Requested object [xxx] not found.
Enable/Disable Access Rule
Enables or disables the specified access rule(s).
Reader Note
"UIDs Or Names Or Rule Numbers" and "Layer Name or UID" are required parameters to run this command.
Run the Get Access Rule Base command to obtain UIDs. UID can be found from the returned raw data at the path $.rulebase[*].uid; names can be found from the returned raw data at the path $.rulebase[*].name.
Run the Show Access Layers command to obtain access layers. Access layer UIDs can be found in the returned raw data at the path $.access-layers[*].uid; Access layer name can be found in the returned raw data at the path $.access-layers[*].name.
Please note that the value for "UIDs Or Names Or Rule Numbers" and Layer parameters must match in order to pass the command. It is suggested to run the Show Access Layers command first to obtain the desired layer UID/name, then use the layer UID/name to run the Get Access Rule Base command to obtain the desired rule UIDs/Names/Rule Numbers to enable/disable.
Input
Input Parameter
Required/Optional
Description
Example
UIDs Or Names Or Rule Numbers
Required
The list of access rules to enable or disable. Rules can be specified by UID, name, or rule number. However, all input values in the list must be in the same format. These values can be obtained using the Get Access Rule Base command.
["***-***-***-***-***"
]
Source
Required
The source type (i.e. UID, Name or Rule-number) used for the input for the UIDs or Names or Rule-numbers parameter.
UID
Layer Name or UID
Required
The name or UID of the layer that the rule belongs to. Layer names and UIDs can be obtained using the Show Access Layers command.
Network
Enabled
Optional
The option to enable or disable the specified access rules. Selecting True will enable the rules, and selecting False will disable them. Default value is True.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Enable/Disable Access Rule failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Requested object [Entities can not be found] not found.
Error Sample Data
Enable/Disable Access Rule failed.
Status Code: 404.
Message: Requested object [Entities can not be found] not found.
Set Threat Exception
Sets the specified threat exception.
Reader Note
Exception Name Or UID is a required parameterto run this command.
For exception under a rule: Run the Show Threat Rule Exception Rule Base command to obtain Exception Name Or UID. Exception Names can be found in the returned raw data at the path $.rulebase[*].name; Exception UID can be found in the returned raw data at the path $.rulebase[*].uid.
For exceptions under an exception group: These can only be found from within Check Point SmartConsole. Navigate to Security Policies > Exceptions, then click Exception Group Name and select Exceptions.
"Layer Name Or UID", "Parent Rule Name Or Number Or UID" and "Exception Group Name Or UID" are optional parameters to run this command.
If the threat exception is under a rule, Layer Name Or UID is a required parameter.
Run the Show Threat Layers command to obtain Layer Name and UIDs. Layer Names can be found in the returned raw data at the path $.threat-layers[*].name; UIDs can be found at the path $.threat-layers[*].uid.
If the threat exception is under an exception group, the Layer Name Or UID parameter must not be defined. Any input value will be omitted.
Run the Show Threat Rule Base command to obtain Parent Rule Names, Numbers and UIDs. Rule UIDs can be found in the returned raw data at the path $.rulebase[*].uid; Rule numbers can be found in the returned raw data at the path $.rulebase[*].rule-number. Rule Names can be found in the returned raw data at the path $.rulebase[*].name.
Run the Show Exception Groups command to obtain Exception Group Names and UIDs. Exception Group Names can be found in the returned raw data at the path $.objects[*].name; Exception Group UID can be found in the returned raw data at the path $.objects[*].uid.
🔔
Alert
To set threat exceptions, you must define at least one of the Parent Rule Name Or Number Or UID or the Exception Group Name Or UID parameters, but not both.
If your desired threat exception is under a rule, the Layer Name Or UID, Parent Rule Name Or Number Or UID and Exception Name Or UID parameters are required to run this command.
Ensure that the values entered for the Layer Name Or UID, Parent Rule Name Or Number Or UID and Exception Name Or UID match. It is suggested to run the Show Threat Layers command to identify the correct layer, and then use that layer to run the Show Threat Rule Base command and select the desired threat rule. Then use your selected threat layer and threat rule to run the Show Threat Rule Exception Rule Base command. If your selected threat layer and threat rule has exceptions (some may not), select your desired exception. Use the threat layer, threat rule and exception as a pair to run this command. Failure to match the values may result in errors.
If your desired threat exception is under an exception group instead of a rule, the Exception Group Name Or UID and Exception Name Or UID parameters are required to run this command.
For threat exceptions under an exception group, the Layer Name Or UID parameter must not be defined. Any input value will be omitted.
Ensure the input threat exception group value matches the threat exception. You can use the threat group you choose to check Check Point SmartConsole. Navigate to Security Policies > Exceptions to view threat exceptions under their corresponding Exception Groups.
Input
Input Parameter
Required/Optional
Description
Example
Layer Name Or UID
Optional
The name or UID of the layer that the rule belongs to. Layer names and UIDs can be obtained using the Show Threat Layers command. If the Parent Rule Name Or Number Or UID parameter is defined, then this parameter is required and the specified rule must match the layer. Otherwise, if the Exception Group Name Or UID parameter is defined, this parameter must not be defined. Any entered value will be omitted.
Standard Threat Prevention
Exception Name Or UID
Required
The name or UID of the exception. If the exception is under a rule, then it can be obtained using the Show Threat Rule Exception Rule Base command; if the exception is under an exception group, then it can only be found from within Check Point SmartConsole.
exception091700b
Parent Rule Name Or Number Or UID
Optional
The name, number or UID of the parent rule. Rule number and UIDs can be obtained using the Show Threat Rule Base command. Note: (1) Only one of the Parent Rule Name Or Number OR UID or Exception Group Name Or UID parameters can be defined per execution of the command, but at least one must be defined. (2) If this parameter is defined, you must define the Layer Name Or UID parameter. Entering a rule and layer that do not match will result in an error.
1
Exception Group Name Or UID
Optional
The name or UID of the exception group. Exception Group names and UIDs can be obtained using the Show Exception Groups command. Note: (1) Only one of the Exception Group Name Or UID or Rule Name Or Number OR UID parameters can be defined per execution of the command, but at least one must be defined. (2) If this parameter is defined, you cannot define the Layer Name Or UID parameter. The value entered for the layer will be omitted.
TestExceptionGroup0917001
New Exception Name
Optional
The new name of the exception.
New Test Exception
Comment
Optional
The comment for the exception.
Test Comment
Track
Optional
The tracking method for protection.
log
Protected Scope
Optional
The name of UIDs or network objects defining the protected scope.
All_Internet
Install On
Optional
The name or UID of the gateways to install the policy on.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"ExceptionUID": "\"***-***-***-***-***\"",
"ExceptionName": "\"ThreatException1210a New Name\"",
"Type": "\"threat-exception\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Set Threat Exception failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: layer can't be used with exception-group-name or exception-group-uid.
Error Sample Data
Set Threat Exception failed.
Status Code: 400.
Message: layer can't be used with exception-group-name or exception-group-uid.
Set Threat Protection
Edits the specified threat protection.
Reader Note
Threat Protection Name Or UID is a required parameterto run this command.
Run the Show Threat Protections command to obtain Threat Protection Name Or UID. Threat Protection Name can be found in the returned raw data at the path $.protections[*].name; Threat Protection UID can be found in the returned raw data at the path $.protections[*].uid.
Input
Input Parameter
Required/Optional
Description
Example
Threat Protection Name Or UID
Required
The name or UID of the threat protection. Threat Protection Names and UIDs can be obtained using the Show Threat Protections command.
***-***-***-***-***
Comment
Required
The comment for the threat protection.
Test Comment
Follow Up
Optional
The option to mark the protection with a predefined follow-up flag. The available input options are True or False. Default option is False.
False
Profile
Required
The name of the profile.
Basic
Action
Required
The protection action of the threat protection. The valid actions are Threat Cloud: Inactive, Detect, Prevent Core: Drop, Inactive, Accept.
Inactive
Track
Optional
The tracking method for the threat protection.
Alert
Capture Packets
Optional
The option to capture packets when set to True. The available input options are True or False. Default option is False.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Set Threat Protection failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Please double check the Server URL, the Username and password.
Error Sample Data
Set Threat Protection failed.
Status Code: 400.
Message: Please double check the Server URL, the Username and password.
Set Threat Rule
Edits the specified threat rule.
Reader Note
"Layer Name Or UID" and "Rule Name Or Number Or UID" are required parametersto run this command.
Run the Show Threat Layers command to obtain Layer Names and UIDs. Layer Names can be found in the returned raw data at the path $.threat-layers[*].name; UIDs can be found at the path $.threat-layers[*].uid.
Run the Show Threat Rule Base command to obtain Rule Names, Numbers and UIDs. Rule UIDs can be found in the returned raw data at the path $.rulebase[*].uid; Rule numbers can be found in the returned raw data at the path $.rulebase[*].rule-number. Rule Names can be found in the returned raw data at the path $.rulebase[*].name.
🔔
Alert
Ensure that the values entered for the Layer Name Or UID and Rule Name Or Number Or UID match. It is suggested to run the Show Threat Layers command to choose the desired layer, and then use that layer to run the Show Threat Rule Base command and select the desired threat rule. Use those pairs to run this command. Failure to match the values may result in errors.
Input
Input Parameter
Required/Optional
Description
Example
Layer Name Or UID
Required
The name or UID of the layer that the threat rules belongs to. Layer names and UIDs can be obtained using the Show Threat Layers command.
Standard Threat Prevention
Rule Name Or Number Or UID
Required
The name, number or UID of the rule. Rule numbers and UIDs can be obtained using the Show Threat Rule Base command.
1
New Rule Name
Optional
The new name for the threat rule.
admin_Testrule21
Comment
Optional
The comment for the rule.
AdminTestComment20
Track
Optional
The tracking method for protection.
None
Action
Optional
The protection action of the threat rule.
Basic
Protected Scope
Optional
The names or UIDs defining the protected scope.
All_Internet
Install On
Optional
The name or UID of the gateways to install the policy on.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Set Threat Rule failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Requested object [xxx] not found.
Error Sample Data
Set Threat Rule failed.
Status Code: 404.
Message: Requested object [xxx] not found.
Show Access Layers
Retrieves access layers based on the specified criteria.
Reader Note
If the defined value for the Filter parameter does not match a full or partial layer name, the command will run successfully with no results.
Input
Input Parameter
Required/Optional
Description
Example
Filter
Optional
The partial or full layer name for a free text search to filter access layers.
work
Limit
Optional
The maximum number (up to 100) of rulebase records to return. If the input value is negative or not defined, the default value of 20 will be used.
2
Offset
Optional
The number of matching records to omit initially. The default value is 0.
0
Show Details
Optional
The option to return detailed information when set to True.Selecting False will only return the standard level of information. The default value is False.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Access Layers failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Please double check the Server URL, the Username and password.
Error Sample Data
Show Access Layers failed.
Status Code: 400.
Message: Please double check the Server URL, the Username and password.
Show Application Site Categories
Retrieves the primary categories of applications and sites.
Reader Note
If the defined value for the Filter parameter does not match a category, the command will run successfully with no results.
Input
Input Parameter
Required/Optional
Description
Example
Filter
Optional
The search expression to filter objects by. The provided text should be exactly the same as it would be given in Check Point SmartConsole. The logical operators in the expression ('AND', 'OR') should be provided in capital letters.
Entertainment
Limit
Optional
The maximum number (up to 500) of application primary categories records to return. The default value is 500.
500
Offset
Optional
The number of matching records to omit initially. The default value is 0.
0
Show Details
Optional
The option to return detailed information when set to True. Selecting False will only return the standard level of information. The default value is False.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Application Site Categories failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Please double check the Server URL, the Username and password.
Error Sample Data
Show Application Site Categories failed.
Status Code: 400.
Message: Please double check the Server URL, the Username and password.
Show Published Changes between a period of time or two sessions
Shows published changes from all user sessions in the database. It is highly recommended to run this command with the Details Level parameter set to Full before running the Install Policy command, in order to check whether all desired changes are already published, or if any incorrect changes have been mistakenly published. The results are ordered from past to recent.
Reader Note
From Session parameter must be a published session. Otherwise, errors will return.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Optional
The start time from which tracking changes is to be performed. If the time parameters are used, the session parameters will be omitted.
2023-04-03 08:20
End Time
Optional
The end time until which tracking changes is to be performed. If the time parameters are used, the session parameters will be omitted.
2023-04-04 08:20
From Session
Optional
The session UID from which tracking changes is to be performed. The default used is the session before To Session. If the time parameters are used, the session parameters will be omitted.
***-***-***-***-***
To Session
Optional
The session UID until which tracking changes is to be performed. The default used is the last published session. If the time parameters are used, the session parameters will be omitted.
***-***-***-***-***
Details Level
Optional
The level of detail to include for some of the fields in the response. The available options are Standard, UID and Full. The default option is Standard.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Published Changes between a period of time or two sessions failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Management server failed to execute command.
Error Sample Data
Show Published Changes between a period of time or two sessions failed.
Status Code: 400.
Message: Management server failed to execute command
Show Exception Group
Retrieves the details of a specified exception group.
Reader Note
Exception Group Name Or UID is a required parameterto run this command.
Run the Show Exception Groups command to obtain Exception Group Names and UIDs. Exception Group Names can be found in the returned raw data at the path $.objects[*].name; Exception Group UIDs can be found in the returned raw data at the path $.objects[*].uid.
For clarification, Show Exception Groups returns all exception groups, while Show Exception Group can only search for one specific exception group.
Input
Input Parameter
Required/Optional
Description
Example
Exception Group Name Or UID
Required
The name or UID of the exception group. Exception Group names and UIDs can be obtained using the Show Exception Groups command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Exception Group failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Requested object [xxx] not found.
Error Sample Data
Show Exception Group failed.
Status Code: 404.
Message: Requested object [xxx] not found.
Show Exception Groups
Retrieves a list of all exception groups.
Reader Note
For clarification, Show Exception Groups returns all exception groups, while Show Exception Group can only search for one specific exception group.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.objects in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Error Sample Data
Show Exception Groups failed.
Status Code: 400.
Message: Please double check the Server URL, the Username and password.
Show Logs
Retrieves log information matching the specified criteria. Note: This command is available for Check Point's Management API version 1.6.1 or above.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Required
The start time of the time range to query logs in UTC time.
2023-02-01 00:00
End Time
Required
The end time of the time range to query logs in UTC time.
2023-02-02 00:00
Limit
Optional
The maximum number (between 1 and 100) of logs to return. The default value is 100.
10
Log Servers
Optional
The IPs of the log servers to query. If this parameter is not defined, all log servers will be returned.
[ "1.1.1.1" ]
Log Type
Optional
The type of logs (i.e. Logs or Audit Logs) to return. The default option is Logs.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.logs in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"IDs": "\"[ \\\"***-***-***-***-***\\\"]\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
Low disk space in directory /opt/CPsuite-R81.10/fw1/log/: only 742.6 Mbytes left
1.1.1.1
gw-***
@A@***@262
Traffic
***-***-***-***-***
2022-02-22T18:11:49Z
daemon
true
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Logs failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Policy Packages failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Please double check the Server URL, the Username and password.
Error Sample Data
Show Policy Packages failed.
Status Code: 400.
Message: Please double check the Server URL, the Username and password.
Show Session Objects
Retrieves session objects.
Input
Input Parameter
Required/Optional
Description
Example
Session UIDs
Optional
The session UIDs to check. When this parameter is defined, Application Type will be omitted.
[
"***-***-***-***-***"
]
Application Type
Optional
The application type which the sessions are generated from. When Session UIDs is defined, this parameter will be omitted.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
UID
STATE
USER-NAME
EXPIRED-SESSION
APPLICATION
CHANGES
IN-WORK
IP-ADDRESS
LOCKS
CONNECTION-MODE
SESSION-TIMEOUT
READ-ONLY
***-***-***-***-***
open
admin
False
0
True
1.1.1.1
0
read write
600
F
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Session Objects failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid parameter for [uid]. The invalid value.
Error Sample Data
Show Session Objects failed.
Status Code: 400.
Message: Invalid parameter for [uid]. The invalid value.
Show Threat Exception
Shows the details of the specified threat exception.
Reader Note
Exception Name Or UID is a required parameterto run this command.
For exceptions under a rule: Run the Show Threat Rule Exception Rule Base command to obtain Exception Name Or UID. Exception Names can be found in the returned raw data at the path $.rulebase[*].name; Exception UID can be found in the returned raw data at the path $.rulebase[*].uid.
For exceptions under an exception group: These can only be found from within Check Point SmartConsole. Navigate to Security Policies > Exceptions, then click Exception Group Name and select Exceptions.
"Layer Name Or UID", "Rule Name Or Number Or UID" and "Exception Group Name Or UID" are optional parameters to run this command.
If the threat exception is under a rule, Layer Name Or UID is a required parameter.
Run the Show Threat Layers command to obtain Layer Name and UIDs. Layer Names can be found in the returned raw data at the path $.threat-layers[*].name; UIDs can be found at the path $.threat-layers[*].uid.
If the threat exception is under an exception group, the Layer Name Or UID parameter must not be defined. Any input value will be omitted.
Run the Show Threat Rule Base command to obtain Rule Names, Numbers and UIDs. Rule UIDs can be found in the returned raw data at the path $.rulebase[*].uid; Rule numbers can be found in the returned raw data at the path $.rulebase[*].rule-number. Rule Names can be found in the returned raw data at the path $.rulebase[*].name.
Run the Show Exception Groups command to obtain Exception Group Names and UIDs. Exception Group Names can be found in the returned raw data at the path $.objects[*].name; Exception Group UID can be found in the returned raw data at the path $.objects[*].uid.
🔔
Alert
To show threat exceptions, you must define at least one of the ParentRule Name Or Number Or UID or the Exception Group Name Or UID parameters, but not both.
If your desired threat exception is under a rule, the Layer Name Or UID, Parent Rule Name Or Number Or UID and Exception Name Or UID parameters are required to run this command.
Ensure that the values entered for the Layer Name Or UID, Parent Rule Name Or Number Or UID and Exception Name Or UID match. It is suggested to run the Show Threat Layers command to identify the correct layer, and then use that layer to run the Show Threat Rule Base command and select the desired threat rule. Then use your selected threat layer and threat rule to run the Show Threat Rule Exception Rule Base command. If your selected threat layer and threat rule has exceptions (some may not), select your desired exception. Use the threat layer, threat rule and exception as a pair to run this command. Failure to match the values may result in errors.
If your desired threat exception is under an exception group instead of a rule, the Exception Group Name Or UID and Exception Name Or UID parameters are required to run this command.
For threat exceptions under an exception group, the Layer Name Or UID parameter must not be defined. Any input value will be omitted.
Ensure the input exception group value matches the threat exception. You can use the threat group you choose to check Check Point SmartConsole. Navigate to Security Policies > Exceptions to view threat exceptions under their corresponding Exception Groups.
Input
Input Parameter
Required/Optional
Description
Example
Layer Name Or UID
Optional
The name or UID of the layer that the rule belongs to. Layer names and UIDs can be obtained using the Show Threat Layers command. If the Parent Rule Name Or Number Or UID parameter is defined, then this parameter is required and the specified rule must match the layer. Otherwise, if the Exception Group Name Or UID parameter is defined, this parameter must not be defined. Any entered value will be omitted.
Standard Threat Prevention
Parent Rule Name Or Number Or UID
Optional
The name, number or UID of the rule. Rule numbers and UIDs can be obtained using the Show Threat Rule Base command. Note: (1) Only one of the Parent Rule Name Or Number OR UID or Exception Group Name Or UID parameters can be defined per execution of the command, but at least one must be defined. (2) If this parameter is defined, you must define the Layer Name Or UID parameter. Entering a rule and layer that do not match will result in an error.
***-***-***-***-***
Exception Group Name Or UID
Optional
The name or UID of the exception group. Exception Group names and UIDs can be obtained using the Show Exception Groups command. (1) Only one of the Exception Group Name Or UID or Parent Rule Name Or Number OR UID parameters can be defined per execution of the command, but at least one must be defined. (2) If this parameter is defined, you cannot define the Layer Name Or UID parameter. The value entered for the layer will be omitted.
TestExceptionGroup
Exception Name Or UID
Required
The name or UID of the exception. If the exception is under a rule, then it can be obtained using the Show Threat Rule Exception Rule Base command; if the exception is under an exception group, then it can only be found from within Check Point SmartConsole.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Threat Exception failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.threat-layers in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Threat Layers failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Please double check the Server URL, the Username and password.
Error Sample Data
Show Threat Layers failed.
Status Code: 404.
Message: Please double check the Server URL, the Username and password.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.profiles in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
{'email-action': 'allow', 'remove-attachments-and-links': True, 'malicious-attachments-text': "Malicious email attachment '$filename$' removed by Check Point.", 'failed-to-scan-attachments-text': "Email attachment '$filename$' failed to be scanned and removed by Check Point.", 'malicious-links-text': '[Check Point] Malicious link: $neutralized_url$ [Check Point]', 'add-x-header-to-email': False, 'add-email-subject-prefix': False, 'email-subject-prefix-text': 'Attachment was found malicious. It is recommended not to open this mail.', 'add-customized-text-to-email-body': False, 'email-body-customized-text': '[Check Point] The following verdicts were determined by Check Point: $verdicts$ [Check Point]', 'send-copy': False}
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Threat Profiles failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Please double check the Server URL, the Username and password.
Error Sample Data
Show Threat Profiles failed.
Status Code: 400.
Message: Please double check the Server URL, the Username and password.
Show Threat Protection
Returns the details of the specified threat protection.
Rreader Note
Threat Protection Name Or UID is a required parameterto run this command.
Run the Show Threat Protections command to obtain Threat Protection Name Or UID. Threat Protection name can be found in the returned raw data under path $.protections.name; Threat Protection UID can be found in the returned raw data under path $.protections.uid.
Input
Input Parameter
Required/Optional
Description
Example
Threat Protection Name Or UID
Required
The name or UID of the threat protection. Threat Protection names and UIDs can be obtained using the Show Threat Protections command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Threat Protection failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Requested object [xxx] not found.
Error Sample Data
Show Threat Protection failed.
Status Code: 404.
Message: Requested object [xxx] not found.
Show Threat Protections
Retrieves all threat protections.
Input
Input Parameter
Required/Optional
Description
Example
Limit
Optional
The maximum number of threat protections to return. The default value is 50.
50
Offset
Optional
The number of matching records to omit initially.
0
Details Level
Optional
The level of detail to include for some of the fields in the response. The available options are Standard, UID and Full. The default option is Standard.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $[*].protections in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"ThreatProtectionUIDs": "\"[\\\"***-***-***-***-***\\\",\\\"***-***-***-***-***\\\",\\\"***-***-***-***-***\\\",\\\"***-***-***-***-***\\\]"\"
"ThreatProtectionNames": "\"[\\\"3Com Network Supervisor Directory Traversal\\\",\\\"3Com TFTP Server Transporting Mode Remote Buffer Overflow\\\",\\\"3CX Phone System VAD_Deploy.aspx Arbitrary File Upload\\\",\\\"3ivx MPEG-4 MP4 File Handling Stack Overflow\\\",\\\"3ivx MPEG-4 MP4 File Handling Stack Overflow - Specific\\\",\\\"3S Smart Software Solutions CoDeSys Gateway Server Denial Of Service\\\",\\\"3S Smart Software Solutions CoDeSys Gateway Server Directory Traversal\\\",\\\"3S Smart Software Solutions CoDeSys Gateway Server Heap Buffer Overflow\\\",\\\"3S Smart Software Solutions CoDeSys Gateway Server Memory Access Error\\\",\\\"3S Smart Software Solutions CoDeSys Gateway Server Stack Buffer Overflow\\\",\\\"7-Zip ARJ Archive Handling Buffer Overflow\\\",\\\"7-Zip RAR Solid Compression Remote Code Execution\\\",\\\"7T Interactive Graphical SCADA RMS Reports Buffer Overflow\\\",\\\"7T Interactive Graphical SCADA System (IGSS) Directory Traversal\\\",\\\"7T Interactive Graphical SCADA System Arbitrary File Execution\\\",\\\"7T Interactive Graphical SCADA System File Operations Buffer Overflows\\\",\\\"ABB IDAL HTTP Server Stack Buffer Overflow (CVE-2019-7232)\\\",\\\"ABB MicroSCADA Wserver Command Execution\\\",\\\"ABB MicroSCADA Wserver Multiple Buffer Overflows\\\",\\\"ABB Multiple Products RobNetScanHost.exe Stack Buffer Overflow\\\",\\\"ABB Panel Builder 800 Stack-based Buffer Overflow (CVE-2018-10616)\\\",\\\"ABB Test Signal Viewer CWGraph3D ActiveX Arbitrary File Creation\\\",\\\"ABBS Audio Media Player Buffer Overflow\\\",\\\"Accellion FTA getStatus verify_oauth_token Command Execution\\\",\\\"ACD Systems ACDSee Products XBM File Handling Buffer Overflow\\\",\\\"ACD Systems ACDSee Products XPM File Handling Buffer Overflow\\\",\\\"ACD Systems ACDSee Products XPM Values Section Buffer Overflow\\\",\\\"ACDSee FotoSlate PLP File id Parameter Overflow\\\",\\\"ACE Files\\\",\\\"ACGVclick function.inc.php path Parameter PHP Code Execution - Ver2\\\",\\\"ActFax LPD Server Buffer Overflow\\\",\\\"ActFax RAW Server Buffer Overflow\\\",\\\"ActiveBar ActiveX Method Arbitrary File Write - Ver2\\\",\\\"ActiveCampaign 1-2-All Broadcast Email sername Parameter SQL Injection - Ver2\\\",\\\"activeCollab Chat Module Arbitrary PHP Code Execution\\\",\\\"ActiveFax (ActFax) 4.3 Client Importer Buffer Overflow\\\",\\\"Activist Mobilization Platform base.php base_path Parameter PHP Code Execution - Ver2\\\",\\\"ActualScripts ActualAnalyzer Cookie Command Execution\\\",\\\"Acunetix Web Scanner\\\",\\\"AdaptWeb Web Application SCADA SQL Injection\\\",\\\"Adobe Acrobat AcroPDF.dll Code Execution - Ver2\\\",\\\"Adobe Acrobat and Adobe Reader Deflate Parameter Integer Overflow\\\",\\\"Adobe Acrobat and Adobe Reader Plugin Object Reloading Memory Corruption\\\",\\\"Adobe Acrobat and Reader API Calls Code Execution (APSB14-15)\\\",\\\"Adobe Acrobat and Reader API Calls Code Execution (APSB15-10: CVE-2015-3062)\\\",\\\"Adobe Acrobat and Reader API Calls Code Execution (APSB15-10: CVE-2015-3064)\\\",\\\"Adobe Acrobat and Reader API Calls Code Execution (APSB15-10: CVE-2015-3069)\\\",\\\"Adobe Acrobat and Reader API Calls Code Execution (APSB15-15: CVE-2015-4445)\\\",\\\"Adobe Acrobat and Reader Binary Planting (APSB19-55: CVE-2019-16444)\\\",\\\"Adobe Acrobat and Reader Buffer Access with Incorrect Length Value (APSB17-36: CVE-2017-16381)\\\"]\"",
"Types": "\"[\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\",\\\"threat-protection\\\"]\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Threat Protections failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Please double check the Server URL, the Username and password.
Error Sample Data
Show Threat Protections failed.
Status Code: 400.
Message: Please double check the Server URL, the Username and password.
Show Threat Rule
Shows the details of the specified threat rule.
Reader Note
"Layer Name Or UID" and "Rule Name Or Number Or UID" are required parametersto run this command.
Run the Show Threat Layers command to obtain Layer Name Or UID. Either UID or Layer Name can be accepted. Layer Name can be found in the returned raw data at the path $.threat-layers[*].name; UID can be found at the path $.threat-layers[*].uid.
Run the Show Threat Rule Base command to obtain Rule Name Or Number Or UID. Rule name can be found in the returned raw data at the path $.rulebase[*].name; Rule number can be found in the returned raw data at the path $.rulebase[*].rule-number; Rule UID can be found in the returned raw data at the path $.rulebase[*].uid.
Please note the input values for "Layer Name Or UID" and "Rule Name Or Number Or UID" must match. It is suggested to run the Show Threat Layers command first in order to obtain the desired layer. You can then use that layer to run the Show Threat Rule Base command, and choose your desired threat rule. Use that pair of values to run this command. Otherwise, errors will be returned.
Input
Input Parameter
Required/Optional
Description
Example
Layer Name Or UID
Required
The name or UID of the layer that the threat rule belongs to. Layer names and UIDs can be obtained using the Show Threat Layers command.
***-***-***-***-***
Rule Name Or Number Or UID
Required
The name, number or UID of the rule. Rule numbers and UIDs can be obtained using the Show Threat Rule Base command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Threat Rule failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Requested object [Entities can not be found] not found.
Error Sample Data
Show Threat Rule failed.
Status Code: 404.
Message: Requested object [Entities can not be found] not found.
Show Threat Rule Base
Shows the threat prevention rules of the specified layer.
Reader Note
Layer Name Or UID is a required parameterto run this command.
Run the Show Threat Layers command to obtain Layer Name Or UID. Either UID or Layer Name can be accepted. Layer Name can be found in the returned raw data at the path $.threat-layers[*].name; UID can be found at the path $.threat-layers[*].uid.
Please note some Threat Layers may not have a threat rule base. If your input Threat layer does not have a threat rule base, it will return success with no result.
Input
Input Parameter
Required/Optional
Description
Example
Layer Name Or UID
Required
The name or UID of the layer that the rule belongs to. Layer names and UIDs can be obtained using the Show Threat Layers command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.rulebase in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Threat Rule Base failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Requested object [xxx] not found.
Error Sample Data
Show Threat Rule Base failed.
Status Code: 404.
Message: Requested object [xxx] not found.
Show Threat Rule Exception Rule Base
Shows the entire threat exceptions layer generated for a given threat rule.
Reader Note
"Layer Name Or UID" and "Rule Name Or Number Or UID" are required parametersto run this command.
Run the Show Threat Layers command to obtain Layer Name Or UID. Either UID or Layer Name can be accepted. Layer Name can be found in the returned raw data at the path $.threat-layers[*].name; UID can be found at the path $.threat-layers[*].uid.
Run the Show Threat Rule Base command to obtain Rule Name Or Number Or UID. Rule Name can be found in the returned raw data at the path $.rulebase[*].name; Rule Number can be found in the returned raw data at the path $.rulebase[*].rule-number; Rule UID can be found in the returned raw data at the path $.rulebase[*].uid.
Please note the input values for "Layer Name Or UID" and "Rule Name Or Number Or UID" must match. It is suggested to run the Show Threat Layers command first in order to obtain the desired layer. You can then use that layer to run the Show Threat Rule Base command, and choose your desired threat rule. Use that pair of values to run this command. Otherwise, errors will be returned.
If there is no exception based on your provided layer and rule, the returned raw data of this command will show "total": 0 at the bottom.
Input
Input Parameter
Required/Optional
Description
Example
Layer Name Or UID
Required
The name or UID of the layer that the rule belongs to. Layer names and UIDs can be obtained using the Show Threat Layers command.
Standard Threat Prevention
Rule Name Or Number Or UID
Required
The name, number or UID of the rule. Rule numbers and UIDs can be obtained using the Show Threat Rule Base command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.rulebase in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Show Threat Rule Exception Rule Base failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Requested object [Entities can not be found] not found.
Error Sample Data
Show Threat Rule Exception Rule Base failed.
Status Code: 404.
Message: Requested object [Entities can not be found] not found.
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
SAMPLE DATA
CODE
Successful
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Test Connection failed. Failed to check the connector.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Check Point Firewall portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Please double check the Server URL, the Username and password.
Error Sample Data
Test Connection failed. Failed to check the connector.
Status Code: 400.
Message: Please double check the Server URL, the Username and password.
FAQ
Q1: Why can't I see the changes I made?
Answer: If you made those changes with D3 commands, D3 will help you publish those sections automatically, so you won't see this issue. However, if you ran the command from other places (Postman, the Check Point Firewall UI, etc.), you must publish your changed session in order to see the changes.
For example, adding a threat exception to an exception group with Postman. If you cannot see the threat exception you just created, this is because you need to publish that session in which you made the changes. One way to publish the session is to go to: Manage & Settings > Sessions > View Sessions. Locate the corresponding session and right click it to publish it. The changes will then be published along with the session.
JavaScript errors detected
Please note, these errors can depend on your browser setup.
If this problem persists, please contact our support.
