Docs4dev
Docs
ansible / latest / collections / check_point / mgmt / cp_mgmt_threat_indicator_module.html

check_point.mgmt.cp_mgmt_threat_indicator – Manages threat-indicator objects on Check Point over Web Services API

Note

This plugin is part of the check_point.mgmt collection (version 2.1.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install check_point.mgmt.

To use it in a playbook, specify: check_point.mgmt.cp_mgmt_threat_indicator.

New in version 2.9: of check_point.mgmt

Synopsis

  • Manages threat-indicator objects on Check Point devices including creating, updating and removing objects.
  • All operations are performed over Web Services API.

Parameters

Parameter Choices/Defaults Comments
action
string
    Choices:
  • Inactive
  • Ask
  • Prevent
  • Detect
The indicator's action.
auto_publish_session
boolean
    Choices:
  • no
  • yes
Publish the current session if changes have been performed after task completes.
color
string
    Choices:
  • aquamarine
  • black
  • blue
  • crete blue
  • burlywood
  • cyan
  • dark green
  • khaki
  • orchid
  • dark orange
  • dark sea green
  • pink
  • turquoise
  • dark blue
  • firebrick
  • brown
  • forest green
  • gold
  • dark gold
  • gray
  • dark gray
  • light green
  • lemon chiffon
  • coral
  • sea green
  • sky blue
  • magenta
  • purple
  • slate blue
  • violet red
  • navy blue
  • olive
  • orange
  • red
  • sienna
  • yellow
Color of the object. Should be one of existing colors.
comments
string
Comments string.
details_level
string
    Choices:
  • uid
  • standard
  • full
The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object.
ignore_errors
boolean
    Choices:
  • no
  • yes
Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
ignore_warnings
boolean
    Choices:
  • no
  • yes
Apply changes ignoring warnings.
name
string / required
Object name.
observables
list / elements=string
The indicator's observables.
comments
string
Comments string.
confidence
string
    Choices:
  • low
  • medium
  • high
  • critical
The confidence level the indicator has that a real threat has been uncovered.
domain
string
The name of a domain.
ignore_errors
boolean
    Choices:
  • no
  • yes
Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
ignore_warnings
boolean
    Choices:
  • no
  • yes
Apply changes ignoring warnings.
ip_address
string
A valid IP-Address.
ip_address_first
string
A valid IP-Address, the beginning of the range. If you configure this parameter with a value, you must also configure the value of the 'ip-address-last' parameter.
ip_address_last
string
A valid IP-Address, the end of the range. If you configure this parameter with a value, you must also configure the value of the 'ip-address-first' parameter.
mail_cc
string
A valid E-Mail address, cc field.
mail_from
string
A valid E-Mail address, sender field.
mail_reply_to
string
A valid E-Mail address, reply-to field.
mail_subject
string
Subject of E-Mail.
mail_to
string
A valid E-Mail address, recipient filed.
md5
string
A valid MD5 sequence.
name
string
Object name. Should be unique in the domain.
product
string
    Choices:
  • AV
  • AB
The software blade that processes the observable, AV - AntiVirus, AB - AntiBot.
severity
string
    Choices:
  • low
  • medium
  • high
  • critical
The severity level of the threat.
url
string
A valid URL.
observables_raw_data
string
The contents of a file containing the indicator's observables.
profile_overrides
list / elements=string
Profiles in which to override the indicator's default action.
action
string
    Choices:
  • Inactive
  • Ask
  • Prevent
  • Detect
The indicator's action in this profile.
profile
string
The profile in which to override the indicator's action.
state
string
    Choices:
  • present
  • absent
State of the access rule (present or absent). Defaults to present.
tags
list / elements=string
Collection of tag identifiers.
version
string
Version of checkpoint. If not given one, the latest version taken.
wait_for_task
boolean
    Choices:
  • no
  • yes
Wait for the task to end. Such as publish task.
wait_for_task_timeout
integer
Default:
30
How many minutes to wait until throwing a timeout error.

Examples

- name: add-threat-indicator
  cp_mgmt_threat_indicator:
    action: ask
    ignore_warnings: true
    name: My_Indicator
    observables:
    - confidence: medium
      mail_to: someone@somewhere.com
      name: My_Observable
      product: AV
      severity: low
    profile_overrides:
    - action: detect
      profile: My_Profile
    state: present

- name: set-threat-indicator
  cp_mgmt_threat_indicator:
    action: prevent
    ignore_warnings: true
    name: My_Indicator
    state: present

- name: delete-threat-indicator
  cp_mgmt_threat_indicator:
    name: My_Indicator
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
cp_mgmt_threat_indicator
dictionary
always, except when deleting the object.
The checkpoint object created or updated.



Authors

  • Or Soffer (@chkp-orso)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_threat_indicator_module.html