Data Sets

You can associate indicators with Data Sets. This groups indicators that share a common meaning, and lets you publish output feeds of those indicators.

For example, consider the @Tags data set, previously mentioned in the context of qualification of indicators by input feed. @Tags is created automatically on the domain when the analyst tags a host on the Threat Topology Analytics view, and binds the host IP (Internet Protocol) address with the analyst-entered Name. Threat Topology uses the IP indicators on the @Tags data set for tag display. This means that you can add an indicator with the host's IP and associate it with @Tags as an alternative to right-click Add Tag. If you use indicators as the storage repository for tags, you can integrate with CMDB systems, load tags in bulk with "Add from File", and export tags through data set output feeds.

In addition, once indicators are associated with a data set, you can filter the indicator list to show only the indicators of a specific data set.

Data Set Attributes

Each data set is qualified by Name and an optional free-text Description. In addition, these attributes control the output feed publication of the indicators associated with the data set:

  • Public – Enables publication of the data set output feed outside of the NDR (Network Detection and Response) system for consumption by Check Point and 3rd-party enforcement points.

  • Apply on NDR Sensors – CDC (Cyber Defense Center)-managed dedicated NDR sensors automatically pull and apply the data set output feeds.

Data Set Output Feeds

Public data set output feeds are published on URLs. Select a data set and click "Show Data Set URLs" to view them.

Each data set is published on two output feed URLs: Prevent and Detect. Each feed includes the indicators associated with the data set that have the corresponding action (Prevent or Detect). This separation is useful because Check Point Security Gateways associate an action with each individual feed configured on the Security Gateway.

The URL (Uniform Resource Locator) for each output feed is displayed on the portal, and you can copy it to the clipboard with the "COPY URL" button. For convenience, a "COPY FULL COMMAND" option is also provided. It copies the complete "ioc_feeds" command to paste and run on a Security Gateway command line (in Expert mode) to pull the output feed.

The criteria for inclusion of an indicator in an output feed include:

  • Indicator must be enabled

  • Indicator must not be expired

  • Indicator action must match the specific output feed (Detect/Prevent)

  • Indicator type must be compatible with the output feed (see below)

Regenerate URLs

The feed URLs are randomly generated on public data sets and include both the feed identifier and the authentication; because the URL itself carries the authentication, treat it as a secret. All Security Gateways that receive the feed are configured with these URLs. If these URLs might have been exposed to unapproved parties, use the "Regenerate URLs" command to create new ones. A prompt notifies the user that the existing URLs are no longer in use. If any Security Gateways pull these URLs, you must reconfigure them.

A second option, "GENERATE USER-FRIENDLY URLS", is used to share data set output feeds with other organizations. Instead of a randomly generated URL, the feed is served on a URL constructed from the domain name, the data set name, and the detect/prevent action.

For example, for data set "Snort", on domain "test1", the "DETECT" feed is served at:

https://feeds.now.checkpoint.com/public_feeds/test1-Snort-detect.csv

Output Feed Formatting

By default, a data set's output feed is published in a CSV (Comma Separated Value) file format compatible with sk132193. This allows Check Point Quantum and CloudGuard Security Gateways (version R80.30 and higher) to consume the feeds natively with the Anti-Virus and Anti-Bot blades.

Many enforcement products and versions have limitations on the type, number, and volume of threat indicators and feed formats that they can consume.

If you expand the "Advanced" section of the new data set / edit data set dialog, you see more options that enable the customization of the output feed format to accommodate more enforcement solutions. These options include:

  • Format – File (default) or Text.

  • Content format – "Check Point CSV" (default) or "Values only".

  • Indicators limit (0 for unlimited) – Truncates output feeds to the given number of indicators.

  • Indicator types – Only indicators with the selected types are published on output feeds.

Examples:

  • For Security Gateway R80.30 and Quantum SMB Appliances R80.20.X, clear HASH_SHA1 and HASH_SHA256 as these indicator types are only supported in versions R80.40 and higher.

    This prevents these Security Gateways from receiving these indicator types from the data set, even if such indicators are associated with the data set.

  • IPv6 addresses are supported as type IP values by Check Point Security Gateways from version R81 and higher.

  • For Fortinet and Palo Alto Networks firewalls, configure a separate data set per supported indicator type, each set to "Values only" with a single indicator type (e.g. "IP").

Notes:

  • The default Check Point CSV format used for sk132193 compatibility (as well as for input feeds and Add from File) uses these columns in this order:

    "# UNIQ-NAME","VALUE","TYPE","CONFIDENCE","SEVERITY","PRODUCT","COMMENT"
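The following Python model, added here as an illustration and not Check Point's own code, puts together the output feed rules described above: the four inclusion criteria (enabled, not expired, matching action, compatible type), the Advanced options (indicator types selection, indicators limit, "Check Point CSV" versus "Values only" content format), and the default CSV column order. The indicator and data set fields, the sample indicators, and the "Domain" type name are assumptions constructed for the example; the type names IP, HASH_SHA1 and HASH_SHA256 and the column header are taken from the page. Version compatibility (for example clearing the hash types for R80.30) is expressed the way the page does it, by restricting the data set's indicator types.

```python
"""Model of data set output feed publication: inclusion criteria plus the
Advanced options. Added example, not Check Point's own implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set
import csv
import io

# Column order of the default "Check Point CSV" content format (as listed on the page).
CP_CSV_COLUMNS = ["# UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]


@dataclass
class Indicator:
    name: str                           # unique name (UNIQ-NAME column)
    value: str
    type: str                           # "IP", "HASH_SHA1", "HASH_SHA256"; "Domain" is assumed
    action: str                         # "Detect" or "Prevent"
    enabled: bool = True
    expires: Optional[datetime] = None  # None: never expires
    confidence: str = "high"            # assumed default values for the remaining columns
    severity: str = "high"
    product: str = "AV"
    comment: str = ""


@dataclass
class DataSet:
    name: str
    indicator_types: Optional[Set[str]] = None   # None: publish all types ("Indicator types" option)
    indicators_limit: int = 0                    # 0: unlimited ("Indicators limit" option)
    content_format: str = "Check Point CSV"      # or "Values only" ("Content format" option)


def is_published(ind: Indicator, ds: DataSet, action: str, now: datetime) -> bool:
    """The four inclusion criteria for one output feed (Detect or Prevent)."""
    if not ind.enabled:
        return False
    if ind.expires is not None and ind.expires <= now:
        return False
    if ind.action != action:
        return False
    if ds.indicator_types is not None and ind.type not in ds.indicator_types:
        return False
    return True


def select_feed_indicators(ds: DataSet, indicators: List[Indicator],
                           action: str, now: datetime) -> List[Indicator]:
    """Filter by the criteria, then truncate to the data set's indicators limit."""
    chosen = [i for i in indicators if is_published(i, ds, action, now)]
    if ds.indicators_limit > 0:
        chosen = chosen[: ds.indicators_limit]
    return chosen


def render_feed(ds: DataSet, indicators: List[Indicator], action: str, now: datetime) -> str:
    """Render the feed body in the data set's content format."""
    chosen = select_feed_indicators(ds, indicators, action, now)
    if ds.content_format == "Values only":
        # One bare value per line, for products that cannot parse the CSV columns.
        return "".join(i.value + "\n" for i in chosen)
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(CP_CSV_COLUMNS)
    for i in chosen:
        writer.writerow([i.name, i.value, i.type, i.confidence, i.severity, i.product, i.comment])
    return buf.getvalue()


# Constructed sample data (not real indicators); fixed "now" keeps the results reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_INDICATORS = [
    Indicator("ind-1", "198.51.100.7", "IP", "Prevent"),
    Indicator("ind-2", "198.51.100.8", "IP", "Prevent", enabled=False),
    Indicator("ind-3", "2001:db8::1", "IP", "Detect"),
    Indicator("ind-4", "a" * 64, "HASH_SHA256", "Prevent", expires=NOW - timedelta(days=1)),
    Indicator("ind-5", "example.test", "Domain", "Detect"),
    Indicator("ind-6", "b" * 40, "HASH_SHA1", "Prevent", expires=NOW + timedelta(days=30)),
]
# All types, unlimited, default CSV: suitable for R80.40 and higher.
SNORT_ALL = DataSet("Snort")
# Hash types cleared, as the page recommends for R80.30 and Quantum SMB R80.20.X.
SNORT_R80_30 = DataSet("Snort-R80.30", indicator_types={"IP", "Domain"})
# One type, values only, capped: the per-type layout for Fortinet / Palo Alto Networks.
IP_VALUES_ONLY = DataSet("ip-only", indicator_types={"IP"}, indicators_limit=1,
                         content_format="Values only")

if __name__ == "__main__":
    for ds in (SNORT_ALL, SNORT_R80_30, IP_VALUES_ONLY):
        for action in ("Prevent", "Detect"):
            print(f"--- {ds.name} / {action} ---")
            print(render_feed(ds, SAMPLE_INDICATORS, action, NOW), end="")
```

Running the script prints six feed bodies. The disabled indicator (ind-2) and the expired hash (ind-4) never appear; ind-6 appears on the Prevent feed of "Snort" but is dropped from "Snort-R80.30" because HASH_SHA1 is not among its selected types; the values-only data set emits a single bare IP per feed.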