Input Feeds
Input feeds are a mechanism to automate indicator ingestion into Network Detection and Response (NDR) Intel. The input feed determines the source of the indicators, the initial metadata attributes they receive (through policy assignment), and the initial data sets they are published on. NDR pulls the feed source automatically and creates and/or updates the feed's indicators in NDR Intel. After an indicator is created, you can modify its metadata and data set assignments.
The following attributes characterize an input feed:
- Name – Identifies the indicators that are generated from this feed.
- Active – Controls whether indicators are generated or not.
- Periodicity – Determines the poll period for the feed (default: once a day).
- Type – Characterizes the input feed source. Supported types include:
  - Check Point CSV – Same file format as used for CSV output feeds. A header is mandatory, as it determines the column order. Only TYPE and VALUE are mandatory.
  - Single-type CSV/list – A file that contains only indicator values, one per line. (Further qualified by has-header, indicator type, and column if the format is CSV.)
  - Multi-type CSV/list – A file that contains only indicator values, one per line. Indicator types may be intermixed, with the type inferred from the indicator value. Supported types include: IP, DOMAIN, URL (with protocol specifier), MD5, SHA1, SHA256. (Further qualified by has-header, and column if the format is CSV.)
  - STIX/TAXII – MITRE STIX (Structured Threat Information eXpression) / TAXII (Trusted Automated eXchange of Indicator Information) v1.0 or v1.1.
  - Behavioral Analytics – NDR Behavioral Analytics AI engines.
  - IOC Harvester – IoC (Indicator of Compromise) extraction from Check Point Threat Prevention logs.
  - API – Used for managing indicators via the NDR Intel API.
  - Third Party Threat Intelligence Platforms (TIPs) via REST API:
    - Anomali (IoCs)
    - Cybernet (IoCs)
    - ThreatConnect – Signatures (Snort signatures)
- URL – Source of the input feed (not needed for Behavioral Analytics). (Optional server credentials can be defined – username and password.)
- Collection – (Optional) Qualifies the pulled indicators (supported by some feed types).
- Policy – Initial metadata attribute values for indicators created by the input feed.
- Data Sets – The initial data set associations for indicators created by the feed.
Indicator Updates
New indicators received on an input feed are added to the indicator repository and their Created time-stamp is set. When an indicator value is pulled from an input feed and that indicator already exists in NDR Intel, the indicator's Modified time-stamp is refreshed. If the input feed provides metadata attributes in addition to the type and value, these metadata attributes overwrite the existing attribute values (unless the "Override" setting is enabled in the policy). Other indicator metadata attributes persist.
For example, on a Check Point CSV input feed, the source can override confidence, severity, product, and comment (i.e. description). However, action and status are not affected, as they are not included in the input feed. An Anomali feed updates indicators that were deactivated on Anomali to the DISABLED state, which immediately removes them from any output feed.
Delta Feeds and Indicator Expiration
Depending on the input feed Type, NDR Intel might pull all of the source's indicators on each pull ("full feed"), or only the newly added or updated indicators since the previous pull ("delta feed").
These types are full feeds:
- Check Point CSV
- Single type List
- ThreatConnect – Signatures
These types are delta feeds:
- STIX/TAXII
- Anomali
- Cybernet
Indicator expiration is the primary mechanism for staying in sync with delta feed sources. Whenever the source updates an indicator, the indicator's expiration attribute is refreshed: it is set to the current time plus the Time To Live value defined in the input feed's policy object.
On a delta feed, when the source deactivates or deletes an indicator, the indicator is no longer refreshed on NDR Intel (except for Anomali, see above) and eventually expires based on the policy expiration setting. After it expires, it is immediately removed from all data set output feeds it is associated with, and is deleted from NDR Intel 14 days later (unless its expiration is refreshed by a subsequent update).
Expired indicators' expiration is displayed in red in the Indicators view.
Policies
A Policy object determines the default metadata attribute values that an indicator receives when it is generated from an input feed or from an Add from File operation. These policy attributes are supported:
- Name – The Policy name, also used as the Indicator name where not available.
- Description – Describes the Policy's objective.
- Enabled – The initial status (ENABLED/DISABLED) of newly-generated indicators.
- Prevent – The initial action (DETECT/PREVENT) of newly-generated indicators.
- Minimum confidence – If action is "Prevent", specifies the minimum confidence for which this is applied. Lower confidence levels will remain in "Detect".
- Blade, Confidence, Severity – The initial attribute values for newly-generated indicators.
- Expiration In Days – The Time To Live (TTL) for a newly-generated indicator, from the current time. Relevant only for delta feeds and Add from File. Ignored on full feeds.
- Override – Determines feed behavior if the feed source provides metadata attributes (e.g. Confidence) in addition to indicator name, type, and value. By default, the feed-provided value takes precedence. If Override is enabled, all indicators on the input feed receive the metadata attribute values defined in the Policy, regardless of feed-provided values.
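As an added illustration of the rules described under Indicator Updates, Delta Feeds and Indicator Expiration, and the Policy attributes above (example code written for this page, not NDR's own implementation), here is a minimal model of the indicator repository: feed rows are dicts keyed by the CSV column names, the Policy and Indicator classes, output-feed membership as sets, the 30-day TTL and the sample IP are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Policy:              # the policy attributes that matter for ingestion (assumed subset)
    confidence: str = "Medium"
    expiration_in_days: int = 30
    override: bool = False

@dataclass
class Indicator:
    created: datetime
    modified: datetime
    expiration: datetime = None          # None on full feeds, where the TTL is ignored
    meta: dict = field(default_factory=dict)

def ingest(repo, row, policy, is_delta, now):
    """Create or refresh one indicator; row carries TYPE, VALUE and optional metadata."""
    key = (row["TYPE"], row["VALUE"])
    feed_meta = {k.lower(): v for k, v in row.items() if k not in ("TYPE", "VALUE")}
    policy_meta = {"confidence": policy.confidence}
    ttl = timedelta(days=policy.expiration_in_days)
    ind = repo.get(key)
    if ind is None:        # new value: Created stamp set, policy supplies the defaults
        ind = repo[key] = Indicator(now, now, now + ttl if is_delta else None, dict(policy_meta))
    else:                  # known value: Modified stamp refreshed, TTL refreshed on delta feeds
        ind.modified = now
        if is_delta:
            ind.expiration = now + ttl
    # Feed-provided attributes overwrite stored ones unless Override is on; attributes the
    # feed does not carry (action, status) are left untouched either way.
    ind.meta.update(policy_meta if policy.override else feed_meta)
    return ind

def sweep(repo, output_feeds, now):
    """Expired indicators leave every output feed at once and are deleted 14 days later."""
    for key, ind in list(repo.items()):
        if ind.expiration is not None and ind.expiration <= now:
            for members in output_feeds.values():
                members.discard(key)
            if now - ind.expiration >= timedelta(days=14):
                del repo[key]

def run_demo():
    """Constructed walkthrough: a delta-feed indicator the source stops refreshing."""
    t0, key = datetime(2024, 1, 1, tzinfo=timezone.utc), ("IP", "198.51.100.7")
    repo, feeds, row = {}, {"blocklist": {key}}, {"TYPE": "IP", "VALUE": key[1], "CONFIDENCE": "High"}
    c1 = ingest(repo, row, Policy(), True, t0).meta["confidence"]            # feed value wins
    c2 = ingest(repo, row, Policy(override=True), True, t0 + timedelta(days=1)).meta["confidence"]
    sweep(repo, feeds, t0 + timedelta(days=31))     # TTL was refreshed on day 1 -> expires day 31
    gone, kept = key not in feeds["blocklist"], key in repo
    sweep(repo, feeds, t0 + timedelta(days=45))     # 14 days after expiry -> deleted
    return c1, c2, gone, kept, key in repo
```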
Add from File
The input feed mechanism can also be invoked manually by specifying a file as the source for the indicators. A policy object determines the metadata attribute values as with automated input feeds. The indicators read from the file can be assigned to one or more data sets.
Add from File supports these file types:
- Check Point (.csv) – Same file format as used for CSV output feeds.
- Single-type CSV/list (.txt, .csv) – List with one value per line. Configuration options include:
  - Has header – Causes the first line in the file to be skipped.
  - Indicator type – One of the supported types.
  - Value column (if CSV) – If the input is a CSV file, extracts the specified column.
- Multi-type CSV/list (.txt, .csv) – Untyped list, one value per line.
- SNORT (.rules) – One Snort rule per line.
- STIX 1.x (.xml) – STIX indicator file.
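The following is an added example (not Check Point code) that parses the text formats shared by the input feed Type list earlier on this page and by Add from File: a Check Point CSV with its mandatory header, a single-type list with the has-header, indicator type and value column options, and a multi-type list whose type is inferred from each value. The sample data, the column names other than TYPE and VALUE, and the domain syntax check are constructed assumptions.

```python
import csv, io, ipaddress, re
from urllib.parse import urlparse

HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}      # hex digest length -> indicator type
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

# Constructed samples (not from the page); column names other than TYPE and VALUE are assumed.
SAMPLE_CHECKPOINT_CSV = """TYPE,VALUE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
IP,198.51.100.7,High,Critical,AV,constructed test indicator
DOMAIN,bad.example,,,,
"""
SAMPLE_MULTITYPE_CSV = "value,note\n198.51.100.7,x\nhttp://bad.example/x,y\nbogus entry,z\n"

def infer_type(value):
    """Infer the indicator type of a multi-type list entry; None if unsupported."""
    v = value.strip()
    if HEX_RE.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)]
    try:
        ipaddress.ip_address(v)
        return "IP"
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme and parsed.netloc:      # a URL must carry its protocol specifier
        return "URL"
    return "DOMAIN" if DOMAIN_RE.match(v) else None

def parse_list(text, indicator_type=None, has_header=False, column=None):
    """Single-type list (indicator_type given) or multi-type list (type inferred per value)."""
    out = []
    for line in text.splitlines()[1 if has_header else 0:]:
        raw = (line.split(",")[column] if column is not None else line).strip()
        t = indicator_type or infer_type(raw)
        if t and raw:                         # blank or unsupported values are skipped
            out.append((t, raw))
    return out

def parse_checkpoint_csv(text):
    """Check Point CSV: header is mandatory; only TYPE and VALUE are required columns."""
    reader = csv.DictReader(io.StringIO(text))
    if not {"TYPE", "VALUE"} <= set(reader.fieldnames or []):
        raise ValueError("header must name TYPE and VALUE columns")
    rows = [{k: v for k, v in row.items() if v} for row in reader]
    if any(not {"TYPE", "VALUE"} <= set(r) for r in rows):
        raise ValueError("TYPE and VALUE are mandatory on every row")
    return rows
```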
Behavioral Analytics
The NDR platform includes a set of Behavioral Analytics AI engines that process logs and identify different types of anomalies (Geo, Port, User, etc.). These anomalies are then correlated with Check Point ThreatCloud reputation services and with application categorization and risk scoring to determine if they are suspicious events that should trigger an alert.
In some cases, Behavioral Analytics also flags an IP or URL involved in the anomaly by publishing a threat indicator on NDR Intel. These indicators are mapped to an input feed of type "Behavioral Analytics". When available, a confidence value is also associated with some of these indicators.
NDR automatically creates an active input feed, a policy object, and a data set named "Behavioral" when a new NDR domain is created.
This scheme lets you control whether the indicators are generated at all (Active on the input feed), whether they are created in the ENABLED state, whether their action is DETECT or PREVENT (qualified by confidence level), and so on.
The input feed "Collection" attribute provides finer-grained control over indicator generation. Currently supported collections include: Geo, Protocol, Users, and RecurrentConnections. Specifying a collection is optional – an empty value matches all Behavioral Analytics engines.