What can I do here?
Use this window to create or edit a threat Indicator by importing a CSV file or STIX XML (STIX 1.0) file, and selecting an action.
Getting Here - Security Policies > Threat Prevention > Policy > Threat Tools > Indicators > New
Threat Indicators lets you upload Indicator files that contain sets of observables. These observables are added to the Threat Prevention policy.
Indicator – Set of observables which represent a malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it.
Observable – An event or a stateful property that can be observed in an operational cyber domain. For example: IP address, MD5 file signature, URL, Mail sender address.
Indicators of Compromise convey an attack campaign by:
Indicators are derived from threat intelligence, from your own analysis, and/or from governments, partners, and similar sources.
To use Threat Indicators:
Indicator files must be in CSV or STIX XML format, and every record must have the same number of fields. If an Indicator file contains records with different numbers of fields, it will not load.
Each record in the Indicator file has these fields:
| Field | Description | Valid Values | Value Criteria | Optional |
|---|---|---|---|---|
| UNIQ-NAME | Name of the observable | Free text | Must be unique | No |
| VALUE | A value that is valid for the type of the observable | See the table below | See the table below | No |
| TYPE | Type of the observable | | Not case sensitive | No |
| CONFIDENCE | Degree of confidence the observable presents | | Default - high | Yes |
| SEVERITY | Degree of threat the observable presents | | Default - high | Yes |
| PRODUCT | Check Point Software Blade that processes the observable | | AV - Check Point Anti-Virus Software Blade (default); AB - Check Point Anti-Bot Software Blade. Note - only the Anti-Virus Software Blade can process MD5 observables. | Yes |
| COMMENT | | Free text | | Yes |
Notes -
These are the values that are valid for each observable type:
| Observable Type | Validation Criteria |
|---|---|
| URL | Any valid URL |
| Domain | Any URL domain |
| IP | Standard IPv4 address |
| IP Range | A range of valid IPv4 addresses, separated by a hyphen: |
| MD5 | Any valid MD5 |
| Mail-subject | Any non-empty text string |
| Mail-to, Mail-from, Mail-cc, Mail-reply-to | Can be one of these: |
Requirements for validation of CSV Indicator files:
```csv
#! DESCRIPTION = indi file,,,,,,
"#! REFERENCE = Indicator Bulletin; Feb 20, 2014",,,,,,
# FILE FORMAT:,,,,,,
"# All lines beginning ""#"" are comments",,,,,,
"# All lines beginning ""#!"" are metadata read by the SW",,,,,,
"# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT",,,,,,
observ1,8d9b6b8912a2ed175b77acd40cbe9a73,MD5,medium,medium,AV,FILENAME:WUC Invitation Letter Guests.doc
observ2,76700f862a0c241b8f4b754f76957bda,MD5,high,high,AV,FILENAME:essais~.swf|NOTE:FWS type Flash file
observ7,http://somemaliciousdomain.com/uploadfiles/upload/exp.swf?info=789c333432d333b4d4b330d133b7b230b03000001b39033b&infosize=00840000,URL,high,high,AV,IPV4ADDR:196.168.25.25
observ8,svr01.passport.ServeUser.com,Domain,low,high,AB,TCP:80|IPV4ADDR:172.18.18.25|NOTE:Embedded EXE Remote C&C and Encoded Data
observ9,somemaliciousdomain2.com,Domain,,low,AV,TCP:8080|IPV4ADDR:172.22.14.10
observ10,http://www.bogusdomain.com/search?q=%24%2B%25&form=MOZSBR&pc=MOZI,URL,low,low,AB,IPV4ADDR:172.25.1.5
observ11,http://somebogussolution.com/register/card/log.asp?isnew=-1&LocalInfo=Microsoft%20Windows%20XP%20Service%20Pack%202&szHostName=ADAM-E512679EFD&tmp3=tmp3,URL,medium,,AB,
observ14,172.16.47.44,IP,high,medium,AB,TCP:8080
observ15,172.16.73.69,IP,medium,medium,AV,TCP:443|NOTE:Related to Flash exploitation
observ16,abc@def.com,mail-to,,high,AV,"NOTE:truncated; samples have appended to the subject the string ""PH000000NNNNNNN"" where NNNNNNN is a varying number"
observ34,stamdomain.com,domain,,,AB,
observ35,stamdomain.com,mail-from,high,medium,AV,
observ37,xyz.com,mail-from,medium,medium,AB,
observ38,@xyz.com,mail-from,medium,medium,AB,
observ39,a@xyz.com,mail-from,medium,medium,AB,
```
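The rules in the field table, the observable-type table and the sample file above can be checked offline before a file is uploaded. The validator below is an added example, not Check Point's loader: it skips `#` comment and `#!` metadata lines, rejects records that do not have seven fields, enforces unique UNIQ-NAME values, validates VALUE against the observable type, applies the documented defaults (CONFIDENCE and SEVERITY high, PRODUCT AV) and refuses MD5 observables assigned to the Anti-Bot blade. The allowed CONFIDENCE/SEVERITY levels, the accepted forms of mail-* values and the `IP Range` type token are assumptions filled in from the sample file, because the page does not list them; the rows embedded in the code are constructed.

```python
"""Validator for the CSV Indicator format described on this page.

Added example, not Check Point's loader. Rules come from the field table, the
observable-type table and the sample file; lines marked ASSUMPTION fill gaps
the page leaves open.
"""
import csv
import io
import ipaddress
import re
from urllib.parse import urlparse

FIELDS = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]
LEVELS = {"low", "medium", "high"}   # ASSUMPTION: the levels used in the sample file; default is "high"
PRODUCTS = {"AV", "AB"}              # AV = Anti-Virus (default), AB = Anti-Bot

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
DOMAIN_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
EMAIL_RE = re.compile(r"^[^@\s]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def _is_url(v):
    p = urlparse(v)
    return p.scheme in ("http", "https") and bool(p.netloc)


def _is_ipv4(v):
    try:
        ipaddress.IPv4Address(v)
        return True
    except ValueError:
        return False


def _is_ip_range(v):
    # "first-last": both valid IPv4 addresses, in ascending order
    lo, sep, hi = v.partition("-")
    if not sep or not (_is_ipv4(lo.strip()) and _is_ipv4(hi.strip())):
        return False
    return ipaddress.IPv4Address(lo.strip()) <= ipaddress.IPv4Address(hi.strip())


def _is_mail_party(v):
    # ASSUMPTION from the sample rows: a full address, "@domain", or a bare domain
    return bool(EMAIL_RE.match(v) or (v.startswith("@") and DOMAIN_RE.match(v[1:])) or DOMAIN_RE.match(v))


# TYPE is not case sensitive, so keys are lower-case; the "ip range" token is an ASSUMPTION
VALIDATORS = {
    "url": _is_url,
    "domain": lambda v: bool(DOMAIN_RE.match(v)),
    "ip": _is_ipv4,
    "ip range": _is_ip_range,
    "md5": lambda v: bool(MD5_RE.match(v)),
    "mail-subject": lambda v: bool(v.strip()),
    "mail-to": _is_mail_party,
    "mail-from": _is_mail_party,
    "mail-cc": _is_mail_party,
    "mail-reply-to": _is_mail_party,
}


def parse_indicator_file(text):
    """Return (records, errors). Any error means the whole file would be rejected,
    matching the page's rule that a file with malformed records does not load."""
    records, errors, seen = [], [], set()
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        lineno = reader.line_num
        if not row or row[0].startswith("#"):
            continue  # "#" comment lines and "#!" metadata lines are not records
        if len(row) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
            continue
        rec = dict(zip(FIELDS, (field.strip() for field in row)))
        name, otype, problems = rec["UNIQ-NAME"], rec["TYPE"].lower(), []
        if not name or name in seen:
            problems.append(f"UNIQ-NAME {name!r} is empty or not unique")
        seen.add(name)
        check = VALIDATORS.get(otype)
        if check is None:
            problems.append(f"unknown TYPE {rec['TYPE']!r}")
        elif not check(rec["VALUE"]):
            problems.append(f"VALUE {rec['VALUE']!r} is not a valid {rec['TYPE']}")
        for opt in ("CONFIDENCE", "SEVERITY"):
            rec[opt] = rec[opt].lower() or "high"   # empty optional field -> documented default
            if rec[opt] not in LEVELS:
                problems.append(f"{opt} {rec[opt]!r} not in {sorted(LEVELS)}")
        rec["PRODUCT"] = rec["PRODUCT"].upper() or "AV"
        if rec["PRODUCT"] not in PRODUCTS:
            problems.append(f"unknown PRODUCT {rec['PRODUCT']!r}")
        elif otype == "md5" and rec["PRODUCT"] != "AV":
            problems.append("MD5 observables can only be processed by the Anti-Virus blade (AV)")
        if problems:
            errors.extend(f"line {lineno} ({name!r}): {p}" for p in problems)
        else:
            records.append(rec)
    return records, errors


# Constructed sample modelled on the page's example file (not the page's file itself).
SAMPLE = """\
#! DESCRIPTION = constructed sample,,,,,,
# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
observ1,8d9b6b8912a2ed175b77acd40cbe9a73,MD5,medium,medium,AV,FILENAME:sample.doc
observ2,somemaliciousdomain2.com,Domain,,low,AV,TCP:8080|IPV4ADDR:172.22.14.10
observ3,@xyz.com,mail-from,medium,medium,AB,
observ4,172.16.47.44,IP,high,medium,AB,TCP:8080
observ5,172.16.73.1-172.16.73.254,IP Range,high,high,AB,"NOTE:constructed; ""quoted"" comment"
observ6,http://www.bogusdomain.com/search?q=%24%2B%25&form=MOZSBR,URL,low,low,AB,IPV4ADDR:172.25.1.5
bad1,0522e955aaee70b102e843f14c13a92c,md5,high,high,AB,MD5 needs AV
bad2,10.0.0.1,IP,high
"""

if __name__ == "__main__":
    ok, bad = parse_indicator_file(SAMPLE)
    print(f"{len(ok)} valid records, {len(bad)} errors")
    for e in bad:
        print(" -", e)
```

Running the block on the constructed sample accepts six records and reports two errors: `bad1` pairs an MD5 with the Anti-Bot blade, and `bad2` has only four fields, which on its own is enough to stop the real loader from accepting the file.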
```xml
<stix:STIX_Package
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="
    http://stix.mitre.org/stix-1 ../stix_core.xsd
    http://stix.mitre.org/Indicator-2 ../indicator.xsd
    http://stix.mitre.org/default_vocabularies-1 ../stix_default_vocabularies.xsd
    http://cybox.mitre.org/objects#FileObject-2 ../cybox/objects/File_Object.xsd
    http://cybox.mitre.org/default_vocabularies-2 ../cybox/cybox_default_vocabularies.xsd"
    id="example:STIXPackage-ac823873-4c51-4dd1-936e-a39d40151cc3"
    version="1.0.1">
  <stix:STIX_Header>
    <stix:Title>Example file watchlist</stix:Title>
    <stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Watchlist</stix:Package_Intent>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-611935aa-4db5-4b63-88ac-ac651634f09b">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
      <indicator:Description>Indicator that contains malicious file hashes.</indicator:Description>
      <indicator:Observable id="example:Observable-c9ca84dc-4542-4292-af54-3c5c914ccbbc">
        <cybox:Object id="example:Object-c670b175-bfa3-48e9-a218-aa7c55f1f884">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0" condition="Equals">MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">0522e955aaee70b102e843f14c13a92c##comma##0522e955aaee70b102e843f14c13a92d##comma##0522e955aaee70b102e843f14c13a92e</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
```
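The STIX 1.0 package above carries several MD5 values in a single `Simple_Hash_Value` element, joined by the literal token `##comma##`. The script below is an added example, not Check Point's importer: it reads a package with the standard-library XML parser, splits the hash values on that separator, flags any value that is not a well-formed MD5 (the hash type this page supports), and maps the valid ones onto rows of the CSV format from the field table, leaving CONFIDENCE and SEVERITY empty so the default of high applies and setting PRODUCT to AV because only the Anti-Virus blade processes MD5 observables. The package embedded in the code is constructed for the example; the `##comma##` convention is taken from the sample above.

```python
"""Extract file-hash observables from a STIX 1.0 package and convert them to
CSV Indicator rows. Added example, not Check Point's importer; the
'##comma##' separator follows the sample package on this page."""
import re
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SEPARATOR = "##comma##"


def extract_hashes(xml_text):
    """Return one dict per hash value found under any Indicator; 'valid' is
    True only for well-formed MD5 values."""
    # xml.etree is not hardened against malicious XML; use defusedxml for feeds you do not control
    root = ET.fromstring(xml_text)
    found = []
    for ind in root.iterfind(".//stix:Indicator", NS):
        for h in ind.iterfind(".//cyboxCommon:Hash", NS):
            htype = (h.findtext("cyboxCommon:Type", default="", namespaces=NS) or "").strip()
            raw = h.findtext("cyboxCommon:Simple_Hash_Value", default="", namespaces=NS) or ""
            for value in raw.split(SEPARATOR):
                value = value.strip()
                found.append({
                    "indicator": ind.get("id", ""),
                    "type": htype,
                    "value": value,
                    "valid": htype.upper() == "MD5" and bool(MD5_RE.match(value)),
                })
    return found


def to_csv_rows(hashes):
    """Map valid MD5 hashes to UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT.
    Empty CONFIDENCE/SEVERITY take the default (high); PRODUCT is AV, the only
    blade that processes MD5 observables. Names are unique by construction."""
    rows = []
    for n, h in enumerate(x for x in hashes if x["valid"]):
        rows.append([f"stix-md5-{n}", h["value"], "MD5", "", "", "AV", f"from {h['indicator']}"])
    return rows


# Constructed package (not the page's own): one MD5 list with a malformed third
# value, plus a SHA256 hash that the CSV format cannot carry.
SAMPLE_STIX = """<stix:STIX_Package
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:example="http://example.com/"
    id="example:STIXPackage-constructed-1" version="1.0.1">
  <stix:STIX_Header><stix:Title>Constructed file watchlist</stix:Title></stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-constructed-1">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
      <indicator:Observable id="example:Observable-constructed-1">
        <cybox:Object id="example:Object-constructed-1">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0" condition="Equals">MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">0522e955aaee70b102e843f14c13a92c##comma##0522e955aaee70b102e843f14c13a92d##comma##not-a-hash</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0" condition="Equals">SHA256</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

if __name__ == "__main__":
    hashes = extract_hashes(SAMPLE_STIX)
    for h in hashes:
        print(h["type"], h["value"], "valid" if h["valid"] else "REJECTED")
    for row in to_csv_rows(hashes):
        print(",".join(row))
```

On the constructed package the script finds four hash values, keeps the two well-formed MD5s and rejects the malformed value and the SHA256, which mirrors what the CSV field table allows: MD5 is the only hash type listed, and it must go to the Anti-Virus blade.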
Define network objects to hold the Indicator files.
To load Indicators:
The Indicators page opens.
The Indicators configuration window opens.
Each Indicator must have a unique name.
The content of each file must be unique. You cannot load duplicate files.
If you leave an optional field empty, a warning notifies you that the default values will be used in the empty fields. Click OK. The Indicator file will load.
To delete Indicators:
You can edit properties of an Indicator object, except for the file it uses. If you want an Indicator to use a different file, you must delete it and create a new one.