Threat Indicators

What can I do here?

Use this window to create or edit a threat Indicator by importing a CSV file or STIX XML (STIX 1.0) file, and selecting an action.

Getting Here - Security Policies > Threat Prevention > Policy > Threat Tools > Indicators > New

Threat Indicator Settings

Threat Indicators lets you upload Indicator files that contain sets of observables. These observables are added to the Threat Prevention policy.

Indicator – Set of observables which represent a malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it.

Observable – An event or a stateful property that can be observed in an operational cyber domain. For example: IP address, MD5 file signature, URL, Mail sender address.

Indicators of Compromise convey an attack campaign by:

• Specific observable patterns
• Additional information intended to represent artifacts & behaviors of interest within a cyber-security context

Indicators are derived from intelligence, self-analysis and/or governments, partners etc.

To use Threat Indicators:

Indicator files must be in CSV or STIX XML format, and contain records of equal size. If an Indicator file has records which do not have the same number of fields, it will not load.

Each record in the Indicator file has these fields:

Field		Description	Valid Values	Value Criteria	Optional
UNIQ-NAME		Name of the observable	Free text	Must be unique	No
VALUE		A value that is valid for the type of the observable	See the table below	See the table below	No
TYPE		Type of the observable	URL Domain IP IP Range MD5 Mail-subject Mail-from Mail-to Mail-cc Mail-reply-to	Not case sensitive	No
CONFIDENCE		Degree of confidence the observable presents	low medium high critical	Default - high	Yes
SEVERITY		Degree of threat the observable presents	low medium high critical	Default - high	Yes
PRODUCT		Check Point Software Blade that processes the observable	AV AB	AV - Check Point Anti-Virus Software Blade (default) AB - Check Point Anti-Bot Software Blade Note - only the Anti-Virus Software Blade can process MD5 observables.	Yes
COMMENT			Free text		Yes
	Notes - If an optional field is empty, the default value is used. If a mandatory field is empty, the Indicator file will not load.

These are the values that are valid for each observable type:

Observable Type	Validation Criteria
URL	Any valid URL
Domain	Any URL domain
IP	Standard IPv4 address
IP Range	A range of valid IPv4 addresses, separated by a hyphen: <IP>-<IP>
MD5	Any valid MD5
Mail-subject	Any non-empty text string
Mail-to Mail-from Mail-cc Mail-reply-to	Can be one of these: A single email address (Example: abc@domain.com) An email domain (Examples: @domain.com or domain.com)

Requirements for validation of CSV Indicator files:

• Use commas to separate the fields in a record
• Enter one record per line, or use '\n' to separate the records
• If free text contains quotation marks, commas, or line breaks, it must be enclosed in quotation marks
• To enclose part of free text in quotations, use double quotation marks: ""<text>""

Notes -

• As of this release, STIX 2.0 (JSON file) is not supported.
• Custom Indicators CLI (load_indicators) are not supported.
• SHA1/SHA256 is not supported as a valid MD5 value.
• The supported STIX elements are: stix:STIX_Package, stix:STIX_Header, stix:Title, stix:Description, stix:Indicators, stix:Indicator, indicator:Title, indicator:Type, indicator:Description, indicator:Observable. cybox:Object, cybox:Properties, FileObj:Hashes, cyboxCommon:Hash, cyboxCommon:Type, cyboxCommon:Simple_Hash_Value, stix:Observables, cybox:Observable, URIObj:Value, URIObject:Value, AddressObject:Address_Value, AddressObj:Address_Value, AddressObj:AddressObjectType, AddressObjet:AddressObjectType, cybox:Title
• Condition Type Enum and Condition Application Enum support Equals and Any.

  <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">

Example of a CSV Indicator File

#! DESCRIPTION = indi file,,,,,,

"#! REFERENCE = Indicator Bulletin; Feb 20, 2014",,,,,,

# FILE FORMAT:,,,,,,

"# All lines beginning ""#"" are comments",,,,,,

"# All lines beginning ""#!"" are metadata read by the SW",,,,,,

"# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT",,,,,,

observ1,8d9b6b8912a2ed175b77acd40cbe9a73,MD5,medium,medium,AV,FILENAME:WUC
Invitation Letter Guests.doc

observ2,76700f862a0c241b8f4b754f76957bda,MD5,high,high,AV,FILENAME:essais~.swf|
NOTE:FWS type Flash file

observ7,http://somemaliciousdomain.com/uploadfiles/upload/exp.swf?info=
789c333432d333b4d4b330d133b7b230b03000001b39033b&infosize=00840000
,URL,high,high,AV,IPV4ADDR:196.168.25.25

observ8,svr01.passport.ServeUser.com,Domain,low,high,AB,TCP:80|
IPV4ADDR:172.18.18.25|NOTE:Embedded EXE Remote C&C and Encoded Data

observ9,somemaliciousdomain2.com,Domain,,low,AV,TCP:8080|IPV4ADDR:172.22.14.10

observ10,http://www.bogusdomain.com/search?q=%24%2B%25&form=MOZSBR&pc=
MOZI,URL,low,low,AB,IPV4ADDR:172.25.1.5

observ11,http://somebogussolution.com/register/card/log.asp?isnew=-1&LocalInfo=
Microsoft%20Windows%20XP%20Service%20Pack%202&szHostName=
ADAM-E512679EFD&tmp3=tmp3,URL,medium,,AB,

observ14,172.16.47.44,IP,high,medium,AB,TCP:8080

observ15,172.16.73.69,IP,medium,medium,AV,TCP:443|NOTE:Related to Flash
exploitation

observ16,abc@def.com,mail-to,,high,AV,"NOTE:truncated; samples have appended to
the subject the string ""PH000000NNNNNNN"" where NNNNNNN is a varying number"

observ34,stamdomain.com,domain,,,AB,

observ35,stamdomain.com,mail-from,high,medium,AV,

observ37,xyz.com,mail-from,medium,medium,AB,

observ38,@xyz.com,mail-from,medium,medium,AB,

observ39,a@xyz.com,mail-from,medium,medium,AB,

Example of a STIX 1.0 XML Indicator File

<stix:STIX_Package

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xmlns:stix="http://stix.mitre.org/stix-1"

xmlns:indicator="http://stix.mitre.org/Indicator-2"

xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"

xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"

xmlns:cybox="http://cybox.mitre.org/cybox-2"

xmlns:cyboxCommon="http://cybox.mitre.org/common-2"

xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"

xmlns:example="http://example.com/"

xsi:schemaLocation="

http://stix.mitre.org/stix-1 ../stix_core.xsd

http://stix.mitre.org/Indicator-2 ../indicator.xsd

http://stix.mitre.org/default_vocabularies-1 ../stix_default_vocabularies.xsd

http://cybox.mitre.org/objects#FileObject-2 ../cybox/objects/File_Object.xsd

http://cybox.mitre.org/default_vocabularies-2 ../cybox/cybox_default_vocabularies.xsd"

id="example:STIXPackage-ac823873-4c51-4dd1-936e-a39d40151cc3"

version="1.0.1">

<stix:STIX_Header>

<stix:Title>Example file watchlist</stix:Title>

<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Watchlist</stix:Package_Intent>

</stix:STIX_Header>

<stix:Indicators>

<stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-611935aa-4db5-4b63-88ac-ac651634f09b">

<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>

<indicator:Description>Indicator that contains malicious file hashes.</indicator:Description>

<indicator:Observable id="example:Observable-c9ca84dc-4542-4292-af54-3c5c914ccbbc">

<cybox:Object id="example:Object-c670b175-bfa3-48e9-a218-aa7c55f1f884">

<cybox:Properties xsi:type="FileObj:FileObjectType">

<FileObj:Hashes>

<cyboxCommon:Hash>

<cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0" condition="Equals">MD5</cyboxCommon:Type>

<cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">0522e955aaee70b102e843f14c13a92c##comma##0522e955aaee70b102e843f14c13a92d##comma##0522e955aaee70b102e843f14c13a92e</cyboxCommon:Simple_Hash_Value>

</cyboxCommon:Hash>

</FileObj:Hashes>

</cybox:Properties>

</cybox:Object>

</indicator:Observable>

</stix:Indicator>

</stix:Indicators>

</stix:STIX_Package>

Configuring Indicators in SmartConsole

Define network objects to hold the Indicator files.

To load Indicators:

1. Go to Security Policies > Threat Prevention > Policy >Threat Tools > Indicators.

   The Indicators page opens.

2. Click New.

   The Indicators configuration window opens.

3. Enter a Name.

   Each Indicator must have a unique name.

4. Enter Object Comment (optional).
5. Click Import to browse to the Indicator file.

   The content of each file must be unique. You cannot load duplicate files.

6. Select an action for this Indicator:
   • Ask - Threat Prevention Software Blade asks what to do with the detected observable
   • Prevent - Threat Prevention Software Blade blocks the detected observable
   • Detect - Threat Prevention Software Blade creates a log entry, and lets the detected observable go through
   • Inactive - Threat Prevention Software Blade does nothing
7. Add Tag.
8. Click OK.

   If you leave an optional field empty, a warning notifies you that the default values will be used in the empty fields. Click OK. The Indicator file will load.

To delete Indicators:

1. Select an Indicator.
2. Click Delete.
3. In the window that opens, click Yes to confirm.

You can edit properties of an Indicator object, except for the file it uses. If you want an Indicator to use a different file, you must delete it and create a new one.