Print Download Complete help as Archive Send Feedback

Previous

Next

Threat Indicators

What can I do here?

Use this window to create or edit a threat Indicator by importing a CSV file or STIX XML (STIX 1.0) file, and selecting an action.

Getting Here

Getting Here - Security Policies > Threat Prevention > Policy > Threat Tools > Indicators > New

Threat Indicator Settings

Threat Indicators lets you upload Indicator files that contain sets of observables. These observables are added to the Threat Prevention policy.

Indicator – Set of observables which represent a malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it.

Observable – An event or a stateful property that can be observed in an operational cyber domain. For example: IP address, MD5 file signature, URL, Mail sender address.

Indicators of Compromise convey an attack campaign by:

Indicators are derived from intelligence, self-analysis and/or governments, partners etc.

To use Threat Indicators:

Indicator files must be in CSV or STIX XML format, and contain records of equal size. If an Indicator file has records which do not have the same number of fields, it will not load.

Each record in the Indicator file has these fields:

Field

Description

Valid Values

Value Criteria

Optional

UNIQ-NAME

Name of the observable

Free text

Must be unique

No

VALUE

A value that is valid for the type of the observable

See the table below

See the table below

No

TYPE

Type of the observable

  • URL
  • Domain
  • IP
  • IP Range
  • MD5
  • Mail-subject
  • Mail-from
  • Mail-to
  • Mail-cc
  • Mail-reply-to

Not case sensitive

No

CONFIDENCE

Degree of confidence the observable presents

  • low
  • medium
  • high
  • critical

Default - high

Yes

SEVERITY

Degree of threat the observable presents

  • low
  • medium
  • high
  • critical

Default - high

Yes

PRODUCT

Check Point Software Blade that processes the observable

  • AV
  • AB

AV - Check Point Anti-Virus Software Blade (default)

AB - Check Point Anti-Bot Software Blade

Note - only the Anti-Virus Software Blade can process MD5 observables.

Yes

COMMENT

 

Free text

 

Yes

Notes -

  • If an optional field is empty, the default value is used.
  • If a mandatory field is empty, the Indicator file will not load.

These are the values that are valid for each observable type:

Observable Type

Validation Criteria

URL

Any valid URL

Domain

Any URL domain

IP

Standard IPv4 address

IP Range

A range of valid IPv4 addresses, separated by a hyphen: <IP>-<IP>

MD5

Any valid MD5

Mail-subject

Any non-empty text string

Mail-to

Mail-from

Mail-cc

Mail-reply-to

Can be one of these:

  • A single email address (Example: abc@domain.com)
  • An email domain (Examples: @domain.com or domain.com)

Requirements for validation of CSV Indicator files:

Notes -

Example of a CSV Indicator File

#! DESCRIPTION = indi file,,,,,,

"#! REFERENCE = Indicator Bulletin; Feb 20, 2014",,,,,,

# FILE FORMAT:,,,,,,

"# All lines beginning ""#"" are comments",,,,,,

"# All lines beginning ""#!"" are metadata read by the SW",,,,,,

"# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT",,,,,,

observ1,8d9b6b8912a2ed175b77acd40cbe9a73,MD5,medium,medium,AV,FILENAME:WUC
Invitation Letter Guests.doc

observ2,76700f862a0c241b8f4b754f76957bda,MD5,high,high,AV,FILENAME:essais~.swf|
NOTE:FWS type Flash file

observ7,http://somemaliciousdomain.com/uploadfiles/upload/exp.swf?info=
789c333432d333b4d4b330d133b7b230b03000001b39033b&infosize=00840000
,URL,high,high,AV,IPV4ADDR:196.168.25.25

observ8,svr01.passport.ServeUser.com,Domain,low,high,AB,TCP:80|
IPV4ADDR:172.18.18.25|NOTE:Embedded EXE Remote C&C and Encoded Data

observ9,somemaliciousdomain2.com,Domain,,low,AV,TCP:8080|IPV4ADDR:172.22.14.10

observ10,http://www.bogusdomain.com/search?q=%24%2B%25&form=MOZSBR&pc=
MOZI,URL,low,low,AB,IPV4ADDR:172.25.1.5

observ11,http://somebogussolution.com/register/card/log.asp?isnew=-1&LocalInfo=
Microsoft%20Windows%20XP%20Service%20Pack%202&szHostName=
ADAM-E512679EFD&tmp3=tmp3,URL,medium,,AB,

observ14,172.16.47.44,IP,high,medium,AB,TCP:8080

observ15,172.16.73.69,IP,medium,medium,AV,TCP:443|NOTE:Related to Flash
exploitation

observ16,abc@def.com,mail-to,,high,AV,"NOTE:truncated; samples have appended to
the subject the string ""PH000000NNNNNNN"" where NNNNNNN is a varying number"

observ34,stamdomain.com,domain,,,AB,

observ35,stamdomain.com,mail-from,high,medium,AV,

observ37,xyz.com,mail-from,medium,medium,AB,

observ38,@xyz.com,mail-from,medium,medium,AB,

observ39,a@xyz.com,mail-from,medium,medium,AB,

Example of a STIX 1.0 XML Indicator File

<stix:STIX_Package

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xmlns:stix="http://stix.mitre.org/stix-1"

xmlns:indicator="http://stix.mitre.org/Indicator-2"

xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"

xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"

xmlns:cybox="http://cybox.mitre.org/cybox-2"

xmlns:cyboxCommon="http://cybox.mitre.org/common-2"

xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"

xmlns:example="http://example.com/"

xsi:schemaLocation="

http://stix.mitre.org/stix-1 ../stix_core.xsd

http://stix.mitre.org/Indicator-2 ../indicator.xsd

http://stix.mitre.org/default_vocabularies-1 ../stix_default_vocabularies.xsd

http://cybox.mitre.org/objects#FileObject-2 ../cybox/objects/File_Object.xsd

http://cybox.mitre.org/default_vocabularies-2 ../cybox/cybox_default_vocabularies.xsd"

id="example:STIXPackage-ac823873-4c51-4dd1-936e-a39d40151cc3"

version="1.0.1">

<stix:STIX_Header>

<stix:Title>Example file watchlist</stix:Title>

<stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Watchlist</stix:Package_Intent>

</stix:STIX_Header>

<stix:Indicators>

<stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-611935aa-4db5-4b63-88ac-ac651634f09b">

<indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>

<indicator:Description>Indicator that contains malicious file hashes.</indicator:Description>

<indicator:Observable id="example:Observable-c9ca84dc-4542-4292-af54-3c5c914ccbbc">

<cybox:Object id="example:Object-c670b175-bfa3-48e9-a218-aa7c55f1f884">

<cybox:Properties xsi:type="FileObj:FileObjectType">

<FileObj:Hashes>

<cyboxCommon:Hash>

<cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0" condition="Equals">MD5</cyboxCommon:Type>

<cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">0522e955aaee70b102e843f14c13a92c##comma##0522e955aaee70b102e843f14c13a92d##comma##0522e955aaee70b102e843f14c13a92e</cyboxCommon:Simple_Hash_Value>

</cyboxCommon:Hash>

</FileObj:Hashes>

</cybox:Properties>

</cybox:Object>

</indicator:Observable>

</stix:Indicator>

</stix:Indicators>

</stix:STIX_Package>

Configuring Indicators in SmartConsole

Define network objects to hold the Indicator files.

To load Indicators:

  1. Go to Security Policies > Threat Prevention > Policy >Threat Tools > Indicators.

    The Indicators page opens.

  2. Click New.

    The Indicators configuration window opens.

  3. Enter a Name.

    Each Indicator must have a unique name.

  4. Enter Object Comment (optional).
  5. Click Import to browse to the Indicator file.

    The content of each file must be unique. You cannot load duplicate files.

  6. Select an action for this Indicator:
    • Ask - Threat Prevention Software Blade asks what to do with the detected observable
    • Prevent - Threat Prevention Software Blade blocks the detected observable
    • Detect - Threat Prevention Software Blade creates a log entry, and lets the detected observable go through
    • Inactive - Threat Prevention Software Blade does nothing
  7. Add Tag.
  8. Click OK.

    If you leave an optional field empty, a warning notifies you that the default values will be used in the empty fields. Click OK. The Indicator file will load.

To delete Indicators:

  1. Select an Indicator.
  2. Click Delete.
  3. In the window that opens, click Yes to confirm.

You can edit properties of an Indicator object, except for the file it uses. If you want an Indicator to use a different file, you must delete it and create a new one.