
Threat Indicators

What can I do here?

Use this window to create or edit a Threat Indicator by importing a CSV file or a STIX XML (STIX 1.0) file, and selecting an action.

Getting Here - Security Policies > Threat Prevention > Policy > Threat Tools > Indicators > New

Threat Indicators Overview

Threat Indicators let you add your own indicator feeds to the Anti-Bot and Anti-Virus engines, in addition to the feeds included in the Check Point packages and the ThreatCloud feeds.

You can add indicator files in two ways:

  • Manually, by uploading an Indicator file through SmartConsole (see Manually Uploading Threat Indicator Files through SmartConsole below).
  • Automatically, through a custom intelligence feed (see Importing Automated Custom Intelligence Feeds).

An Indicator is a set of observables which represent a malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it.

An Observable is an event or a stateful property that can be observed in an operational cyber domain. For example: IP address, MD5 file signature, URL, Mail sender address.

Threat Indicators demonstrate an attack by:

Indicators are derived from intelligence, self-analysis, governments, partners, and so on.

Supported Indicator Files

Indicator files must be in one of these formats:

  • CSV in the Check Point format
  • STIX XML (STIX 1.0)

Each record in a Check Point-format CSV file and in a STIX XML (STIX 1.0) file has these fields (a CSV file that is not in the Check Point format does not have to include all of them; see Importing Automated Custom Intelligence Feeds):

UNIQ-NAME (required)
    Description: Name of the observable
    Valid values: Free text
    Value criteria: Must be unique

VALUE (required)
    Description: A valid value for the type of the observable
    Valid values: Depend on TYPE; see the validation criteria for each observable type below
    Value criteria: Value of parameter

TYPE (required)
    Description: Type of the observable
    Valid values: URL, Domain, IP, IP Range, MD5, Mail-subject, Mail-from, Mail-to, Mail-cc, Mail-reply-to
    Value criteria: Not case sensitive

CONFIDENCE (optional)
    Description: Degree of confidence the observable presents
    Valid values: low, medium, high, critical
    Default: high

SEVERITY (optional)
    Description: Degree of threat the observable presents
    Valid values: low, medium, high, critical
    Default: high

PRODUCT (optional)
    Description: Check Point Software Blade that processes the observable
    Valid values: AV (Check Point Anti-Virus Software Blade, the default), AB (Check Point Anti-Bot Software Blade)
    Note: Only the Anti-Virus Software Blade can process MD5 observables.

COMMENT (optional)
    Description: Free text

Notes:

These are the valid values for each observable type:

URL
    Any valid URL

Domain
    Any URL domain

IP
    Standard IPv4 address

IP Range
    A range of valid IPv4 addresses, separated by a hyphen: <IP>-<IP>

MD5
    Any valid MD5 hash (32 hexadecimal characters)

Mail-subject
    Any non-empty text string

Mail-to, Mail-from, Mail-cc, Mail-reply-to
    One of these:
      • A single email address (Example: abc@domain.com)
      • An email domain (Examples: @domain.com or domain.com)

These are the STIX XML (STIX 1.0) and CybOX elements that an indicator file uses (see the example STIX file below):

  • stix:STIX_Package
  • stix:STIX_Header
  • stix:Title
  • stix:Description
  • stix:Indicators
  • stix:Indicator
  • indicator:Title
  • indicator:Type
  • indicator:Description
  • indicator:Observable
  • cybox:Object
  • cybox:Properties
  • FileObj:Hashes
  • cyboxCommon:Hash
  • cyboxCommon:Type
  • cyboxCommon:Simple_Hash_Value
  • stix:Observables
  • cybox:Observable
  • URIObj:Value
  • URIObject:Value
  • AddressObject:Address_Value
  • AddressObj:Address_Value
  • AddressObj:AddressObjectType
  • AddressObject:AddressObjectType
  • cybox:Title

Example of a CSV Indicator File in Check Point Format

#! DESCRIPTION = indi file,,,,,,
"#! REFERENCE = Indicator Bulletin; Feb 20, 2014",,,,,,
# FILE FORMAT:,,,,,,
"# All lines beginning ""#"" are comments",,,,,,
"# All lines beginning ""#!"" are metadata read by the SW",,,,,,
"# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT",,,,,,
observ1,8d9b6b8912a2ed175b77acd40cbe9a73,MD5,medium,medium,AV,FILENAME:WUC Invitation Letter Guests.doc
observ2,76700f862a0c241b8f4b754f76957bda,MD5,high,high,AV,FILENAME:essais~.swf|NOTE:FWS type Flash file
observ7,http://somemaliciousdomain.com/uploadfiles/upload/exp.swf?info=789c333432d333b4d4b330d133b7b230b03000001b39033b&infosize=00840000,URL,high,high,AV,IPV4ADDR:196.168.25.25
observ8,svr01.passport.ServeUser.com,Domain,low,high,AB,TCP:80|IPV4ADDR:172.18.18.25|NOTE:Embedded EXE Remote C&C and Encoded Data
observ9,somemaliciousdomain2.com,Domain,,low,AV,TCP:8080|IPV4ADDR:172.22.14.10
observ10,http://www.bogusdomain.com/search?q=%24%2B%25&form=MOZSBR&pc=MOZI,URL,low,low,AB,IPV4ADDR:172.25.1.5
observ11,http://somebogussolution.com/register/card/log.asp?isnew=-1&LocalInfo=Microsoft%20Windows%20XP%20Service%20Pack%202&szHostName=ADAM-E512679EFD&tmp3=tmp3,URL,medium,,AB,
observ14,172.16.47.44,IP,high,medium,AB,TCP:8080
observ15,172.16.73.69,IP,medium,medium,AV,TCP:443|NOTE:Related to Flash exploitation
observ16,abc@def.com,mail-to,,high,AV,"NOTE:truncated; samples have appended to the subject the string ""PH000000NNNNNNN"" where NNNNNNN is a varying number"
observ34,stamdomain.com,domain,,,AB,
observ35,stamdomain.com,mail-from,high,medium,AV,
observ37,xyz.com,mail-from,medium,medium,AB,
observ38,@xyz.com,mail-from,medium,medium,AB,
observ39,a@xyz.com,mail-from,medium,medium,AB,
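The field rules above are easy to break by hand, and a single record with the wrong number of fields stops the whole file from loading. The following validator is an added example written for this page, not Check Point code: it parses a Check Point-format CSV with the "#" comment and "#!" metadata lines skipped, applies the rules from the field table (unique UNIQ-NAME, TYPE list, per-type VALUE checks, CONFIDENCE/SEVERITY values, PRODUCT AV/AB, MD5 only for AV), fills in the documented defaults, and reports each violation by row. EXAMPLE_CSV is a subset of the page's own example; BAD_CSV is constructed input. The domain pattern (dotted labels only) and the case-insensitive comparison of CONFIDENCE and SEVERITY are this example's assumptions, not rules stated on the page.

```python
"""Validator for Check Point-format CSV indicator files (added example, not Check Point code).
It applies the field rules from the table above (seven fields per record, unique UNIQ-NAME,
TYPE list, per-type VALUE checks, CONFIDENCE/SEVERITY/PRODUCT defaults, MD5 only for AV)."""
import csv
import io
import re
from ipaddress import IPv4Address
from urllib.parse import urlparse

FIELDS = ("UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT")
LEVELS = {"low", "medium", "high", "critical"}
MAIL_TYPES = {"mail-to", "mail-from", "mail-cc", "mail-reply-to"}
TYPES = {"url", "domain", "ip", "ip range", "md5", "mail-subject"} | MAIL_TYPES
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
# Assumption: "any URL domain" means dotted labels; single-label names are rejected here.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z0-9-]+$", re.I)

def _is_ipv4(s):
    try:
        return bool(IPv4Address(s))
    except ValueError:
        return False

def valid_value(obs_type, value):
    """Check VALUE against the validation criteria for its TYPE (TYPE is not case sensitive)."""
    t = obs_type.lower()
    if t == "url":
        p = urlparse(value)
        return bool(p.scheme and p.netloc)
    if t == "domain":
        return bool(DOMAIN_RE.match(value))
    if t == "ip":
        return _is_ipv4(value)
    if t == "ip range":  # <IP>-<IP>, low address first
        lo, sep, hi = value.partition("-")
        return bool(sep) and _is_ipv4(lo) and _is_ipv4(hi) and IPv4Address(lo) <= IPv4Address(hi)
    if t == "md5":
        return bool(MD5_RE.match(value))
    if t == "mail-subject":
        return bool(value.strip())
    if t in MAIL_TYPES:  # abc@domain.com, @domain.com or domain.com
        local, _, dom = value.rpartition("@")
        return bool(DOMAIN_RE.match(dom)) and "@" not in local
    return False

def validate_record(rec):
    """Return the rule violations for one record (empty list when it is valid)."""
    problems = []
    t = rec["TYPE"].lower()
    if t not in TYPES:
        problems.append(f"unknown TYPE {rec['TYPE']!r}")
    elif not valid_value(t, rec["VALUE"]):
        problems.append(f"VALUE {rec['VALUE']!r} is not a valid {rec['TYPE']}")
    for f in ("CONFIDENCE", "SEVERITY"):  # optional; compared case-insensitively here
        if rec[f] and rec[f].lower() not in LEVELS:
            problems.append(f"{f} must be one of {sorted(LEVELS)}")
    if rec["PRODUCT"] and rec["PRODUCT"].upper() not in ("AV", "AB"):
        problems.append("PRODUCT must be AV or AB")
    if t == "md5" and rec["PRODUCT"].upper() == "AB":
        problems.append("MD5 observables are processed only by Anti-Virus (PRODUCT AV)")
    return problems

def parse_indicator_csv(text):
    """Parse a Check Point-format CSV and return (records, errors). '#' rows are comments and
    '#!' rows metadata, so both are skipped; valid records come back with defaults applied."""
    records, errors, seen = [], [], set()
    for rowno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not any(c.strip() for c in row) or row[0].lstrip().startswith("#"):
            continue
        if len(row) != len(FIELDS):  # records of unequal size make the whole file unloadable
            errors.append(f"row {rowno}: expected {len(FIELDS)} fields, got {len(row)}")
            continue
        rec = dict(zip(FIELDS, (c.strip() for c in row)))
        problems = validate_record(rec)
        if not rec["UNIQ-NAME"] or rec["UNIQ-NAME"] in seen:
            problems.append(f"UNIQ-NAME {rec['UNIQ-NAME']!r} is missing or duplicate")
        seen.add(rec["UNIQ-NAME"])
        if problems:
            errors.extend(f"row {rowno}: {p}" for p in problems)
            continue
        rec["TYPE"] = rec["TYPE"].lower()
        rec["CONFIDENCE"] = (rec["CONFIDENCE"] or "high").lower()
        rec["SEVERITY"] = (rec["SEVERITY"] or "high").lower()
        rec["PRODUCT"] = (rec["PRODUCT"] or "AV").upper()
        records.append(rec)
    return records, errors

# A subset of the page's CSV example, including its '#!' metadata and '#' header lines.
EXAMPLE_CSV = r'''#! DESCRIPTION = indi file,,,,,,
"#! REFERENCE = Indicator Bulletin; Feb 20, 2014",,,,,,
"# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT",,,,,,
observ1,8d9b6b8912a2ed175b77acd40cbe9a73,MD5,medium,medium,AV,FILENAME:WUC Invitation Letter Guests.doc
observ9,somemaliciousdomain2.com,Domain,,low,AV,TCP:8080|IPV4ADDR:172.22.14.10
observ11,http://somebogussolution.com/register/card/log.asp?isnew=-1&LocalInfo=Microsoft%20Windows%20XP%20Service%20Pack%202&szHostName=ADAM-E512679EFD&tmp3=tmp3,URL,medium,,AB,
observ16,abc@def.com,mail-to,,high,AV,"NOTE:truncated; samples have appended to the subject the string ""PH000000NNNNNNN"" where NNNNNNN is a varying number"
observ34,stamdomain.com,domain,,,AB,
'''

# Constructed bad input: each row breaks exactly one rule.
BAD_CSV = """x1,8d9b6b8912a2ed175b77acd40cbe9a73,MD5,high,high,AB,MD5 given to Anti-Bot
x1,10.0.0.1,IP,,,AB,duplicate UNIQ-NAME
x2,10.0.0.20-10.0.0.10,IP Range,,,AB,reversed range
x3,not a url,URL,,,AB,
x4,10.0.0.5,IP,,,AB
"""
```

Run parse_indicator_csv on a feed before uploading it: an empty error list means every record has seven fields and passes the per-field checks, and the returned records show the defaults SmartConsole will apply to the empty optional fields.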

Example of a STIX 1.0 XML Indicator File

<stix:STIX_Package
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="
        http://stix.mitre.org/stix-1 ../stix_core.xsd
        http://stix.mitre.org/Indicator-2 ../indicator.xsd
        http://stix.mitre.org/default_vocabularies-1 ../stix_default_vocabularies.xsd
        http://cybox.mitre.org/objects#FileObject-2 ../cybox/objects/File_Object.xsd
        http://cybox.mitre.org/default_vocabularies-2 ../cybox/cybox_default_vocabularies.xsd"
    id="example:STIXPackage-ac823873-4c51-4dd1-936e-a39d40151cc3"
    version="1.0.1">
  <stix:STIX_Header>
    <stix:Title>Example file watchlist</stix:Title>
    <stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Watchlist</stix:Package_Intent>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-611935aa-4db5-4b63-88ac-ac651634f09b">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
      <indicator:Description>Indicator that contains malicious file hashes.</indicator:Description>
      <indicator:Observable id="example:Observable-c9ca84dc-4542-4292-af54-3c5c914ccbbc">
        <cybox:Object id="example:Object-c670b175-bfa3-48e9-a218-aa7c55f1f884">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0" condition="Equals">MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">0522e955aaee70b102e843f14c13a92c##comma##0522e955aaee70b102e843f14c13a92d##comma##0522e955aaee70b102e843f14c13a92e</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
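The STIX example above carries three MD5 hashes in a single Simple_Hash_Value element, separated by the CybOX "##comma##" list delimiter that apply_condition="ANY" implies. The following converter is an added example, not Check Point code: it walks the CybOX objects named in the element list earlier on this page (FileObj hashes, URIObj values, AddressObj values), splits delimited values (honouring an explicit delimiter attribute), and writes Check Point-format CSV records from them. PAGE_STIX is the page's own example with its header and schemaLocation trimmed; CONSTRUCTED_STIX is constructed input with a URL and an address list. The UNIQ-NAME scheme (prefix plus counter) and sending non-MD5 observables to AB are this example's choices, not format rules.

```python
"""Convert a STIX 1.0 package into Check Point-format CSV indicator records (added example,
not Check Point code). It reads the CybOX object kinds named in the element list above
(FileObj hashes, URIObj values, AddressObj values), splits multi-value fields on the CybOX
"##comma##" delimiter or the element's own delimiter attribute, and writes one record per
observable. The UNIQ-NAME scheme (prefix plus counter) and PRODUCT choice are this example's."""
import csv
import io
import xml.etree.ElementTree as ET

NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def _values(elem):
    """A property with apply_condition="ANY" holds a delimited list (CybOX default ##comma##)."""
    delim = elem.get("delimiter", "##comma##")
    return [v.strip() for v in (elem.text or "").split(delim) if v.strip()]

def extract_observables(xml_text):
    """Return (TYPE, VALUE) pairs for every cybox:Properties of a supported kind, whether it
    sits under stix:Indicators (indicator:Observable) or under stix:Observables."""
    found = []
    for props in ET.fromstring(xml_text).iter(f"{{{NS['cybox']}}}Properties"):
        kind = props.get(XSI_TYPE, "")
        if kind.endswith("FileObjectType"):
            for h in props.iter(f"{{{NS['cyboxCommon']}}}Hash"):
                htype = h.findtext("cyboxCommon:Type", default="", namespaces=NS)
                val = h.find("cyboxCommon:Simple_Hash_Value", NS)
                if htype.strip().upper() == "MD5" and val is not None:  # only MD5 is supported
                    found += [("MD5", v) for v in _values(val)]
        elif kind.endswith("URIObjectType"):
            val = props.find("URIObj:Value", NS)
            if val is not None:
                found += [("URL", v) for v in _values(val)]
        elif kind.endswith("AddressObjectType") and props.get("category") == "ipv4-addr":
            val = props.find("AddressObj:Address_Value", NS)
            if val is not None:
                found += [("IP", v) for v in _values(val)]
    return found

def stix_to_checkpoint_csv(xml_text, prefix="stix", confidence="high", severity="high"):
    """Emit CSV text. MD5 rows go to AV (the only blade that processes them); other
    types go to AB here, which is this example's choice, not a format rule."""
    out = io.StringIO()
    out.write("#! DESCRIPTION = converted from STIX 1.0\n")
    out.write("# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT\n")
    writer = csv.writer(out, lineterminator="\n")
    for n, (obs_type, value) in enumerate(extract_observables(xml_text), start=1):
        product = "AV" if obs_type == "MD5" else "AB"
        writer.writerow([f"{prefix}-{n}", value, obs_type, confidence, severity, product, ""])
    return out.getvalue()

# The hash-watchlist indicator from the page's STIX example (header and schemaLocation trimmed).
PAGE_STIX = """<stix:STIX_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2" version="1.0.1"
    id="example:STIXPackage-ac823873-4c51-4dd1-936e-a39d40151cc3">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-611935aa-4db5-4b63-88ac-ac651634f09b">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
      <indicator:Observable id="example:Observable-c9ca84dc-4542-4292-af54-3c5c914ccbbc">
        <cybox:Object id="example:Object-c670b175-bfa3-48e9-a218-aa7c55f1f884">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:Hashes><cyboxCommon:Hash>
              <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0" condition="Equals">MD5</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">0522e955aaee70b102e843f14c13a92c##comma##0522e955aaee70b102e843f14c13a92d##comma##0522e955aaee70b102e843f14c13a92e</cyboxCommon:Simple_Hash_Value>
            </cyboxCommon:Hash></FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Constructed package with a URL and an address list that uses a non-default delimiter.
CONSTRUCTED_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:pkg-1" version="1.0.1">
  <stix:Observables cybox_major_version="2" cybox_minor_version="0">
    <cybox:Observable id="example:obs-1"><cybox:Object id="example:obj-1">
      <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
        <URIObj:Value condition="Equals">http://bad.example/a</URIObj:Value>
      </cybox:Properties>
    </cybox:Object></cybox:Observable>
    <cybox:Observable id="example:obs-2"><cybox:Object id="example:obj-2">
      <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
        <AddressObj:Address_Value condition="Equals" apply_condition="ANY" delimiter="|">192.0.2.10|192.0.2.11</AddressObj:Address_Value>
      </cybox:Properties>
    </cybox:Object></cybox:Observable>
  </stix:Observables>
</stix:STIX_Package>"""
```

The output of stix_to_checkpoint_csv is a Check Point-format file: the three hashes from the page's example become three separate MD5 records assigned to AV, each with its own UNIQ-NAME, which is what the CSV format needs since it has no list-valued fields.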

Manually Uploading Threat Indicator Files through SmartConsole

When you manually upload threat indicator files through SmartConsole, the files must be in the Check Point CSV format or in STIX XML (STIX 1.0) format. Every record in a file must have the same number of fields: if an Indicator file has records with different numbers of fields, it does not load. See Supported Indicator Files for the required fields and observable values.

Syntax rules of CSV Indicator files in Check Point format:

  • Lines that begin with "#" are comments.
  • Lines that begin with "#!" are metadata that the software reads.
  • Each record has these fields, in this order: UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
  • Every record must have all seven fields; leave an optional field empty to use its default value.

To load Indicator files through SmartConsole:

  1. Go to Security Policies > Threat Prevention > Policy > Threat Tools > Indicators.

    The Indicators page opens.

  2. Click New.

    The Indicators configuration window opens.

  3. Enter a Name.

    Each Indicator must have a unique name.

  4. Enter Object Comment (optional).
  5. Click Import to browse to the Indicator file.

    The content of each file must be unique. You cannot load duplicate files.

  6. Select an action for this Indicator:
    • Ask - Threat Prevention Software Blade asks what to do with the detected observable
    • Prevent - Threat Prevention Software Blade blocks the detected observable
    • Detect - Threat Prevention Software Blade creates a log entry, and lets the detected observable go through
    • Inactive - Threat Prevention Software Blade does nothing
  7. Add Tag.
  8. Click OK.

    If you leave an optional field empty, a warning notifies you that the default values are used in the empty fields. Click OK. The Indicator file loads.

  9. Install Policy.

To delete Indicators:

  1. Select an Indicator.
  2. Click Delete.
  3. In the window that opens, click Yes to confirm.

You can edit properties of an Indicator object, except for the file it uses. If you want an Indicator to use a different file, you must delete it and create a new one.