Threat Indicators
What can I do here?
Use this window to create or edit a Threat Indicator (a pattern of relevant observable malicious activity in an operational cyber domain, with information on how to interpret it and how to handle it) by importing a CSV file or a STIX (Structured Threat Information eXpression) XML file in STIX 1.0 format, and selecting an action.
Threat Indicators Overview
Threat Indicators lets you add your own feeds to the Anti-Bot and Anti-Virus engines on a Security Gateway, in addition to the feeds included in the Check Point packages and the ThreatCloud feeds. The Anti-Bot Software Blade (AB) blocks botnet behavior and communication with Command and Control (C&C) centers. The Anti-Virus Software Blade (AV) uses real-time virus signatures and anomaly-based protections from ThreatCloud, the cyber intelligence center shared by all Check Point products, to detect and block malware at the gateway before users are affected.
An Indicator is a set of observables that represents a malicious activity in an operational cyber domain, with information on how to interpret it and how to handle it.
An Observable is an event or a stateful property that can be observed in an operational cyber domain, such as an IP address, an MD5, SHA1 or SHA256 file hash, a URL, or a mail sender address.
Threat Indicators describe an attack by:
- Specific observable patterns
- Additional information intended to represent objects and behaviors of interest in a cyber-security context
Indicators are derived from intelligence, self-analysis, governments, partners, and so on.
Supported Indicator Files
Indicator files must be in CSV or STIX XML (STIX 1.0) format. You can add Indicator files in two ways, and the accepted CSV formats differ:
- SmartConsole (the Check Point GUI application used to manage a Check Point environment) supports CSV files only in the Check Point format.
- The CLI also supports other CSV formats, as long as the upload complies with the required rules (see Threat Indicators).
Each record in the CSV Check Point format and in the STIX XML (STIX 1.0) format has the fields below. A CSV file that is not in the Check Point format does not have to include all of these fields (see Threat Indicators).

Field | Description | Valid Values | Value Criteria | Optional
---|---|---|---|---
UNIQ-NAME | Name of the observable | Free text | Must be unique | No
VALUE | A valid value for the type of the observable | As listed in the Observable Type table below | Must satisfy the validation criteria for the TYPE | No
TYPE | Type of the observable | URL, Domain, IP, IP Range, MD5, SHA1, SHA256, Mail-subject, Mail-to, Mail-from, Mail-cc, Mail-reply-to | Not case sensitive | No
CONFIDENCE | Degree of confidence in the observable | | Default: high | Yes
SEVERITY | Degree of threat the observable presents | | Default: high | Yes
PRODUCT | Check Point Software Blade that uses the observable | AV (Anti-Virus), AB (Anti-Bot) | Default: AV. Only the Anti-Virus Software Blade can process MD5, SHA1 and SHA256 observables. | Yes
COMMENT | Free-text comment | Free text | | Yes

- If an optional field is empty, the default value is used.
- If a mandatory field is empty, the Indicator file does not load.

Observable Type | Validation Criteria
---|---
URL | Any valid URL
Domain | Any URL domain
IP | Standard IPv4 address
IP Range | A range of valid IPv4 addresses, separated by a hyphen
MD5 | Any valid MD5
SHA1 | Any valid SHA1
SHA256 | Any valid SHA256
Mail-subject | Any non-empty text string
Mail-to, Mail-from, Mail-cc, Mail-reply-to | Can be one of these:

Notes on STIX files:
- As of this release, STIX 2.0 (JSON files) is not supported.
- The Custom Indicators CLI (load_indicators) does not support STIX files.
- The supported STIX elements are:
  stix:STIX_Package
  stix:STIX_Header
  stix:Title
  stix:Description
  stix:Indicators
  stix:Indicator
  indicator:Title
  indicator:Type
  indicator:Description
  indicator:Observable
  cybox:Object
  cybox:Properties
  FileObj:Hashes
  cyboxCommon:Hash
  cyboxCommon:Type
  cyboxCommon:Simple_Hash_Value
  stix:Observables
  cybox:Observable
  URIObj:Value
  URIObject:Value
  AddressObject:Address_Value
  AddressObj:Address_Value
  AddressObj:AddressObjectType
  AddressObject:AddressObjectType
  cybox:Title
- The Condition Type Enum and the Condition Application Enum support only Equals and ANY, for example:
  <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">
Example Indicator file in the CSV Check Point format:

```
#! DESCRIPTION = indi file,,,,,,
observ4,5dda6d1446b3cdb0bd4a3f0adb85d030ff59e975,SHA1,low,high,AV,file_name.pdf
```

Example Indicator file in STIX XML (STIX 1.0) format. Three MD5 values are carried in one Simple_Hash_Value element, separated by the CybOX list delimiter ##comma##, with apply_condition="ANY":

```xml
<stix:STIX_Package
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="http://stix.mitre.org/stix-1 ../stix_core.xsd http://stix.mitre.org/Indicator-2 ../indicator.xsd http://stix.mitre.org/default_vocabularies-1 ../stix_default_vocabularies.xsd http://cybox.mitre.org/objects#FileObject-2 ../cybox/objects/File_Object.xsd http://cybox.mitre.org/default_vocabularies-2 ../cybox/cybox_default_vocabularies.xsd"
    id="example:STIXPackage-ac823873-4c51-4dd1-936e-a39d40151cc3"
    version="1.0.1">
  <stix:STIX_Header>
    <stix:Title>Example file watchlist</stix:Title>
    <stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Watchlist</stix:Package_Intent>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-611935aa-4db5-4b63-88ac-ac651634f09b">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
      <indicator:Description>Indicator that contains malicious file hashes.</indicator:Description>
      <indicator:Observable id="example:Observable-c9ca84dc-4542-4292-af54-3c5c914ccbbc">
        <cybox:Object id="example:Object-c670b175-bfa3-48e9-a218-aa7c55f1f884">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0" condition="Equals">MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">0522e955aaee70b102e843f14c13a92c##comma##0522e955aaee70b102e843f14c13a92d##comma##0522e955aaee70b102e843f14c13a92e</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
```
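To check a STIX 1.0 file before uploading it, the following Python script, an added example and not Check Point's code, parses a package with the standard library, recognises only the elements in the supported list above (matched by namespace URI, so the URIObj/URIObject and AddressObj/AddressObject prefix variants are treated alike), enforces condition="Equals" and apply_condition="ANY", splits multi-valued fields on the CybOX ##comma## delimiter, and reports every element outside the list. Elements outside the list are reported rather than rejected, because the page's own example carries stix:Package_Intent, which the list does not name. The constructed sample package, the hex-length sanity check on hash values, and the decision to read only observables embedded in an Indicator or placed under stix:Observables (not ones referenced by idref) are this example's assumptions.

```python
"""Check a STIX 1.0 XML Indicator file against the elements the page lists as supported."""
import re
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)   # tag form ElementTree uses: {namespace-uri}local

# Supported elements, keyed by namespace rather than by prefix, so
# URIObj:Value and URIObject:Value resolve to the same tag.
SUPPORTED = {q(p, n) for p, names in {
    "stix": ("STIX_Package", "STIX_Header", "Title", "Description", "Indicators", "Indicator", "Observables"),
    "indicator": ("Title", "Type", "Description", "Observable"),
    "cybox": ("Observable", "Object", "Properties", "Title"),
    "cyboxCommon": ("Hash", "Type", "Simple_Hash_Value"),
    "FileObj": ("Hashes",),
    "URIObj": ("Value",),
    "AddressObj": ("Address_Value",),
}.items() for n in names}

DELIM = "##comma##"                                   # CybOX list delimiter used with apply_condition="ANY"
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}      # hex digits per hash type (sanity check, assumption)
_HEX = re.compile(r"^[0-9a-f]+$", re.I)

def _values(el, errors, where):
    """Split a value element on ##comma##; only condition=Equals / apply_condition=ANY are supported."""
    cond = el.get("condition", "Equals")              # CybOX defaults when the attribute is absent
    applies = el.get("apply_condition", "ANY")
    if cond != "Equals" or applies.upper() != "ANY":
        errors.append(f"{where}: unsupported condition={cond!r} apply_condition={applies!r}")
        return []
    return [v.strip() for v in (el.text or "").split(DELIM) if v.strip()]

def parse_stix_indicators(xml_text):
    """Return (observables, errors, unsupported_tags) for a STIX 1.0 package string."""
    root = ET.fromstring(xml_text)
    observables, errors = [], []
    unsupported = sorted({el.tag for el in root.iter() if el.tag not in SUPPORTED})
    top = root.find(q("stix", "Observables"))         # stand-alone observables, if any
    containers = list(root.iter(q("stix", "Indicator")))
    containers += list(top.iter(q("cybox", "Observable"))) if top is not None else []
    for c in containers:
        cid = c.get("id", "?")
        for h in c.iter(q("cyboxCommon", "Hash")):
            t = h.find(q("cyboxCommon", "Type"))
            kind = (t.text or "").strip().upper() if t is not None else ""
            shv = h.find(q("cyboxCommon", "Simple_Hash_Value"))
            if kind not in HASH_LEN or shv is None:
                errors.append(f"{cid}: Hash needs a supported Type and a Simple_Hash_Value")
                continue
            vals = _values(shv, errors, cid)
            bad = [v for v in vals if len(v) != HASH_LEN[kind] or not _HEX.match(v)]
            if bad:
                errors.append(f"{cid}: malformed {kind} value(s) {bad}")
            elif vals:
                observables.append({"indicator": cid, "type": kind, "values": vals})
        for tag, kind in ((q("URIObj", "Value"), "URL"), (q("AddressObj", "Address_Value"), "Address")):
            for el in c.iter(tag):
                vals = _values(el, errors, cid)
                if vals:
                    observables.append({"indicator": cid, "type": kind, "values": vals})
    return observables, errors, unsupported

# Constructed sample: two MD5s in one element, a SHA1 with an unsupported condition,
# a URL indicator, a stand-alone address observable, and one element outside the list.
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
 xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
 xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 id="example:STIXPackage-1" version="1.0.1">
 <stix:STIX_Header><stix:Title>Constructed test feed</stix:Title><stix:Package_Intent>Indicators - Watchlist</stix:Package_Intent></stix:STIX_Header>
 <stix:Indicators>
  <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-hashes"><indicator:Observable><cybox:Object>
   <cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes>
    <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type><cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">0522e955aaee70b102e843f14c13a92c##comma##0522e955aaee70b102e843f14c13a92d</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
    <cyboxCommon:Hash><cyboxCommon:Type>SHA1</cyboxCommon:Type><cyboxCommon:Simple_Hash_Value condition="Contains">5dda6d1446b3cdb0bd4a3f0adb85d030ff59e975</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
   </FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-url"><indicator:Observable><cybox:Object>
   <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL"><URIObj:Value condition="Equals">http://malicious.example/drop</URIObj:Value></cybox:Properties>
  </cybox:Object></indicator:Observable></stix:Indicator>
 </stix:Indicators>
 <stix:Observables><cybox:Observable id="example:Observable-3"><cybox:Object>
  <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr"><AddressObj:Address_Value apply_condition="ANY">198.51.100.23##comma##198.51.100.24</AddressObj:Address_Value></cybox:Properties>
 </cybox:Object></cybox:Observable></stix:Observables>
</stix:STIX_Package>"""
```

Running parse_stix_indicators(SAMPLE) yields three observables (the MD5 pair, the URL and the two addresses), one error for the SHA1 element whose condition is "Contains", and stix:Package_Intent as the only element outside the supported list. Treat any error as a reason not to upload; whether the gateway accepts or ignores elements outside the list is not stated on this page, so the script only reports them.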
Manually Uploading Threat Indicator Files through SmartConsole
When you upload Threat Indicator files manually through SmartConsole, the files must be in the CSV Check Point format or in STIX XML (STIX 1.0) format. All records in a file must have the same number of fields; if an Indicator file contains records with different numbers of fields, it does not load. See the field and observable tables above for the required fields and the valid observable values.

CSV rules:
- Use commas to separate the fields in a record.
- Enter one record per line (records are separated by a line break, '\n').
- If free text contains quotation marks, commas, or line breaks, enclose the whole field in quotation marks.
- To put quotation marks around part of the free text inside such a field, double them: ""<text>""
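The following Python script is an added example, not Check Point's code, that checks a CSV file against the field table, the observable type table and the upload rules above before the file is handed to SmartConsole: same number of fields in every record, mandatory fields present, unique UNIQ-NAME, defaults for empty optional fields, per-type value criteria, PRODUCT limited to AV or AB, and the restriction that only AV can process hashes. It also writes records back out and lets Python's csv module apply the quoting rules (whole field in quotation marks, embedded quotation marks doubled). The URL, domain and mail-address checks, the token accepted for the IP Range type, and the sample file are this example's assumptions.

```python
"""Validate and write Threat Indicator files in the Check Point CSV format."""
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

# Column order of a Check Point-format record, from the field table above.
FIELDS = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]
DEFAULTS = {"CONFIDENCE": "high", "SEVERITY": "high", "PRODUCT": "AV"}
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}      # hex digits per hash type
MAIL_TYPES = {"mail-to", "mail-from", "mail-cc", "mail-reply-to"}
_HEX = re.compile(r"^[0-9a-f]+$", re.I)
# Assumptions of this example, not rules from the page: a domain is a dotted
# hostname with an alphabetic TLD and a mail address has the shape local@host.tld.
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_MAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _is_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False

def value_error(obs_type, value):
    """None if value meets the validation criteria for obs_type, else a message."""
    t = obs_type.lower()                                  # TYPE is not case sensitive
    if t in HASH_LEN:
        ok = len(value) == HASH_LEN[t] and bool(_HEX.match(value))
    elif t == "ip":
        ok = _is_ipv4(value)
    elif t in ("ip range", "ip-range"):                   # exact token for IP Range is an assumption
        lo, sep, hi = value.partition("-")
        ok = bool(sep) and _is_ipv4(lo) and _is_ipv4(hi) and \
            ipaddress.IPv4Address(lo) <= ipaddress.IPv4Address(hi)
    elif t == "url":
        u = urlsplit(value)
        ok = bool(u.scheme) and bool(u.netloc)            # assumption: scheme and host required
    elif t == "domain":
        ok = bool(_DOMAIN.match(value))
    elif t == "mail-subject":
        ok = value.strip() != ""
    elif t in MAIL_TYPES:
        ok = bool(_MAIL.match(value))
    else:
        return f"unknown TYPE {obs_type!r}"
    return None if ok else f"invalid {obs_type} value {value!r}"

def parse_indicator_csv(text):
    """Parse Check Point-format CSV into (records, errors); any error means the file would not load."""
    records, errors, seen = [], [], set()
    reader = csv.reader(io.StringIO(text))                # handles "..." fields and doubled quotes
    for row in reader:
        if not row or row[0].startswith("#!"):            # blank line or "#! DESCRIPTION = ..." header
            continue
        ln = reader.line_num
        if len(row) != len(FIELDS):                       # every record must have the same size
            errors.append((ln, f"expected {len(FIELDS)} fields, got {len(row)}"))
            continue
        rec = {k: v.strip() for k, v in zip(FIELDS, row)}
        for k in ("UNIQ-NAME", "VALUE", "TYPE"):          # mandatory fields
            if not rec[k]:
                errors.append((ln, f"mandatory field {k} is empty"))
        for k, default in DEFAULTS.items():               # empty optional field -> default value
            rec[k] = rec[k] or default
        if rec["UNIQ-NAME"] in seen:
            errors.append((ln, f"duplicate UNIQ-NAME {rec['UNIQ-NAME']!r}"))
        seen.add(rec["UNIQ-NAME"])
        if rec["PRODUCT"].upper() not in ("AV", "AB"):
            errors.append((ln, f"unknown PRODUCT {rec['PRODUCT']!r}"))
        elif rec["PRODUCT"].upper() == "AB" and rec["TYPE"].lower() in HASH_LEN:
            errors.append((ln, "only AV (Anti-Virus) can process MD5/SHA1/SHA256 observables"))
        if rec["TYPE"] and rec["VALUE"]:
            err = value_error(rec["TYPE"], rec["VALUE"])
            if err:
                errors.append((ln, err))
        records.append(rec)
    return records, errors

def write_indicator_csv(records, description="indicators"):
    """Serialise records; csv quotes free text with commas, quotes or line breaks and doubles embedded quotes."""
    out = io.StringIO()
    out.write(f"#! DESCRIPTION = {description}" + "," * (len(FIELDS) - 1) + "\n")
    writer = csv.writer(out, lineterminator="\n")
    for rec in records:
        writer.writerow([rec.get(k, "") for k in FIELDS])
    return out.getvalue()

# Constructed sample: the page's record, a quoted comment with a comma and embedded
# quotes, then three records that break a rule (AB with a hash, duplicate name, short record).
SAMPLE = """#! DESCRIPTION = indi file,,,,,,
observ4,5dda6d1446b3cdb0bd4a3f0adb85d030ff59e975,SHA1,low,high,AV,file_name.pdf
c2-ip,198.51.100.23,IP,,,AB,"seen in ""campaign X"", blocks C&C"
bad-hash,0522e955aaee70b102e843f14c13a92c,MD5,high,high,AB,Anti-Bot cannot process hashes
observ4,http://malicious.example/drop,URL,high,high,AV,duplicate name
short,10.0.0.1,IP,high,high,AV
"""
```

parse_indicator_csv(SAMPLE) returns four records and three errors (lines 4, 5 and 6 of the sample); the empty CONFIDENCE and SEVERITY of the c2-ip record come back as "high", and its comment round-trips through write_indicator_csv unchanged, which is the check to run on any file whose free-text fields were edited by hand.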

To add an Indicator:

Step | Instructions
---|---
1 | Go to Security Policies > Threat Prevention > Policy > Custom Policy Tools > Indicators. The Indicators page opens.
2 | Click New. The Indicators configuration window opens.
3 | Enter a Name. Each Indicator must have a unique name.
4 | Enter an Object Comment (optional).
5 | Click Import and browse to the Indicator file. The content of each file must be unique; you cannot load duplicate files.
6 | Select an action for this Indicator.
7 | Add a Tag.
8 | Click OK. If you left an optional field empty, a warning notifies you that the default values are used for the empty fields. Click OK. The Indicator file loads.
9 | In SmartConsole, install the policy.

To delete an Indicator:

Step | Instructions
---|---
1 | Select an Indicator.
2 | Click Delete.
3 | In the window that opens, click Yes to confirm.

You can edit the properties of an Indicator object, except for the file it uses. To make an Indicator use a different file, delete it and create a new one.