Configuring Threat Indicators

Threat Indicators lets you add feeds to the Anti-Bot and Anti-Virus engines on the Security Gateway, in addition to the feeds included in the Check Point packages and the ThreatCloud feeds.

You can add indicator files in two ways: manually, by uploading them through SmartConsole or the CLI, or automatically, by importing Custom Intelligence Feeds on the Security Gateway. Both are described in the sections below.

An Indicator is a set of observables which represent a malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it.

An Observable is an event or a stateful property that can be observed in an operational cyber domain. Such as: IP address, MD5 file signature, SHA1 file signature, SHA256 file signature, URL, Mail sender address.

Threat Indicators describe an attack through:

  • Specific observable patterns

  • Additional information intended to represent objects and behaviors of interest in a cyber-security context

Indicators are derived from intelligence, self-analysis, governments, partners, and so on.

Supported Indicator Files

Indicator files must be in CSV format or in STIX (Structured Threat Information eXpression) XML format, version 1.0:

Each record in the Check Point CSV format and in the STIX XML (STIX 1.0) format has these fields (a CSV file that is not in the Check Point format does not have to include all of these fields; see Importing Automated Custom Intelligence Feeds).

Notes:

  • If an optional field is empty, the default value is used.

  • If a mandatory field is empty, the Indicator file does not load.

  • As of this release, STIX 2.0 (JSON file) is not supported.

  • The Custom Indicators CLI (load_indicators) is not supported.

The supported STIX elements are:

  • stix:STIX_Package

  • stix:STIX_Header

  • stix:Title

  • stix:Description

  • stix:Indicators

  • stix:Indicator

  • indicator:Title

  • indicator:Type

  • indicator:Description

  • indicator:Observable

  • cybox:Object

  • cybox:Properties

  • FileObj:Hashes

  • cyboxCommon:Hash

  • cyboxCommon:Type

  • cyboxCommon:Simple_Hash_Value

  • stix:Observables

  • cybox:Observable

  • URIObj:Value

  • URIObject:Value

  • AddressObject:Address_Value

  • AddressObj:Address_Value

  • AddressObj:AddressObjectType

  • AddressObject:AddressObjectType

  • cybox:Title

Pairs such as URIObj:Value and URIObject:Value, or AddressObj:Address_Value and AddressObject:Address_Value, are the same element written with different namespace prefixes; in XML the prefix is only an alias for the namespace URI declared in the file.

  • Condition Type Enum and Condition Application Enum support Equals and Any.

    <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">
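The following script is an added example, not Check Point code and not part of the original page. It builds a minimal STIX 1.0 package from the elements listed above (a file hash, a URL and an IP address observable), then reads the package back and rejects any condition other than the Equals / ANY pair the section says is supported. The namespace URIs are the standard STIX 1.x and CybOX 2.x ones; the prefixes are the aliases the element list uses. The sample hash, URL and address values are constructed.

```python
"""Build and parse a minimal STIX 1.0 indicator package (added example)."""
import xml.etree.ElementTree as ET

# Standard STIX 1.x / CybOX 2.x namespace URIs, bound to the prefixes the
# element list above uses.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, local):
    """Clark-notation tag name for prefix:local."""
    return "{%s}%s" % (NS[prefix], local)


def add_indicator(indicators, title, kind, value, hash_type=None,
                  condition="Equals", apply_condition="ANY"):
    """Append one stix:Indicator whose observable is a file hash, a URI or an address."""
    ind = ET.SubElement(indicators, q("stix", "Indicator"))
    ind.set(q("xsi", "type"), "indicator:IndicatorType")
    ET.SubElement(ind, q("indicator", "Title")).text = title
    obs = ET.SubElement(ind, q("indicator", "Observable"))
    props = ET.SubElement(ET.SubElement(obs, q("cybox", "Object")), q("cybox", "Properties"))
    if kind == "file":
        props.set(q("xsi", "type"), "FileObj:FileObjectType")
        h = ET.SubElement(ET.SubElement(props, q("FileObj", "Hashes")), q("cyboxCommon", "Hash"))
        ET.SubElement(h, q("cyboxCommon", "Type")).text = hash_type
        v = ET.SubElement(h, q("cyboxCommon", "Simple_Hash_Value"))
    elif kind == "uri":
        props.set(q("xsi", "type"), "URIObj:URIObjectType")
        v = ET.SubElement(props, q("URIObj", "Value"))
    elif kind == "address":
        props.set(q("xsi", "type"), "AddressObj:AddressObjectType")
        v = ET.SubElement(props, q("AddressObj", "Address_Value"))
    else:
        raise ValueError("unknown observable kind %r" % kind)
    v.text = value
    v.set("condition", condition)
    v.set("apply_condition", apply_condition)
    return ind


def build_package(hash_condition="Equals"):
    """Serialize a package with one hash, one URL and one IP indicator (constructed values)."""
    pkg = ET.Element(q("stix", "STIX_Package"))
    hdr = ET.SubElement(pkg, q("stix", "STIX_Header"))
    ET.SubElement(hdr, q("stix", "Title")).text = "Constructed sample feed"
    inds = ET.SubElement(pkg, q("stix", "Indicators"))
    add_indicator(inds, "Dropper", "file", "d41d8cd98f00b204e9800998ecf8427e",
                  hash_type="MD5", condition=hash_condition)
    add_indicator(inds, "C2 URL", "uri", "http://c2.example.test/gate.php")
    add_indicator(inds, "C2 IP", "address", "192.0.2.10")
    return ET.tostring(pkg, encoding="unicode")


def _check_condition(el):
    """Only Equals / ANY (or no attribute) are supported by the section above."""
    if el.get("condition") not in (None, "Equals"):
        raise ValueError("unsupported condition %r" % el.get("condition"))
    if el.get("apply_condition") not in (None, "ANY"):
        raise ValueError("unsupported apply_condition %r" % el.get("apply_condition"))


def extract_observables(xml_text):
    """Return (type, value, condition) tuples in document order."""
    root = ET.fromstring(xml_text)
    out = []
    for props in root.iter(q("cybox", "Properties")):
        for h in props.iter(q("cyboxCommon", "Hash")):
            hv = h.find(q("cyboxCommon", "Simple_Hash_Value"))
            _check_condition(hv)
            out.append((h.findtext(q("cyboxCommon", "Type")), hv.text, hv.get("condition")))
        for v in props.iter(q("URIObj", "Value")):
            _check_condition(v)
            out.append(("URL", v.text, v.get("condition")))
        for v in props.iter(q("AddressObj", "Address_Value")):
            _check_condition(v)
            out.append(("IP", v.text, v.get("condition")))
    return out


if __name__ == "__main__":
    for row in extract_observables(build_package()):
        print(row)
```

A package produced this way declares every namespace it uses on the root element; a hand-written file that uses the `FileObj` or `AddressObj` prefixes without the matching `xmlns:` declaration is not well-formed XML and will not load regardless of its content.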

Manually Uploading Threat Indicator Files through SmartConsole

When you manually upload threat indicator files through SmartConsole, the files must be in the Check Point CSV format or in STIX XML (STIX 1.0) format. Every record in the file must have the same number of fields; if an Indicator file contains records with different numbers of fields, it does not load. See Supported Indicator Files for the required fields and observable values.
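Before uploading a CSV file it is worth checking it offline for the two conditions that make a file fail to load (records of unequal width, and empty mandatory fields, from Supported Indicator Files and the paragraph above) and for observable values that do not match their declared type. The validator below is an added example, not Check Point code. The column names in the sample header and the set of mandatory columns are assumptions for this example; confirm them against the fields table in the product guide. The type labels follow the observable kinds listed earlier (IP, MD5, SHA1, SHA256, URL and a mail sender address, written here as Mail-from). The sample file is constructed.

```python
"""Pre-flight validator for Check Point-style indicator CSV files (added example)."""
import csv
import ipaddress
import re

# Assumed mandatory columns; check against the product guide's fields table.
MANDATORY = {"UNIQ-NAME", "VALUE", "TYPE"}


def _hex(n):
    return re.compile(r"^[0-9a-fA-F]{%d}$" % n).match


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


# Observable kinds from the section above; keys are compared case-insensitively.
TYPE_CHECKS = {
    "IP": _is_ip,
    "MD5": _hex(32),
    "SHA1": _hex(40),
    "SHA256": _hex(64),
    "URL": re.compile(r"^https?://\S+$", re.I).match,
    "MAIL-FROM": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$").match,
}


def parse_indicator_csv(text, mandatory=MANDATORY):
    """Return (records, errors). The first non-blank line is the header
    (a leading '#' is allowed); later lines starting with '#' are comments."""
    records, errors = [], []
    header, width = None, 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        if header is None:
            header = [h.strip() for h in next(csv.reader([raw.lstrip("#")]))]
            width = len(header)
            continue
        if raw.startswith("#"):
            continue
        fields = [f.strip() for f in next(csv.reader([raw]))]
        # Rule 1: every record must have the same number of fields as the header.
        if len(fields) != width:
            errors.append("line %d: %d fields, expected %d" % (lineno, len(fields), width))
            continue
        rec = dict(zip(header, fields))
        # Rule 2: an empty mandatory field means the whole file does not load.
        missing = sorted(c for c in mandatory if not rec.get(c))
        if missing:
            errors.append("line %d: empty mandatory field(s) %s" % (lineno, ",".join(missing)))
            continue
        # Rule 3 (extra check): the value must look like the declared observable type.
        check = TYPE_CHECKS.get(rec["TYPE"].upper())
        if check is None:
            errors.append("line %d: unknown type %r" % (lineno, rec["TYPE"]))
        elif not check(rec["VALUE"]):
            errors.append("line %d: value %r is not a valid %s" % (lineno, rec["VALUE"], rec["TYPE"]))
        else:
            records.append(rec)
    if header is None:
        errors.append("empty file")
    return records, errors


def file_loads(text):
    """True when no record would stop the gateway from loading the file."""
    return not parse_indicator_csv(text)[1]


# Constructed sample: two good records, then three records that each break one rule.
SAMPLE = """#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
evil-md5,d41d8cd98f00b204e9800998ecf8427e,MD5,high,critical,AV,constructed sample
c2-ip,192.0.2.10,IP,,high,AB,optional CONFIDENCE left empty
bad-width,198.51.100.7,IP,medium,high,AB
no-type,http://c2.example.test/gate.php,,low,low,AV,mandatory TYPE empty
bad-hash,not-a-hash,SHA256,high,high,AV,value does not match type
"""

if __name__ == "__main__":
    recs, errs = parse_indicator_csv(SAMPLE)
    print("loadable records:", [r["UNIQ-NAME"] for r in recs])
    for e in errs:
        print("error:", e)
```

The third check goes beyond what the page states (the gateway's own acceptance rules for values are not described here), but a hash of the wrong length or a non-address in an IP column is almost always a copy-and-paste error, and catching it before upload is cheaper than finding out from the gateway log.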

Uploading Threat Indicator Files through the CLI

You can upload indicator files through the CLI in Check Point CSV format and other CSV formats, and in STIX XML (STIX 1.0) format.

Use these commands to upload and manage threat indicator files through the CLI.

Examples:

Importing Automated Custom Intelligence Feeds

You can import threat indicator feeds from external sources directly to the Security Gateway. The gateway automatically pulls and enforces an indicator file, over HTTP or HTTPS, or by reading from a local file or folder. There is no need to install policy to enforce the feeds, but you must import the files on each gateway separately.

Automated custom intelligence feeds support STIX XML (STIX 1.0) files, CSV files in the Check Point format, and CSV files in other formats. To import Threat Indicator files in a CSV format that differs from the Check Point CSV format, follow the syntax rules provided in this section.

Examples:

To learn more about Custom Intelligence Feeds, see sk132193.