Importing External Custom Intelligence Feeds in CLI

You can import threat indicator feeds from external sources directly to the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. After you import the feeds for the first time and install policy, the Security Gateway automatically pulls and enforces the indicator file each time the file is updated. The Security Gateway imports the file over HTTP or HTTPS, or by reading from a local file or folder.

Important - You must import the feed files on each Security Gateway and Cluster Member Security Gateway that is part of a cluster. separately.

Automated custom intelligence feeds support STIX Structured Threat Information eXpression™. A language that describes cyber threat information in a standardized and structured way. XML (STIX 1.0) files, CSV files in Check Point format, and CSV files in other formats.

To import Threat Indicator Pattern of relevant observable malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it. files in a CSV format that is different than the Check Point CSV format, follow the syntax rules provided in this section.

Syntax Rules

The supported observables are: Name, Value, Type, Confidence, Severity, Product, Comment.
Define the file's format, delimiter and the comment lines to skip:

Use --format and specify your observables inside square brackets.

Use --comment for content to ignore in the original file.

Note - Comment specified within the square brackets of --format is fetched from the original file. content inside the square brackets of --comment is ignored.
Value and Type observables are mandatory.
The Value observable is specified according to its location in the original file: #<location_of_item>.

For example:

If the Value observable is in the 3rd place in your CSV row, enter:

--format [value:#3]
For all other observables, you can enter their location in the original file, or specify their value.

For example, if you want the value of the Type observable to be the domain specified in every CSV row, enter:

--format [type:domain]
When the feed's resource is a remote source (transport equals HTTP or HTTPS), every time the feed is fetched, it parses according to the format that was specified for this feed.

Examples

Original CSV file is a list of domains

# This list consists of High Level Sensitivity website URLs

# Columns (tab delimited):

# (1) site

#

Site

4kqd3hniqgptupi3p.k7oudl.top

stggsjv6mqiibmax.torshop.li

grrgelpetkavanis4.pv

52ou5k3t73ypjije.ie7t8k.top

ja:many.cu.ma

If you enter this command, the Security Gateway takes the domain specified in the first place of every row, and ignores anything that starts with # and the word Site.

ioc_feeds add --feed_name domain_list --transport https --resource "https://isc.sans.edu/feeds/suspiciousdomains_High.txt" --format [type:domain,value:1] --comment "#, Site"

This is the original CSV file

# category Descriptive tag name for this entry. For this report,

# the text sshpwauth will appear.

#

# A commented footer section shows an aggregate account of ASNs and

# addresses seen in the current report

#

3 | organization A | 18.30.10.26 | 2018-12-15 08:16:39 | sshpwauth

3 | organization B | 18.30.21.197 | 2018-12-28 17:43:41 | sshpwauth

17 | organization C | 128.46.80.71 | 2019-01-04 17:56:00 | sshpwauth

111| organization D | 128.197.31.119 | 2019-01-10 03:12: 18| sshpwauth

If you enter this command, the Security Gateway takes the IP address from the 3rd place in the row, takes the comment from the second place in the row, and ignores all content preceded by #:

ioc_feeds add --feed_name ip_list_with_spaces --transport local_file --resource "/home/admin/ioc/ip_list_with_spaces.txt" --format [value:#3,comment:#2,type:ip] --comment [#] --delimiter "|"

To learn more about Custom Intelligence Feeds, see sk132193.