Importing External Custom Intelligence Feeds in CLI
You can import threat indicator feeds from external sources directly to the Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources). After you import the feeds for the first time and install policy, the Security Gateway automatically pulls and enforces the indicator file each time the file is updated. The Security Gateway imports the file over HTTP or HTTPS, or by reading from a local file or folder.
Important - You must import the feed files separately on each Security Gateway and on each Cluster Member (a Security Gateway that is part of a cluster).
Automated custom intelligence feeds support STIX (Structured Threat Information eXpression, a language that describes cyber threat information in a standardized and structured way) XML files (STIX 1.0), CSV files in Check Point format, and CSV files in other formats.
To import Threat Indicator files (a Threat Indicator is a pattern of relevant observable malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it) in a CSV format that is different from the Check Point CSV format, follow the syntax rules provided in this section.
- The supported observables are: Name, Value, Type, Confidence, Severity, Product, Comment.
- Define the file's format, delimiter and the comment lines to skip: use --format and specify your observables inside square brackets; use --comment for content to ignore in the original file. Note - A comment observable specified inside the square brackets of --format is fetched from the original file, whereas content specified for --comment is ignored.
- The Value and Type observables are mandatory.
- The Value observable is specified according to its location in the original file: #<location_of_item>. For example, if the Value observable is in the 3rd place in your CSV row, enter: --format [value:#3]
- For all other observables, you can either enter their location in the original file or specify their value. For example, if you want the Type observable to be domain for every CSV row, enter: --format [type:domain]
- When the feed's resource is a remote source (transport equals HTTP or HTTPS), every time the feed is fetched it is parsed according to the format that was specified for this feed.
When the feed's resource is a remote source (transport equals HTTP or HTTPS), every time the feed is fetched, it parses according to the format that was specified for this feed.
Examples
# This list consists of High Level Sensitivity website URLs
If you enter this command, the Security Gateway takes the domain specified in the first place of every row, and ignores anything that starts with # and the word Site.
If you enter this command, the Security Gateway takes the IP address from the 3rd place in the row, takes the comment from the second place in the row, and ignores all content preceded by #.
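The following is an added example, not Check Point code: it emulates how a --format specification (column references such as #3 versus fixed values) and --comment prefixes map a third-party CSV feed onto the observables listed above, so you can check what a feed definition will yield before pointing a Security Gateway at it. The type names "domain" and "ip", the feed contents and the skipping of rows shorter than the mapping are assumptions made for this example.

```python
import csv

# Added example, not Check Point code: emulates how a --format specification and
# --comment prefixes map a third-party CSV feed onto the observables above.
OBSERVABLES = ("name", "value", "type", "confidence", "severity", "product", "comment")

def parse_format(spec):
    """'[value:#3,type:ip,comment:#2]' -> {'value': 3, 'type': 'ip', 'comment': 2}
    (an int means "take column N, 1-based"; a str is a fixed value)."""
    spec = spec.strip()
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError("observables must be enclosed in square brackets")
    mapping = {}
    for field in spec[1:-1].split(","):
        key, sep, val = (part.strip() for part in field.partition(":"))
        if not sep or key.lower() not in OBSERVABLES:
            raise ValueError(f"unsupported observable: {field!r}")
        mapping[key.lower()] = int(val[1:]) if val.startswith("#") else val
    if "value" not in mapping or "type" not in mapping:
        raise ValueError("value and type are mandatory")
    return mapping

def parse_feed(text, fmt, comment_prefixes=(), delimiter=","):
    """One indicator dict per data row; lines starting with a comment prefix,
    blank lines and rows too short for the mapping are skipped."""
    mapping = parse_format(fmt)
    indicators = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(tuple(comment_prefixes)):
            continue
        row = next(csv.reader([line], delimiter=delimiter))
        if any(isinstance(src, int) and src > len(row) for src in mapping.values()):
            continue  # a referenced column is missing: malformed row, assumed skipped
        indicators.append({obs: row[src - 1].strip() if isinstance(src, int) else src
                           for obs, src in mapping.items()})
    return indicators

# Constructed sample feeds (assumed type names "domain" and "ip"; reserved example names).
FEED_SITES = """# This list consists of High Level Sensitivity website URLs
Site,Category
bad.example.com,phishing
lure.example.net,credential-harvesting
"""
FEED_IPS = """# id,note,address
1,lure server,192.0.2.10
2,drop zone,198.51.100.7
"""

if __name__ == "__main__":
    print(parse_feed(FEED_SITES, "[value:#1,type:domain]", ("#", "Site")))
    print(parse_feed(FEED_IPS, "[value:#3,type:ip,comment:#2]", ("#",)))
```

The first call mirrors the first example above (domain from the first place, skip lines starting with # or Site); the second mirrors the IP example (value from the 3rd place, comment from the 2nd).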
To learn more about Custom Intelligence Feeds, see sk132193.