Supported Indicator Files

Indicator Pattern of relevant observable malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it. files must be in CSV or STIX Structured Threat Information eXpression™. A language that describes cyber threat information in a standardized and structured way. XML (STIX 1.0) format:

SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. supports CSV files only in the Check Point format.
The CLI also supports other formats of CSV files, as long as their upload complies with the applicable syntax rules.

Each record in CSV Check Point format and the STIX XML (STIX 1.0) format must have these fields (files in other CSV format do not have to include all these fields, see Importing Threat Indicator Files through the CLI and Importing External Custom Intelligence Feeds in CLI).

Fields

Field	Description	Valid Values	Value Criteria	Optional
UNIQ-NAME	Name of the observable	Free text	Must be unique	No
VALUE	A valid value for the type of the observable	As provided in this table	Value of parameter	No
TYPE	Type of the observable	`URL` `Domain` `IP` `IP Range` `MD5` `SHA1` `SHA256` `Mail-subject` `Mail-from` `Mail-to` `Mail-cc` `Mail-reply-to`	Not case sensitive	No
CONFIDENCE	Degree of confidence the observable presents	`low` `medium` `high` `critical`	Default - high	Yes
SEVERITY	Degree of threat the observable presents	`low` `medium` `high` `critical`	Default - high	Yes
PRODUCT	Check Point Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. that processes the observable	`AV` `AB`	AV - Check Point Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. Software Blade (default) AB - Check Point Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. Software Blade Note - only the Anti-Virus Software Blade can process MD5, SHA1 and SHA256 observables.	Yes
COMMENT		Free text		Yes

These are the valid values for each observable type:

Observable Type	Validation Criteria
URL	Any valid URL
Domain	Any URL domain
IP	Standard IPv4 address
IP Range	A range of valid IPv4 addresses, separated by a hyphen: `<IP>-<IP>`
MD5	Any valid MD5
SHA1	Any valid SHA1
SHA256	Any valid SHA256
Mail-subject	Any non-empty text string
Mail-to Mail-from Mail-cc Mail-reply-to	Can be one of these: A single email address (Example: `abc@domain.com`) An email domain (Examples: `@domain.com`, or `domain.com`)

Notes:

As of this release, STIX 2.0 (JSON file) is not supported.
Custom Indicators CLI (load_indicators) are not supported.

The supported STIX elements are:

stix:STIX_Package

stix:STIX_Header

stix:Title

stix:Description

stix:Indicators

stix:Indicator

indicator:Title

indicator:Type

indicator:Description

indicator:Observable Event or stateful property that can be observed in an operational cyber domain.

cybox:Object

cybox:Properties

FileObj:Hashes

cyboxCommon:Hash

cyboxCommon:Type

cyboxCommon:Simple_Hash_Value

stix:Observables

cybox:Observable

URIObj:Value

URIObject:Value

AddressObject:Address_Value

AddressObj:Address_Value

AddressObj:AddressObjectType

AddressObjet:AddressObjectType

cybox:Title

Condition Type Enum and Condition Application Enum support Equals and Any.

<cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">

Example of a CSV Indicator File in Check Point Format:

#! DESCRIPTION = indi file,,,,,,

"#! REFERENCE = Indicator Bulletin; Feb 20, 2014",,,,,,

# FILE FORMAT:,,,,,,

"# All lines beginning ""#"" are comments",,,,,,

"# All lines beginning ""#!"" are metadata read by the SW",,,,,,

"# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT",,,,,,

observ1,8d9b6b8912a2ed175b77acd40cbe9a73,MD5,medium,medium,AV,FILENAME:WUC Invitation Letter Guests.doc

observ2,76700f862a0c241b8f4b754f76957bda,MD5,high,high,AV,FILENAME:essais~.swf| NOTE:FWS type Flash file

observ4,5dda6d1446b3cdb0bd4a3f0adb85d030ff59e975,SHA1,low,high,AV,file_name.pdf
observ5,db435a875be456f088f11c579aa52f30bc83cfff272cfad5a3f6f4de74de0654,SHA256,high,high,AV,file_name.doc

observ7,http://somemaliciousdomain.com/uploadfiles/upload/exp.swf?info= 789c333432d333b4d4b330d133b7b230b03000001b39033b&infosize=00840000 ,URL,high,high,AV,IPV4ADDR:196.168.25.25

observ8,svr01.passport.ServeUser.com,Dpmain,low,high,AB,TCP:80| IPV4ADDR:172.18.18.25|NOTE:Embedded EXE Remote C&C and Encoded Data

observ9,somemaliciousdomain2.com,Domain,,low,AV,TCP:8080|IPV4ADDR:172.22.14.10

observ10,http://www.bogusdomain.com/search?q=%24%2B%25&form=MOZSBR&pc= MOZI,URL,low,low,AB,IPV4ADDR:172.25.1.5

observ11,http://somebogussolution.com/register/card/log.asp?isnew=-1&LocalInfo= Microsoft%20Windows%20XP%20Service%20Pack%202&szHostName= ADAM-E512679EFD&tmp3=tmp3,URL,medium,,AB,

observ14,172.16.47.44,IP,high,medium,AB,TCP:8080

observ15,172.16.73.69,IP,medium,medium,AV,TCP:443|NOTE:Related to Flash exploitation

observ16,abc@def.com,mail-to,,high,AV,"NOTE:truncated; samples have appended to the subject the string ""PH000000NNNNNNN"" where NNNNNNN is a varying number"

observ34,stamdomain.com,domain,,,AB,

observ35,stamdomain.com,mail-from,high,medium,AV,

observ37,xyz.com,mail-from,medium,medium,AB,

observ38,@xyz.com,mail-from,medium,medium,AB,

observ39,a@xyz.com,mail-from,medium,medium,AB,

Example of a STIX 1.0 XML Indicator File

<stix:STIX_Package

    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xmlns:stix="http://stix.mitre.org/stix-1"

    xmlns:indicator="http://stix.mitre.org/Indicator-2"

    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"

    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"

    xmlns:cybox="http://cybox.mitre.org/cybox-2"

    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"

    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"

    xmlns:example="http://example.com/"

    xsi:schemaLocation="

    http://stix.mitre.org/stix-1 ../stix_core.xsd

    http://stix.mitre.org/Indicator-2 ../indicator.xsd

    http://stix.mitre.org/default_vocabularies-1 ../stix_default_vocabularies.xsd

    http://cybox.mitre.org/objects#FileObject-2 ../cybox/objects/File_Object.xsd

    http://cybox.mitre.org/default_vocabularies-2 ../cybox/cybox_default_vocabularies.xsd"

    id="example:STIXPackage-ac823873-4c51-4dd1-936e-a39d40151cc3"

    version="1.0.1">

    <stix:STIX_Header>

        <stix:Title>Example file watchlist</stix:Title>

        <stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Watchlist</stix:Package_Intent>

    </stix:STIX_Header>

    <stix:Indicators>

        <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-611935aa-4db5-4b63-88ac-ac651634f09b">

            <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>

            <indicator:Description>Indicator that contains malicious file hashes.</indicator:Description>

            <indicator:Observable id="example:Observable-c9ca84dc-4542-4292-af54-3c5c914ccbbc">

                <cybox:Object id="example:Object-c670b175-bfa3-48e9-a218-aa7c55f1f884">

                    <cybox:Properties xsi:type="FileObj:FileObjectType">

                        <FileObj:Hashes>

                            <cyboxCommon:Hash>

                                <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0" condition="Equals">MD5</cyboxCommon:Type>

                                <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">0522e955aaee70b102e843f14c13a92c##comma##0522e955aaee70b102e843f14c13a92d##comma##0522e955aaee70b102e843f14c13a92e</cyboxCommon:Simple_Hash_Value>

                            </cyboxCommon:Hash>

                        </FileObj:Hashes>

                    </cybox:Properties>

                </cybox:Object>

            </indicator:Observable>

        </stix:Indicator>

    </stix:Indicators>

</stix:STIX_Package>