Supported Indicator Files

Indicator files must be in CSV or STIX XML (STIX 1.0) format. An Indicator is a pattern of relevant observable malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it. STIX (Structured Threat Information eXpression™) is a language that describes cyber threat information in a standardized and structured way.

Each record in the CSV Check Point format and in the STIX XML (STIX 1.0) format must have these fields (files in other CSV formats do not have to include all these fields; see Importing Threat Indicator Files through the CLI and Importing External Custom Intelligence Feeds in CLI).

Notes:

  • As of this release, STIX 2.0 (JSON file) is not supported.

  • Custom Indicators CLI (load_indicators) are not supported.

  • The supported STIX elements are:

    stix:STIX_Package

    stix:STIX_Header

    stix:Title

    stix:Description

    stix:Indicators

    stix:Indicator

    indicator:Title

    indicator:Type

    indicator:Description

    indicator:Observable (an Observable is an event or stateful property that can be observed in an operational cyber domain)

    cybox:Object

    cybox:Properties

    FileObj:Hashes

     

    cyboxCommon:Hash

    cyboxCommon:Type

    cyboxCommon:Simple_Hash_Value

    stix:Observables

    cybox:Observable

    URIObj:Value

    URIObject:Value

    AddressObject:Address_Value

    AddressObj:Address_Value

    AddressObj:AddressObjectType

    AddressObjet:AddressObjectType

    cybox:Title

    Condition Type Enum and Condition Application Enum support Equals and Any.

    <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">
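A pre-import check built from the list above, as an added example (not Check Point code): it walks a STIX 1.0 XML file and reports any element outside the supported list, and any `condition` or `apply_condition` value other than `Equals` and `ANY`. It assumes names are compared with the prefixes written in the file, as in the list, and the function name `check_stix` and the sample document are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

# Element names copied from the supported list on this page (prefix:local form).
SUPPORTED = set("""
stix:STIX_Package stix:STIX_Header stix:Title stix:Description stix:Indicators
stix:Indicator indicator:Title indicator:Type indicator:Description
indicator:Observable cybox:Object cybox:Properties FileObj:Hashes
cyboxCommon:Hash cyboxCommon:Type cyboxCommon:Simple_Hash_Value
stix:Observables cybox:Observable URIObj:Value URIObject:Value
AddressObject:Address_Value AddressObj:Address_Value
AddressObj:AddressObjectType AddressObjet:AddressObjectType cybox:Title
""".split())

# Constructed sample, not schema-complete: one unsupported element and one unsupported condition.
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:indicator="http://stix.mitre.org/Indicator-2"
 xmlns:cybox="http://cybox.mitre.org/cybox-2"
 xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
 xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2">
 <stix:Indicators><stix:Indicator>
  <indicator:Title>constructed sample</indicator:Title>
  <indicator:Confidence/>
  <indicator:Observable><cybox:Object><cybox:Properties><FileObj:Hashes><cyboxCommon:Hash>
   <cyboxCommon:Type condition="Contains">MD5</cyboxCommon:Type>
   <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">00000000000000000000000000000000</cyboxCommon:Simple_Hash_Value>
  </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable>
 </stix:Indicator></stix:Indicators></stix:STIX_Package>"""

def check_stix(xml_text):
    """Return (unsupported element names, unsupported condition attributes)."""
    prefixes, bad_elems, bad_conds = {}, [], []
    events = ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns", "start"))
    for event, item in events:
        if event == "start-ns":  # item is (prefix, uri) as declared in the file
            prefixes[item[1]] = item[0]
            continue
        uri, local = item.tag[1:].split("}", 1) if item.tag[0] == "{" else ("", item.tag)
        qname = f"{prefixes.get(uri, '?')}:{local}"
        if qname not in SUPPORTED:
            bad_elems.append(qname)
        for attr, ok in (("condition", "Equals"), ("apply_condition", "ANY")):
            value = item.get(attr)
            if value is not None and value != ok:
                bad_conds.append((qname, attr, value))
    return bad_elems, bad_conds
```

For feeds from untrusted sources, parse with a hardened XML library such as defusedxml rather than the standard-library parser.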