Importing Threat Indicator Files through the CLI

You can upload indicator files through the CLI in Check Point CSV format and other CSV formats, and in STIXClosed Structured Threat Information eXpression™. A language that describes cyber threat information in a standardized and structured way. XML (STIX 1.0) format.

  • URL - HTTP/HTTPS (transport http --resource http://10.0.0.1/my_feeds/stix_feed.xml)
    *Self-signed certificate HTTPS resource prompts for a user agreement to update the bundle.

    You can skip the certificate verification by running
    "export EXT_IOC_NO_SSL_VALIDATION=1"     on the gateway.

  • File on the gateway (--transport local_file --resource "/home/admin/my_feed.csv")

  • Directory on the gateway, which contains the same feed_format - (--transport local_directory --resource "/home/admin/my_feed_folder")

Use these commands to upload and manage threat indicator files through the CLI.

Parameter

Description

Example

push

Push feeds now

ioc_feeds push

show

Print all existing feeds

ioc_feeds show

show --feed_name <feed>

Print specific feed details 

ioc_feeds show --feed_name local_feed

show_interval 

Print fetching interval 

ioc_feeds show_interval 

set_interval sec

Set interval for fetching in seconds

*Feed fetching interval - the same for all feeds

ioc_feeds set_interval 1000 

show_scanning_mode 

Print scanning mode 

ioc_feeds show_scanning_mode 

set_scanning_mode 

Set scanning mode - on/off 

ioc_feeds set_scanning_mode off

add

Add a new feed

Mandatory fields:

--feed_name <feed>

--transport <http/https/local_file/local_directory>

--resource <url/full_path>

Optional fields:

--state <true/false> - Active/inactive. Default = true.

--feed_action <Prevent/Detect/Ask> - Default = PreventClosed UserCheck rule action that blocks traffic and files and can show a UserCheck message.

--user_name <user> - Prompt for password appears

--proxy <none> - Do not use proxy

--proxy <proxy:port> - Override gateway proxy for feed

(If you do not specify a proxy flag - the gateway proxy is used)

--proxy_user_name <user> - Prompt for password appears

--test true - Test feed fetching and parsing

Examples:

ioc_feeds add --feed_name local_feed --transport local_file --resource /home/admin/my_feed.csv

ioc_feeds add --feed_name remote_feed --transport http --resource 10.0.0.1/my_feeds/stix_feed.xml --proxy 127.10.10.1:8080 --state false -feed_action detect --user_name admin@checkpoint.com

modify

Modify existing feed

Fields that are not mentioned stay as they were before

ioc_feeds modify --feed_name local_feed --state true

delete

Delete existing feed

ioc_feeds delete --feed_name local_feed

  • [Expert@HostName:0]# ioc_feeds add --feed_name remote_csv_feed --transport http --resource "http://10.10.1.100/ioc/ioc_csv_file.csv" --feed_action Prevent
  • [Expert@HostName:0]# ioc_feeds add --feed_name ioc_stix_file --transport local_file --resource "/home/admin/ioc/ioc_stix_file.xml"
  • [Expert@HostName:0]# ioc_feeds show
  • [Expert@HostName:0]# ioc_feeds delete --feed_name ioc_stix_file
  • [Expert@HostName:0]# ioc_feeds add --feed_name remote_stix_file --transport http --resource "http://www.public_indicators.com/ioc_stix_file.xml" --test true