Importing Threat Indicator Files through the CLI
You can upload indicator files through the CLI in Check Point CSV format and other CSV formats, and in STIX (Structured Threat Information eXpression, a language that describes cyber threat information in a standardized and structured way) XML format (STIX 1.0).
The `--resource` argument can point to one of these locations:

- A URL over HTTP/HTTPS: `--transport http --resource http://10.0.0.1/my_feeds/stix_feed.xml`
  *An HTTPS resource with a self-signed certificate prompts for a user agreement to update the bundle. You can skip the certificate verification by running `export EXT_IOC_NO_SSL_VALIDATION=1` on the gateway. With verification skipped, anyone who can intercept the connection to the feed server can substitute the indicators the gateway imports, so keep this to testing.
- A file on the gateway: `--transport local_file --resource "/home/admin/my_feed.csv"`
- A directory on the gateway whose files all have the same feed_format: `--transport local_directory --resource "/home/admin/my_feed_folder"`
Use these commands to upload and manage threat indicator files through the CLI.
Parameter | Description | Example
---|---|---
 | Push feeds now | 
`ioc_feeds show` | Print all existing feeds | `ioc_feeds show`
 | Print specific feed details | 
 | Print fetching interval | 
 | Set interval for fetching in seconds. *The feed fetching interval is the same for all feeds | 
 | Print scanning mode | 
 | Set scanning mode (on/off) | 
`ioc_feeds add` | Add a new feed. Mandatory fields: `--feed_name`, `--transport`, `--resource`. Optional fields include `--feed_action`, `--test` and the proxy flags (if you do not specify a proxy flag, the gateway proxy is used) | `ioc_feeds add --feed_name remote_csv_feed --transport http --resource "http://10.10.1.100/ioc/ioc_csv_file.csv" --feed_action Prevent`
 | Modify an existing feed. Fields that are not mentioned stay as they were before | 
`ioc_feeds delete` | Delete an existing feed | `ioc_feeds delete --feed_name ioc_stix_file`
Examples:

- Add a new remote feed:
  `[Expert@HostName:0]# ioc_feeds add --feed_name remote_csv_feed --transport http --resource "http://10.10.1.100/ioc/ioc_csv_file.csv" --feed_action Prevent`
- Add a new local feed:
  `[Expert@HostName:0]# ioc_feeds add --feed_name ioc_stix_file --transport local_file --resource "/home/admin/ioc/ioc_stix_file.xml"`
- Print existing feeds:
  `[Expert@HostName:0]# ioc_feeds show`
- Delete a feed:
  `[Expert@HostName:0]# ioc_feeds delete --feed_name ioc_stix_file`
- Test feed fetching and parsing (`--test true`):
  `[Expert@HostName:0]# ioc_feeds add --feed_name remote_stix_file --transport http --resource "http://www.public_indicators.com/ioc_stix_file.xml" --test true`
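The `--test true` run above exercises fetching and parsing on the gateway itself. The script below is an added example, not Check Point code, for checking a STIX 1.x XML feed offline before that step: it walks every CybOX `Properties` element in the package (using the standard STIX 1.x and CybOX 2.x namespace URIs), lists each IP, domain, URL and file-hash value, and flags values that are malformed for their type. The embedded package is constructed for the example, and the validation rules (parsable IP address, hostname syntax, http(s) scheme, 32-hex-digit MD5) are the script's own sanity checks, not the gateway's acceptance rules.

```python
"""Offline pre-check of a STIX 1.x XML indicator feed before it is given to ioc_feeds.
Added example, not Check Point code; its checks are sanity rules, not the gateway's own."""
import ipaddress
import re
import sys
import xml.etree.ElementTree as ET

# Standard STIX 1.x / CybOX 2.x namespace URIs; ElementTree matches on the URI, not the prefix.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
}

# Constructed sample package: four well-formed indicators and one with a malformed IP address.
SAMPLE_FEED = """<stix:STIX_Package version="1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
      <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
        <AddressObj:Address_Value>203.0.113.10</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
      <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
        <DomainNameObj:Value>c2.example.net</DomainNameObj:Value>
      </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
      <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
        <URIObj:Value>http://c2.example.net/gate.php</URIObj:Value>
      </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
      <cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes><cyboxCommon:Hash>
        <cyboxCommon:Type>MD5</cyboxCommon:Type><cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
      </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable><cybox:Object>
      <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
        <AddressObj:Address_Value>203.0.113.999</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def extract_indicators(xml_text):
    """Return (kind, value) pairs for every CybOX Properties element in the package."""
    found = []
    for props in ET.fromstring(xml_text).iterfind(".//cybox:Properties", NS):
        for kind, path in (("ip", "AddressObj:Address_Value"), ("domain", "DomainNameObj:Value"),
                           ("url", "URIObj:Value")):
            value = props.findtext(path, namespaces=NS)
            if value is not None:
                found.append((kind, value.strip()))
        for h in props.iterfind("FileObj:Hashes/cyboxCommon:Hash", NS):
            htype = h.findtext("cyboxCommon:Type", default="", namespaces=NS).strip().lower()
            hval = h.findtext("cyboxCommon:Simple_Hash_Value", default="", namespaces=NS).strip()
            found.append((htype or "hash", hval))
    return found

def problem_for(kind, value):
    """Return why a value is malformed for its kind, or None if it looks well-formed."""
    if not value:
        return "empty value"
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return "not an IP address"
    elif kind == "domain" and not HOSTNAME_RE.match(value):
        return "not a hostname"
    elif kind == "url" and not value.lower().startswith(("http://", "https://")):
        return "URL without an http(s) scheme"
    elif kind == "md5" and not MD5_RE.match(value):
        return "not a 32-hex-digit MD5"
    return None

def check_feed(xml_text):
    """Return (ok, problems): well-formed (kind, value) pairs and (kind, value, reason) triples."""
    ok, problems = [], []
    for kind, value in extract_indicators(xml_text):
        reason = problem_for(kind, value)
        (problems if reason else ok).append((kind, value, reason) if reason else (kind, value))
    return ok, problems

if __name__ == "__main__":
    # Pass a feed path to check a real file; with no argument the constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FEED
    ok, problems = check_feed(text)
    for kind, value in ok:
        print(f"OK       {kind:7} {value}")
    for kind, value, reason in problems:
        print(f"PROBLEM  {kind:7} {value!r}: {reason}")
    sys.exit(1 if problems else 0)
```

Run it against the feed file before handing the same file to `ioc_feeds add`; a non-zero exit means at least one observable carried a value that is malformed for its type (in the sample, the `203.0.113.999` address). Matching on namespace URIs rather than prefixes matters because feeds from different producers declare the same STIX and CybOX namespaces under different prefixes.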