Importing Threat Indicator Files through SmartConsole

When you manually upload threat indicator files through SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., the files must be in a CSV Check Point format or STIXClosed Structured Threat Information eXpression™. A language that describes cyber threat information in a standardized and structured way. XML (STIX 1.0) format. The files must contain records of equal size. If an IndicatorClosed Pattern of relevant observable malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it. file has records which do not have the same number of fields, it does not load.

  • Use commas to separate the fields in a record

  • Enter one record per line, or use '\n' to separate the records

  • If free text contains quotation marks, commas, or line breaks, it must be enclosed in quotation marks

  • To enclose part of free text in quotations, use double quotation marks: "<text>"

Step

Instructions

1

Go to the applicable profile > Indicators > Activation > make sure that Enable indicator scanning is selected.

2

Go to Security Policies > Threat Prevention > Policy > Custom Policy Tools > Indicators.

The Indicators page opens.

3

Click New, and select Import file.

The Indicator configuration window opens.

4

Enter a Name.

Each Indicator must have a unique name.

5

Enter Object Comment (optional).

6

Click Import to browse to the Indicator file.

The content of each file must be unique. You cannot load duplicate files.

7

8

Add Tag.

9

Click OK.

If you leave an optional field empty, a warning notifies you that the default values are used in the empty fields. Click OK. The Indicator file loads.

10

In SmartConsole, install the policy.

Step

Instructions

1

Select an Indicator.

2

Click Delete.

3

In the window that opens, click Yes to confirm.

You can edit properties of an Indicator object, except for the file it uses. If you want an Indicator to use a different file, you must delete it and create a new one.