Importing Threat Indicator Files through SmartConsole
When you manually upload threat indicator files through SmartConsole, the files must be in a CSV Check Point format or STIX (Structured Threat Information eXpression) XML (STIX 1.0) format. The files must contain records of equal size. If an indicator file has records which do not have the same number of fields, it does not load.
Before you start - Go to the applicable profile > Indicators > Activation > make sure that Enable indicator scanning is selected.
| Step | Instructions |
|---|---|
| 1 | In the SmartConsole main view, go to Security Policies > Threat Prevention > Custom Policy > Custom Policy Tools > Indicators. |
| 2 | Click New, and select Import file. The Indicator configuration window opens. |
| 3 | Enter a Name. Each Indicator must have a unique name. |
| 4 | Enter Object Comment (optional). |
| 5 | Click Import to browse to the Indicator file. The content of each file must be unique. You cannot load duplicate files. |
| 6 | Select an action for this Indicator: |
| 7 | Add Tag. |
| 8 | Click OK. If you leave an optional field empty, a warning notifies you that the default values are used in the empty fields. Click OK. The Indicator file loads. |
| 9 | Install the Threat Prevention Policy. |
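A pre-import check for the two file rules stated above (every record has the same number of fields, and no two files have the same content), as an added example that is not Check Point code. The column names, the `#` comment convention and the use of SHA-256 to compare file content are assumptions, and the sample records are constructed.

```python
import csv
import hashlib


def check_indicator_csv(text, known_hashes=frozenset()):
    """Check one CSV indicator file before import.

    Returns (ok, problems, sha256_hex). known_hashes holds the digests of
    files already imported (assumption: a duplicate means identical bytes).
    """
    problems = []
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    if digest in known_hashes:
        problems.append("duplicate content: file already imported")

    expected = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Assumption: blank lines and lines starting with '#' are not records.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # csv.reader keeps a quoted comma inside one field.
        fields = next(csv.reader([line]))
        if expected is None:
            expected = len(fields)  # first record sets the record size
        elif len(fields) != expected:
            problems.append(
                f"line {line_no}: {len(fields)} fields, expected {expected}"
            )
    if expected is None:
        problems.append("no records found")
    return (not problems, problems, digest)


# Constructed sample: the last record is one field short.
SAMPLE = (
    "#NAME,VALUE,TYPE,COMMENT\n"
    "obs1,198.51.100.7,IP,constructed sample\n"
    'obs2,example.test,Domain,"quoted, with comma"\n'
    "obs3,203.0.113.9,IP\n"
)

if __name__ == "__main__":
    ok, problems, digest = check_indicator_csv(SAMPLE)
    print("OK" if ok else "REJECT", digest[:12])
    for p in problems:
        print(" ", p)
```
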

| Step | Instructions |
|---|---|
| 1 | Select an Indicator. |
| 2 | Click Delete. |
| 3 | In the window that opens, click Yes to confirm. |

You can edit properties of an Indicator object, except for the file it uses. If you want an Indicator to use a different file, you must delete it and create a new one.