https://community.checkpoint.com/t5/General-Topics/Need-Confirmation-on-Correct-IOC-CSV-Format-for-Threat/m-p/222674#M37076 <P>Hello Check Point Community,</P> <P>Thank you&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;Sir.</P> <P>I recently encountered an issue with the installation of the Check Point Threat Prevention Policy and wanted to share the steps taken to resolve it. This might help others facing similar issues.</P> <P><STRONG>Issue:&nbsp;</STRONG>The Threat Prevention Policy installation failed due to incorrect formatting and unsupported types in our Custom Intelligence Feeds CSV file.</P> <P><STRONG>Solution</STRONG>: Through thorough review and correction, we successfully resolved the issue. Below are the detailed steps and technical explanations.</P> <P><U><STRONG>Step 1: Identify the Correct Order of Columns:</STRONG></U></P> <P><STRONG>Correct Order:</STRONG><BR />Based on the Check Point R81.20 Threat Prevention Administration Guide, the CSV file must follow this column order:</P> <OL> <LI>UNIQ-NAME</LI> <LI>VALUE</LI> <LI>TYPE</LI> <LI>CONFIDENCE</LI> <LI>SEVERITY</LI> <LI>PRODUCT</LI> <LI>COMMENT</LI> </OL> <P><U>S<STRONG>tep 2: Supported Indicators and Types:</STRONG></U></P> <P>Supported Formats for Indicators:</P> <UL> <LI>URL</LI> <LI>Domain</LI> <LI>IP</LI> <LI>IP Range</LI> <LI>MD5</LI> <LI>Mail-subject</LI> <LI>Mail-from</LI> <LI>Mail-to</LI> <LI>Mail-cc</LI> <LI>Mail-reply-to</LI> <LI>SHA1 (in Security Gateway versions R80.40 and higher)</LI> <LI>SHA256 (in Security Gateway versions R80.40 and higher)</LI> </UL> <P><STRONG>Supported Types: (In my Issue)</STRONG></P> <UL> <LI>URL</LI> <LI>MD5</LI> <LI>SHA1</LI> <LI>SHA256</LI> </UL> <P><STRONG>Unsupported Types: (In my Issue)</STRONG></P> <UL> <LI>HASH</LI> <LI>Mutex</LI> </UL> <P><U><STRONG>Step 3: Review and Correct CSV File:</STRONG></U></P> <P><STRONG>Corrections Made:</STRONG></P> <UL> <LI>Ensured the columns followed the correct order.</LI> <LI>Removed unsupported types (e.g., HASH and Mutex).</LI> <LI>Verified that all indicators use supported types and formats.</LI> </UL> <P><STRONG>Corrected Format:</STRONG></P> <TABLE width="946"> <TBODY> <TR> <TD width="90">UNIQ-NAME</TD> <TD width="474">VALUE</TD> <TD width="64">TYPE</TD> <TD width="87">CONFIDENCE</TD> <TD width="64">SEVERITY</TD> <TD width="67">PRODUCT</TD> <TD width="100">COMMENT</TD> </TR> <TR> <TD>observ1</TD> <TD>&nbsp;<A href="https://file.io/M9ofMokBC1TN" target="_blank" rel="noopener">https://file.io/M9ofMokBC1TN</A></TD> <TD>&nbsp;URL</TD> <TD>&nbsp;High</TD> <TD>&nbsp;High</TD> <TD>&nbsp;AV</TD> <TD>&nbsp;Malicious URL</TD> </TR> <TR> <TD>observ2</TD> <TD>&nbsp;<A href="http://117.253.14.152:57028/Mozi.a" target="_blank" rel="noopener">http://117.253.14.152:57028/Mozi.a</A></TD> <TD>&nbsp;URL</TD> <TD>&nbsp;High</TD> <TD>&nbsp;High</TD> <TD>&nbsp;AV</TD> <TD>&nbsp;Malicious URL</TD> </TR> <TR> <TD>observ3</TD> <TD>866a9452ac62e73773c09a1e0209142a</TD> <TD>MD5</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> <TR> <TD>observ4</TD> <TD>4d50315e3841aeee6bb05f7529489939</TD> <TD>MD5</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> <TR> <TD>observ5</TD> <TD>8f609f60dd82dc13878b1d82ebc56e5056cb9274234df1510ee737e62ba22aaa</TD> <TD>SHA256</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> <TR> <TD>observ6</TD> <TD>90f7d3f354a1637d7467962fe87449532881d06ed76acaae696cc286cba02de7</TD> <TD>SHA256</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> <TR> <TD>observ7</TD> <TD>5186eb42f2d1a652f9fee0cdf3788b492582aca0</TD> <TD>SHA1</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> <TR> <TD>observ8</TD> <TD>2faff8718f8f0ee4dcd0be5eb987b77e47961742</TD> <TD>SHA1</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> </TBODY> </TABLE> <PRE>&nbsp;</PRE> <P><STRONG>&nbsp;Step 4: Import Corrected CSV File:</STRONG></P> <P>After making the necessary corrections, we imported the CSV file into the Check Point Threat Prevention system. The policy installation was successful without any errors.</P> <P><STRONG>Conclusion:</STRONG></P> <P>Ensuring the CSV file is formatted correctly and only includes supported indicator types is crucial for the successful installation of the Check Point Threat Prevention Policy. This process has strengthened our security posture and streamlined our threat prevention measures.</P> <P>Regards</P> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/25509">@Chinmaya_Naik</a>&nbsp;</P> Mon, 05 Aug 2024 05:59:34 GMT Chinmaya_Naik 2024-08-05T05:59:34Z https://community.checkpoint.com/t5/General-Topics/Need-Confirmation-on-Correct-IOC-CSV-Format-for-Threat/m-p/221513#M36935 <P>Dear Community Team,</P> <P>We are currently facing an issue with installing the Threat Prevention policy and require your assistance to confirm the correct format for our IOC CSV file.</P> <P>Here is the context of our current situation and the formats we are using:</P> <P><FONT face="arial black,avant garde"><STRONG>Existing Format:</STRONG></FONT></P> <P><FONT face="arial black,avant garde"><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CSV format 1.jpg" style="width: 738px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26915i9CDA966C110DE296/image-size/large?v=v2&amp;px=999" role="button" title="CSV format 1.jpg" alt="CSV format 1.jpg" /></span></STRONG></FONT></P> <P><U><FONT face="arial black,avant garde"><STRONG>Wrong Format (Not sure):</STRONG></FONT></U></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CSV Format 3.jpg" style="width: 759px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26914iECD65A88F97AE9BE/image-size/large?v=v2&amp;px=999" role="button" title="CSV Format 3.jpg" alt="CSV Format 3.jpg" /></span></P> <P>We are particularly concerned about the formats for different types of indicators such as <CODE>FILENAME</CODE>, <CODE>Mutex</CODE>, and <CODE>Email</CODE>. Furthermore, we want to ensure we are using the correct order of columns in our CSV file. Which of the following orders is correct?</P> <OL> <LI><CODE>UNIQ-NAME, VALUE, TYPE, PRODUCT, CONFIDENCE, SEVERITY, COMMENT</CODE></LI> <LI><CODE>UNIQ-NAME, VALUE, TYPE, CONFIDENCE, SEVERITY, PRODUCT, COMMENT</CODE></LI> </OL> <P>Your assistance in confirming the correct format and order for the indicators will help ensure our configuration is compliant with the Checkpoint SmartConsole GUI client requirements.</P> <P>&nbsp;</P> <P>Regards</P> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/25509">@Chinmaya_Naik</a>&nbsp;</P> <P><CODE></CODE></P> <P><CODE></CODE><CODE></CODE><CODE></CODE></P> Mon, 22 Jul 2024 05:35:52 GMT https://community.checkpoint.com/t5/General-Topics/Need-Confirmation-on-Correct-IOC-CSV-Format-for-Threat/m-p/221513#M36935 Chinmaya_Naik 2024-07-22T05:35:52Z https://community.checkpoint.com/t5/General-Topics/Need-Confirmation-on-Correct-IOC-CSV-Format-for-Threat/m-p/221557#M36944 <P>The exact format is in the Product Documentation:&nbsp;<A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/Content/Topics-TPG/Supported-Indicator-Files-Custom.htm?tocpath=Custom%20Threat%20Prevention%7CConfiguring%20Advanced%20Threat%20Prevention%20Settings%7CConfiguring%20Threat%20Indicators%7C_____1" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/Content/Topics-TPG/Supported-Indicator-Files-Custom.htm?tocpath=Custom%20Threat%20Prevention%7CConfiguring%20Advanced%20Threat%20Prevention%20Settings%7CConfiguring%20Threat%20Indicators%7C_____1</A>&nbsp;</P> Mon, 22 Jul 2024 12:56:59 GMT https://community.checkpoint.com/t5/General-Topics/Need-Confirmation-on-Correct-IOC-CSV-Format-for-Threat/m-p/221557#M36944 PhoneBoy 2024-07-22T12:56:59Z https://community.checkpoint.com/t5/General-Topics/Need-Confirmation-on-Correct-IOC-CSV-Format-for-Threat/m-p/222674#M37076 <P>Hello Check Point Community,</P> <P>Thank you&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;Sir.</P> <P>I recently encountered an issue with the installation of the Check Point Threat Prevention Policy and wanted to share the steps taken to resolve it. This might help others facing similar issues.</P> <P><STRONG>Issue:&nbsp;</STRONG>The Threat Prevention Policy installation failed due to incorrect formatting and unsupported types in our Custom Intelligence Feeds CSV file.</P> <P><STRONG>Solution</STRONG>: Through thorough review and correction, we successfully resolved the issue. Below are the detailed steps and technical explanations.</P> <P><U><STRONG>Step 1: Identify the Correct Order of Columns:</STRONG></U></P> <P><STRONG>Correct Order:</STRONG><BR />Based on the Check Point R81.20 Threat Prevention Administration Guide, the CSV file must follow this column order:</P> <OL> <LI>UNIQ-NAME</LI> <LI>VALUE</LI> <LI>TYPE</LI> <LI>CONFIDENCE</LI> <LI>SEVERITY</LI> <LI>PRODUCT</LI> <LI>COMMENT</LI> </OL> <P><U>S<STRONG>tep 2: Supported Indicators and Types:</STRONG></U></P> <P>Supported Formats for Indicators:</P> <UL> <LI>URL</LI> <LI>Domain</LI> <LI>IP</LI> <LI>IP Range</LI> <LI>MD5</LI> <LI>Mail-subject</LI> <LI>Mail-from</LI> <LI>Mail-to</LI> <LI>Mail-cc</LI> <LI>Mail-reply-to</LI> <LI>SHA1 (in Security Gateway versions R80.40 and higher)</LI> <LI>SHA256 (in Security Gateway versions R80.40 and higher)</LI> </UL> <P><STRONG>Supported Types: (In my Issue)</STRONG></P> <UL> <LI>URL</LI> <LI>MD5</LI> <LI>SHA1</LI> <LI>SHA256</LI> </UL> <P><STRONG>Unsupported Types: (In my Issue)</STRONG></P> <UL> <LI>HASH</LI> <LI>Mutex</LI> </UL> <P><U><STRONG>Step 3: Review and Correct CSV File:</STRONG></U></P> <P><STRONG>Corrections Made:</STRONG></P> <UL> <LI>Ensured the columns followed the correct order.</LI> <LI>Removed unsupported types (e.g., HASH and Mutex).</LI> <LI>Verified that all indicators use supported types and formats.</LI> </UL> <P><STRONG>Corrected Format:</STRONG></P> <TABLE width="946"> <TBODY> <TR> <TD width="90">UNIQ-NAME</TD> <TD width="474">VALUE</TD> <TD width="64">TYPE</TD> <TD width="87">CONFIDENCE</TD> <TD width="64">SEVERITY</TD> <TD width="67">PRODUCT</TD> <TD width="100">COMMENT</TD> </TR> <TR> <TD>observ1</TD> <TD>&nbsp;<A href="https://file.io/M9ofMokBC1TN" target="_blank" rel="noopener">https://file.io/M9ofMokBC1TN</A></TD> <TD>&nbsp;URL</TD> <TD>&nbsp;High</TD> <TD>&nbsp;High</TD> <TD>&nbsp;AV</TD> <TD>&nbsp;Malicious URL</TD> </TR> <TR> <TD>observ2</TD> <TD>&nbsp;<A href="http://117.253.14.152:57028/Mozi.a" target="_blank" rel="noopener">http://117.253.14.152:57028/Mozi.a</A></TD> <TD>&nbsp;URL</TD> <TD>&nbsp;High</TD> <TD>&nbsp;High</TD> <TD>&nbsp;AV</TD> <TD>&nbsp;Malicious URL</TD> </TR> <TR> <TD>observ3</TD> <TD>866a9452ac62e73773c09a1e0209142a</TD> <TD>MD5</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> <TR> <TD>observ4</TD> <TD>4d50315e3841aeee6bb05f7529489939</TD> <TD>MD5</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> <TR> <TD>observ5</TD> <TD>8f609f60dd82dc13878b1d82ebc56e5056cb9274234df1510ee737e62ba22aaa</TD> <TD>SHA256</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> <TR> <TD>observ6</TD> <TD>90f7d3f354a1637d7467962fe87449532881d06ed76acaae696cc286cba02de7</TD> <TD>SHA256</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> <TR> <TD>observ7</TD> <TD>5186eb42f2d1a652f9fee0cdf3788b492582aca0</TD> <TD>SHA1</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> <TR> <TD>observ8</TD> <TD>2faff8718f8f0ee4dcd0be5eb987b77e47961742</TD> <TD>SHA1</TD> <TD>high</TD> <TD>high</TD> <TD>AV</TD> <TD>Malicious Hash</TD> </TR> </TBODY> </TABLE> <PRE>&nbsp;</PRE> <P><STRONG>&nbsp;Step 4: Import Corrected CSV File:</STRONG></P> <P>After making the necessary corrections, we imported the CSV file into the Check Point Threat Prevention system. The policy installation was successful without any errors.</P> <P><STRONG>Conclusion:</STRONG></P> <P>Ensuring the CSV file is formatted correctly and only includes supported indicator types is crucial for the successful installation of the Check Point Threat Prevention Policy. This process has strengthened our security posture and streamlined our threat prevention measures.</P> <P>Regards</P> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/25509">@Chinmaya_Naik</a>&nbsp;</P> Mon, 05 Aug 2024 05:59:34 GMT https://community.checkpoint.com/t5/General-Topics/Need-Confirmation-on-Correct-IOC-CSV-Format-for-Threat/m-p/222674#M37076 Chinmaya_Naik 2024-08-05T05:59:34Z