Chinmaya_Naik
Advisor

Need Confirmation on Correct IOC CSV Format for Threat Prevention Policy

Dear Community Team,

We are currently facing an issue with installing the Threat Prevention policy and require your assistance to confirm the correct format for our IOC CSV file.

Here is the context of our current situation and the formats we are using:

Existing Format:

[Image: CSV format 1.jpg]

Wrong Format (Not sure):

[Image: CSV Format 3.jpg]

We are particularly concerned about the formats for different types of indicators such as FILENAME, Mutex, and Email. Furthermore, we want to ensure we are using the correct order of columns in our CSV file. Which of the following orders is correct?

  1. UNIQ-NAME, VALUE, TYPE, PRODUCT, CONFIDENCE, SEVERITY, COMMENT
  2. UNIQ-NAME, VALUE, TYPE, CONFIDENCE, SEVERITY, PRODUCT, COMMENT

Your assistance in confirming the correct format and order for the indicators will help ensure our configuration is compliant with the Check Point SmartConsole GUI client requirements.


Regards

@Chinmaya_Naik 

2 Replies
PhoneBoy
Admin

Chinmaya_Naik
Advisor

Hello Check Point Community,

Thank you @PhoneBoy Sir.

I recently encountered an issue with the installation of the Check Point Threat Prevention Policy and wanted to share the steps taken to resolve it. This might help others facing similar issues.

Issue: The Threat Prevention Policy installation failed due to incorrect formatting and unsupported types in our Custom Intelligence Feeds CSV file.

Solution: Through thorough review and correction, we successfully resolved the issue. Below are the detailed steps and technical explanations.

Step 1: Identify the Correct Order of Columns:

Correct Order:
Based on the Check Point R81.20 Threat Prevention Administration Guide, the CSV file must follow this column order:

  1. UNIQ-NAME
  2. VALUE
  3. TYPE
  4. CONFIDENCE
  5. SEVERITY
  6. PRODUCT
  7. COMMENT

Step 2: Supported Indicators and Types:

Supported Formats for Indicators:

  • URL
  • Domain
  • IP
  • IP Range
  • MD5
  • Mail-subject
  • Mail-from
  • Mail-to
  • Mail-cc
  • Mail-reply-to
  • SHA1 (in Security Gateway versions R80.40 and higher)
  • SHA256 (in Security Gateway versions R80.40 and higher)

Supported Types (in my issue):

  • URL
  • MD5
  • SHA1
  • SHA256

Unsupported Types (in my issue):

  • HASH
  • Mutex

Step 3: Review and Correct CSV File:

Corrections Made:

  • Ensured the columns followed the correct order.
  • Removed unsupported types (e.g., HASH and Mutex).
  • Verified that all indicators use supported types and formats.

Corrected Format:

UNIQ-NAME, VALUE, TYPE, CONFIDENCE, SEVERITY, PRODUCT, COMMENT
observ1,https://file.io/M9ofMokBC1TN,URL,High,High,AV,Malicious URL
observ2,http://117.253.14.152:57028/Mozi.a,URL,High,High,AV,Malicious URL
observ3,866a9452ac62e73773c09a1e0209142a,MD5,high,high,AV,Malicious Hash
observ4,4d50315e3841aeee6bb05f7529489939,MD5,high,high,AV,Malicious Hash
observ5,8f609f60dd82dc13878b1d82ebc56e5056cb9274234df1510ee737e62ba22aaa,SHA256,high,high,AV,Malicious Hash
observ6,90f7d3f354a1637d7467962fe87449532881d06ed76acaae696cc286cba02de7,SHA256,high,high,AV,Malicious Hash
observ7,5186eb42f2d1a652f9fee0cdf3788b492582aca0,SHA1,high,high,AV,Malicious Hash
observ8,2faff8718f8f0ee4dcd0be5eb987b77e47961742,SHA1,high,high,AV,Malicious Hash

Step 4: Import Corrected CSV File:

After making the necessary corrections, we imported the CSV file into the Check Point Threat Prevention system. The policy installation was successful without any errors.

Conclusion:

Ensuring the CSV file is formatted correctly and only includes supported indicator types is crucial for the successful installation of the Check Point Threat Prevention Policy. This process has strengthened our security posture and streamlined our threat prevention measures.

Regards

@Chinmaya_Naik 

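A small pre-flight validator for the feed format described in the reply above, added here as an example and not part of the original thread or of Check Point's own tooling: it checks each row for the seven-column layout, a TYPE from the supported list, and a hex digest of the right length for MD5/SHA1/SHA256 rows, so the HASH/Mutex rows that broke the install are caught before the policy push. The sample feed is constructed; comparing types and digests case-insensitively is an assumption.

```python
import csv
import io
import re

# Column order and supported indicator types as listed in the reply (R81.20 guide).
COLUMNS = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]
SUPPORTED_TYPES = {
    "URL", "DOMAIN", "IP", "IP RANGE", "MD5", "SHA1", "SHA256",
    "MAIL-SUBJECT", "MAIL-FROM", "MAIL-TO", "MAIL-CC", "MAIL-REPLY-TO",
}
# Expected hex-digest lengths for the hash types (assumption: case-insensitive match).
HASH_PATTERNS = {
    "MD5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "SHA1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "SHA256": re.compile(r"^[0-9a-f]{64}$", re.I),
}


def validate_feed(csv_text: str) -> list[str]:
    """Return a list of problems; an empty list means every row passed all checks."""
    problems = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != len(COLUMNS):
            problems.append(f"line {lineno}: expected {len(COLUMNS)} columns, got {len(row)}")
            continue
        value, itype = row[1].strip(), row[2].strip().upper()
        if itype not in SUPPORTED_TYPES:
            problems.append(f"line {lineno}: unsupported TYPE {row[2].strip()!r}")
            continue
        pattern = HASH_PATTERNS.get(itype)
        if pattern and not pattern.match(value):
            problems.append(f"line {lineno}: VALUE {value!r} is not a valid {itype} digest")
    return problems


# Constructed sample: two rows mirror the thread's corrected file; the rest
# reproduce the kinds of mistakes the reply says broke the policy install.
SAMPLE_FEED = """\
observ1,https://file.io/M9ofMokBC1TN,URL,High,High,AV,Malicious URL
observ3,866a9452ac62e73773c09a1e0209142a,MD5,high,high,AV,Malicious Hash
observ9,866a9452ac62e73773c09a1e0209142a,HASH,high,high,AV,Malicious Hash
observ10,ExampleMutexName,Mutex,high,high,AV,Malicious mutex
observ11,deadbeef,SHA256,high,high,AV,Truncated digest
observ12,866a9452ac62e73773c09a1e0209142a,MD5,high,high,AV
"""

if __name__ == "__main__":
    for problem in validate_feed(SAMPLE_FEED) or ["feed OK"]:
        print(problem)
```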