This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
VikingsFan
Collaborator
Monday

R81.20 and STIX File Imports (CISA)

Just starting to look into STIX files and getting our firewalls a little more smarter and importing feeds from outside sources.  My first task is to try and get the CISA alert STIX files imported.  I was hoping it was as easy as just importing the files but there looks to be specific CheckPoint values missing that is causing issues.  When I import the file, everything is assigned to the 'Anti-Virus' product and I assume that's why when I was testing with my IP, nothing was being detected.  I couldn't find a good example of how to get these categories set properly in my STIX file and/or if there was a way to easily massage the CISA (or other party) STIX files into a CheckPoint approved format?

For example, just playing with this latest notice and the STIX file attached: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

Was following this doc and see that IP should be set to Anti-Bot but just not sure how: https://support.checkpoint.com/results/sk/sk132193

See attached on how it imports.

We're running R81.20 for management and the gateways in the cluster.

Labels
Preview file
44 KB
0 Kudos
4 Replies
PhoneBoy
Admin
Admin
Monday

Looks like it's importing the file correctly.
Imported indicators will be enforced in Anti-Virus, so it's expected that will show.

Not clear what it is you are expecting to see here.

0 Kudos
VikingsFan
Collaborator
Tuesday
In response to PhoneBoy

Hi PhoneBoy,

When the observables were loaded and I tested against my IP accessing a web server in our DMZ, there were no detects on my IP which made me believe that it is not working properly.  My theory was, after reading SK132193, the observables needed to be assigned the correct software blade.  For an IP, according to the SK, it should be on the Anti-Bot and not the Anti-Virus, which is what it defaulted to.

 

Observable TypeSoftware BladeFull Software Blade Name
URLAV/ABAnti-Virus / Anti-Bot
DomainAV/ABAnti-Virus / Anti-Bot
IPABAnti-Bot
IP RangeABAnti-Bot
MD5AVAnti-Virus
Mail-subjectAV/ABAnti-Virus / Anti-Bot
Mail-fromAV/ABAnti-Virus / Anti-Bot
Mail-toAV/ABAnti-Virus / Anti-Bot
Mail-ccAV/ABAnti-Virus / Anti-Bot
Mail-reply-toAV/ABAnti-Virus / Anti-Bot
SHA1AVAnti-Virus
SHA256AVAnti-Virus
SnortIPSIPS
0 Kudos
VikingsFan
Collaborator
Tuesday
In response to PhoneBoy

I just did a CSV import with my IP and assigned it the Anti-Bot for the Product instead of the default Anti-Virus and I'm still not getting any detects when browsing to our web servers.  Maybe it doesn't work as I think it would?  Do the threat indicators detect/prevent inbound connections?  I did confirm that my Bot and Virus profiles have the 'Enable Indicator Scanning' checked.

0 Kudos
PhoneBoy
Admin
Admin
Wednesday
In response to VikingsFan

It's supposed to block inbound connections (as of R81), yes.
Recommend engaging with TAC here: https://help.checkpoint.com

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events