IOC Management

IoC stands for Indicator of Compromise. Indicators arrive from various sources: threat-intelligence feeds on the Internet, your own research, and so on. These indicators are not detected by the default protections, but you may still want to block them. For example, if you receive an indication that a particular URL is malicious, you can have the system block access to it by tagging the URL as an Indicator of Compromise (IoC). Often an IoC feed (IoC cloud) updates the organization's endpoints automatically, so you do not need to define these indicators manually.

To configure an IoC:

  1. In Infinity Portal, go to Policy > Threat Prevention.

  2. In the toolbar, select Manage IoC. Changes made here take effect without installing policy.

  3. In the table that appears, manually add new Indicators of Compromise by type: URL, Domain, IP, SHA1 Hash, MD5 Hash.

    Examples (these values illustrate the accepted format only; 192.168.1.1 is a private RFC 1918 address and checkpoint.com is the vendor's own domain, so do not add them as real blocks):

    IoC Type      Example
    Domain        checkpoint.com
    IP Address    192.168.1.1
    URL           checkpoint.com/test.htm
    MD5 Hash      2eb040283b008eee17aa2988ece13152
    SHA1 Hash     510ce67048d3e7ec864471831925f12e79b4d70f

  4. Hover over the icon next to Type to view the capabilities required for each type.

  5. You can also upload your own manually prepared CSV file of indicators.

Note - To use IoC Management, the endpoint client version must be later than E86.20.
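Before adding indicators by hand or uploading a CSV, it pays to check that each value is well formed for one of the five types the table accepts, because a truncated hash or a mistyped IP silently blocks nothing. The following script is an added example, not Check Point's code: it classifies a list of candidate indicators into the table's types (URL, Domain, IP, SHA1 Hash, MD5 Hash), rejects values that fit none of them, warns about syntactically valid but almost certainly unwanted blocks such as private or loopback addresses, deduplicates, and writes the result as CSV. The two-column layout (type,value) and the scheme-less URL form are assumptions modelled on the table's examples; the page does not document the import format, so confirm it against the portal's upload dialog before relying on it.

```python
"""Validate candidate Indicators of Compromise and emit them as CSV.

Added example (not Check Point code). Supported types mirror the IoC
Management table: URL, Domain, IP, SHA1 Hash, MD5 Hash. The CSV column
layout (type,value) is an assumption, not the documented import format.
"""
import csv
import io
import ipaddress
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Hostname: one or more labels of letters/digits/hyphens, then an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$"
)


def classify(value):
    """Return (ioc_type, normalized_value, warning_or_None) or raise ValueError.

    ioc_type is one of the labels used in the IoC Management table.
    """
    v = value.strip()
    if not v:
        raise ValueError("empty indicator")
    if MD5_RE.match(v):
        return "MD5 Hash", v.lower(), None
    if SHA1_RE.match(v):
        return "SHA1 Hash", v.lower(), None
    # A pure hex string of any other length is a truncated hash or an
    # unsupported algorithm (e.g. SHA-256); fail loudly rather than guess.
    if re.fullmatch(r"[0-9a-fA-F]+", v):
        raise ValueError(f"hash of unsupported length {len(v)}: {v}")
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        warning = None
        if ip.is_private or ip.is_loopback or ip.is_unspecified:
            warning = f"{v} is a private/loopback address; blocking it will hit internal traffic"
        return "IP", str(ip), warning
    # Drop any scheme so URLs match the table's scheme-less example form (assumption).
    host_and_path = re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", "", v)
    host, sep, path = host_and_path.partition("/")
    host = host.lower()
    if not DOMAIN_RE.match(host):
        raise ValueError(f"not a hash, IP, domain or URL: {value}")
    if sep:
        return "URL", host + sep + path, None
    return "Domain", host, None


def build_ioc_csv(candidates):
    """Classify each candidate; return (csv_text, rejected, warnings).

    Duplicates (after normalization) are dropped so a re-upload stays idempotent.
    """
    seen = set()
    rows, rejected, warnings = [], [], []
    for c in candidates:
        try:
            ioc_type, norm, warning = classify(c)
        except ValueError as e:
            rejected.append(str(e))
            continue
        if (ioc_type, norm) in seen:
            continue
        seen.add((ioc_type, norm))
        if warning:
            warnings.append(warning)
        rows.append((ioc_type, norm))
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["type", "value"])  # assumed column layout
    w.writerows(rows)
    return buf.getvalue(), rejected, warnings


# Constructed sample input: the table's example values plus a few malformed
# entries a feed or an analyst's notes might contain.
SAMPLE = [
    "checkpoint.com",
    "192.168.1.1",
    "checkpoint.com/test.htm",
    "2eb040283b008eee17aa2988ece13152",
    "510CE67048D3E7EC864471831925F12E79B4D70F",  # uppercase SHA1: normalized
    "2eb040283b008eee17aa2988ece13152",            # duplicate MD5: dropped
    "deadbeef",                                   # too short to be MD5 or SHA1
    "http://evil.example/download?id=7",
    "999.1.1.1",                                  # neither an IP nor a domain
]

if __name__ == "__main__":
    text, rejected, warnings = build_ioc_csv(SAMPLE)
    print(text)
    for r in rejected:
        print("rejected:", r)
    for w in warnings:
        print("warning:", w)
```

Run it on your own list and review the rejected and warning lines before uploading; the private-address warning exists precisely because the table's 192.168.1.1 example would, if added for real, block an address that is internal to most networks.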