IOC Management
IoC stands for Indicators of Compromise. These indicators arrive from various sources, such as the Internet, personal research and so on. Such indicators are not identified by default, and you can block them manually.
For example, if a user receives an indication that a particular URL is malicious, the user can contact their System Administrator to block access to this URL. The System Administrator tags this URL as an Indicator of Compromise (IoC), and the policy is enforced on all the endpoints through the Harmony Endpoint client or the browser extension.
To configure an IoC:
- In Infinity Portal, go to Policy > Threat Prevention.
- In the toolbar, select Manage IoC. No need to install policy.
- In the table that appears, manually add new Indicators of Compromise by type:

  IoC Type    Example
  Domain      checkpoint.com
  IP Address  192.168.1.1
  URL         checkpoint.com/test.htm
  MD5 Hash    2eb040283b008eee17aa2988ece13152
  SHA1 Hash   510ce67048d3e7ec864471831925f12e79b4d70f
- Hover over the icon next to Type to view the capabilities required for each type:
  - URL, Domain and IP require the Anti-Bot (AB, ABOT) and URL Filtering (URLF) capabilities. Anti-Bot is the Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers; URL Filtering is the Software Blade that allows granular control over which web sites can be accessed by a given group of users, computers or networks.
  - SHA1 and MD5 Hashes require the Threat Extraction (TEX) and Threat Emulation (TE) capabilities. Threat Extraction is the Software Blade that removes malicious content from files; Threat Emulation is the Software Blade that monitors the behavior of files in a sandbox to determine whether or not they are malicious.
- The user can also upload his own manually-created CSV list of indicators.
- To verify, on the endpoint, access the IoC (for example, a URL). The system blocks the access to the IoC.
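As an added example (not Check Point's code), here is a small pre-upload check for a manually-created indicator list: it sorts each line into one of the five IoC types from the table above and rejects anything that fits none, so a malformed hash or a bare scheme never reaches Manage IoC. The CSV column layout Harmony Endpoint expects is not described on this page, so the helper only produces the validated (type, value) pairs.

```python
import ipaddress
import re

# Patterns for the five IoC types the Manage IoC table accepts; hashes and
# names are compared lower-case (the table's own examples are lower-case).
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def classify_ioc(raw):
    """Return (ioc_type, normalised_value) or raise ValueError if the line
    matches none of the five types listed on this page."""
    value = raw.strip().lower()
    if MD5_RE.match(value):
        return "MD5 Hash", value
    if SHA1_RE.match(value):
        return "SHA1 Hash", value
    if _is_ip(value):
        return "IP Address", value
    # Drop an optional scheme so "https://checkpoint.com/test.htm" and the
    # page's scheme-less "checkpoint.com/test.htm" classify the same way.
    stripped = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)
    host, slash, _ = stripped.partition("/")
    if slash and (DOMAIN_RE.match(host) or _is_ip(host)):
        return "URL", stripped
    if DOMAIN_RE.match(host):
        return "Domain", host
    raise ValueError(f"unrecognised indicator: {raw!r}")

def validate_ioc_list(lines):
    """Split raw lines into accepted (type, value) and rejected (line, reason)
    lists, so a malformed row is caught before the list is uploaded."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(classify_ioc(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected
```

Run `validate_ioc_list` over the lines of a draft list and fix every entry in the rejected half before creating the CSV.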