Input Feeds

Input Feeds allows you to collect IoCs from various products. The default feeds are:

  • Default Feed - Shows manually added IoCs.

  • XDR Feed - Automatically shows IoCs from Infinity XDR/XPR (if subscribed).

Creating a New Input Feed

Note - You can also create a new feed from Output (Blends) > IoC Feeds & Configuration > Feeds by priority > Add feed > Create new feed.

To create a new input feed:

  1. Go to Input Feeds and click New:

    • To create a new manual feed, click New manual feed. A manual feed lets you add IoCs manually.

    • To create a new live feed, click New live feed.

      A live feed lets you automatically import and sync IoCs from an external feed URL. The system supports import of IoCs in list format of the types URL, Domain, MD5, SHA256, SHA1 and IPv4.

      Note - If the IoC file is placed in a local network behind a firewall, see sk182201 to create a new live feed.

  2. In the Feed Details section, enter:

    • Name

    • URL - For Live feed only, enter the external feed URL.

      For example, https://example.com/ioc_feed.txt

    • (Optional) Description

  3. In the Indicators Default Values section, configure:

    • Confidence - The default confidence value to be used in the blend for IoCs that have no Confidence value defined in the import file or external feed. If you change this value, it affects all the IoCs without Confidence value (new or existing ones).

    • Severity - The default severity value to be used in the blend for IoCs that have no Severity value defined in the import file or external feed. If you change this value, it affects all the IoCs without Severity value (new or existing ones).

    • Time to live - For IoCs that have no expiration date defined in the import file or external feed, the expiration date is set to the current time plus the number of days specified in this field. If you change this value, it applies only to the new IoCs created subsequently. After the IoC expires, it is automatically deleted.

      Notes:

      • In the Indicators table, an indicator that uses the feed's default values is marked with the tool tip Inherited from feed.

      • You can create IoCs without Confidence, Severity or Expiration date only when you add the IoCs to the feed using an import file or external feed URL.

  4. Click Save.
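The Confidence and Severity defaults behave differently from Time to live, as the steps above describe: the first two are resolved against the feed's current default whenever an IoC has no value of its own, so editing the feed changes existing IoCs too, while the TTL is turned into a fixed expiration date at creation time and a later change applies only to IoCs created afterwards. The following added example (not from the Infinity IoC documentation or product code) models that behaviour; the dataclass names, the level labels such as "Medium" and "High", and the sample values are assumptions of the example.

```python
"""Added example, not from the Infinity IoC documentation or product code: a
small model of how a feed's Indicators Default Values apply, as the page
describes them. Confidence and Severity are resolved against the feed's
current defaults whenever an IoC has none of its own, so editing the feed
default changes existing IoCs too; Time to live is converted into a fixed
expiration date when the IoC is created, so a later TTL change affects only
IoCs created afterwards. Field names and the level labels are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class FeedDefaults:
    confidence: str   # level labels such as "Medium"/"High" are assumed here
    severity: str
    ttl_days: int


@dataclass
class Ioc:
    value: str
    confidence: Optional[str] = None       # None = not given in the import file
    severity: Optional[str] = None
    expires_at: Optional[datetime] = None  # None = Never


def import_ioc(value: str, defaults: FeedDefaults, now: datetime,
               confidence: Optional[str] = None, severity: Optional[str] = None,
               expires_at: Optional[datetime] = None) -> Ioc:
    """IoC arriving from an import file or live feed URL. Confidence and
    Severity may be absent (stored as None). A missing expiration date is
    replaced by now + TTL at creation time and never recomputed."""
    if expires_at is None:
        expires_at = now + timedelta(days=defaults.ttl_days)
    return Ioc(value, confidence, severity, expires_at)


def manual_ioc(value: str, confidence: str, severity: str,
               expires_at: Optional[datetime] = None) -> Ioc:
    """IoC created in the Create Indicator window: Confidence and Severity are
    always supplied; expires_at=None models the cleared checkbox (Never)."""
    return Ioc(value, confidence, severity, expires_at)


def effective_confidence(ioc: Ioc, defaults: FeedDefaults) -> str:
    """Resolved at read time, so it follows the feed's current default."""
    return defaults.confidence if ioc.confidence is None else ioc.confidence


def effective_severity(ioc: Ioc, defaults: FeedDefaults) -> str:
    return defaults.severity if ioc.severity is None else ioc.severity


def is_inherited(ioc: Ioc, field: str) -> bool:
    """True where the Indicators table would show 'Inherited from feed'."""
    return getattr(ioc, field) is None


def purge_expired(iocs: List[Ioc], now: datetime) -> List[Ioc]:
    """Expired IoCs are deleted automatically; Never (None) is kept."""
    return [i for i in iocs if i.expires_at is None or i.expires_at > now]


def walkthrough() -> dict:
    """Constructed scenario: import with defaults, then change the defaults."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    feed = FeedDefaults(confidence="Medium", severity="Medium", ttl_days=30)
    imported = import_ioc("example.com", feed, t0)             # no own values
    manual = manual_ioc("198.51.100.23", "High", "Critical")   # Never expires
    before = effective_confidence(imported, feed)              # "Medium"

    feed.confidence, feed.ttl_days = "High", 7                 # feed edited later
    after = effective_confidence(imported, feed)               # existing IoC follows: "High"
    later = import_ioc("example.org", feed, t0)                # new IoC gets the 7-day TTL

    survivors = purge_expired([imported, manual, later], t0 + timedelta(days=10))
    return {
        "before": before,
        "after": after,
        "imported_inherits_confidence": is_inherited(imported, "confidence"),
        "manual_inherits_confidence": is_inherited(manual, "confidence"),
        "imported_ttl_days": (imported.expires_at - t0).days,  # still 30
        "later_ttl_days": (later.expires_at - t0).days,        # 7
        "survivors": [i.value for i in survivors],             # later expired at day 7
    }


if __name__ == "__main__":
    for key, val in walkthrough().items():
        print(f"{key}: {val}")
```

Running the walkthrough shows the practical consequence: lowering a feed's default Confidence immediately changes how every imported IoC without its own value is scored in the blend, whereas shortening the TTL leaves already-imported IoCs on their original expiration dates until the next import creates new ones.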

Live Feed Sync

Five minutes after you create or edit a live feed, Infinity IoC tries to sync with the IoC file in the URL for updates. If the sync is successful, it makes the next sync after an interval of 12 hours. If the sync is unsuccessful, it attempts to sync every five minutes until the sync is successful. If the sync is unsuccessful after six attempts, an error message appears.

To initiate an immediate sync, you can edit and save a live feed without any changes.

Managing the Input Feeds

  1. Go to Input Feeds.

  2. Select the feed.

  3. To edit:

    1. Click Edit.

    2. In the Edit Manual Feed window, make the necessary changes and click Save.

  4. To delete:

    1. Click Delete.

    2. Click Yes in the confirmation dialog.

      The feed is deleted.

      Note - You cannot delete Default Feed and XDR Feed.

  5. To import indicators:

    1. Click Import.

    2. In the Import List window, select the file and click Upload.

    3. Click Save.

Managing the IoCs

You can edit the details of the IoCs from various input feeds.

  1. Go to Input Feeds.

  2. Click the feed row you want to edit.

    The Indicators table is displayed. Its columns are:

    • IoC type - An icon shows the type of the IoC:

      • IP address

      • File (MD5, SHA1 or SHA256)

      • Domain. For example, checkpoint.com

      • URL. For example, https://www.checkpoint.com/infinity/portal/

      • Disabled IoC. The disabled IoC row is grayed out by default.

    • Indicator - IoC name and Protection name.

    • Confidence - Confidence level of the IoC detection. If it displays the default Confidence value inherited from the feed, it is marked with the tool tip Inherited from feed.

    • Severity - Severity of the IoC. If it displays the default Severity value inherited from the feed, it is marked with the tool tip Inherited from feed.

    • Expires in (UTC) - Time until the IoC expires, in the UTC time zone. After the IoC expires, it is automatically deleted. An icon next to the value indicates that the IoC expiration date is soon.

    • Last update - Date on which the IoC was last updated.

  3. To create a new IoC, click New.

    The Create Indicator window appears.

    Note - You cannot create new IoCs in live feeds.

    1. In the Create Indicator window, enter these:

      1. Indicator Value - Value of the IoC. To enter multiple IoCs (up to 50), enter each IoC on a separate line.

      2. Type - The system automatically detects the IoC type based on the Indicator Value.

        Note - If you enter multiple IoCs in the Indicator Value field, the system auto-detects the Type and a new IoC is created for each entered value.

      3. (Optional) Description

      4. Protection Name - A unique name to identify the IoC in log files.

      5. Confidence

      6. Severity

      7. Expiration Date - The Set expiration date for indicator checkbox is selected by default.

        If you do not want to set an expiration date, clear the checkbox and the system sets the Expiration Date as Never.

    2. Click Save.

  4. To edit the details of an IoC, select the IoC and click Edit.

    In the Edit Indicator window, make the necessary changes and click Save.

  5. To disable an IoC, select the IoC and click Disable.

    In the dialog box, click Yes.

  6. To enable an IoC, select the IoC and click Enable.

    In the dialog box, click Yes.

  7. To delete an IoC, select the IoC and click Delete.

    In the dialog box, click Yes.

  8. To export all IoCs to a CSV IoC file, click Export All (CSV).

  9. To import IoCs to the feed, click Import.

    In the Import List window, select the file, click Upload and then click Save.

  10. To search for an IoC, in the Search field, enter the value, protection name or description of the IoC and press the Enter key.

    • Enter a minimum of three and a maximum of 100 characters. If the value exceeds 100 characters, the system omits the extra characters and shows the search results for the trimmed value.

    • The system shows a maximum of 200 search results.

Known Limitations

  • The Indicators table is limited to the most recently created 20,000 IoCs. If the number of IoCs in your feed exceeds this limit, a tool tip appears near the counter, as shown below. This limitation affects only sorting and scrolling in the table; the search applies to all the IoCs. For example, the Indicators table below shows only 20,000 IoCs, but the search scans all 35,808 IoCs.

  • For URL type IoCs, the length of the URL is limited to 2500 characters.
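Before handing a list-format file to a live feed or to the Import window, it helps to check offline which lines the product would accept as URL, Domain, MD5, SHA1, SHA256 or IPv4 indicators, and which lines fall outside those types or the limits stated above (2500-character URLs, 50 values per Create Indicator batch). The following added example (not part of the Infinity IoC documentation or product code) does that for a constructed sample feed. The detection rules, the treatment of "#" comment lines and the sample indicators are this example's own assumptions, not the product's auto-detection logic.

```python
"""Added example (not part of the Infinity IoC documentation or product code):
classify each line of a plain-text IoC list into the types the live-feed import
accepts (URL, Domain, MD5, SHA1, SHA256, IPv4) and flag lines that would be
rejected. The detection rules below are this example's own assumptions about
how auto-detection might behave, not the product's implementation."""
import ipaddress
import re
from urllib.parse import urlparse

# Limits quoted on the page: URL IoCs are capped at 2500 characters and the
# Create Indicator window accepts at most 50 values at a time.
MAX_URL_LENGTH = 2500
MAX_MANUAL_BATCH = 50

HEX_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname labels of alphanumerics and hyphens, at least one dot, alphabetic
# TLD (an assumption of this example, not the product's rule).
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def detect_type(value: str) -> str:
    """Return one of URL, Domain, MD5, SHA1, SHA256, IPv4; raise ValueError otherwise."""
    v = value.strip()
    if not v:
        raise ValueError("empty value")
    if HEX_RE.match(v) and len(v) in HEX_LENGTHS:
        return HEX_LENGTHS[len(v)]
    try:
        if isinstance(ipaddress.ip_address(v), ipaddress.IPv4Address):
            return "IPv4"
    except ValueError:
        pass  # not an IP literal at all
    if "://" in v:
        parsed = urlparse(v)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            if len(v) > MAX_URL_LENGTH:
                raise ValueError(f"URL longer than {MAX_URL_LENGTH} characters")
            return "URL"
        raise ValueError("unsupported URL")
    if DOMAIN_RE.match(v):
        return "Domain"
    # IPv6 literals and free text end up here: the page lists IPv4 only.
    raise ValueError(f"unrecognised indicator: {v!r}")


def parse_feed(text: str):
    """Parse a list-format feed: one indicator per line; blank lines and '#'
    comments are skipped (an assumption of this example). Returns
    (accepted, rejected): accepted is a list of (value, type), rejected a
    list of (line_no, value, reason)."""
    accepted, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append((line, detect_type(line)))
        except ValueError as exc:
            rejected.append((line_no, line, str(exc)))
    return accepted, rejected


def split_manual_batches(values, batch_size=MAX_MANUAL_BATCH):
    """Chunk values into groups that fit the Create Indicator window's
    50-value limit (one value per line in the Indicator Value field)."""
    return [values[i:i + batch_size] for i in range(0, len(values), batch_size)]


# Constructed sample feed; the hashes are the well-known digests of empty
# input and the addresses are documentation ranges, not real IoCs.
SAMPLE_FEED = """# constructed sample, not a real feed
198.51.100.23
example.com
https://example.com/ioc_feed.txt
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2001:db8::1
not an indicator
"""

if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED)
    for value, kind in ok:
        print(f"{kind:7} {value}")
    for line_no, value, reason in bad:
        print(f"line {line_no}: rejected {value!r}: {reason}")
```

The IPv6 line and the free-text line are reported with their line numbers rather than silently dropped, which is the behaviour you want when a feed file is generated by another tool: a type the product does not accept is then visible before the sync fails, instead of being discovered through the error message after six unsuccessful attempts.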