Inputs

In the Inputs page, you can add IoCs from various feeds (sources) to Infinity IoC.

To manage the feeds, see Managing Feeds.

Check Point Feeds

The Check Point section includes all feeds created by Check Point:

  • Infinity XDR/XPR

  • Infinity Playblocks

By default, the status of Check Point feeds is Active.

Feed Marketplace

In the Feed Marketplace section, you can set and connect to feeds from external vendors. Supported feeds are:

  • FS-ISAC

  • MS-ISAC

  • Mandiant

  • Swift

  • Health-ISAC

    Important:

    • For some feeds, you must have valid authentication credentials from the third-party vendor in order to connect to the feeds.

    • Feeds will be synced every two hours.

Activating a Feed

  1. Click in the feed row.

  2. Click Set up.

  3. In the Authentication details section, enter the authentication credentials.

  4. In the Indicators default values section, select the values to be applied to indicators with missing data:

    • Confidence

    • Severity

    • Expiration period

      Note - In the Indicators table, if the indicator displays the default values, then it is indicated with a tooltip Inherited from feed.

  5. Click Save.

Custom Integrations

In the Custom Integrations section, you can integrate custom feeds. Supported feed formats are:

  • STIX/TAXII 2.1 with/without authentication

  • MISP (JSON) with/without authentication

  • Line Separated Format without authentication

Note - If the IoC file is placed in a local network behind a firewall, see sk182201 to create a new feed.

To create a new custom integration:

  1. Go to Custom Integrations and click Add feed.

  2. Select the format of your feed:

    • STIX/TAXII

    • MISP

    • Line Separated Format

  3. Enter these:

    1. Name

    2. URL

    3. (Optional) Authentication details

    4. In the Indicators default values section, select the values that will be applied to indicators with missing data:

      • Confidence

      • Expiration period

        Note - In the Indicators table, if the indicator displays the default values, then it is indicated with a tooltip Inherited from feed.

  4. Click Save.

Custom Integration Sync

After creating a new integration, it may take up to 5 minutes to sync. If the sync is successful, then:

  • STIX / TAXII feeds are synced every 2 hours

  • MISP feeds are synced every 2 hours

  • Line Separated Format feeds are synced every 12 hours

If the sync is unsuccessful, the system attempts to sync every five minutes until the sync is successful. If the sync is still unsuccessful after six attempts, an error message appears.

To initiate an immediate sync, you can edit and save the feed without any changes.

Custom Manual Feeds

In the Custom Manual Feeds section, you can manually add IoCs.

To create a new manual feed:

  1. Go to Custom manual feeds and click Add Feed.

  2. Enter these:

    1. Name

    2. (Optional) Description

  3. In the Indicators default values section, select the values that will be applied to indicators with missing data:

    • Confidence

    • Severity

    • Expiration period

      Note - In the Indicators table, if the indicator displays the default values, then it is indicated with a tooltip Inherited from feed.

  4. Click Save.

Adding IoCs to a Custom Manual Feed

  1. Click the feed you want to edit.

  2. To create a new IoC, do one of these:

    • To add manually up to 50 IoCs:

      1. Click New.

      2. In the Create Indicator window, enter these:

        1. Indicator Value - Value of the IoC. To enter multiple IoCs (up to 50), enter each IoC on a separate line.

        2. Type - The system automatically detects the IoC type based on the Indicator Value.

          Note - If you enter multiple IoC types in the Indicator Value field, the system auto-detects the Type of each value and creates a new IoC for each entered value.

        3. (Optional) Description

        4. Protection Name - A unique name to identify the IoC in log files.

        5. Confidence

        6. Severity

        7. Expiration Date - The Set expiration date for indicator checkbox is selected by default.

          If you do not want to set an expiration date, clear the checkbox and the system sets the Expiration Date as Never.

      3. Click Save.

    • To import IoCs from a file (up to 10K IoCs), click Import.

      In the Import List window, select the file, click Upload and then click Save.

  3. To edit the details of an IoC, select the IoC and click Edit.

    In the Edit Indicator window, make the necessary changes and click Save.
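The Type auto-detection and the "Inherited from feed" defaults described above (and the one-value-per-line input that the Line Separated Format and the Indicator Value field share), as an added Python example that is not part of the product or its documentation. The detection order, the hex-digest-length rule for File hashes, and the shape of the feed_defaults dictionary are assumptions; the sample values are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

MAX_MANUAL_IOCS = 50  # the page's limit per Create Indicator entry
_HASH_LENGTHS = {32, 40, 64}  # hex digest lengths of MD5, SHA1, SHA256 (the page's File type)
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$")
_DOMAIN_RE = re.compile(r"^(?!-)(?:[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$")

def detect_type(value: str) -> str:
    """Classify one value into the page's IoC types (the detection order is assumed)."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "IP address"
    except ValueError:
        pass
    if len(v) in _HASH_LENGTHS and _HEX_RE.match(v):
        return "File"
    if _URL_RE.match(v):
        return "URL"
    if _DOMAIN_RE.match(v):
        return "Domain"
    raise ValueError(f"unrecognised indicator value: {value!r}")

def build_indicators(text, feed_defaults, confidence=None, severity=None,
                     set_expiration=True, expiration_days=None, now=None):
    """One indicator per non-empty line; fields left empty inherit the feed defaults.
    feed_defaults (constructed shape): {'confidence', 'severity', 'expiration_days'};
    each result's 'inherited' list records the fields that would show the tooltip."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) > MAX_MANUAL_IOCS:
        raise ValueError(f"{len(lines)} values exceed the limit of {MAX_MANUAL_IOCS}")
    now = now or datetime.now(timezone.utc)
    result = []
    for v in lines:
        ind = {"value": v, "type": detect_type(v), "inherited": []}
        for field, given in (("confidence", confidence), ("severity", severity)):
            ind[field] = feed_defaults[field] if given is None else given
            if given is None:
                ind["inherited"].append(field)
        if not set_expiration:
            ind["expires"] = "Never"  # checkbox cleared: the page sets the date to Never
        else:
            if expiration_days is None:
                ind["inherited"].append("expiration")
            days = feed_defaults["expiration_days"] if expiration_days is None else expiration_days
            ind["expires"] = now + timedelta(days=days)
        result.append(ind)
    return result
```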

Managing Feeds

  1. Click in the feed row.

  2. To edit a feed, click Edit.

    The Edit window appears.

  3. Make the necessary changes and click Save.

  4. To disable all IoCs in a feed, click Disable.

  5. To view a feed, click the feed row.

    The system displays the feed details and the indicators table.

    The indicators table displays the following:

    • IoC type - An icon that shows the type of the IoC:

      • IP address

      • File (MD5, SHA1 or SHA256)

      • Domain. For example, checkpoint.com

      • URL. For example, https://www.checkpoint.com/infinity/portal/

      • Disabled IoC. The disabled IoC row is grayed out by default.

    • Indicator - IoC name and Protection name.

    • Confidence - Confidence level of the IoC detection. If it displays the default Confidence value inherited from the feed, then it is indicated with a tooltip Inherited from feed.

    • Severity - Severity of the IoC. If it displays the default Severity value inherited from the feed, then it is indicated with a tooltip Inherited from feed.

    • Expires in (UTC) - Time until the IoC expires, in the UTC time zone. After the IoC expires, it is automatically deleted. An icon indicates that the IoC expiration date is soon.

    • Last update - Date on which the IoC was last updated.

  6. To search for an IoC, in the Search field, enter the value, protection name or description of the IoC and press the Enter key.

    • Enter a minimum of three and a maximum of 100 characters. If the value exceeds 100 characters, the system omits the extra characters and shows the search results for the trimmed value.

    • The system shows a maximum of 200 search results.