Output (Blends)
Output (Blends) allows you to:
-
Enforce IoCs using Check Point Security Gateway or any third-party application or gateway that supports input in the CSV file format.
-
Define the feed priority order.
-
View a list of all IoCs from different Input Feeds.
Feeds and Configuration
The Feeds and Configuration tab shows the Blend Details and Feeds by priority.
Blend Details
The Blend Details section shows the Public Blend link. The link is to a dynamic CSV file that contains a list of IoCs to be enforced. The CSV file supports a maximum of one million entries. You can use this link as an input to Check Point Security Gateway or any third-party application that supports CSV file format, to enforce IoCs.
It supports three types of links:
-
Detect link - Contains the IoCs with low confidence.
-
Prevent link - Contains the IoCs with medium or high confidence.
-
All indicators link - Contains all the IoCs.
|
Note - The IoC file available through the Public Blend link does not require authentication. |
Integrating Output Blends with a Security Gateway
-
Go to Output (Blends) > Feeds & Configuration > Blend Details.
-
Under Public Blend, enable Show public blend link.
The URL of the Output Blend in CSV format is displayed.
-
Copy the URL and use it as the IoC feed in SmartConsole.
For more information, see Importing External Custom Intelligence Feeds in SmartConsole.
Feeds by Priority
Feeds by priority shows the order of feeds by priority in the blend and the corresponding number of active IoCs.
The order indicates the IoC to be considered if IoCs with the same value appear in multiple feeds. The IoC in the feed placed higher in the order is prioritized for enforcement.
For example, if an IoC appears in both Default Feed and XDR Feed, and XDR Feed is higher in the order, then the IoC from the XDR IoC Feed is enforced. If the IoC is disabled in the XDR IoC Feed, then the IoC from Default Feed is enforced.
To set the order of priority for the feed:
-
Go to Output (Blends) > IoC Feeds & Configuration > Feeds by priority.
-
To set the order of the feed in the list, select the feed and click Move up or Move down.
The order of the feed decides IoC to be considered for enforcement, if the IoC is listed in multiple feeds.
-
To add an existing feed:
-
To create a new feed, see Creating a New Input Feed.
-
To remove a feed from the blend:
-
Select the feed and click Remove feed.
-
Click Yes in the confirmation dialog.
The feed is removed from the blend. It is still available in the Input Feeds list.
-
Indicators
The Indicator tab shows the indicators from all the feeds in the Output (Blends).
To export the IoCs to a CSV IoC file, click Export All (CSV). The system downloads a CSV file that contains information only for enabled IoCs. The disabled IoCs are not included in the file.
Item |
Description |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
IoC type |
|
||||||||||||
Indicator |
IoC name and Protection name. Protection name is a unique name to identify the IoC in logs. |
||||||||||||
Feed |
The source for IoCs. If an IoC appears in multiple feeds, it is indicated by .
|
||||||||||||
Confidence |
Confidence level of the IoC detection. If it displays the default Confidence value inherited from the feed, then it is indicated with a tool tip Inherited from feed. |
||||||||||||
Severity |
Severity of the IoC. If it displays the default Severity value inherited from the feed, then it is indicated with a tool tip Inherited from feed. |
||||||||||||
Expires in (UTC) |
Time until the IoC expires, in the UTC time zone. After the IoC expires, it is automatically deleted. indicates that the IoC expiration date is soon. |
||||||||||||
Last update |
Date on which the IoC was last updated. |