Output (Blends)

Output (Blends) allows you to:

  • Enforce IoCs using Check Point Security Gateway or any third-party application or gateway that supports input in the CSV file format.

  • Define the feed priority order.

  • View a list of all IoCs from different Input Feeds.

Feeds and Configuration

The Feeds and Configuration tab shows the Blend Details and Feeds by priority.

Blend Details

The Blend Details section shows the Public Blend link. The link is to a dynamic CSV file that contains a list of IoCs to be enforced. The CSV file supports a maximum of one million entries. You can use this link as an input to Check Point Security Gateway or any third-party application that supports CSV file format, to enforce IoCs.

It supports three types of links:

  • Detect link - Contains the IoCs with low confidence.

  • Prevent link - Contains the IoCs with medium or high confidence.

  • All indicators link - Contains all the IoCs.

Note - The IoC file available through the Public Blend link does not require authentication, so anyone who obtains the link can download it.

Integrating Output Blends with a Security Gateway

  1. Go to Output (Blends) > Feeds & Configuration > Blend Details.

  2. Under Public Blend, enable Show public blend link.

    The URL of the Output Blend in CSV format is displayed.

  3. Copy the URL and use it as the IoC feed in SmartConsole.

    For more information, see Importing External Custom Intelligence Feeds in SmartConsole.

For cloud-based Check Point products, IoCs are enforced automatically. For more information, see Supported Enforcers.

Feeds by Priority

Feeds by Priority shows the feeds in the blend in priority order, with the number of active IoCs in each feed.

The order determines which IoC is enforced when IoCs with the same value appear in multiple feeds: the IoC from the feed placed higher in the order takes precedence.

For example, if an IoC appears in both Default Feed and XDR Feed, and XDR Feed is higher in the order, then the IoC from the XDR IoC Feed is enforced. If the IoC is disabled in the XDR IoC Feed, then the IoC from Default Feed is enforced.
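As an added example (not Check Point's code, and not the blend's actual CSV layout, which the page does not document), the following Python resolves duplicate IoCs by feed priority as described above, lets a disabled entry fall through to the next feed, drops IoCs that are disabled in every feed (as the export does), enforces the one-million-entry limit, and emits the three views the Public Blend link offers. The feed names, column names and sample IoCs are constructed.

```python
import csv
import io

MAX_ENTRIES = 1_000_000  # the blend CSV supports at most one million entries
PREVENT_LEVELS = {"medium", "high"}  # Prevent link carries medium or high confidence

# Constructed sample feeds, highest priority first. The column names and the
# "enabled" flag are assumptions for this example, not the product's CSV layout.
FEEDS_BY_PRIORITY = [
    ("XDR Feed", [
        {"value": "198.51.100.7", "type": "ip", "confidence": "high", "enabled": "true"},
        {"value": "bad.example", "type": "domain", "confidence": "high", "enabled": "false"},
    ]),
    ("Default Feed", [
        {"value": "198.51.100.7", "type": "ip", "confidence": "low", "enabled": "true"},
        {"value": "bad.example", "type": "domain", "confidence": "low", "enabled": "true"},
        {"value": "old.example", "type": "domain", "confidence": "high", "enabled": "false"},
    ]),
]

def blend(feeds_by_priority):
    """Resolve duplicates by feed order: the first (highest-priority) feed that
    carries the IoC as enabled wins. A disabled entry falls through to the next
    feed, and an IoC disabled in every feed is dropped, as the export does."""
    resolved = {}
    for feed_name, rows in feeds_by_priority:
        for row in rows:
            if row["enabled"].lower() != "true" or row["value"] in resolved:
                continue
            resolved[row["value"]] = {**row, "feed": feed_name}
    if len(resolved) > MAX_ENTRIES:
        raise ValueError(f"{len(resolved)} IoCs exceed the {MAX_ENTRIES} entry limit")
    return resolved

def blend_links(feeds_by_priority):
    """Return the three link contents as CSV text: detect (low confidence),
    prevent (medium or high confidence) and all (every enabled IoC)."""
    views = {"detect": [], "prevent": [], "all": []}
    for ioc in blend(feeds_by_priority).values():
        views["all"].append(ioc)
        views["prevent" if ioc["confidence"] in PREVENT_LEVELS else "detect"].append(ioc)
    out = {}
    for name, rows in views.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=["value", "type", "confidence", "feed"],
                                extrasaction="ignore", lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        out[name] = buf.getvalue()
    return out
```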

To set the order of priority for the feed:

  1. Go to Output (Blends) > IoC Feeds & Configuration > Feeds by priority.

  2. To set the order of the feed in the list, select the feed and click Move up or Move down.

    The order of the feeds decides which IoC is considered for enforcement if the IoC is listed in multiple feeds.

  3. To add an existing feed:

    1. Click Add feed.

      The list of available feeds is displayed. The feeds already in the list are marked with an icon.

    2. Select the feed you want to add. When you select the feed, it is marked with +.

      The selected feed is added to Feeds by priority.

  4. To create a new feed, see Creating a New Input Feed.

  5. To remove a feed from the blend:

    1. Select the feed and click Remove feed.

    2. Click Yes in the confirmation dialog.

      The feed is removed from the blend. It is still available in the Input Feeds list.

Indicators

The Indicators tab shows the indicators from all the feeds in the Output (Blends).

To export the IoCs to a CSV IoC file, click Export All (CSV). The system downloads a CSV file that contains information only for enabled IoCs. The disabled IoCs are not included in the file.

The following items are shown for each indicator:

IoC type

    An icon indicates the type of IoC:

      • IP address

      • File (MD5, SHA1 or SHA256)

      • Domain. For example, checkpoint.com

      • URL. For example, https://www.checkpoint.com/infinity/portal/

      • Disabled IoC. The disabled IoC row is grayed out by default.

Indicator

    IoC name and Protection name. Protection name is a unique name that identifies the IoC in logs.

Feed

    The source feed of the IoC. If an IoC appears in multiple feeds, an icon indicates this.

Confidence

    Confidence level of the IoC detection. If the value shown is the default Confidence inherited from the feed, a tooltip Inherited from feed indicates this.

Severity

    Severity of the IoC. If the value shown is the default Severity inherited from the feed, a tooltip Inherited from feed indicates this.

Expires in (UTC)

    Time until the IoC expires, in the UTC time zone. After the IoC expires, it is automatically deleted. An icon indicates that the IoC expiration date is soon.

Last update

    Date on which the IoC was last updated.