IOC Enforcement
The IOC Enforcement connector ensures seamless synchronization between Infinity Playblocks and all connected products that enforce IoCs.
It automatically updates and distributes newly added IoCs across the security products, enhancing protection through up-to-date threat intelligence.
With Quantum IOC Enforcement, you select the Security Managements that fetch indicators from the output blend of the IoC Management platform. Each gateway connected to the management with the Anti-Bot and Anti-Virus blades starts enforcing IoCs after you install the new Threat Prevention policy.
When you enable IOC Enforcement, a new list named Playblocks IOCs is added. This list syncs with a new feed in the Infinity IoC Management platform called Playblocks feed. Every indicator found by Infinity Playblocks automations is added to this feed.
To configure an IOC Enforcement connector:
- Access Infinity Playblocks and click Connectors.
- Select IOC Enforcement.
- Turn on the Enable toggle button.
- To enable Quantum IoC enforcement, select the Quantum IOC Enforcement checkbox:
  - In the Select Quantum Managements for automatic enforcement section, select either of these:
    - All (Recommended)
    - Specific managements
      - Search and select the relevant managements.
  - Click Save.
    The Install updated policy window appears. It lists the relevant gateways connected to your management that have the Anti-Bot and Anti-Virus blades installed.
  - To install the Threat Prevention policy, click Install Policy.
  - To verify the changes:
    - In SmartConsole, navigate to Security Policies > Custom Policy Tools > Indicators.
    - Access Infinity XDR/XPR and go to IoC Management > New IoC management.
  The connector replaces the manual process of creating the objects in the managements based on the output blend links in the IoC Management platform.
  Now, your management continuously fetches indicators that are added by Infinity Playblocks automations automatically or that are added manually.
- To enable Crowdstrike IoC enforcement, select the Crowdstrike IOC Enforcement checkbox and click Save.
  Notes:
  - Make sure the Crowdstrike connector is enabled.
  - Disabling the Crowdstrike connector also disables IoC enforcement, removing all indicators that Infinity Playblocks added to Crowdstrike.
  Now, all existing IOCs in the Infinity Playblocks feed are synced into CrowdStrike IOC, and any new indicators detected by automation are added.
  File hash indicators (MD5 and SHA256) are added with the Prevent action, and IP indicators are added with the Detect action, because CrowdStrike does not support IP prevention.
- To enable SentinelOne IoC enforcement, select the SentinelOne IOC Enforcement checkbox and click Save.
  Notes:
  - Make sure the SentinelOne connector is enabled.
  - Disabling the SentinelOne connector also disables IoC enforcement, removing all indicators that Infinity Playblocks added to SentinelOne.
  Now, all existing IOCs in the Infinity Playblocks feed are synced into SentinelOne IOC, and any new indicators detected by automation are added.
  SentinelOne enforces expiration limits on indicators. Any indicator whose expiration exceeds these limits is adjusted to expire within them:
  - IP: 30 days
  - URL and Domain: 180 days
  - Hash (SHA1, SHA256, MD5): 180 days
- To enable Microsoft Defender IoC enforcement, select the Microsoft Defender IOC Enforcement checkbox and click Save.
  Notes:
  - Make sure the Microsoft Defender connector is enabled.
  - Disabling the Microsoft Defender connector also disables IoC enforcement, removing all indicators that Infinity Playblocks added to Microsoft Defender.
  Now, all existing IOCs in the Infinity Playblocks feed are synced into Microsoft Defender IOC, and any new indicators detected by automation are added.
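As an added illustration, not Check Point's code and not the connector's implementation, the following Python models the per-product rules this page states for the CrowdStrike and SentinelOne targets: the CrowdStrike action mapping (hash indicators Prevent, IP indicators Detect), the SentinelOne expiration clamping (IP 30 days, URL/Domain and hashes 180 days), and the add-everything / remove-everything behaviour when a connector is enabled or disabled. The indicator classifier, the function and class names, and the sample indicators are the example's own assumptions and are not part of the product.

```python
"""Hypothetical model of the per-product indicator rules described on this page.
Added example code, not Check Point's connector implementation."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Hex-digest length -> hash family (the example's own classification rule).
_HASH_KIND_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# Rules stated on the page.
# CrowdStrike: MD5/SHA256 hashes are added with Prevent, IPs with Detect
# (CrowdStrike does not support IP prevention). Other types are not described.
CROWDSTRIKE_ACTION = {"md5": "prevent", "sha256": "prevent", "ip": "detect"}
# SentinelOne: maximum indicator lifetime in days, by indicator type.
SENTINELONE_MAX_DAYS = {"ip": 30, "url": 180, "domain": 180,
                        "md5": 180, "sha1": 180, "sha256": 180}


def classify(value: str) -> str:
    """Return 'ip', 'url', 'domain', 'md5', 'sha1' or 'sha256' for an indicator string."""
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in _HASH_KIND_BY_LENGTH:
        return _HASH_KIND_BY_LENGTH[len(v)]
    try:
        ipaddress.ip_address(v)          # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if "://" in v or "/" in v:           # anything with a scheme or path is a URL
        return "url"
    if _DOMAIN_RE.match(v):
        return "domain"
    raise ValueError(f"unrecognised indicator: {value!r}")


@dataclass(frozen=True)
class EnforcementPlan:
    product: str
    indicator: str
    kind: str
    action: Optional[str]            # None when the page states no action for this type
    expires_in_days: Optional[int]   # None when the page states no limit for this product
    note: str = ""


def plan_crowdstrike(indicator: str) -> EnforcementPlan:
    """Map an indicator to the CrowdStrike action the page describes."""
    kind = classify(indicator)
    action = CROWDSTRIKE_ACTION.get(kind)
    note = "" if action else "no CrowdStrike action documented for this indicator type"
    return EnforcementPlan("crowdstrike", indicator, kind, action, None, note)


def plan_sentinelone(indicator: str, requested_days: Optional[int]) -> EnforcementPlan:
    """Clamp the requested lifetime to SentinelOne's per-type maximum."""
    kind = classify(indicator)
    cap = SENTINELONE_MAX_DAYS[kind]
    if requested_days is None or requested_days > cap:
        effective, note = cap, f"expiration adjusted to SentinelOne limit of {cap} days"
    else:
        effective, note = requested_days, ""
    return EnforcementPlan("sentinelone", indicator, kind, None, effective, note)


def sync_delta(feed: Set[str], enforced_by_playblocks: Set[str],
               connector_enabled: bool) -> Tuple[Set[str], Set[str]]:
    """(to_add, to_remove) for one sync pass.
    Enabled: every feed indicator not yet enforced is added.
    Disabled: every indicator Playblocks added is removed (as the page's notes state)."""
    if not connector_enabled:
        return set(), set(enforced_by_playblocks)
    return feed - enforced_by_playblocks, set()


if __name__ == "__main__":
    # Constructed sample indicators (documentation/test ranges, not real IoCs).
    samples = ["198.51.100.7", "malicious.example.net",
               "http://malicious.example.net/x", "d41d8cd98f00b204e9800998ecf8427e"]
    for s in samples:
        print(plan_crowdstrike(s))
        print(plan_sentinelone(s, 365))
    print(sync_delta(set(samples), {samples[0]}, connector_enabled=True))
    print(sync_delta(set(samples), {samples[0]}, connector_enabled=False))
```

Running the block prints, for each constructed sample, the CrowdStrike plan (Prevent for the MD5, Detect for the IP, no documented action for the domain and URL) and the SentinelOne plan with a 365-day request clamped to 30 days for the IP and 180 days for the rest, followed by the add/remove sets for an enabled and a disabled connector.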