IOC Enforcement
The IOC Enforcement connector keeps Infinity Playblocks synchronized with every connected product that enforces IOCs.
It automatically pushes newly added IOCs to the connected security products, so their protection is based on up-to-date threat intelligence.
With Quantum IOC Enforcement, you select the Security Managements that fetch the indicators from the output blend of the IOC Management platform. Every gateway connected to such a management that has the Anti-Bot and Anti-Virus blades starts enforcing the IOCs after you install the new Threat Prevention policy.
When you enable IOC Enforcement, a new list named Playblocks IOCs is added. This list is synchronized with a new feed in the Infinity IOC Management platform called the Playblocks feed. Every indicator found by Infinity Playblocks automations is added to this feed.
To configure the IOC Enforcement connector:
- Access Infinity Playblocks and click Connectors.
- Select IOC Enforcement.
- Turn on the Enable toggle button.
- To enable Quantum IOC Enforcement, select the Quantum IOC Enforcement checkbox:
  - In the Select Quantum Managements for automatic enforcement section, select one of these:
    - All (Recommended) - Automatically enables Quantum IOC Enforcement on all Quantum Managements connected to the Infinity Portal. This includes any current and future environment that connects to the Infinity Portal.
    - Specific managements - Manually choose the Quantum Managements on which to enable Quantum IOC Enforcement. The system does not automatically add new managements that connect to the Infinity Portal.
  - Search for and select the relevant managements.
  - Click Save.
    The Install updated policy window appears.
    It lists the gateways connected to your management that have the Anti-Bot and Anti-Virus blades installed.
  - To install the Threat Prevention policy, click Install Policy.
  - To verify the changes:
    - In SmartConsole, navigate to Security Policies > Custom Policy Tools > Indicators.
    - Access Infinity XDR/XPR and go to IoC Management > New IoC management.
    The connector replaces the manual process of creating the objects in the managements based on the output blend links in the IOC Management platform.
    Your management now continuously fetches the indicators that Infinity Playblocks automations add automatically, as well as those added manually.
- To enable CrowdStrike IOC enforcement, select the CrowdStrike IOC Enforcement checkbox and click Save.
  Notes:
  - Make sure the CrowdStrike connector is enabled.
  - Disabling the CrowdStrike connector also disables IOC enforcement and removes all indicators added by Infinity Playblocks from CrowdStrike.
  Now, all existing IOCs in the Infinity Playblocks feed are synced into CrowdStrike IOC, and any new indicators detected by automation are added.
  File hash indicators (MD5 and SHA256) are added with the Prevent action, and IP indicators are added with the Detect action, because CrowdStrike does not support IP prevention.
- To enable SentinelOne IOC enforcement, select the SentinelOne IOC Enforcement checkbox and click Save.
  Notes:
  - Make sure the SentinelOne connector is enabled.
  - Disabling the SentinelOne connector also disables IOC enforcement and removes all indicators added by Infinity Playblocks from SentinelOne.
  Now, all existing IOCs in the Infinity Playblocks feed are synced into SentinelOne IOC, and any new indicators detected by automation are added.
  SentinelOne enforces expiration limits on indicators. Any indicator whose expiration exceeds these limits is adjusted to expire according to them:
  - IP: 30 days
  - URL and Domain: 180 days
  - Hash (SHA1, SHA256, MD5): 180 days
- To enable Microsoft Defender IOC enforcement, select the Microsoft Defender IOC Enforcement checkbox and click Save.
  Notes:
  - Make sure the Microsoft Defender connector is enabled.
  - Disabling the Microsoft Defender connector also disables IOC enforcement and removes all indicators added by Infinity Playblocks from Microsoft Defender.
  Now, all existing IOCs in the Infinity Playblocks feed are synced into Microsoft Defender IOC, and any new indicators detected by automation are added.
- To enable Harmony Endpoint IOC enforcement, select the Harmony Endpoint IOC Enforcement checkbox and click Save.
  Notes:
  - Make sure the Harmony Endpoint service in the Infinity Portal is up and running.
  - Make sure the Harmony Endpoint connector is enabled.
  - If the Harmony Endpoint service is up but the connector is not enabled, contact Check Point Support.
  - Harmony Endpoint does not expire IOCs automatically. However, Infinity Playblocks runs a sync at regular intervals to remove all expired indicators from Harmony Endpoint.
  - Harmony Endpoint supports MD5 and SHA1 file hash indicators, and IPv4, HTTP URL, and domain indicators.
  Now, all existing IOCs in the Infinity Playblocks feed are synced into Harmony Endpoint IOC, and any new indicators detected by automation are added.
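Because each product treats a feed entry differently (CrowdStrike's Prevent/Detect actions, SentinelOne's expiration caps, the indicator types Harmony Endpoint accepts), it helps to preview what an indicator in the Playblocks feed will become before it is pushed. The following Python is an added example, not Check Point or connector code: it classifies a raw indicator with simple pattern matching (a heuristic of mine, not the platform's parser) and reports how each product would treat it according to the rules stated above; where this page states no rule for a product and type, the result is None.

```python
import re

# Rules as stated on this page (assumed complete for this example): SentinelOne caps
# lifetime per type; CrowdStrike uses Prevent for MD5/SHA256 and Detect for IPs;
# Harmony Endpoint accepts MD5, SHA1, IPv4, HTTP URL and domain indicators.
SENTINELONE_MAX_DAYS = {
    "ip": 30, "url": 180, "domain": 180,
    "md5": 180, "sha1": 180, "sha256": 180,
}
CROWDSTRIKE_ACTION = {"md5": "prevent", "sha256": "prevent", "ip": "detect"}
HARMONY_ENDPOINT_TYPES = {"md5", "sha1", "ip", "url", "domain"}

# Classification heuristics are my own, not the platform's parser.
_PATTERNS = [
    ("md5", r"[0-9a-f]{32}"),
    ("sha1", r"[0-9a-f]{40}"),
    ("sha256", r"[0-9a-f]{64}"),
    ("ip", r"(?:\d{1,3}\.){3}\d{1,3}"),
    ("url", r"https?://\S+"),
    ("domain", r"(?:[a-z0-9-]+\.)+[a-z]{2,}"),
]

def classify(value: str) -> str:
    """Return the indicator type of a raw string, or 'unknown'."""
    v = value.strip().lower()
    for kind, pattern in _PATTERNS:
        if re.fullmatch(pattern, v):
            # Reject dotted quads with an octet above 255 (e.g. 999.1.1.1).
            if kind == "ip" and any(int(o) > 255 for o in v.split(".")):
                continue
            return kind
    return "unknown"

def sentinelone_expiry_days(kind: str, requested_days: int):
    """Lifetime SentinelOne actually applies; None if the type is not covered."""
    cap = SENTINELONE_MAX_DAYS.get(kind)
    return None if cap is None else min(requested_days, cap)

def crowdstrike_action(kind: str):
    """Prevent or Detect as stated on the page; None where no action is stated."""
    return CROWDSTRIKE_ACTION.get(kind)

def preview(value: str, requested_days: int) -> dict:
    """Summarize how each product would treat one indicator from the feed."""
    kind = classify(value)
    return {"type": kind,
            "crowdstrike_action": crowdstrike_action(kind),
            "sentinelone_days": sentinelone_expiry_days(kind, requested_days),
            "harmony_endpoint": kind in HARMONY_ENDPOINT_TYPES}
```

All sample values in the test are constructed (TEST-NET addresses, example domains, dummy hex), not real indicators.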