Legacy IoC Management

With IoC Management, you can view, create and edit Indicators of Compromise (IoCs) that apply to all the products on-boarded with Infinity XDR (Extended Detection & Response)/XPR (Extended Prevention & Response).

To view the Legacy IoC Management page, access Infinity XDR/XPR and go to IoC Management > Legacy IoC Management.

Note - The legacy IoC Management will be deprecated soon. We recommend that you migrate to the New IoC Management. For the procedure to migrate, see Migrating to the New IoC Management.

Note - For the tenants created from July 23, 2023 onwards, the Legacy IoC Management is disabled and only the New IoC Management is supported.

IoC Management Overview

During the Infinity XDR/XPR onboarding process, two separate feeds for Detect and Prevent actions are created. To configure these feeds on the Management Server (Check Point Single-Domain Security Management Server or Multi-Domain Security Management Server), see Configuring IoC Management.

Infinity XDR/XPR IoC management requires no new rules or policy installation. IoC management works directly on the Security Gateway (dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources). After configuration, the Security Gateway continually fetches intelligence data stored in a .csv file on the Check Point web server. You can use the CSV file link with other products that support intelligence feeds from external sources, such as cloud-based mail protection platforms.

Working with IoC Management

The IoC Management table shows only the latest 30 IoCs added to IoC Management. To view all IoCs, click Export > Export All. See Exporting IoCs.

The IoC Management table has these columns:

  • Enabled - Indicates whether the Action is enabled (enforced) on the IoC.

  • Action - The action enforced on the IoC: Detect or Prevent.

  • Blade - The software blade that the IoC triggers.

  • Name - Name of the IoC.

  • Type - IoC type: Domain, IP address, URL, or File (MD5, SHA1 or SHA256 hash).

  • Value - Value of the IoC.

  • Confidence - Confidence level of the IoC detection.

  • Severity - Severity of the IoC.

  • Created - Date and time on which the IoC was created.

  • Modified - Date and time on which the IoC was last modified.

  • Expires - Date and time when the IoC expires. After the IoC expires, it is deleted automatically.

Creating a New IoC

Note - You can also add IoCs to IoC Management from the Incidents tab. See Adding or Editing an Indicator or Artifact in IoC Management.

  1. In the Legacy IoC Management menu bar, click New.

    The Add Indicators window appears.

  2. Enter these:

    • Indicator Type - Select the IoC type.

    • Value - Enter the value of the IoC.

    • Name - Enter a name for the IoC.

    • (Optional) Comment

      This name and comment appear in the log created when the relevant blade detects or prevents the IoC.

    • Enable an Action - Detect or Prevent.

  3. Click Advanced.

    • Select a Blade that the IoC triggers.

    • Select Confidence and Severity levels for the trigger.

    • Select an Expiration Date. After the expiration date, the IoC is deleted automatically.

      If the values for these fields are not defined, indicators are added with default values, as shown in the previous screen.

  4. Click Add.

Adding IoCs by Uploading a CSV File

  1. In the Legacy IoC Management menu bar, click Upload from File.

    The Upload CSV File window appears.

  2. If you have the CSV file to upload:

    1. Click Choose file.

    2. Browse to select the file and click Upload.

  3. If you do not know the format of the CSV file:

    1. Click Info > Download CSV Format.

      The system downloads Upload_Format.xls.

    2. Enter the IoC information in Upload_Format.xls and upload this file.

Editing and Deleting an IoC

  1. To edit an IoC, select the IoC in the IoC Management table.

  2. In the Legacy IoC Management menu bar, click Edit.

    In the Edit Indicators window, enter the details and click Update.

  3. To delete an IoC, select the IoC and click Delete.

Filtering IoCs

  1. In the Legacy IoC Management menu bar, click the Filter icon.

    The Filter pane appears.

  2. Select the parameter to filter the IoCs.

    The IoC Management table refreshes and shows only the IoCs relevant to the applied filter.

Exporting IoCs

  1. In the Legacy IoC Management menu bar, click Export.

  2. Select one of these export options:

    • Export All - To export information of all the IoCs in the IoC Management table.

    • Export Filtered - To export information of the IoCs relevant to the applied filter.

    • Export Selected - To export information of only the selected IoCs in the IoC Management table.

    The system downloads a CSV file with the IoC information.

Configuring IoC Management

After you successfully onboard to Infinity XDR/XPR:

  1. In the Legacy IoC Management menu bar, click Show feed URLs.

    The Feed URLs window appears.

    When you onboard to Infinity XDR/XPR, two feeds in .csv format are created for Prevent and Detect actions. To create these files again, click Regenerate URLs.

  2. Copy the Prevent URL and the Detect URL to a text file.

    For example:

    https://feeds.now.checkpoint.com/public_feeds/xxxxxxxxxx.csv

    https://feeds.now.checkpoint.com/public_feeds/xxxxxxxxxx.csv

  3. In SmartConsole (Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on):

    1. From the left navigation panel, click Security Policies.

    2. In the middle top pane, click Threat Prevention > Indicators.

    3. From the top toolbar, click New > External IoC Feed.

      The Indicator window appears.

    4. In Feed URL, enter the Prevent URL from step 2.

    5. In Action, select Prevent and click OK.

    6. Create a new External IoC Feed (follow steps 1 to 3 above).

    7. In Feed URL, enter the Detect URL from step 2.

    8. In Action, select Detect and click OK.

      You have now created IoC feeds for Prevent and Detect actions.

    9. Install the Threat Prevention policy on this Security Gateway.

      For more information, see Importing External Custom Intelligence Feeds in SmartConsole.

  4. In Infinity XDR/XPR, go to Legacy IoC Management and click Show Feed URLs.

    Copy the full Security Gateway commands for Prevent and Detect.

    Example:

    ioc_feeds add --feed_name InfinitySOCPrevent --transport https --resource "https://feeds.now.checkpoint.com/public_feeds/xxxxxxxxxx1.csv" --feed_action Prevent

    ioc_feeds add --feed_name InfinitySOCDetect --transport https --resource "https://feeds.now.checkpoint.com/public_feeds/xxxxxxxxxx2.csv" --feed_action Detect

  5. In SmartConsole:

    1. From the left navigation panel, click Gateways & Servers.

    2. Right-click the Security Gateway object and click Actions > Open Shell.

    Alternatively, connect to the command line on the Security Gateway through an SSH client.

  6. Run the commands you copied in step 4 from Infinity XDR/XPR:

    Example:

    ioc_feeds add --feed_name InfinitySOCPrevent --transport https --resource "https://feeds.now.checkpoint.com/public_feeds/xxxxxxxxxx1.csv" --feed_action Prevent

    ioc_feeds add --feed_name InfinitySOCDetect --transport https --resource "https://feeds.now.checkpoint.com/public_feeds/xxxxxxxxxx2.csv" --feed_action Detect

  7. Close the shell after the operation completes successfully.

Note - If you generate the URLs again, the old feeds are no longer accessible. You must update the feeds on the Security Gateway and the indicator URL in SmartConsole.

Testing IoC Management

As a simple test, block access to a website.

If the site is still accessible after you update the IoC feed:

  1. Connect to the command line on the Security Gateway for each Cluster Member (Security Gateway that is part of a cluster).

  2. Log in to the Expert mode.

  3. Fetch feeds in debug mode:

    $FWDIR/bin/ioc_feeder -d -f

  4. Examine this configuration file:

    $FWDIR/conf/ioc_feeder.conf

    If the file is corrupt, delete the feed, make the required changes in the feed, and add the feed again.

  5. Examine these files for errors:

    • $FWDIR/log/ioc_feeder.elg

      For example:

      Feed log External IOC - External Indicators processing failed
      InfinitySOCPrevent: Failed to fetch feed. Resource: https://feeds.now.checkpoint.com/public_feeds/PersonalFeed.csv, Reason: Peer certificate cannot be authenticated with given CA certificates
      InfinitySOCDetect: Failed to fetch feed. Resource: https://feeds.now.checkpoint.com/public_feeds/PersonalFeed.csv, Reason: Peer certificate cannot be authenticated with given CA certificates

      See sk132193: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132193

    • $FWDIR/log/ext_ioc_push.elg
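As an added example (not part of the Check Point documentation or product), the POSIX shell script below triages the "Failed to fetch feed" lines from $FWDIR/log/ioc_feeder.elg in the format quoted above: it counts failures per feed and maps the certificate error to the sk article referenced. The sample log content is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not Check Point's code: triage the "Failed to fetch feed"
# entries in $FWDIR/log/ioc_feeder.elg that the troubleshooting steps above
# tell you to examine. Assumes the line format quoted on the page:
#   <FeedName>: Failed to fetch feed. Resource: <url>, Reason: <text>

# Constructed sample of ioc_feeder.elg content, modelled on the page's example.
SAMPLE_ELG='Feed log External IOC - External Indicators processing failed
InfinitySOCPrevent: Failed to fetch feed. Resource: https://feeds.now.checkpoint.com/public_feeds/PersonalFeed.csv, Reason: Peer certificate cannot be authenticated with given CA certificates
InfinitySOCDetect: Failed to fetch feed. Resource: https://feeds.now.checkpoint.com/public_feeds/PersonalFeed.csv, Reason: Peer certificate cannot be authenticated with given CA certificates
InfinitySOCPrevent: Failed to fetch feed. Resource: https://feeds.now.checkpoint.com/public_feeds/PersonalFeed.csv, Reason: Peer certificate cannot be authenticated with given CA certificates'

# feed_failures: read log lines on stdin and print one line per failing feed:
#   <feed> <failure_count> <last_reason>
feed_failures() {
    awk -F': Failed to fetch feed[.] Resource: ' '
        NF == 2 {
            feed = $1
            reason = $2
            sub(/^.*, Reason: /, "", reason)   # keep only the text after "Reason: "
            count[feed]++
            last[feed] = reason
        }
        END { for (f in count) printf "%s %d %s\n", f, count[f], last[f] }
    ' | sort
}

# feed_failure_count <feed>: number of fetch failures recorded for one feed (stdin).
feed_failure_count() {
    feed_failures | awk -v f="$1" '$1 == f { n = $2 } END { print n + 0 }'
}

# fetch_hint <reason>: map a failure reason to the next troubleshooting step.
fetch_hint() {
    case "$1" in
        *"Peer certificate cannot be authenticated"*)
            echo 'TLS trust: the gateway does not trust the feed server certificate chain; see sk132193' ;;
        *)
            echo 'Other fetch error: check $FWDIR/conf/ioc_feeder.conf and re-run ioc_feeder -d -f' ;;
    esac
}

# Report for the constructed sample (run against the real file with:
#   feed_failures < $FWDIR/log/ioc_feeder.elg).
printf '%s\n' "$SAMPLE_ELG" | feed_failures | while read -r feed n reason; do
    echo "$feed: $n failure(s); $(fetch_hint "$reason")"
done
```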