Importing External Custom Intelligence Feeds in SmartConsole

You can import threat indicator feeds from external sources directly to the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. After you import the feeds for the first time and install policy, the Security Gateway automatically pulls and enforces the indicator file each time the file is updated. The Security Gateway imports the file over HTTP or HTTPS, or by reading from a local file or folder.

Important - You must import the feed files on each Security Gateway and Cluster Member Security Gateway that is part of a cluster. separately.

To import an external IoC feed

Step	Instructions
1	Go to the applicable profile > Indicators > Activation > make sure that Enable indicator scanning is selected.
2	In the SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. main view, go to Security Policies > Threat Prevention > Policy.
3	In the bottom left section, click Custom Policy Tools.
4	Click Indicators.
5	Click New and select External IOC feed. The Indicator feed configuration window opens.
6	Enter these details: A feed name - Each indicator must have a unique name. Enter the Feed URL Select an Action for this Indicator Pattern of relevant observable malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it. Prevent - Threat Prevention Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. blocks the detected observable Detect - Threat Prevention Software Blade creates a log entry, and lets the detected observable go through You can disable the feed, if you clear the Active checkbox. You can use a Security Gateway proxy for connection.
7	In the Authentication, enter the applicable username and password, if the external feed requires authentication.
8	If the feed is not in Check Point CSV format, click Custom feed settings to adjust it to your needs. See sk132193 for instructions. Custom feed settings are disabled by default.
9	Configure the settings in Fields to Column number mappings.
10	Click Test Connectivity to check if the feed runs properly.
11	Click OK. The new indicator shows in the Indicators page.
12	Install the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

The feeds defined will be fetched every 30 minutes and enforced immediately on the gateway with no need to install a Policy.

To change the fetching interval, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings, go to External Feed, and select the applicable interval.

Limitations

External Indicators of Compromise (IoC Indicator of Compromise. Artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IoCs are virus signatures and IP addresses, MD5 hashes of Malware files, or URLs or domain names of botnet command and control servers. Identified through a process of incident response and computer forensics, intrusion detection systems and anti-virus software can use IoC's to detect future attacks.) added in SmartConsole are supported only on Security Gateways R81 and higher.
IoC feeds are fetched on all connections and are not affected by Threat Prevention Policy.
Policy installation does not fail if a feed is inaccessible. In this case, the Security Gateway only generates a control log can be seen in the Logs view.