Importing External Custom Intelligence Feeds in SmartConsole

| Step | Instructions |
|---|---|
| 1 | Go to the applicable profile > Indicators > Activation and make sure that Enable indicator scanning is selected. |
| 2 | In the SmartConsole |
| 3 | In the bottom left section, click Custom Policy Tools. |
| 4 | Click Indicators. |
| 5 | Click New and select External IOC feed. The Indicator feed configuration window opens. |
| 6 | Enter these details: |
| 7 | In Authentication, enter the applicable username and password if the external feed requires authentication. |
| 8 | If the feed is not in Check Point CSV format, click Custom feed settings to adjust it to your needs. See sk132193 for instructions. Custom feed settings are disabled by default. |
| 9 | Configure the settings in Fields to Column number mappings. |
| 10 | Click Test Connectivity to check if the feed runs properly. |
| 11 | Click OK. The new indicator shows in the Indicators page. |
| 12 | The defined feeds are fetched every 30 minutes and enforced immediately on the gateway, with no need to install a Policy. To change the fetching interval, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings, go to External Feed, and select the applicable interval. |
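
A pre-import sanity check for a custom feed (steps 8 and 9), as an added example that is not Check Point code: it applies a field-to-column mapping to feed text and reports rows where the mapped value column does not hold what the type column declares. The field names, type labels, delimiter, comment prefix and sample rows are assumptions about a hypothetical feed, not Check Point's format.

```python
import csv, io, ipaddress, re

# Assumed field -> 1-based column mapping and type labels for a hypothetical feed.
MAPPING = {"type": 1, "value": 2}
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN = re.compile(r"(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")
SAMPLE = """# constructed sample feed, not real indicators
ip,192.0.2.10,high
domain,bad.example.com,medium
md5,0123456789abcdef0123456789abcdef,low
ip,malware.example.net,high
url,http://example.org/payload
sha256
ip,999.1.1.1,high
"""

def classify(value):
    """Infer the observable kind from the value itself; None if unrecognised."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_LEN:
        return HASH_LEN[len(value)]
    if re.match(r"https?://[^\s/]+", value):
        return "url"
    return "domain" if DOMAIN.fullmatch(value) else None

def check_feed(text, mapping=MAPPING, delimiter=",", comment="#"):
    """Apply the column mapping to feed text; return (indicators, problems)."""
    good, problems = [], []
    rows = csv.reader(io.StringIO(text), delimiter=delimiter)
    for n, row in enumerate(rows, 1):
        if not row or row[0].lstrip().startswith(comment):
            continue  # blank line or comment
        if len(row) < max(mapping.values()):
            problems.append((n, "too few columns"))
            continue
        declared = row[mapping["type"] - 1].strip().lower()
        value = row[mapping["value"] - 1].strip()
        kind = classify(value)
        if kind is None:
            problems.append((n, "unrecognised value"))
        elif kind != declared:
            problems.append((n, f"declared {declared}, looks like {kind}"))
        else:
            good.append((kind, value))
    return good, problems
```

Calling `check_feed(SAMPLE)` returns the four well-formed indicators and flags lines 5, 7 and 8; a wrong column number in the mapping shows up as most rows failing in the same way.
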
Limitations
- External Indicators of Compromise (IoC) added in SmartConsole are supported only on Security Gateways R81 and higher. An IoC is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IoCs are virus signatures and IP addresses, MD5 hashes of Malware files, or URLs or domain names of botnet command and control servers. IoCs are identified through a process of incident response and computer forensics; intrusion detection systems and anti-virus software can use them to detect future attacks.
- IoC feeds are fetched on all connections and are not affected by Threat Prevention Policy.
- Policy installation does not fail if a feed is inaccessible. In this case, the Security Gateway only generates a control log, which can be seen in the Logs view.