Importing External Custom Intelligence Feeds in SmartConsole

Custom Intelligence Feeds lets you fetch feeds from a third-party server directly to the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. to be enforced by the Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV., Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. and IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). blades. The Custom Intelligence Feeds feature helps you manage and monitor indicators with minimum operational overhead.

Note - Starting from R81.20, the Check Point Security Gateway can support at least 2 million patterns/observables for these observable types: URL, Domain, IP addresses, and Hashes. The maximum number of supported patterns/observables is limited by the available memory and disk space on the Security Gateway. Before the Security Gateway loads more patterns/observables, it checks if 50% of the total memory is free.

How to Import an External IoC Feed

Before you start - In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to the applicable profile > Indicators > Activation > make sure that Enable indicator scanning is selected.

Step

Instructions

In the SmartConsole main view, go to Security Policies > Threat Prevention > Custom Policy > Custom Policy Tools > Indicators.

If you are working with Autonomous Threat Prevention, go to Security Policies > Threat Prevention > Autonomous Policy > Autonomous Policy Tools > Indicators.

Click New and select New IoC Feed.

The New IoC Feed configuration window opens.

In the top field, enter a unique object name.

In the Action field, select the applicable action:

In the Feed URL field, enter the full URL that starts with http:// or https://.

From the Format drop-down menu, select the applicable format (see sk132193):

Check Point format/STIX - Configure the applicable feed parsing settings.
Custom CSV - Configure the applicable feed parsing settings.
Snort - Configure the applicable feed parsing settings.
To use the Snort format, you must first:
1. Enable the IPS Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities..
2. Install the Threat Prevention policy.

Expand the Advanced section (click the ^ icon on the right side).

In the Authentication section, enter the applicable username and password, if the external feed requires authentication.

In the Network section, select Use gateway proxy for connection, if the Security Gateway must connect to the external feed through a proxy server.

Make sure the Security Gateways can get this feed:

Click Test Feed.
From the Select the Security Gateway drop-down menu, select the applicable Security Gateway.
Click Test Feed.
Click Close.

Note - The Select the Security Gateway menu does not show Virtual Switches.

Click OK.

The new indicator appears on the Indicators page.

Install the Threat Prevention Policy.

Note - The Security Gateways fetch the configured feeds every 30 minutes and enforce them immediately without the need to install a Threat Prevention Policy.

To change the fetching interval:

From the left navigation panel, click Manage & Settings.
In the top middle pane, click Blades.
In the Threat Prevention section, click Advanced Settings.
From the left tree, click External Feed.
Configure the applicable interval.
Click OK.
Install the Threat Prevention Policy.

Limitations

External Indicators of Compromise (IoC Indicator of Compromise. Artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IoCs are virus signatures and IP addresses, MD5 hashes of Malware files, or URLs or domain names of botnet command and control servers. Identified through a process of incident response and computer forensics, intrusion detection systems and anti-virus software can use IoC's to detect future attacks.) added in SmartConsole are supported only on Security Gateways R81 and higher.
IoC feeds are fetched on all connections and are not affected by Threat Prevention Policy.
Policy installation does not fail if a Security Gateway cannot get a feed.

In this case, the Security Gateway generates a control log.