Administrators can now automatically block-list URLs coming from live IOC feeds their SOC team uses.

In their hunt for elusive security incidents and to enrich their investigation into detected security events, SOC teams often use 3rd party live feeds of Indicators of Compromise (IOCs).

These feeds are essentially a large repository that is constantly updated with hundreds or thousands of malicious indicators – URLs, hashes, email addresses and more – daily.

This work, whether manual or automated, almost always happens after users have been exposed to emails or files containing these indicators.

Harmony Email & Collaboration uses multiple security layers to prevent malicious emails and other threats from reaching your users or unauthorized destinations. Some of these layers are based on AI engines and some on Check Point’s market leading repository of malicious indicators – ThreatCloud ©.

Harmony Email & Collaboration can now be integrated with these 3rd party feeds, so that each malicious URL received from them is automatically enforced as a block-listed URL when inspecting emails, messages and files.

These URL IOCs will be enforced not only in Harmony Email & Collaboration, but also in all Check Point solutions, saving your SOC team a lot of time defining block-lists in many dashboards.

To connect to a 3rd party live feed:

  1. Browse to this link: https://portal.checkpoint.com/dashboard/xdr-xpr/centralizediocmanagement#/ThreatCloudIOCMgmt/input_feeds
    1. Alternatively, you can open the nine-dot menu at the top bar of your Infinity Portal and go to Horizon XDR/XPR > New IOC Management > Input Feeds
    2. If needed, click “Try Now” – don’t worry, you don’t need to purchase any license for this functionality
  2. Create a new Input feed of type Live feed and follow the instructions in the wizard

 

For more information about managing IOCs globally for all Check Point solutions, refer to this chapter in the relevant admin guide.

You may also like