https://community.checkpoint.com/t5/General-Topics/External-IOC-Log-questions/m-p/185369#M30905 <P>Hello,</P><P>I've been testing out some external IOCs for a production rollout and was hoping to get some understandings on some of the log messages.&nbsp; &nbsp;I have 3 feeds running for testing:&nbsp; &nbsp;one IP host list, one url list and one domain list.</P><P>When looking at "blade:Anti-Virus AND type:Control" in smartconsole, I get these logs under the 'forensics Details =&gt; Description" and what my understanding is:</P><UL><LI>External IOC - Fetch succeeded<UL><LI>I know that the configs are setup to fetch the feed every 5min but the log seems to show up only when there was an actual update to the feed txt/csv file on the remote server.<UL><LI>So....my understanding is when i see this message it means at least 1 of the 3 feeds had an update and such fetch is good.</LI></UL></LI></UL></LI><LI><SPAN><SPAN class="">External IOC - Partial success, IP_TEST: Success, URL_TEST: Success, DOMAIN_TEST: Feed format problem. Empty feed"</SPAN></SPAN><UL><LI><SPAN><SPAN class="">I read this the same as the above message except that one of the feeds had a problem due to the feed having no domains listed (which was the test case).&nbsp; &nbsp; The other two feeds 'fetched'&nbsp;</SPAN></SPAN></LI></UL></LI><LI><SPAN><SPAN class="">External IOC - External Indicators processing failed</SPAN></SPAN><UL><LI><SPAN><SPAN class="">This one seems straightforward&nbsp;to me as it detailed out that the processing failed and the reason.</SPAN></SPAN><UL><LI><SPAN><SPAN class="">Our reason was&nbsp;"Couldn't connect to server"; which is accurate during our testing and the remote server was down.</SPAN></SPAN></LI><LI><SPAN><SPAN class="">I also noticed that I got this message every 5 min; which solidifies&nbsp;that the GW was attempting updates within the defined interval.&nbsp; &nbsp;&nbsp;</SPAN></SPAN></LI></UL></LI></UL></LI></UL><P><SPAN><SPAN class="">So.....now my questions <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</SPAN></SPAN></P><OL><LI>Is my understanding about these 3 log messages&nbsp;correct?</LI><LI>If so, is there any way to get a "External IOC - Fetch succeeded" type message that includes the actual feed that was updated verse getting the general one I got here?<OL><LI>When I look at the partial success one, I can see the details of all 3 feeds, the 2 that updated and the other one with the error.&nbsp; &nbsp;</LI><LI>For our testing, I would like to get a more clear log of the success of the single feed we updated that our SIEM can filter on as a means to know our updates were processed.<OL><LI>I noticed that "External IOC - Fetch succeeded" messages can get noisy depending on the # of feeds you use; especially on a 3rd party one that might update a lot.</LI><LI>Therefore, our key is to have our feed file update =&gt; allow our GWs to fetch every 5min =&gt; log back when the update was successfully updated for the given feed =&gt; avoid the manual labor of logging into various GWs to validate the feed in question updated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></LI></OL></LI></OL></LI></OL><P>&nbsp;</P><P>Thanks in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>**note**</P><P>GW &amp; MGMT running R81.10 Take 95</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 30 Jun 2023 21:57:02 GMT Scottc98 2023-06-30T21:57:02Z https://community.checkpoint.com/t5/General-Topics/External-IOC-Log-questions/m-p/185369#M30905 <P>Hello,</P><P>I've been testing out some external IOCs for a production rollout and was hoping to get some understandings on some of the log messages.&nbsp; &nbsp;I have 3 feeds running for testing:&nbsp; &nbsp;one IP host list, one url list and one domain list.</P><P>When looking at "blade:Anti-Virus AND type:Control" in smartconsole, I get these logs under the 'forensics Details =&gt; Description" and what my understanding is:</P><UL><LI>External IOC - Fetch succeeded<UL><LI>I know that the configs are setup to fetch the feed every 5min but the log seems to show up only when there was an actual update to the feed txt/csv file on the remote server.<UL><LI>So....my understanding is when i see this message it means at least 1 of the 3 feeds had an update and such fetch is good.</LI></UL></LI></UL></LI><LI><SPAN><SPAN class="">External IOC - Partial success, IP_TEST: Success, URL_TEST: Success, DOMAIN_TEST: Feed format problem. Empty feed"</SPAN></SPAN><UL><LI><SPAN><SPAN class="">I read this the same as the above message except that one of the feeds had a problem due to the feed having no domains listed (which was the test case).&nbsp; &nbsp; The other two feeds 'fetched'&nbsp;</SPAN></SPAN></LI></UL></LI><LI><SPAN><SPAN class="">External IOC - External Indicators processing failed</SPAN></SPAN><UL><LI><SPAN><SPAN class="">This one seems straightforward&nbsp;to me as it detailed out that the processing failed and the reason.</SPAN></SPAN><UL><LI><SPAN><SPAN class="">Our reason was&nbsp;"Couldn't connect to server"; which is accurate during our testing and the remote server was down.</SPAN></SPAN></LI><LI><SPAN><SPAN class="">I also noticed that I got this message every 5 min; which solidifies&nbsp;that the GW was attempting updates within the defined interval.&nbsp; &nbsp;&nbsp;</SPAN></SPAN></LI></UL></LI></UL></LI></UL><P><SPAN><SPAN class="">So.....now my questions <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</SPAN></SPAN></P><OL><LI>Is my understanding about these 3 log messages&nbsp;correct?</LI><LI>If so, is there any way to get a "External IOC - Fetch succeeded" type message that includes the actual feed that was updated verse getting the general one I got here?<OL><LI>When I look at the partial success one, I can see the details of all 3 feeds, the 2 that updated and the other one with the error.&nbsp; &nbsp;</LI><LI>For our testing, I would like to get a more clear log of the success of the single feed we updated that our SIEM can filter on as a means to know our updates were processed.<OL><LI>I noticed that "External IOC - Fetch succeeded" messages can get noisy depending on the # of feeds you use; especially on a 3rd party one that might update a lot.</LI><LI>Therefore, our key is to have our feed file update =&gt; allow our GWs to fetch every 5min =&gt; log back when the update was successfully updated for the given feed =&gt; avoid the manual labor of logging into various GWs to validate the feed in question updated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></LI></OL></LI></OL></LI></OL><P>&nbsp;</P><P>Thanks in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>**note**</P><P>GW &amp; MGMT running R81.10 Take 95</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 30 Jun 2023 21:57:02 GMT https://community.checkpoint.com/t5/General-Topics/External-IOC-Log-questions/m-p/185369#M30905 Scottc98 2023-06-30T21:57:02Z https://community.checkpoint.com/t5/General-Topics/External-IOC-Log-questions/m-p/185376#M30908 <P>As far as I know, you have a clear understanding of this.<BR />Unfortunately, I don't believe you can change the detail of the logging about what feeds were updated.<BR />It's possible this is improved in R81.20 where we can support a larger number of indicators and Network Feeds are an option.</P> Sat, 01 Jul 2023 15:40:45 GMT https://community.checkpoint.com/t5/General-Topics/External-IOC-Log-questions/m-p/185376#M30908 PhoneBoy 2023-07-01T15:40:45Z