Playblocks Highlights: IOC Enforcement Connector - Why You Should Enable It ⚡
Hey CheckMates! 🎯
In this edition of Playblocks Highlights, we’re diving deep into the IOC Enforcement connector - how it links your threat detection to prevention, the enforcement options, and some powerful automations you can enable right away.
🔐 IOC Enforcement bridges detection and enforcement. Instead of just adding IOCs to a list, this connector ensures they are automatically enforced across supported platforms.
What is the IOC Enforcement Connector?
- The IOC Enforcement connector synchronizes Infinity Playblocks with your enforcement platforms, ensuring that indicators detected (by automations or manually) are pushed out to your security products.
- When enabled, a new list called Playblocks IOCs is created and synced with the Infinity IOC Management feed. New indicators (from Playblocks automations or manual additions) flow into that feed and are distributed.
- It replaces the manual, error-prone process of creating indicator objects in each product. With the connector on, your infrastructures automatically fetch and enforce the indicators.

Enforcement Options & Platforms
When configuring the connector, you decide which platforms should enforce the IOCs:
- Quantum IOC Enforcement
  - You can enable enforcement on all Quantum Managements or pick specific ones.
  - Once enabled, any gateway under those managements with Anti-Bot or Anti-Virus blades will start enforcing the IOCs upon policy push.
- CrowdStrike IOC Enforcement
  - Requires that the CrowdStrike connector is already enabled.
  - Hash indicators (e.g. MD5, SHA256) are added with Prevent actions; IP indicators are added with Detect actions (since CrowdStrike does not support IP prevention).
- SentinelOne IOC Enforcement
  - Requires the SentinelOne connector to be active.
  - SentinelOne enforces automatic expiration limits:
    - IP indicators expire in 30 days
    - URLs, domains, and file hashes expire in 180 days
- Microsoft Defender IOC Enforcement
  - Requires the Microsoft Defender connector to be active.
  - Once enabled, new indicators flow into Defender’s IOC engine for enforcement.
- Harmony Endpoint IOC Enforcement
  - Requires the Harmony Endpoint service and connector to be enabled.
  - Harmony Endpoint supports file hashes (MD5, SHA1), IPv4, URLs, and domains. It doesn’t expire IOCs automatically, but Playblocks periodically removes expired indicators from Harmony.
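The per-platform rules above mean one indicator can be treated differently on each product. The following added example (not Playblocks code or any vendor API) classifies an indicator and reports the action and effective lifetime on CrowdStrike, SentinelOne and Harmony Endpoint. The function names, the result labels and the treatment of the SentinelOne limits as a cap on the requested lifetime are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Limits and type lists transcribed from the article; names are illustrative.
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
S1_LIMIT_DAYS = {"ipv4": 30}          # every other type: 180 days
S1_DEFAULT_LIMIT = 180
HARMONY_TYPES = {"md5", "sha1", "ipv4", "url", "domain"}
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")


def classify(value):
    """Guess the indicator type from its shape; None if unrecognised."""
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_BY_LENGTH:
        return HASH_BY_LENGTH[len(v)]
    try:
        ipaddress.IPv4Address(v)
        return "ipv4"
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    return "domain" if DOMAIN_RE.fullmatch(v.lower()) else None


def plan(value, requested_days):
    """Return {platform: (action, effective_days)} for one indicator."""
    kind = classify(value)
    if kind is None:
        raise ValueError(f"unrecognised indicator: {value!r}")
    if kind in HASH_BY_LENGTH.values():
        crowdstrike = ("prevent", requested_days)
    elif kind == "ipv4":
        crowdstrike = ("detect", requested_days)   # no IP prevention
    else:
        crowdstrike = ("not described", None)      # article is silent on URLs/domains
    # Assumption: a longer requested lifetime is cut to SentinelOne's limit.
    s1_days = min(requested_days, S1_LIMIT_DAYS.get(kind, S1_DEFAULT_LIMIT))
    harmony = (("enforce", requested_days) if kind in HARMONY_TYPES
               else ("not listed", None))          # e.g. SHA256
    return {"crowdstrike": crowdstrike,
            "sentinelone": ("enforce", s1_days),
            "harmony_endpoint": harmony}
```

Running `plan` over a feed export shows where an indicator is only detected, where it expires earlier than requested, and where a type falls outside a platform's listed support.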
How to Enable & Configure
- In Playblocks → Connectors, locate and enable IOC Enforcement.
- Toggle on Quantum IOC Enforcement, CrowdStrike IOC Enforcement, SentinelOne IOC Enforcement, Microsoft Defender IOC Enforcement, and Harmony Endpoint IOC Enforcement as required.
- For Quantum, choose whether to apply enforcement to all managements or select specific ones.
- Save and install the updated Threat Prevention policy on the affected gateways.
Once configured, existing indicators in the Playblocks feed are automatically synchronized into the enforcement platforms.

Examples of predefined automations that use IOC Enforcement
These predefined automations automatically add malicious files or URLs into the Playblocks IOC feed for enforcement:
| Automation | What It Does | Notes / Parameters |
|---|---|---|
| Block malicious file indicator identified by Threat Extraction (Harmony Endpoint) | Adds file indicators from Threat Extraction to the IOC feed and enforces them | Requires IOC Enforcement to propagate these indicators |
| Add malicious file indicator identified by CrowdStrike to IOC feed | Adds file hashes flagged by CrowdStrike into the IOC feed | Includes Expiration in days parameter; ensures consistent blocking |
| Add malicious file indicator identified by Microsoft Defender to IOC feed | Adds file hash and source URL flagged by Defender into IOC feed | Shares Defender detections with your broader enforcement |
| Add malicious file indicator identified by SentinelOne to IOC feed | Adds file hash indicators flagged by SentinelOne into the IOC feed | Integrates SentinelOne detections across your stack |
| Block malicious indicator identified by Anti-Bot | Pushes malicious URLs detected by Anti-Bot into the IOC feed for automatic blocking | Great for reinforcing Quantum and Harmony layers |
| Block malicious indicator identified by Zero Phishing (Quantum) | Ingests malicious URL indicators flagged by Zero Phishing into the IOC feed for enforcement | Often paired with URL/domain blocking via Anti-Bot and AV blades |
💡 Pro Tip: Filter the Automations page by IOC Enforcement connector to discover even more automations that add URLs and file indicators to your threat feed - there are many more to explore!
Why You Should Connect It Today
- Closes the loop: Automatically turns threat detections into enforced protections.
- Unified control: Your entire stack - Quantum, Endpoint, Defender, and more - enforces IOCs consistently.
- Hands-free scaling: Once connected, every new indicator flows to all enabled products automatically.
Continue the Journey
Did you miss our previous highlight on powerful Playblocks automations?
👉 Check out the first Playblocks Highlights post
✨ Stay tuned for the next Playblocks Highlights - where we’ll keep uncovering connectors, automations, and AI-powered workflows that make security smarter and faster.