Hi there PhoneBoy,

Unsure what you mean by "How precisely". I am using multiple custom intelligence "ioc_feeds add" commands to pull different IOC types via an API through https from one threat intelligence provider. The organisation who provides the feeds requires reporting on what IOCs from their feed are seen by the checkpoint.

Is it possible to send logs (from Anti-virus/Anti-bot blades?) to an external syslog server relating to the custom ioc feed IOCSs being seen?

You can also define IoCs via the management APIs, which is different than importing them via ioc_feeds.

Each indicator should have a unique name associated with it.
Offhand, I don't remember exactly what field it shows up in.
@TP_Master do you happen to know?

I would think you could filter based on that (or at the very least the blades used).

I have not seen any information regarding custom intel feeds through management API, only ioc_feed in article sk132193. However that being said, I have the feed already ingesting through ioc_feeds and am now looking to report back to a logging server via cp_export_log (Log Exporter - Check Point Log Export). Really just need any assistance on defining how to filter the cp_export_log to only export on events where an IOC from ioc_feed has been seen. Cheers.

Hi there @PhoneBoy, did you or anyone manage to find out info to be used in "cp_export_log" command  to send events relating to and ioc_feeds being seen?

Nothing that specifically covers this.
The approach I would take to find out is to see what log field(s) contain information related to the IoCs (mostly likely the “unique name” of the IoC, as noted in the IoC file).
Then you should be able to filter based on the contents of that field and the blades I mentioned.