Sergej_Gurenko
Collaborator

IOC feeds: how to monitor and escalate issues? How to get alerts from ioc_feeder.elg to Service Desk

Hello,

I read several posts (What is the maximum IOC feed range? and IOC Feeds does not work properly) describing potential issues with IOC feeds on older Check Point software. It looks like all IOC feed success and failure errors are stored in ioc_feeder.elg.

There are two scenarios I'm seeking assistance with:

  • Alerting the traditional NOC if the feature is not working or is degraded, and further escalation via a ticket.
  • Alerting MDR analysts that the IOC feed is successfully imported and processed by the gateways. The analysts could modify and update IOC files by hand or using semi-automated playbooks and security tools.

Can you please suggest a reliable option for getting the significant errors from ioc_feeder.elg to (Service Desk) tools?

We can use scheduled SNMP polls, email integration or other old-school methods; syslog alerts and SNMP traps are less preferred (as less reliable). We have not tried Skyline (OpenTelemetry, Prometheus, Grafana) yet and do not integrate with Infinity Portal for co-management. I read that *.ELG is a plain text file.

Regards, Serg

0 Kudos
6 Replies
Henrik_Noerr1
Advisor

Hey,

All our firewall logs are sent to an Elastic instance with the log exporter. From here we have set up alerts on various logs. So when IOC stops working the firewall logs it, and we send a webhook from Elastic to our ITSM with relevant info.


Furthermore, we have a query every X minutes from a tooling server that queries an item agreed to be in the feed. The query should be stopped. If it is not, we send an alert to our ITSM system.


/Henrik

(1)
Sergej_Gurenko
Collaborator

I think it is an excellent hint to pre-provision a bunch of test remote destinations and hand over the details to the analysts. Rather than testing if a (potentially dangerous) malicious URL is blocked, the analysts can test the harmless test URLs.

0 Kudos
Sergej_Gurenko
Collaborator

Add-on question: Does anyone know if a single error in the feed file blocks the update/refresh, or if lines with errors are ignored while the correct lines are pushed? The documentation does not provide a clear answer. Especially sk165932, "IOC_FAILED_WHILE_PARSING error message when the Custom Intelligence Feeds automatic process fails after editing the source file", gives me the impression this is a bug.

From the documentation:

"IOC_FAILED_WHILE_PARSING" error message when the Custom Intelligence Feeds automatic process fails after editing the source file.
When adding an IP address or domain to the list, the system does not block the new address (it still blocks the existing entries) and shows a parsing error: "IOC_FAILED_WHILE_PARSING".

0 Kudos
Sergej_Gurenko
Collaborator

If anyone is interested, I tested it in the lab. When detected, the lines with errors are ignored, and the rest of the feed is applied. A single error does not stop the rest of the IOC file from being processed.

Errors are stored in a *_custom.csv.err file on the gateways.

Even though the details about the updates of the feed files are only available in the ioc_feeder.elg log file on the Gateway, the most important ones are forwarded to the SmartConsole fw.log file.

SmartConsole events:

Picture1.png


Picture2.png

Sergej_Gurenko
Collaborator

Hello Experts, does anyone know if one can generate alerts from _specific_ messages in the SmartConsole fw.log file?

Thinking about handling IOC errors by firing emails or SNMP traps to the monitoring platform.


alerts.jpg

0 Kudos
PhoneBoy
Admin

The filtering would have to occur in a script, sending mail or an SNMP trap only when specific messages are encountered.

0 Kudos
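A worked version of the two approaches in this thread: the filtering script PhoneBoy describes (match only specific messages in ioc_feeder.elg and the *_custom.csv.err file, then alert) and Henrik's periodic canary query (a harmless test indicator placed in the feed must be blocked). This is an added example, not code from the thread or from Check Point. The log line format, the feed name my_feed and the patterns other than IOC_FAILED_WHILE_PARSING (which is quoted above from sk165932) are assumptions to adjust against your own ioc_feeder.elg; send_alert is a placeholder for your ITSM webhook, mail or snmptrap call.

```shell
#!/bin/sh
# Added example, not Check Point code. Three checks for the thread's scenarios:
#   1. scan_ioc_log      - pull alert-worthy lines out of a log such as ioc_feeder.elg
#   2. count_err_lines   - count rejected feed rows recorded in a *_custom.csv.err file
#   3. canary_blocked    - Henrik's active probe: a harmless test indicator is in the feed,
#                          so the probe command is EXPECTED to fail; success means the feed
#                          is not being enforced.
# The log line format used in the demo is constructed; only IOC_FAILED_WHILE_PARSING
# comes from the thread (sk165932). The other two patterns are assumed placeholders.
ALERT_PATTERNS='IOC_FAILED_WHILE_PARSING|failed to download|timed out'

# Print every line of $1 matching an alert pattern; exit status 0 if anything matched.
scan_ioc_log() {
    grep -E "$ALERT_PATTERNS" "$1"
}

# Print the number of non-empty lines in a *_custom.csv.err file (0 if the file is absent).
count_err_lines() {
    if [ -r "$1" ]; then
        grep -c -v '^[[:space:]]*$' "$1" || true   # grep -c exits 1 when the count is 0
    else
        echo 0
    fi
}

# Run the probe command given as arguments. Return 0 = blocked (healthy),
# 1 = the probe succeeded, i.e. the canary indicator was reachable (alert).
canary_blocked() {
    if "$@" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Alert sink. Assumption: replace with your ITSM webhook, sendmail or snmptrap call.
send_alert() {
    printf 'ALERT: %s\n' "$1" >&2
}

# Stand-alone demo on constructed files; in production point the functions at
# $FWDIR/log/ioc_feeder.elg and the feed's .err file and run this from cron.
demo() {
    tmp=$(mktemp -d)
    cat >"$tmp/ioc_feeder.elg" <<'EOF'
[info] feed my_feed: refresh started
[info] feed my_feed: 1024 indicators loaded
[error] feed my_feed: IOC_FAILED_WHILE_PARSING line 17
[info] feed my_feed: refresh finished
EOF
    printf 'bad line 17\n\n' >"$tmp/my_feed_custom.csv.err"

    if hits=$(scan_ioc_log "$tmp/ioc_feeder.elg"); then
        send_alert "ioc_feeder.elg: $hits"
    fi
    n=$(count_err_lines "$tmp/my_feed_custom.csv.err")
    [ "$n" -gt 0 ] && send_alert "$n rejected feed line(s) in my_feed_custom.csv.err"
    # 'true' stands in for a probe (e.g. curl to the canary) that unexpectedly succeeded.
    canary_blocked true || send_alert "canary indicator was reachable; feed not enforced"
    rm -rf "$tmp"
}

demo
```

Running the script prints one ALERT line per failed check to stderr, so it can be scheduled from cron on a management or tooling host and its output piped to whatever delivery method the NOC already accepts. Keep ALERT_PATTERNS narrow: an overly broad match turns every routine refresh into a ticket.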
