Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
krit
Participant

Importing External Custom Intelligence Feeds in SmartConsole - Custom feed settings

Jump to solution

Dear Mates,

We would like to use the "indicators" option in Threat Prevention policy and create an External IOC feed object pointing to a file with IP addresses only, one per line.

In specific, we would like to use Talos IP blacklist, for a start ( http://www.talosintelligence.com/documents/ip-blacklist )

First of all, I would like to ask if this is possible through Smartconsole. Documentation mentions that feeds which do not match Checkpoint's format, cannot be used in Smartconsole.

Secondly, if the above is possible, is there any documentation on how to fill up the "Custom feed settings"? In our case with an IP address file, I assume that we choose "type: IP address" on the dropdown menu and leave the "ignore lines that start with:" and "fields delimeter:" fields as blank.

What about the "Fields to column number mappings" section? "Value:" field cannot be empty. I guess that since I have "one column" in the file, shall I use "1" in that field?

 

indicator.PNG

Please be also informed of the versions in our environment.

Management server: R81.10, jhf 30
Security gateways: R80.30, most in jhf 237

Thank you in advance!

Best Regards

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

The custom feed would need more information than IP address, I believe, which means you couldn't use the Talos file as-is.
That said, I believe you'll be able to use this file as-is with R81.20 using a Network Feed object.

View solution in original post

5 Replies
PhoneBoy
Admin
Admin

The custom feed would need more information than IP address, I believe, which means you couldn't use the Talos file as-is.
That said, I believe you'll be able to use this file as-is with R81.20 using a Network Feed object.

krit
Participant

Thank you for the clarification.

As assumed, I only have the cli import option for Talos list, for now.

0 Kudos
_Val_
Admin
Admin

Did you look into sk132193 yet? Talos case is mentioned there.

0 Kudos
krit
Participant

Yes, did it already.

My concern was about importing Talos list through Smartconsole, not cli.

Regards

0 Kudos
r1der
Collaborator

Hi @krit , did you figure out the custom settings or figure out how to ingest these into CP?


My indicators is setup like yours and are uploaded in to SmartConsole (by URL that will take you to a .txt file with values depending on IPs/domains/or hashes only. "Testing Connectivity" successfully runs, but if I understand correctly, it isn't setup right, since its not in a CheckPoint CSV Format.

0 Kudos