This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Tal_Ben_Bassat
MVP MVP
MVP
‎2025-10-04 08:32 AM

Playblocks Highlights: IOC Enforcement Connector - Why You Should Enable It ⚡

Playblocks Highlights: IOC Enforcement Connector - Why You Should Enable It

 

Hey CheckMates! 🎯

In this edition of Playblocks Highlights, we’re diving deep into the IOC Enforcement connector - how it links your threat detection to prevention, the enforcement options, and some powerful automations you can enable right away.

🔐 IOC Enforcement bridges detection and enforcement. Instead of just adding IOCs to a list, this connector ensures they are automatically enforced across supported platforms.

 

What is the IOC Enforcement Connector?

  • The IOC Enforcement connector synchronizes Infinity Playblocks with your enforcement platforms, ensuring that indicators detected (by automations or manually) are pushed out to your security products.
  • When enabled, a new list called Playblocks IOCs is created and synced with the Infinity IOC Management feed. New indicators (from Playblocks automations or manual additions) flow into that feed and are distributed.
  • It replaces the manual, error-prone process of creating indicator objects in each product. With the connector on, your infrastructures automatically fetch and enforce the indicators.

Tal_Ben_Bassat_0-1759592463146.png

 

Enforcement Options & Platforms

When configuring the connector, you decide which platforms should enforce the IOCs:

  • Quantum IOC Enforcement
    • You can enable enforcement on all Quantum Managements or pick specific ones.
    • Once enabled, any gateway under those managements with Anti-Bot or Anti-Virus blades will start enforcing the IOCs upon policy push.
  • CrowdStrike IOC Enforcement
    • Requires that the CrowdStrike connector is already enabled.
    • Hash indicators (e.g. MD5, SHA256) are added with Prevent actions; IP indicators are added with Detect actions (since CrowdStrike does not support IP prevention).
  • SentinelOne IOC Enforcement
    • Requires the SentinelOne connector active.
    • SentinelOne enforces automatic expiration limits:
      • IP indicators expire in 30 days
      • URLs, domains, and file hashes expire in 180 days
  • Microsoft Defender IOC Enforcement
    • Requires the Microsoft Defender connector active.
    • Once enabled, new indicators flow into Defender’s IOC engine for enforcement.
  • Harmony Endpoint IOC Enforcement
    • Requires Harmony Endpoint service and connector enabled.
    • Harmony Endpoint supports file hashes (MD5, SHA1), IPv4, URLs, and domains. It doesn’t expire IOCs automatically - but Playblocks periodically removes expired indicators from Harmony.

How to Enable & Configure

    1. In Playblocks → Connectors, locate and enable IOC Enforcement.
    2. Toggle on Quantum IOC Enforcement, CrowdStrike IOC Enforcement, SentinelOne IOC Enforcement, Microsoft Defender IOC Enforcement, and Harmony Endpoint IOC Enforcement as required.
    3. For Quantum, choose whether to apply enforcement to all managements or select specific ones.
    4. Save and install the updated Threat Prevention policy on the affected gateways.

Once configured, existing indicators in the Playblocks feed are automatically synchronized into the enforcement platforms.

 

Tal_Ben_Bassat_0-1759592281231.png Tal_Ben_Bassat_2-1759592372805.png

 

Examples for predefined automations that use IOC Enforcement

These predefined automations automatically add malicious files or URLs into the Playblocks IOC feed for enforcement:

Automation

What It Does

Notes / Parameters

Block malicious file indicator identified by Threat Extraction (Harmony Endpoint)

Adds file indicators from Threat Extraction to the IOC feed and enforces them

Requires IOC Enforcement to propagate these indicators

Add malicious file indicator identified by CrowdStrike to IOC feed

Adds file hashes flagged by CrowdStrike into the IOC feed

Includes Expiration in days parameter; ensures consistent blocking

Add malicious file indicator identified by Microsoft Defender to IOC feed

Adds file hash and source URL flagged by Defender into IOC feed

Shares Defender detections with your broader enforcement

Add malicious file indicator identified by SentinelOne to IOC feed

Adds file hash indicators flagged by SentinelOne into the IOC feed

Integrates SentinelOne detections across your stack

Block malicious indicator identified by Anti-Bot

Pushes malicious URLs detected by Anti-Bot into the IOC feed for automatic blocking

Great for reinforcing Quantum and Harmony layers

Block malicious indicator identified by Zero Phishing (Quantum)

Ingests malicious URL indicators flagged by Zero Phishing into the IOC feed for enforcement

Often paired with URL/domain blocking via Anti-Bot and AV blades

 

💡 Pro Tip: Filter the Automations page by IOC Enforcement connector to discover even more automations that add URLs and file indicators to your threat feed - there are many more to explore!

 

Why You Should Connect It Today

    • Closes the loop: Automatically turns threat detections into enforced protections.
    • Unified control: Your entire stack - Quantum, Endpoint, Defender, and more - enforces IOCs consistently.
    • Hands-free scaling: Once connected, every new indicator flows to all enabled products automatically.

🔗 Connect now: Enable IOC Enforcement Connector

 

Continue the Journey

Did you miss our previous highlight on powerful Playblocks automations?
👉 Check out the first Playblocks Highlights post

Stay tuned for the next Playblocks Highlights - where we’ll keep uncovering connectors, automations, and AI-powered workflows that make security smarter and faster.

(1)
Who rated this post