On the User-defined Suspicious Objects tab, you can manually add suspicious objects to Deep Discovery Analyzer using the Structured Threat Information eXpression (STIX) format.

The following columns show information about objects on the User-defined Suspicious Objects tab.
User-defined Suspicious Objects columns

| Column Name | Information |
| --- | --- |
| Added | Date and time when the suspicious object was added |
| Type | IP address, Domain, URL, file SHA-1, or file SHA-256 |
| Object | The IP address, domain, URL, or SHA-1 or SHA-256 hash value of the file. Click Edit to modify the displayed value. |
| Source | The source (Deep Discovery Director, local, or Trend Vision One) that added the suspicious object |
Deep Discovery Analyzer can import STIX files formatted using the 1.2, 1.1.1 and 1.0.1 version specifications. The 1.0.1 specification can only be used for Virtual Analyzer output.

The STIX file can include multiple objects. However, Deep Discovery Analyzer only imports the following supported STIX indicators:
- Indicator - File Hash Watchlist (SHA-1 and SHA-256)
- Indicator - URL Watchlist
- Indicator - Domain Watchlist
- Indicator - IP Watchlist
STIX indicators can use the following Properties attributes:

- @condition must be Equals
- @apply_condition must be ANY