You can protect your network from objects not yet identified on your network by importing properly formatted OpenIOC files (*.ioc) and extracting suspicious file SHA-1, IP address, URL, and domain objects to the User-Defined Suspicious Object list. When uploading a file, you can specify the scan action that supported Trend Micro products perform after detecting the suspicious objects. After uploading an OpenIOC file, you can also select an uploaded file as the assessment criteria for a preliminary investigation or a detailed investigation.

For details about manually adding suspicious objects directly to the User-Defined Suspicious Object list, see Adding Objects to the User-Defined Suspicious Object List.

Important:

Apex Central only supports OpenIOC 1.0.

Note:

By default, Apex Central automatically extracts suspicious objects to the User-Defined Suspicious Object list when the OpenIOC file upload is complete.

Alternatively, you can choose to upload the OpenIOC file first, and then manually extract suspicious objects after the file upload is complete.

  1. Go to Threat Intel > Custom Intelligence.

    The Custom Intelligence screen appears.

  2. Click the OpenIOC tab.

    The OpenIOC file list appears.

  3. (Optional) To filter the files that display in the file list, use the search box to specify a full or partial string contained in the File Name, Short Description, or Source Added By columns.
  4. Click Add.

    The Add OpenIOC Files screen appears.

  5. Select OpenIOC files (*.ioc) to upload.
    1. Click Select Files....
    2. Select one or more files to upload.
      Note:
      • The maximum file size for each file is 10 MB.

      • The total number of files uploaded at the same time cannot exceed 200 files.

      • The maximum number of objects for each suspicious object type in the User-Defined Suspicious Object list cannot exceed 10,000 objects for each type.

        The extraction task for a suspicious object type will be unsuccessful if the maximum number of objects has been reached for the object type.

    3. Click Open.
  6. (Optional) Click Advanced settings to configure the following settings:
    • To upload the file without automatically extracting the suspicious objects, clear the Extract file SHA-1 hashes, IP addresses, URLs, or domains, and add the suspicious objects to the User-Defined Suspicious Objects list check box.

      Note:

      If you disable automatic extraction when uploading files, you can still manually extract objects after the file upload is complete.

    • Specify scan actions for supported products to perform after detecting the object.

      Note:

      You can also configure scan actions for suspicious objects on the User-Defined Suspicious Object list.

      For more information, see Suspicious Object Scan Actions.

  7. Click Add.
    Tip:
    • To track the file upload status, perform a log query by using the User Access log type.

      For more information, see Querying Logs.

    • To track the suspicious object extraction status, use the Command Tracking screen.

      For more information, see Command Tracking.

    Apex Central uploads the selected OpenIOC files to the OpenIOC file list.

    Note:
    • If default settings are selected, Apex Central automatically extracts suspicious objects to the User-Defined Suspicious Object list.

    • The Extracted Objects column in the OpenIOC file list displays "N/A" for the following scenarios:

      • You uploaded the OpenIOC file without automatically extracting the suspicious objects.

      • Apex Central was unable to extract suspicious objects from the OpenIOC file.

  8. To manually extract suspicious objects from an uploaded OpenIOC file:
    1. Select the check box next to the File Name of the uploaded file.
    2. Click Extract.

      The Extracted Objects column displays the number of suspicious objects extracted from the OpenIOC file to the User-Defined Suspicious Object list.

      • To download a copy of a specific file, click the link in the File Name column.

      • To track the file extraction status, use the Command Tracking screen.

        For more information, see Command Tracking.

      • To view the extracted suspicious objects on a filtered view of the User-Defined Suspicious Object list, click the count in the Extracted Objects column.

      • To delete files, select the check box next to the File Name of at least one file and click Delete.

        Note:
        • Deleting a file does not remove the extracted suspicious objects from the User-Defined Suspicious Object list.

        • You cannot delete a file until Apex Central has finished extracting suspicious objects from the file.

  9. To start a threat investigation using an uploaded OpenIOC file as the assessment criteria:
    Important:
    • Threat investigations require a valid Endpoint Sensor license. Ensure that you have a valid Endpoint Sensor license or contact your service provider to obtain an Activation Code.

    • After activating your Endpoint Sensor license, enable the Endpoint Sensor feature by creating an Apex One Agent policy or Apex One (Mac) policy on the Policy Management screen (Policies > Policy Management).

      For more information, see the Apex Central Widget and Policy Management Guide.

    1. Select the check box next to the File Name of the uploaded file.
    2. Perform one of the following types of threat investigation:

      • Preliminary Investigation: A preliminary investigation uses server metadata to identify endpoints that are possible candidates for further analysis.

        Hover over the Analyze Impact button and click Preliminary Investigation.

        Note:

        You can also perform a preliminary investigation from the Preliminary Investigation screen (Response > Preliminary Investigation).

        For more information, see Using Custom Criteria for Preliminary Investigation.

        For specific information about the server metadata used for preliminary investigations, see Endpoint Sensor Metadata.

      • One-time Investigation: A one-time investigation is a detailed investigation that is generated on demand and goes through all files currently on the disk and all processes currently running in memory.

        Hover over the Analyze Impact button and go to Detailed Investigation > One-time.

        Note:

        You can also perform a one-time investigation from the One-time Investigation tab on the Detailed Investigation screen (Response > Detailed Investigation).

        For more information, see One-Time Investigation.

      • Scheduled Investigation: A scheduled investigation is a detailed investigation that runs automatically at specific intervals.

        Hover over the Analyze Impact button and go to Detailed Investigation > Scheduled.

        Note:

        You can also perform a scheduled investigation from the Scheduled Investigation tab on the Detailed Investigation screen (Response > Detailed Investigation).

        For more information, see Scheduled Investigation.
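The extraction that steps 7 and 8 describe, as an added Python example that is not Trend Micro's code: it parses an OpenIOC 1.0 file, validates each file SHA-1, IP address, URL, or domain before it would reach a suspicious object list, and refuses the batch when a type would pass the 10,000-object cap. The mapping of OpenIOC search terms to object types, the rule that only condition="is" items yield exact objects, and the sample file are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}  # OpenIOC 1.0 namespace
# Assumed mapping of OpenIOC search terms to the four object types Apex Central extracts.
SEARCH_TO_TYPE = {"FileItem/Sha1sum": "sha1", "PortItem/remoteIP": "ip",
                  "Network/URI": "url", "DnsEntryItem/Host": "domain"}
MAX_PER_TYPE = 10000  # per-type cap stated in the procedure above

def is_valid(kind, v):
    """Syntactic checks: malformed values are reported, never added to the object list."""
    if kind == "ip":
        try:
            return ipaddress.ip_address(v) is not None
        except ValueError:
            return False
    pattern = {"sha1": r"[0-9a-f]{40}", "url": r"https?://\S+",
               "domain": r"([a-z0-9-]{1,63}\.)+[a-z]{2,63}"}[kind]
    return re.fullmatch(pattern, v) is not None

def extract_objects(xml_text, existing_counts=None):
    """Return ({type: sorted values}, [(search, value, reason)]). Only condition="is"
    items are exact objects (assumption); exceeding MAX_PER_TYPE raises ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}ioc" % NS["ioc"]:
        raise ValueError("not an OpenIOC 1.0 document")
    found, rejected = {k: set() for k in SEARCH_TO_TYPE.values()}, []
    for item in root.iterfind(".//ioc:IndicatorItem", NS):
        ctx, content = item.find("ioc:Context", NS), item.find("ioc:Content", NS)
        search = ctx.get("search", "") if ctx is not None else ""
        value = (content.text or "").strip() if content is not None else ""
        kind = SEARCH_TO_TYPE.get(search)
        value = value.lower() if kind in ("sha1", "domain") else value
        if kind is None or item.get("condition") != "is":
            rejected.append((search, value, "unsupported search term or condition"))
        elif not is_valid(kind, value):
            rejected.append((search, value, "malformed " + kind))
        else:
            found[kind].add(value)
    for kind, values in found.items():
        if (existing_counts or {}).get(kind, 0) + len(values) > MAX_PER_TYPE:
            raise ValueError("%s objects would exceed %d" % (kind, MAX_PER_TYPE))
    return {k: sorted(v) for k, v in found.items()}, rejected

SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="EXAMPLE-0001"><definition><Indicator operator="OR">
<IndicatorItem condition="is"><Context search="FileItem/Sha1sum"/><Content type="sha1">DA39A3EE5E6B4B0D3255BFEF95601890AFD80709</Content></IndicatorItem>
<IndicatorItem condition="is"><Context search="PortItem/remoteIP"/><Content type="IP">203.0.113.5</Content></IndicatorItem>
<IndicatorItem condition="contains"><Context search="Network/URI"/><Content type="string">/gate.php</Content></IndicatorItem>
<IndicatorItem condition="is"><Context search="DnsEntryItem/Host"/><Content type="string">bad..example</Content></IndicatorItem>
</Indicator></definition></ioc>"""  # constructed sample: empty-file SHA-1 and a documentation address
```

Running extract_objects(SAMPLE_IOC) yields one SHA-1 and one IP address, while the "contains" URI fragment and the malformed host land in the rejected list with a reason, which is the information to keep when the Extracted Objects column shows "N/A".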