An OpenIOC file is an XML file which contains one or more Indicators of Compromise (IOCs). Verify that the OpenIOC file uses indicator terms supported by the type of investigation selected.

The table below lists the IOC indicators supported in investigations.

Table 1. Supported IOC Indicators for Preliminary Investigations

Category        Item                                   Required Condition
--------------  -------------------------------------  ------------------
DNSENTRYITEM    HOST                                   IS
                RECORDDATA/HOST                        IS
                RECORDDATA/IPV4ADDRESS                 IS
FILEITEM        FILENAME                               IS
                FILEPATH                               IS
                SHA1SUM                                IS
                SHA256SUM                              IS
                MD5SUM                                 IS
PORTITEM        LOCALIP                                IS
                REMOTEIP                               IS
PROCESSITEM     ARGUMENTS                              CONTAINS
                NAME                                   IS
                PATH                                   IS
                SECTIONLIST/MEMORYSECTION/SHA1SUM      IS
                SECTIONLIST/MEMORYSECTION/SHA256SUM    IS
                SECTIONLIST/MEMORYSECTION/MD5SUM       IS
REGISTRYITEM    KEYPATH                                CONTAINS
                VALUE                                  CONTAINS
                VALUENAME                              CONTAINS
                USERNAME                               IS

Note:

After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to verify that the OpenIOC file contains only supported indicator terms and conditions. Unsupported combinations are formatted with a strike-through and are ignored during the investigation.
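To catch unsupported combinations before uploading, the check in Table 1 can be run offline against the OpenIOC file. The script below is an added example, not Endpoint Sensor's own code: it parses OpenIOC 1.0 XML (the `http://schemas.mandiant.com/2010/ioc` namespace), maps each `IndicatorItem`'s `Context search` term and `condition` attribute onto the table, and flags items that would be struck through and ignored; the sample IOC and its hash value are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

IOC_NS = "http://schemas.mandiant.com/2010/ioc"

# (category, item) -> required condition, transcribed from Table 1 above.
SUPPORTED = {
    (cat, item): cond
    for cat, cond, items in [
        ("DNSENTRYITEM", "IS", ["HOST", "RECORDDATA/HOST", "RECORDDATA/IPV4ADDRESS"]),
        ("FILEITEM", "IS", ["FILENAME", "FILEPATH", "SHA1SUM", "SHA256SUM", "MD5SUM"]),
        ("PORTITEM", "IS", ["LOCALIP", "REMOTEIP"]),
        ("PROCESSITEM", "CONTAINS", ["ARGUMENTS"]),
        ("PROCESSITEM", "IS", ["NAME", "PATH", "SECTIONLIST/MEMORYSECTION/SHA1SUM",
                               "SECTIONLIST/MEMORYSECTION/SHA256SUM",
                               "SECTIONLIST/MEMORYSECTION/MD5SUM"]),
        ("REGISTRYITEM", "CONTAINS", ["KEYPATH", "VALUE", "VALUENAME"]),
        ("REGISTRYITEM", "IS", ["USERNAME"]),
    ]
    for item in items
}

def check_openioc(xml_text):
    """Return [(search_term, condition, supported)] for every IndicatorItem."""
    root = ET.fromstring(xml_text)
    results = []
    for ind in root.iter(f"{{{IOC_NS}}}IndicatorItem"):
        # OpenIOC terms are case-insensitive; the table lists them upper-cased.
        search = ind.find(f"{{{IOC_NS}}}Context").get("search", "")
        cond = ind.get("condition", "").upper()
        category, _, item = search.upper().partition("/")
        # Supported only if the category/item pair exists AND the condition matches.
        results.append((search, cond, SUPPORTED.get((category, item)) == cond))
    return results

# Constructed sample IOC: one supported item, one with the wrong condition
# (FILENAME requires IS), and one whose category is not in the table at all.
SAMPLE_IOC = f"""<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="{IOC_NS}" id="00000000-0000-0000-0000-000000000000">
 <definition><Indicator operator="OR">
  <IndicatorItem condition="is">
   <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
   <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content></IndicatorItem>
  <IndicatorItem condition="contains">
   <Context document="FileItem" search="FileItem/FileName" type="mir"/>
   <Content type="string">update</Content></IndicatorItem>
  <IndicatorItem condition="is">
   <Context document="ServiceItem" search="ServiceItem/name" type="mir"/>
   <Content type="string">svchelper</Content></IndicatorItem>
 </Indicator></definition>
</ioc>"""
```

Running `check_openioc(SAMPLE_IOC)` returns `True` only for the MD5 item; the other two would appear struck through in the Endpoint Sensor preview.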