An OpenIOC file is an XML file which contains one or more Indicators of Compromise (IOCs). Verify that the OpenIOC file uses indicator terms supported by the type of investigation selected.
The table below lists the IOC indicators supported in investigations.
Category | Item | Required Condition
---|---|---
DNSENTRYITEM | HOST | IS
DNSENTRYITEM | RECORDDATA/HOST | IS
DNSENTRYITEM | RECORDDATA/IPV4ADDRESS | IS
FILEITEM | FILENAME | IS
FILEITEM | FILEPATH | IS
FILEITEM | SHA1SUM | IS
FILEITEM | SHA256SUM | IS
FILEITEM | MD5SUM | IS
PORTITEM | LOCALIP | IS
PORTITEM | REMOTEIP | IS
PROCESSITEM | ARGUMENTS | CONTAINS
PROCESSITEM | NAME | IS
PROCESSITEM | PATH | IS
PROCESSITEM | SECTIONLIST/MEMORYSECTION/SHA1SUM | IS
PROCESSITEM | SECTIONLIST/MEMORYSECTION/SHA256SUM | IS
PROCESSITEM | SECTIONLIST/MEMORYSECTION/MD5SUM | IS
REGISTRYITEM | KEYPATH | CONTAINS
REGISTRYITEM | VALUE | CONTAINS
REGISTRYITEM | VALUENAME | CONTAINS
REGISTRYITEM | USERNAME | IS
After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to verify that the OpenIOC file contains only supported indicators and conditions. Unsupported combinations are formatted with a strike-through and are ignored during the investigation.
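As an added example (not part of the original documentation or the Endpoint Sensor product), the following Python script parses an OpenIOC 1.0 file and flags each IndicatorItem whose search term and condition are not in the table above, i.e. the items that would be struck through and ignored. It assumes the table's uppercase item names match the OpenIOC `search` attribute (such as `FileItem/Md5sum`) case-insensitively, with the first path segment naming the category; the sample IOC is constructed.

```python
import xml.etree.ElementTree as ET

# Supported item/condition pairs per category, transcribed from the table above
SUPPORTED = {
    "DNSENTRYITEM": {"HOST": "IS", "RECORDDATA/HOST": "IS", "RECORDDATA/IPV4ADDRESS": "IS"},
    "FILEITEM": {"FILENAME": "IS", "FILEPATH": "IS", "SHA1SUM": "IS", "SHA256SUM": "IS", "MD5SUM": "IS"},
    "PORTITEM": {"LOCALIP": "IS", "REMOTEIP": "IS"},
    "PROCESSITEM": {"ARGUMENTS": "CONTAINS", "NAME": "IS", "PATH": "IS",
                    "SECTIONLIST/MEMORYSECTION/SHA1SUM": "IS",
                    "SECTIONLIST/MEMORYSECTION/SHA256SUM": "IS",
                    "SECTIONLIST/MEMORYSECTION/MD5SUM": "IS"},
    "REGISTRYITEM": {"KEYPATH": "CONTAINS", "VALUE": "CONTAINS", "VALUENAME": "CONTAINS", "USERNAME": "IS"},
}

def check_openioc(xml_text):
    """Return (search, condition, supported) for every IndicatorItem.
    Assumes the table's uppercase names match the 'search' attribute case-insensitively."""
    root = ET.fromstring(xml_text)
    results = []
    for item in root.iter():
        if not item.tag.endswith("IndicatorItem"):  # tags carry the xmlns prefix
            continue
        ctx = next((c for c in item if c.tag.endswith("Context")), None)
        if ctx is None:
            continue
        search = ctx.get("search", "")
        cond = (item.get("condition") or "").upper()
        category, _, term = search.upper().partition("/")
        supported = SUPPORTED.get(category, {}).get(term) == cond
        results.append((search, cond, supported))
    return results

# Constructed sample IOC: the second item uses 'contains' on FileName, which the
# table does not support, so Endpoint Sensor would strike it through and ignore it
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc">
 <definition><Indicator operator="OR">
  <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
   <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content></IndicatorItem>
  <IndicatorItem condition="contains"><Context document="FileItem" search="FileItem/FileName" type="mir"/>
   <Content type="string">dropper</Content></IndicatorItem>
  <IndicatorItem condition="contains"><Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir"/>
   <Content type="string">CurrentVersion\\Run</Content></IndicatorItem>
 </Indicator></definition>
</ioc>"""

if __name__ == "__main__":
    for search, cond, ok in check_openioc(SAMPLE_IOC):
        print(f"{'ok     ' if ok else 'IGNORED'} {search} {cond}")
```

Running the check before uploading an IOC makes it obvious which indicators will be silently dropped, rather than discovering it in the preview.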