Appendix 11. IOC file requirements
When creating IOC Scan tasks, consider the following IOC file requirements and limitations:
- Kaspersky Endpoint Detection and Response Optimum supports IOC files with the IOC and XML extensions that follow versions 1.0 and 1.1 of the OpenIOC open standard for describing indicators of compromise.
- If some of the IOC files uploaded during IOC Scan task creation are not supported, the task uses only the supported files when it runs.
- If only unsupported IOC files are uploaded during IOC Scan task creation, the task can still be run, but it will detect no indicators of compromise.
- Semantic errors and unsupported IOC terms and tags in IOC files do not cause task execution to fail; the application simply finds no match in those sections of the file.
- The identifiers of all IOC files used in a single IOC Scan task must be unique. Files that share an identifier may distort the task results.
- A single IOC file must not exceed 3 MB. Larger files cause the IOC Scan task to terminate with an error. The total size of all files added to the IOC collection, however, may exceed 3 MB.
- Create one IOC file per threat where possible; this makes the results of the IOC Scan task easier to analyze.
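The checks in the list above can be applied before a collection is uploaded, so that an oversized file does not abort the whole task and a shared identifier is caught early. The script below is an added example written for this page, not Kaspersky code, and does not reproduce the product's own parser. It recognises the OpenIOC version by the root element's namespace (the published namespaces for 1.0 and 1.1; treating that as the support criterion is an assumption), enforces the 3 MB per-file limit, reports identifiers shared between files, and sums the collection size to show that the total may legitimately exceed 3 MB. All sample files, identifiers and hashes are constructed inline.

```python
"""Pre-flight checks for an IOC Scan task collection (added example, not product code)."""
import os
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_IOC_FILE_BYTES = 3 * 1024 * 1024      # per-file limit stated in the requirements
SUPPORTED_EXTENSIONS = {".ioc", ".xml"}

# Root element (Clark notation) -> OpenIOC version. Assumption: the product
# decides "supported" the same way; these are the standards' published namespaces.
OPENIOC_ROOTS = {
    "{http://schemas.mandiant.com/2010/ioc}ioc": "1.0",
    "{http://openioc.org/schemas/OpenIOC_1.1}OpenIOC": "1.1",
}


@dataclass
class IocCheck:
    name: str
    version: Optional[str] = None       # "1.0", "1.1", or None if not OpenIOC
    ioc_id: Optional[str] = None
    skip_reason: Optional[str] = None   # the task would ignore this file
    fatal: List[str] = field(default_factory=list)      # the task would fail
    warnings: List[str] = field(default_factory=list)   # results may be affected


def check_ioc_file(name: str, data: bytes) -> IocCheck:
    """Apply the per-file requirements: extension, size, OpenIOC root, id present."""
    check = IocCheck(name=name)
    ext = os.path.splitext(name)[1].lower()
    if ext not in SUPPORTED_EXTENSIONS:
        check.skip_reason = f"extension {ext!r} is not .ioc or .xml"
        return check
    if len(data) > MAX_IOC_FILE_BYTES:
        check.fatal.append(f"{len(data)} bytes exceeds the 3 MB per-file limit")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        check.skip_reason = f"not well-formed XML ({exc})"
        return check
    check.version = OPENIOC_ROOTS.get(root.tag)
    if check.version is None:
        check.skip_reason = f"root element {root.tag} is not OpenIOC 1.0 or 1.1"
        return check
    check.ioc_id = root.get("id")
    if not check.ioc_id:
        check.warnings.append("root element has no id attribute")
    return check


def check_collection(files: Dict[str, bytes]) -> dict:
    """Check a whole collection and flag identifiers shared between files."""
    checks = [check_ioc_file(name, data) for name, data in files.items()]
    id_counts = Counter(c.ioc_id for c in checks if c.ioc_id)
    for c in checks:
        if c.ioc_id and id_counts[c.ioc_id] > 1:
            c.warnings.append(f"id {c.ioc_id} is shared with another file in this task")
    return {
        "usable": [c.name for c in checks if c.version and not c.fatal],
        "skipped": [c.name for c in checks if c.skip_reason],
        "fatal": [c.name for c in checks if c.fatal],
        "duplicate_ids": sorted(i for i, n in id_counts.items() if n > 1),
        "total_bytes": sum(len(d) for d in files.values()),
        "checks": checks,
    }


# Constructed sample files. Hashes, ids and host names are placeholders.
OPENIOC_10 = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="{ioc_id}" last-modified="2024-01-01T00:00:00">
  <short_description>Constructed sample</short_description>
  <definition>
    <Indicator operator="OR" id="{ioc_id}-ind">
      <IndicatorItem id="{ioc_id}-item" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">{value}</Content>
      </IndicatorItem>
    </Indicator>
  </definition>{padding}
</ioc>
"""
OPENIOC_11 = """<?xml version="1.0" encoding="utf-8"?>
<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="{ioc_id}" last-modified="2024-01-01T00:00:00">
  <metadata><short_description>Constructed sample</short_description></metadata>
  <criteria>
    <Indicator operator="OR" id="{ioc_id}-ind">
      <IndicatorItem id="{ioc_id}-item" condition="is" preserve-case="false" negate="false">
        <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
        <Content type="string">{value}</Content>
      </IndicatorItem>
    </Indicator>
  </criteria>
</OpenIOC>
"""
DUP_ID = "0f1e2d3c-0000-4000-8000-000000000001"
SAMPLE_FILES: Dict[str, bytes] = {
    "dropper.ioc": OPENIOC_10.format(ioc_id=DUP_ID, value="d41d8cd98f00b204e9800998ecf8427e", padding="").encode(),
    "c2-domain.xml": OPENIOC_11.format(ioc_id="0f1e2d3c-0000-4000-8000-000000000002", value="c2.malicious.example").encode(),
    "dropper-copy.xml": OPENIOC_10.format(ioc_id=DUP_ID, value="d41d8cd98f00b204e9800998ecf8427e", padding="").encode(),
    "notes.txt": b"plain text, not an IOC file",
    "not-openioc.xml": b"<foo/>",
    # valid OpenIOC 1.0, but padded past 3 MB with an XML comment
    "oversized.ioc": OPENIOC_10.format(ioc_id="0f1e2d3c-0000-4000-8000-000000000003", value="d41d8cd98f00b204e9800998ecf8427e",
                                       padding="<!-- " + "x" * MAX_IOC_FILE_BYTES + " -->").encode(),
}

if __name__ == "__main__":
    report = check_collection(SAMPLE_FILES)
    for key in ("usable", "skipped", "fatal", "duplicate_ids", "total_bytes"):
        print(f"{key}: {report[key]}")
    for c in report["checks"]:
        for msg in c.fatal + c.warnings:
            print(f"  {c.name}: {msg}")
```

Run the module directly to print the report for the constructed collection: the oversized file is the only one that would stop the task, the text file and the non-OpenIOC XML would simply be ignored, and the two files sharing an id are usable but flagged, which matches the behaviour described in the list above.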
The IOC_TERMS.XLSX file, available for download from this page, contains a table with the full list of OpenIOC terms supported by the Kaspersky Endpoint Detection and Response solution.
Features and limitations of the application's support for the OpenIOC standard are shown in the following table. Only the row headings of the table survive in this version of the page; the per-version lists of conditions, condition attributes, operators and data types are not reproduced here.

Features and limitations of support for OpenIOC versions 1.0 and 1.1

Supported conditions | OpenIOC 1.0: … | OpenIOC 1.1: …
Supported condition attributes | OpenIOC 1.1: …
Supported operators | …
Supported data types | …
Features of data type interpretation | OpenIOC 1.0: … | OpenIOC 1.1: …