Appendix 10. IOC file requirements
When creating IOC Scan tasks, consider the following IOC file requirements and limitations:
- The application supports IOC files with the IOC and XML extensions in the open standard OpenIOC versions 1.0 and 1.1 for describing indicators of compromise.
- If you create an IOC Scan task on the command line and upload IOC files of which only some are supported, the application uses only the supported files when the task runs. If all of the uploaded IOC files turn out to be unsupported, the task can still run, but it will not detect any indicators of compromise. Web Console and Cloud Console do not allow unsupported IOC files to be uploaded.
- Semantic errors and unsupported IOC terms and tags in IOC files do not cause task execution to fail. In such sections of IOC files, the application detects no match.
- The identifiers of all IOC files used in a single IOC Scan task must be unique. If there are IOC files with the same identifier, it might affect the task execution results.
- A single IOC file must not exceed 2 MB in size. Using larger files will cause IOC Scan tasks to terminate with an error. The total size of all files added to the IOC collection should not exceed 10 MB. If the total size of all files exceeds 10 MB, you need to split the IOC collection and create several IOC Scan tasks.
- It is recommended to create one IOC file per threat. This makes it easier to analyze the results of the IOC Scan task.
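The following pre-flight check, added here as an example and not part of the product or its documentation, validates an IOC collection against the requirements listed above before a task is created: supported extension, well-formed OpenIOC 1.0 or 1.1 root element, a present and unique `id`, the 2 MB per-file limit and the 10 MB collection limit. The OpenIOC namespace URIs and root element names are assumptions taken from the public OpenIOC schemas, and the sample files are constructed in memory.

```python
import xml.etree.ElementTree as ET

MAX_FILE = 2 * 1024 * 1024          # a single IOC file must not exceed 2 MB
MAX_COLLECTION = 10 * 1024 * 1024   # all files in one IOC Scan task: 10 MB
SUPPORTED_ROOTS = {                 # (namespace, root tag) -> OpenIOC version (assumed)
    ("http://schemas.mandiant.com/2010/ioc", "ioc"): "1.0",
    ("http://openioc.org/schemas/OpenIOC_1.1", "OpenIOC"): "1.1",
}

def inspect_ioc(name: str, data: bytes) -> dict:
    """Per-file checks: extension, size, XML well-formedness, OpenIOC version, id."""
    info = {"name": name, "size": len(data), "version": None, "id": None, "problems": []}
    if not name.lower().endswith((".ioc", ".xml")):
        info["problems"].append("extension must be .ioc or .xml")
    if len(data) > MAX_FILE:
        info["problems"].append("file exceeds 2 MB; the task would terminate with an error")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        info["problems"].append(f"not well-formed XML: {exc}")
        return info
    ns, _, tag = root.tag.rpartition("}")          # ElementTree names tags '{ns}tag'
    info["version"] = SUPPORTED_ROOTS.get((ns.lstrip("{"), tag))
    if info["version"] is None:
        info["problems"].append("not OpenIOC 1.0/1.1; the scan would silently skip it")
    info["id"] = root.get("id")
    if not info["id"]:
        info["problems"].append("root element has no id attribute")
    return info

def check_collection(files: dict) -> dict:
    """Cross-file rules: ids must be unique, total size decides whether to split tasks."""
    results = [inspect_ioc(n, d) for n, d in files.items()]
    seen = {}
    for r in results:
        if r["id"] and r["id"] in seen:
            r["problems"].append(f"id {r['id']} duplicates {seen[r['id']]}; results may be affected")
        seen.setdefault(r["id"], r["name"])
    total = sum(r["size"] for r in results)
    return {"files": results, "total": total, "needs_split": total > MAX_COLLECTION}

SAMPLE_FILES = {  # constructed samples for the demo; the ids are not real indicators
    "threat_a.ioc": b'<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-demo-a">'
                    b'<short_description>constructed sample</short_description></ioc>',
    "threat_b.ioc": b'<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" '
                    b'id="00000000-demo-a"><metadata/></OpenIOC>',   # duplicate id on purpose
    "notes.txt": b"not an IOC file",
}

if __name__ == "__main__":
    for r in check_collection(SAMPLE_FILES)["files"]:
        print(r["name"], r["version"], r["problems"])
```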
The file available from the link below contains a table with the full list of IOC terms in the OpenIOC standard.
Download the IOC_TERMS.XLSX file
Features and limitations of the application's support for the OpenIOC standard are shown in the following table.
Features and limitations of support for OpenIOC versions 1.0 and 1.1

| Feature | OpenIOC 1.0 | OpenIOC 1.1 |
|---|---|---|
| Supported conditions | | |
| Supported condition attributes | | |
| Supported operators | | |
| Supported data types | | |
| Features of data type interpretation | | |