Managing the User-defined Suspicious Objects List

Procedure

  1. Go to Virtual Analyzer > Suspicious Objects, and click the User-defined Suspicious Objects tab.
  2. To specify a single object:
    1. Click Add.
      The Add Object window appears.
    2. Select an object type:
      • IP address: type the IP address or a hyphenated range.
        Note
        Deep Discovery Analyzer supports both IPv4 and IPv6 formats.
      • Domain: type a domain name.
        Note
        Wildcards are only allowed in a prefix, and must be connected with a "." symbol. Use only one wildcard per domain. For example, *.com will match abc.com or test.com.
      • URL: type the URL.
        Note
        Deep Discovery Analyzer supports both HTTP and HTTPS.
        Wildcards are only allowed in a prefix. Wildcards used in the domain part of a URL must be connected with a "." symbol. Use only one wildcard per URL. For example, http://*.com will match abc.com or test.com.
        A wildcard can match any part of the URI part of the URL. For example, http://abc.com/*abc will match http://abcd.com/test.abc.
      • File: type the SHA-1 hash value of the file.
    3. Click Add.
      Note
      The User-defined Suspicious Objects list supports a maximum of 25,000 objects.
  3. To add multiple objects using a STIX file:
    1. Click Import List from STIX.
    2. Specify a valid STIX file.
    3. Click Import.
      Note
      Deep Discovery Analyzer can import STIX files formatted using the 1.2, 1.1.1 and 1.0.1 version specifications. The 1.0.1 specification can only be used for Virtual Analyzer output.
      The STIX file can include multiple objects. However, Deep Discovery Analyzer only imports the following supported STIX indicators:
      • Indicator - File Hash Watchlist (SHA-1 only)
      • Indicator - URL Watchlist
      • Indicator - Domain Watchlist
      • Indicator - IP Watchlist
      STIX indicators can use the following Properties attributes:
      • @condition must be Equals
      • @apply_condition must be ANY
  4. To remove objects in the list:
    • Select one or more objects, and click Delete to remove the selected objects.
    • Click Delete All to remove all objects in the list.
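
Before entering a batch of objects by hand (step 2), the format rules above can be checked offline. The following Python sketch is an added example, not Trend Micro code: it covers IP address, domain and file entries only (URL entries are left out), all function names are hypothetical, and the hostname label syntax and the requirement that a range start not exceed its end are assumptions rather than documented product behavior.

```python
import ipaddress
import re
MAX_OBJECTS = 25_000  # list limit stated in the procedure
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # assumed label syntax

def check_ip(value):
    """One IPv4/IPv6 address, or a hyphenated start-end range."""
    parts = [p.strip() for p in value.split("-")]
    if len(parts) > 2:
        return "expected one address or start-end"
    try:
        addrs = [ipaddress.ip_address(p) for p in parts]
    except ValueError:
        return "not an IPv4 or IPv6 address"
    if len(addrs) == 2 and addrs[0].version != addrs[1].version:
        return "range mixes IPv4 and IPv6"
    if len(addrs) == 2 and addrs[0] > addrs[1]:  # assumption: start <= end
        return "range start is above range end"
    return None

def check_domain(value):
    """At most one wildcard, only as a leading label joined with '.'."""
    if value.count("*") > 1:
        return "more than one wildcard"
    if "*" in value and not value.startswith("*."):
        return "wildcard must be a prefix joined with '.'"
    labels = (value[2:] if value.startswith("*.") else value).split(".")
    if not all(LABEL_RE.fullmatch(label) for label in labels):
        return "invalid domain label"
    return None

def check_sha1(value):
    return None if SHA1_RE.fullmatch(value) else "not a 40-character hex SHA-1"
CHECKS = {"ip": check_ip, "domain": check_domain, "file": check_sha1}

def validate(entries):
    """Return (position, type, value, reason) for each entry that fails."""
    problems = [(0, "list", "", "over list limit")] if len(entries) > MAX_OBJECTS else []
    for n, (kind, value) in enumerate(entries, 1):
        reason = CHECKS[kind](value) if kind in CHECKS else "unsupported type"
        if reason:
            problems.append((n, kind, value, reason))
    return problems

# Constructed sample entries (documentation addresses, empty-input digests).
SAMPLE = [("ip", "192.0.2.10-192.0.2.20"), ("ip", "2001:db8::1"),
          ("domain", "*.example.com"), ("domain", "bad*.example.com"),
          ("file", "d41d8cd98f00b204e9800998ecf8427e"),
          ("file", "da39a3ee5e6b4b0d3255bfef95601890afd80709")]
```

Calling validate(SAMPLE) flags entry 4 (wildcard not joined with ".") and entry 5 (a 32-character MD5 digest where SHA-1 is required).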