Adding OpenIOC Objects to the User-Defined Suspicious Object List

The Custom Intelligence screen appears.

The OpenIOC file list appears.

The Add OpenIOC Files screen appears.

1. Click Select Files....
2. Select one or more files to upload.
   Note:

   • The maximum file size for each file is 10 MB.

   • The total number of files uploaded at the same time cannot exceed 200 files.

   • The maximum number of objects for each suspicious object type in the User-Defined Suspicious Object list cannot exceed 10,000 objects for each type.

     The extraction task for a suspicious object type will be unsuccessful if the maximum number of objects has been reached for the object type.

3. Click Open.

• To upload the file without automatically extracting the suspicious objects, clear the Extract file SHA-1 hashes, IP addresses, URLs, or domains, and add the suspicious objects to the User-Defined Suspicious Objects list check box.

  Note:

  If you disable automatic extraction when uploading files, you can still manually extract objects after the file upload is complete.

• Specify scan actions for supported products to perform after detecting the object.

  Note:

  You can also configure scan actions for suspicious objects on the User-Defined Suspicious Object list.

  For more information, see Suspicious Object Scan Actions.

Apex Central uploads the selected OpenIOC files to the OpenIOC file list.

1. Select the check box next the File Name of the uploaded file.
2. Click Extract.

   The Extracted Objects column displays the number of suspicious objects from the OpenIOC file to the User-Defined Suspicious Object list.

   • To download a copy of a specific file, click the link in the File Name column.

   • To track the file extraction status, use the Command Tracking screen.

     For more information, see Command Tracking.

   • To view the extracted suspicious objects on a filtered view of the User-Defined Suspicious Object list, click the count in the Extracted Objects column.

   • To delete files, select the check box next to the File Name of at least one file and click Delete.

     Note:

     • Deleting a file does not remove the extracted suspicious objects from the User-Defined Suspicious Object list.

     • You cannot delete a file until Apex Central has finished extracting suspicious objects from the file.

1. Select the check box next the File Name of the uploaded file.
2. Perform one of the following types of threat investigation:

   Investigation	Description
   Preliminary Investigation	A preliminary investigation uses server metadata to identify endpoints that are possible candidates for further analysis. Hover over the Analyze Impact button and click Preliminary Investigation. Note: You can also perform a preliminary investigation from the Preliminary Investigation screen (Response > Preliminary Investigation). For more information, see Using Custom Criteria for Preliminary Investigation. For specific information about the server metadata used for preliminary investigations, see Endpoint Sensor Metadata.
   One-time Investigation	A one-time investigation is a detailed investigation that is generated on demand and goes through all files currently on the disk and all processes currently running in memory. Hover over the Analyze Impact button and go to Detailed Investigation > One-time. Note: You can also perform a one-time investigation from the One-time Investigation tab on the Detailed Investigation screen (Response > Detailed Investigation). For more information, see One-Time Investigation.
   Scheduled Investigation	A scheduled investigation is a detailed investigation that runs automatically at specific intervals. Hover over the Analyze Impact button and go to Detailed Investigation > Scheduled. Note: You can also perform a scheduled investigation from the Scheduled Investigation tab on the Detailed Investigation screen (Response > Detailed Investigation). For more information, see Scheduled Investigation.