An OpenIOC file is an XML file that contains one or more Indicators of Compromise (IOCs). Before using one, verify that it only uses indicator terms supported by the type of investigation selected.

The table below lists the IOC indicators supported in investigations, together with the condition each indicator must use.
| Category | Item | Required Condition |
|---|---|---|
| DNSENTRYITEM | HOST | IS |
| DNSENTRYITEM | RECORDDATA/HOST | IS |
| DNSENTRYITEM | RECORDDATA/IPV4ADDRESS | IS |
| FILEITEM | FILENAME | IS |
| FILEITEM | FILEPATH | IS |
| FILEITEM | SHA1SUM | IS |
| FILEITEM | SHA2SUM | IS |
| FILEITEM | MD5SUM | IS |
| PORTITEM | LOCALIP | IS |
| PORTITEM | REMOTEIP | IS |
| PROCESSITEM | ARGUMENTS | CONTAINS |
| PROCESSITEM | NAME | IS |
| PROCESSITEM | PATH | IS |
| PROCESSITEM | SECTIONLIST/MEMORYSECTION/SHA1SUM | IS |
| PROCESSITEM | SECTIONLIST/MEMORYSECTION/SHA256SUM | IS |
| PROCESSITEM | SECTIONLIST/MEMORYSECTION/MD5SUM | IS |
| REGISTRYITEM | KEYPATH | CONTAINS |
| REGISTRYITEM | VALUE | CONTAINS |
| REGISTRYITEM | VALUENAME | CONTAINS |
| REGISTRYITEM | USERNAME | IS |
Note: After selection, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to verify that the OpenIOC file contains only supported indicators and conditions. Unsupported combinations are shown with a strike-through and are ignored during the investigation.
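The following script is an added example, not Endpoint Sensor code or any project's code. It reproduces the preview check offline: it parses an OpenIOC 1.0 file, reads each IndicatorItem, and reports which items match the table above and which would be ignored. Its assumptions are that the table's Category corresponds to the `document` attribute of the IndicatorItem's `Context` element, that the Item is the `search` attribute with the leading document name removed, and that the Required Condition is the IndicatorItem's `condition` attribute, all compared case-insensitively. The sample IOC is constructed for the example; its hash is the MD5 of an empty string, not a real indicator.

```python
"""Check the IndicatorItems of an OpenIOC 1.0 file against the table of
supported indicator terms (added example; the table-to-attribute mapping is
an assumption, not documented product behaviour)."""
import xml.etree.ElementTree as ET

# (CATEGORY, ITEM) -> REQUIRED CONDITION, transcribed from the table above.
SUPPORTED = {
    ("DNSENTRYITEM", "HOST"): "IS",
    ("DNSENTRYITEM", "RECORDDATA/HOST"): "IS",
    ("DNSENTRYITEM", "RECORDDATA/IPV4ADDRESS"): "IS",
    ("FILEITEM", "FILENAME"): "IS",
    ("FILEITEM", "FILEPATH"): "IS",
    ("FILEITEM", "SHA1SUM"): "IS",
    ("FILEITEM", "SHA2SUM"): "IS",
    ("FILEITEM", "MD5SUM"): "IS",
    ("PORTITEM", "LOCALIP"): "IS",
    ("PORTITEM", "REMOTEIP"): "IS",
    ("PROCESSITEM", "ARGUMENTS"): "CONTAINS",
    ("PROCESSITEM", "NAME"): "IS",
    ("PROCESSITEM", "PATH"): "IS",
    ("PROCESSITEM", "SECTIONLIST/MEMORYSECTION/SHA1SUM"): "IS",
    ("PROCESSITEM", "SECTIONLIST/MEMORYSECTION/SHA256SUM"): "IS",
    ("PROCESSITEM", "SECTIONLIST/MEMORYSECTION/MD5SUM"): "IS",
    ("REGISTRYITEM", "KEYPATH"): "CONTAINS",
    ("REGISTRYITEM", "VALUE"): "CONTAINS",
    ("REGISTRYITEM", "VALUENAME"): "CONTAINS",
    ("REGISTRYITEM", "USERNAME"): "IS",
}

# Constructed sample OpenIOC 1.0 document: two supported items, one item with
# the wrong condition (KeyPath must use "contains"), one unsupported category.
SAMPLE_IOC = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <short_description>Constructed example IOC</short_description>
  <definition>
    <Indicator operator="OR" id="i-1">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem id="ii-2" condition="contains">
        <Context document="ProcessItem" search="ProcessItem/arguments" type="mir"/>
        <Content type="string">-enc</Content>
      </IndicatorItem>
      <IndicatorItem id="ii-3" condition="is">
        <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir"/>
        <Content type="string">Software\\Example\\Run</Content>
      </IndicatorItem>
      <IndicatorItem id="ii-4" condition="is">
        <Context document="ServiceItem" search="ServiceItem/name" type="mir"/>
        <Content type="string">examplesvc</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""


def _local(tag):
    """Strip the XML namespace prefix ("{uri}Name" -> "Name")."""
    return tag.rsplit("}", 1)[-1]


def classify_indicator_items(xml_text):
    """Return (supported, unsupported): lists of (CATEGORY, ITEM, CONDITION)
    triples for every IndicatorItem found anywhere in the document."""
    root = ET.fromstring(xml_text)
    supported, unsupported = [], []
    for elem in root.iter():
        if _local(elem.tag) != "IndicatorItem":
            continue
        condition = elem.get("condition", "").upper()
        ctx = next((c for c in elem if _local(c.tag) == "Context"), None)
        if ctx is None:
            unsupported.append(("?", "?", condition))  # malformed item
            continue
        document = ctx.get("document", "").upper()
        search = ctx.get("search", "").upper()
        # search reads "Document/Item[/Sub]"; the table lists the part after the document.
        item = search.split("/", 1)[1] if "/" in search else search
        triple = (document, item, condition)
        if SUPPORTED.get((document, item)) == condition:
            supported.append(triple)
        else:
            unsupported.append(triple)
    return supported, unsupported


if __name__ == "__main__":
    ok, ignored = classify_indicator_items(SAMPLE_IOC)
    for t in ok:
        print("supported:", "/".join(t))
    for t in ignored:
        print("IGNORED:  ", "/".join(t))
```

Items listed under IGNORED are the ones the preview would show struck through; fixing them (changing the condition to the required one, or dropping a category the table does not list) before the investigation avoids silently running with fewer indicators than intended.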