OpenIOC Extraction Rules
Indicators with Operators
If an uploaded OpenIOC file contains conditions that use operators to combine indicators, Apex Central extracts the OpenIOC indicators as suspicious objects and automatically configures scan actions based on the operator used in the OpenIOC indicator condition.
|
Operator |
Scan Action |
|---|---|
|
OR |
Extracted objects apply the user-defined scan action |
|
AND |
Extracted objects always apply the "Log" scan action |
Apex Central supports the following OpenIOC indicator conditions (IndicatorItemCondition):
-
is
-
contains
Suspicious Object Mapping
The following table outlines the corresponding Apex Central suspicious object type for each supported OpenIOC indicator (IndicatorItem) extracted.
|
Object Type |
OpenIOC Indicators |
|---|---|
|
File SHA-1 |
FileItem/Sha1sum |
|
Taskitem/ActionList/Action/ExecProgramSha1sum |
|
|
DriverItem/Sha1sum |
|
|
URL |
Network/URI |
|
FileDownloadHistoryItem/SourceURL |
|
|
UrlHistoryItem/URL |
|
|
Domain |
Network/DNS |
|
DnsEntryItem/Host |
|
|
DnsEntryItem/RecordData/Host |
|
|
UrlHistoryItem/HostName |
|
|
CookieHistoryItem/HostName |
|
|
FormHistoryItem/HostName |
|
|
IP Address |
ArpEntryItem/IPv4Address |
|
DnsEntryItem/RecordData/IPv4Address |
|
|
Email/ReceivedFromIP PortItem/localIP |
|
|
PortItem/remoteIP |
|
|
ProcessItem/PortList/PortItem/localIP |
|
|
ProcessItem/PortList/PortItem/remoteIP |
|
|
RouteEntryItem/Destination RouteEntryItem/Gateway |
|
|
SystemInfoItem/networkArray/networkInfo/dhcpServerArray/dhcpServer |
|
|
SystemInfoItem/networkArray/networkInfo/ipGatewayArray/ipGateway |
