Adding OpenIOC Objects to the User-Defined Suspicious Object List

You can protect your network from objects that have not yet been detected on it by importing properly formatted OpenIOC files (*.ioc) and extracting suspicious file SHA-1, IP address, URL, and domain objects to the User-Defined Suspicious Object list. When uploading a file, you can specify the scan action that supported Trend Micro products perform after detecting the suspicious objects.

For details about manually adding suspicious objects directly to the User-Defined Suspicious Object list, see Adding Objects to the User-Defined Suspicious Object List.

Important:

Apex Central only supports OpenIOC 1.0.

Note:

By default, Apex Central automatically extracts suspicious objects to the User-Defined Suspicious Object list when the OpenIOC file upload is complete.

Alternatively, you can choose to upload the OpenIOC file first, and then manually extract suspicious objects after the file upload is complete.

  1. Go to Threat Intel > Custom Intelligence.

    The Custom Intelligence screen appears.

  2. Click the OpenIOC tab.

    The OpenIOC file list appears.

  3. (Optional) To filter the files that display in the file list, use the search box to specify a full or partial string contained in the File Name, Short Description, or Source Added By columns.
  4. Click Add.

    The Add OpenIOC Files screen appears.

  5. Select OpenIOC files (*.ioc) to upload.
    1. Click Select Files....
    2. Select one or more files to upload.
      Note:
      • The maximum file size for each file is 10 MB.

      • The total number of files uploaded at the same time cannot exceed 200 files.

      • The User-Defined Suspicious Object list cannot contain more than 10,000 objects of each suspicious object type.

        The extraction task for a suspicious object type will be unsuccessful if the maximum number of objects has been reached for the object type.

    3. Click Open.
  6. (Optional) Click Advanced settings to configure the following settings:
    • To upload the file without automatically extracting the suspicious objects, clear the Extract file SHA-1, IP address, URL, and domain objects to the list of User-Defined Suspicious Objects check box.

      Note:

      If you disable automatic extraction when uploading files, you can still manually extract objects after the file upload is complete.

    • Specify scan actions for supported products to perform after detecting the object.

      Note:

      You can also configure scan actions for suspicious objects on the User-Defined Suspicious Object list.

      For more information, see Suspicious Object Scan Actions.

  7. Click Add.
    Tip:
    • To track the file upload status, perform a log query by using the User Access log type.

      For more information, see Querying Logs.

    • To track the suspicious object extraction status, use the Command Tracking screen.

      For more information, see Command Tracking.

    Apex Central uploads the selected OpenIOC files to the OpenIOC file list.

    Note:
    • If default settings are selected, Apex Central automatically extracts suspicious objects to the User-Defined Suspicious Object list.

    • The Extracted Objects column in the OpenIOC file list displays "N/A" for the following scenarios:

      • You uploaded the OpenIOC file without automatically extracting the suspicious objects.

      • Apex Central was unable to extract suspicious objects from the OpenIOC file.

  8. To manually extract suspicious objects from an uploaded OpenIOC file:
    1. Select the check box next to the File Name of the uploaded file.
    2. Click Extract.

      The Extracted Objects column displays the number of suspicious objects extracted from the OpenIOC file to the User-Defined Suspicious Object list.

      • To download a copy of a specific file, click the link in the File Name column.

      • To track the file extraction status, use the Command Tracking screen.

        For more information, see Command Tracking.

      • To view the extracted suspicious objects on a filtered view of the User-Defined Suspicious Object list, click the count in the Extracted Objects column.

      • To delete files, select the check box next to the File Name of at least one file and click Delete.

        Note:
        • Deleting a file does not remove the extracted suspicious objects from the User-Defined Suspicious Object list.

        • You cannot delete a file until Apex Central has finished extracting suspicious objects from the file.
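
The following Python script is an added example, not Trend Micro code: it parses a constructed OpenIOC 1.0 document and sorts its IndicatorItem values into the four object types this procedure extracts (file SHA-1, IP address, URL, domain), leaving out anything else the way an extraction result of "N/A" implies. The XML namespace is the real OpenIOC 1.0 one; the indicator values and the Context search terms in the sample are constructed assumptions, and the classification rules are the example's own, not a published description of how Apex Central extracts objects.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}  # OpenIOC 1.0 namespace
SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.I)
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I)
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)

# Constructed sample, not a real IOC; the Context search terms are assumed typical OpenIOC 1.0 terms.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2024-01-01T00:00:00">
 <short_description>Constructed sample</short_description>
 <definition><Indicator operator="OR" id="i-1">
  <IndicatorItem id="a" condition="is"><Context document="FileItem" search="FileItem/Sha1sum" type="mir"/>
   <Content type="sha1">DA39A3EE5E6B4B0D3255BFEF95601890AFD80709</Content></IndicatorItem>
  <IndicatorItem id="b" condition="is"><Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
   <Content type="IP">203.0.113.10</Content></IndicatorItem>
  <IndicatorItem id="c" condition="contains"><Context document="Network" search="Network/URI" type="mir"/>
   <Content type="string">http://malware.example.test/payload.bin</Content></IndicatorItem>
  <IndicatorItem id="d" condition="is"><Context document="Network" search="Network/DNS" type="mir"/>
   <Content type="string">C2.Example.test</Content></IndicatorItem>
  <IndicatorItem id="e" condition="is"><Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
   <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content></IndicatorItem>
 </Indicator></definition>
</ioc>"""

def classify(value):
    """Map one Content value to 'sha1', 'ip', 'url' or 'domain'; None if not an extractable type."""
    v = value.strip()
    if SHA1_RE.match(v):
        return "sha1"
    try:
        ipaddress.ip_address(v)   # test before domains: 203.0.113.10 also matches the label regex
        return "ip"
    except ValueError:
        pass
    if URL_RE.match(v):
        return "url"
    return "domain" if DOMAIN_RE.match(v) else None   # MD5s, registry paths etc. fall through

def extract_objects(ioc_xml):
    """Return the extractable objects of an OpenIOC 1.0 document, bucketed by type."""
    root = ET.fromstring(ioc_xml)
    if root.tag != "{%s}ioc" % NS["ioc"]:
        raise ValueError("not an OpenIOC 1.0 document")   # Apex Central supports only 1.0
    found = {"sha1": set(), "ip": set(), "url": set(), "domain": set()}
    for content in root.iterfind(".//ioc:IndicatorItem/ioc:Content", NS):  # any Indicator depth
        kind = classify(content.text or "")
        if kind:
            v = content.text.strip()
            found[kind].add(v if kind == "url" else v.lower())   # normalise hashes and names
    return found
```

Running `extract_objects(SAMPLE_IOC)` yields one object of each supported type and silently skips the MD5 item, which is the situation in which a file's Extracted Objects count falls short of the indicators it contains.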