User-defined Suspicious Objects List

On the User-defined Suspicious Objects tab, you can manually add suspicious objects to Deep Discovery Analyzer using the Structured Threat Information eXpression (STIX) format.

The following columns show information about objects on the User-defined Suspicious Objects tab.

Table 1. User-defined Suspicious Objects columns

| Column Name | Information |
|-------------|-------------|
| Added | Date and time when the suspicious object was added |
| Type | IP address, Domain, URL, file SHA-1, or file SHA-256 |
| Object | The IP address, domain, URL, or SHA-1 or SHA-256 hash value of the file. Click Edit to modify the displayed value. |
| Source | The source (Deep Discovery Director or local) that added the suspicious object |

Deep Discovery Analyzer can import STIX files formatted using the 1.2, 1.1.1 and 1.0.1 version specifications. The 1.0.1 specification can only be used for Virtual Analyzer output.

The STIX file can include multiple objects. However, Deep Discovery Analyzer only imports the following supported STIX indicators:

  • Indicator - File Hash Watchlist (SHA-1 and SHA-256)

  • Indicator - URL Watchlist

  • Indicator - Domain Watchlist

  • Indicator - IP Watchlist

The Properties attributes of each STIX indicator must meet the following conditions:

  • @condition must be Equals

  • @apply_condition must be ANY
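As an added example (not part of this documentation and not Trend Micro's product code), the following Python script pre-checks a STIX 1.x package against the import rules above before you upload it: only the four supported watchlist indicator types, only SHA-1 and SHA-256 hashes, and @condition Equals with @apply_condition ANY. The namespaces are the standard STIX 1 / CybOX 2 ones, the sample package is constructed, and treating an absent @apply_condition as the CybOX default ANY is an assumption.

```python
# Added example (not Trend Micro's code): pre-check a STIX 1.x package against the
# import rules on this page before uploading it as user-defined suspicious objects.
import xml.etree.ElementTree as ET
NS = {"indicator": "http://stix.mitre.org/Indicator-2", "cybox": "http://cybox.mitre.org/cybox-2",
      "cyboxCommon": "http://cybox.mitre.org/common-2"}
SUPPORTED_TYPES = {"File Hash Watchlist", "URL Watchlist", "Domain Watchlist", "IP Watchlist"}
SUPPORTED_HASHES = {"SHA1", "SHA256"}  # MD5 and other hash types are not imported

def importable_indicators(stix_xml):
    """Return ([(type, value)] that meet the import rules, [(type, reason)] that would be skipped)."""
    accepted, skipped = [], []
    for ind in ET.fromstring(stix_xml).iter("{%s}Indicator" % NS["indicator"]):
        itype = ind.findtext("indicator:Type", "", NS).strip()
        if itype not in SUPPORTED_TYPES:
            skipped.append((itype, "unsupported indicator type"))
            continue
        props = ind.find(".//cybox:Properties", NS)
        # Every conditioned field needs @condition="Equals" and @apply_condition="ANY" (absent = ANY, assumed)
        fields = [e for e in props.iter() if "condition" in e.attrib] if props is not None else []
        if not fields or any(e.get("condition") != "Equals" or
                             e.get("apply_condition", "ANY") != "ANY" for e in fields):
            skipped.append((itype, "@condition must be Equals and @apply_condition ANY"))
            continue
        if itype == "File Hash Watchlist":
            algo = props.findtext(".//cyboxCommon:Type", "", NS).strip()
            if algo not in SUPPORTED_HASHES:
                skipped.append((itype, "only SHA-1 and SHA-256 hashes are imported"))
                continue
            value = props.findtext(".//cyboxCommon:Simple_Hash_Value", "", NS)
        else:
            value = fields[0].text or ""  # URL, domain or IP value element
        accepted.append((itype, value.strip()))
    return accepted, skipped

# Constructed sample package: one importable SHA-256 hash, one URL that fails the condition rule.
SAMPLE = """<stix:STIX_Package version="1.2" xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
 xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2">
<stix:Indicators>
 <indicator:Indicator xsi:type="indicator:IndicatorType"><indicator:Type>File Hash Watchlist</indicator:Type>
  <indicator:Observable><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes>
   <cyboxCommon:Hash><cyboxCommon:Type>SHA256</cyboxCommon:Type><cyboxCommon:Simple_Hash_Value condition="Equals"
    apply_condition="ANY">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value>
  </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable></indicator:Indicator>
 <indicator:Indicator xsi:type="indicator:IndicatorType"><indicator:Type>URL Watchlist</indicator:Type>
  <indicator:Observable><cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
   <URIObj:Value condition="Contains">bad.example/</URIObj:Value>
  </cybox:Properties></cybox:Object></indicator:Observable></indicator:Indicator>
</stix:Indicators></stix:STIX_Package>"""
```

Run `importable_indicators(SAMPLE)` to see the hash indicator accepted and the URL indicator reported with the reason it would be skipped.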