Managing the User-defined Suspicious Objects List
- Go to Virtual Analyzer > Suspicious Objects, and click the User-defined Suspicious Objects tab.
-
To specify a single object:
-
Click Add.
The Add Object window appears.
-
Select an object type:
-
IP address: Type the IP address or a hyphenated range
-
Domain: Type a domain name
Note:Wildcards are only allowed in a prefix, and must be connected with a ". " symbol. Use only one wildcard per domain. For example, *.com will match abc.com or test.com.
-
URL: Type the URL
Note:Deep Discovery Analyzer supports both HTTP and HTTPS.
Wildcards are only allowed in a prefix. Wildcards used in the domain part of an URL must be connected with a ". " symbol. Use only one wildcard per URL. For example, http://*.com will match abc.com or test.com.
A wildcard can match any part of the URL's URI part. For example, http://abc.com/*abc will match http://abcd.com/test.abc.
-
File SHA-1: Type the SHA-1 hash value of the file
-
File SHA-256: Type the SHA-256 hash value of the file
-
-
Click Add.
Note:
The User-defined Suspicious Objects list supports a maximum of 25,000 objects.
-
Click Add.
-
To add multiple objects using a STIX file:
- Click Import List from STIX.
- Specify a valid STIX file.
-
Click Import.
Note:
Deep Discovery Analyzer can import STIX files formatted using the 1.2, 1.1.1 and 1.0.1 version specifications. The 1.0.1 specification can only be used for Virtual Analyzer output.
The STIX file can include multiple objects. However, Deep Discovery Analyzer only imports the following supported STIX indicators:
-
Indicator - File Hash Watchlist (SHA-1 and SHA-256)
-
Indicator - URL Watchlist
-
Indicator - Domain Watchlist
-
Indicator - IP Watchlist
STIX indicators can use the following Properties attributes:
-
@condition must be Equals
-
@apply_condition must be ANY
-
-
To remove objects in the list:
-
Select one or more objects, and click Delete to remove the selected objects.
-
Click Delete All to remove all objects in the list.
-
