Requirements for Monitoring IOCs

Ensure that monitoring IOCs strictly meet the following requirements:

  • Contain the following header info:
    <ioc>
      <rule_name></rule_name>
      <rule_type></rule_type>
      <rule_description></rule_description>
      <last_modified_time></last_modified_time>
      <rule_category></rule_category>
      <author_name></author_name>
      <source></source>
      <internalnote></internalnote>
      <definition></definition>
    </ioc>
  • Include type="knownthreat" as an attribute of the first Indicator term.
      <Indicator operator="AND" type="knownthreat">
  • Use only the Indicator terms that are supported by monitoring IOCs.

    For details, see Supported IOC Indicator Terms.

  • Use "AND" operators and "IS" conditions only. Any other condition (such as "contains", "starts-with", etc.) will be ignored.

  • Indicator items should explicitly specify the details of the objects to be monitored. Endpoint Sensor will take action only if all given indicator items are exactly matched.

If an IOC of another rule type is to be converted into a monitoring IOC, verify that it meets all of the above requirements, and add any missing information to ensure compatibility.

As a general rule, Endpoint Sensor matches all indicator items before performing the action specified in the Submission Settings screen. However, if any of the following indicator items are present in the monitoring IOC, finding a match will trigger the action immediately:

  • Processitem/Portlist/Portitem/Remoteip

  • Fileitem/FullPath

  • Fileitem/Md5sum

  • Fileitem/Sha1sum

  • Portitem/Remoteip

  • Dnsentryitem/Host

  • Dnsentryitem/Recorddata/Ipv4address

For details, see Submission Settings.
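The following validator is an added example (not Endpoint Sensor's own code or tooling) that checks an IOC file against the requirements listed above and reports which of the immediate-trigger indicator items it contains. It assumes OpenIOC-style markup inside `<definition>`: `<Indicator>` elements carrying `operator` and `type` attributes, and `<IndicatorItem>` elements carrying a `condition` attribute plus a `<Context search="...">` child whose `search` value is the term path (for example `Fileitem/Md5sum`). Term paths are compared case-insensitively so either casing convention is accepted. The list of supported terms is not reproduced here; pass it in from the Supported IOC Indicator Terms page as `supported_terms`. Both sample documents and all header values in them are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Header elements every monitoring IOC must carry (from the requirements above).
REQUIRED_HEADER = [
    "rule_name", "rule_type", "rule_description", "last_modified_time",
    "rule_category", "author_name", "source", "internalnote", "definition",
]

# Indicator items whose match triggers the Submission Settings action immediately.
IMMEDIATE_TRIGGER_TERMS = {
    "processitem/portlist/portitem/remoteip",
    "fileitem/fullpath",
    "fileitem/md5sum",
    "fileitem/sha1sum",
    "portitem/remoteip",
    "dnsentryitem/host",
    "dnsentryitem/recorddata/ipv4address",
}


def validate_monitoring_ioc(xml_text, supported_terms=None):
    """Check one IOC document against the monitoring IOC requirements.

    Returns {"problems": [...], "immediate_trigger_items": [...]}.
    supported_terms (optional): iterable of allowed term paths; when given,
    any IndicatorItem whose search path is not in it is reported.
    """
    root = ET.fromstring(xml_text)
    problems = []
    allowed = {t.lower() for t in supported_terms} if supported_terms else None

    if root.tag != "ioc":
        problems.append(f"root element is <{root.tag}>, expected <ioc>")

    # 1. Header info must be present.
    for tag in REQUIRED_HEADER:
        if root.find(tag) is None:
            problems.append(f"missing header element <{tag}>")

    # 2. First Indicator term must carry type="knownthreat"; 3. only AND operators.
    indicators = list(root.iter("Indicator"))  # document order: first is the top-level one
    if not indicators:
        problems.append("no <Indicator> element found")
    elif indicators[0].get("type") != "knownthreat":
        problems.append('first <Indicator> lacks type="knownthreat"')
    for ind in indicators:
        op = ind.get("operator", "")
        if op.upper() != "AND":
            problems.append(f'<Indicator> uses operator="{op}"; only AND is honored')

    # 4. Only "is" conditions; 5. only supported terms; note immediate-trigger items.
    immediate = []
    for item in root.iter("IndicatorItem"):
        cond = item.get("condition", "")
        if cond.lower() != "is":
            problems.append(f'IndicatorItem uses condition="{cond}"; it will be ignored')
        ctx = item.find("Context")
        search = ctx.get("search") if ctx is not None else None
        if not search:
            problems.append("IndicatorItem has no <Context search=...> term")
            continue
        if allowed is not None and search.lower() not in allowed:
            problems.append(f"unsupported indicator term {search}")
        if search.lower() in IMMEDIATE_TRIGGER_TERMS:
            immediate.append(search)

    return {"problems": problems, "immediate_trigger_items": immediate}


# Constructed sample: meets every requirement. The MD5 is that of the empty file.
GOOD_IOC = """<ioc>
  <rule_name>constructed-good</rule_name>
  <rule_type>monitoring</rule_type>
  <rule_description>constructed sample that satisfies the checks</rule_description>
  <last_modified_time>2024-01-01T00:00:00</last_modified_time>
  <rule_category>sample</rule_category>
  <author_name>example</author_name>
  <source>constructed</source>
  <internalnote>none</internalnote>
  <definition>
    <Indicator operator="AND" type="knownthreat">
      <IndicatorItem condition="is">
        <Context search="Fileitem/Md5sum"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

# Constructed sample: no internalnote, no knownthreat type, OR operator, "contains".
BAD_IOC = """<ioc>
  <rule_name>constructed-bad</rule_name>
  <rule_type>monitoring</rule_type>
  <rule_description>constructed sample with four defects</rule_description>
  <last_modified_time>2024-01-01T00:00:00</last_modified_time>
  <rule_category>sample</rule_category>
  <author_name>example</author_name>
  <source>constructed</source>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="contains">
        <Context search="Fileitem/FullPath"/>
        <Content type="string">example-path-fragment</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_IOC), ("bad", BAD_IOC)):
        print(name, validate_monitoring_ioc(doc))
```

Run the file directly to see both reports; the bad sample yields four problems, one per requirement it breaks, while the good sample yields none and lists `Fileitem/Md5sum` as an item that would trigger the action on its own match.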