Use the IOC rule method to search events and their activity chain based on the indicator terms parsed from an uploaded IOC file. An IOC file is an XML file that contains one or more Indicators of Compromise (IOCs) expressed with indicator terms defined in the OpenIOC schema. Before uploading, verify that the IOC file uses only indicator terms supported by Endpoint Sensor.

For details, see Supported IOC Indicator Terms.

Use the IOCTool available in the <Trend Micro Endpoint Sensor server installation path>\CmdTool\IOCTool\ folder to troubleshoot invalid IOC files.

For details, see Troubleshooting Invalid IOC Files.

  • The maximum file size for an IOC file is 1024 KB.

  • Endpoint Sensor can store a total of 10 IOC files. Once this limit is reached, Endpoint Sensor hides the Upload IOC Rule button. Delete one or more IOC files to show the Upload IOC Rule button again.

  • Once uploaded, the IOC file is available for all future investigations. Ensure that an IOC file is selected before you start the investigation.
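
A pre-upload check for the size limit and indicator terms described above, as an added example that is not Trend Micro code and does not replace IOCTool. It assumes the OpenIOC 1.0 layout, where each term is the `search` attribute of a `Context` element; `SUPPORTED_TERMS` is a placeholder to fill in from Supported IOC Indicator Terms, and the sample IOC is constructed.

```python
import xml.etree.ElementTree as ET

MAX_IOC_BYTES = 1024 * 1024  # 1024 KB limit from the page, assuming 1 KB = 1024 bytes
# Placeholder values: replace with the list in "Supported IOC Indicator Terms".
SUPPORTED_TERMS = {"FileItem/Md5sum", "FileItem/FileName"}

# Constructed sample in OpenIOC 1.0 layout, not taken from a real investigation.
SAMPLE_IOC = b"""<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000000">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
        <Content type="string">ExampleKey</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

def local(tag):
    """Strip the XML namespace so the check does not depend on the schema URI."""
    return tag.rsplit("}", 1)[-1]

def check_ioc(data, supported=SUPPORTED_TERMS):
    """Return a list of problems; an empty list means these checks passed."""
    problems = []
    if len(data) > MAX_IOC_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_IOC_BYTES}")
    if b"<!DOCTYPE" in data:  # this example's own precaution against entity tricks
        return problems + ["DOCTYPE present; refusing to parse"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if local(root.tag) != "ioc":
        problems.append(f"root element is <{local(root.tag)}>, expected <ioc>")
    terms = {el.get("search") or "<missing search attribute>"
             for el in root.iter() if local(el.tag) == "Context"}
    for term in sorted(terms - set(supported)):
        problems.append(f"unsupported indicator term: {term}")
    if not terms:
        problems.append("no indicator terms found")
    return problems

if __name__ == "__main__":
    print(check_ioc(SAMPLE_IOC))
```

A file that passes here can still be rejected by Endpoint Sensor; use IOCTool for the authoritative result.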