Disk IOC Rule

The Disk IOC rule method searches a system snapshot for files that match an uploaded disk IOC file. The uploaded disk IOC file must include at least one fileitem/filepath or fileitem/fullpath indicator.

For details, see Supported IOC Indicator Terms.

Use the IOCTool available in the <Trend Micro Endpoint Sensor server installation path>\CmdTool\IOCTool\ folder to troubleshoot invalid IOC files.

For details, see Troubleshooting Invalid IOC Files.

  • The maximum file size for a disk IOC file is 1024 KB.

  • Endpoint Sensor can store a total of 10 disk IOC files. Once this limit is reached, older disk IOC files are removed when new ones are uploaded.

  • Once uploaded, the disk IOC file is available for all future investigations. Ensure that a disk IOC file is selected before you start the investigation.
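
A pre-upload check for the two requirements stated above (at least one fileitem/filepath or fileitem/fullpath indicator, and the 1024 KB size limit), as an added example that is not Trend Micro code and does not replace IOCTool. It assumes the disk IOC file is OpenIOC-style XML in which each indicator term is the `search` attribute of a `Context` element; the function name and the sample IOC are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MAX_BYTES = 1024 * 1024  # 1024 KB limit stated on this page
REQUIRED_TERMS = {"fileitem/filepath", "fileitem/fullpath"}

SAMPLE_OK = b"""<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="contains">
        <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
        <Content type="string">example-placeholder.exe</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""  # constructed sample, assumed OpenIOC layout
SAMPLE_NO_PATH = SAMPLE_OK.replace(b"FileItem/FullPath", b"FileItem/Md5sum")


def check_disk_ioc(data: bytes) -> list[str]:
    """Return a list of problems; an empty list means the pre-checks passed."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    # IOC files often come from third parties: refuse DTDs instead of expanding entities.
    if b"<!DOCTYPE" in data.upper():
        return problems + ["DOCTYPE declaration present, refusing to parse"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    terms = set()
    for elem in root.iter():
        # Strip any XML namespace so '{ns}Context' and 'Context' both match.
        if elem.tag.rsplit("}", 1)[-1] == "Context":
            terms.add(elem.get("search", "").strip().lower())
    if not terms & REQUIRED_TERMS:
        problems.append("no FileItem/FilePath or FileItem/FullPath indicator found")
    return problems


if __name__ == "__main__":
    print(check_disk_ioc(SAMPLE_OK), check_disk_ioc(SAMPLE_NO_PATH))
```

An IOC that passes these checks can still be rejected for other reasons, such as unsupported indicator terms; see Supported IOC Indicator Terms.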