次のIOCサンプルは、ファイル名にvmtoolsd.exeを含み、ファイルパスにC:\Program Files\VMware\VMware Toolsを含むファイルを検索します。
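<?xml version="1.0" encoding="us-ascii"?>
<!--
  OpenIOC sample (short_description "QA"). It matches a FileItem whose
  FilePath contains "C:\Program Files\VMware\VMware Tools" AND whose
  FileName contains "vmtoolsd.exe".

  Reviewer notes:
  - Both terms test only where a file lives and what it is called. Nothing
    here checks a hash or a signature, so a hit does not establish that the
    file is the genuine VMware Tools binary.
  - NOTE(review): the two Indicator nodes carry the same id, and so do the
    two IndicatorItem nodes. OpenIOC editors normally give every node its
    own GUID; confirm whether the consuming sensor requires unique ids and
    regenerate them before reusing this sample. The ids are left as
    published.
-->
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="72b85cfa-ea89-4633-983b-c2aa01a2b312"
     last-modified="2014-03-12T12:03:59"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>QA</short_description>
  <authored_by>Smart Sensor Team</authored_by>
  <authored_date>2014-03-12T11:48:50</authored_date>
  <links />
  <definition>
    <!-- Top-level OR wraps a single AND group, so both items below must match. -->
    <Indicator operator="OR" id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
      <Indicator operator="AND" id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
        <!-- Term 1: the file path contains the VMware Tools install directory. -->
        <IndicatorItem id="10ee8b41-3586-41ad-b8ce-90e088706ef4" condition="contains">
          <Context document="FileItem" search="FileItem/FilePath" type="mir" />
          <!-- Keep the value on one line: a line break or indentation inside
               Content is part of the string being searched for. -->
          <Content type="string">C:\Program Files\VMware\VMware Tools</Content>
        </IndicatorItem>
        <!-- Term 2: the file name contains vmtoolsd.exe. -->
        <IndicatorItem id="10ee8b41-3586-41ad-b8ce-90e088706ef4" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir" />
          <Content type="string">vmtoolsd.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>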
