次のIOCのサンプルは、IPアドレスに接続するmalware.exeファイルを検索します。
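<?xml version="1.0" encoding="us-ascii"?>
<!-- Sample IOC: matches a file named malware.exe (extension "exe") together
     with a DNS entry whose host is the IP literal 54.209.221.129.
     Root-level children are rule metadata; <definition> holds the match logic.
     NOTE(review): this is a vendor IOC dialect (source TMES); element and term
     names are not OpenIOC 1.0, so confirm them against the product's term list. -->
<ioc>
  <rule_name>CompanyPolicy_1</rule_name>
  <rule_type>KnownThreat</rule_type>
  <rule_description>malware.exe connect ip</rule_description>
  <!-- No timezone offset: as xs:dateTime this is an unqualified local time. -->
  <last_modified_time>2016-02-22T14:32:02</last_modified_time>
  <!-- Intentionally empty in the sample (no category assigned). -->
  <rule_category></rule_category>
  <author_name>TM_Tester</author_name>
  <source>TMES</source>
  <internalnote>malware.exe connect ip</internalnote>
  <definition>
    <!-- Top-level AND: the file indicator and the network indicator must both match. -->
    <Indicator operator="AND" type="knownthreat">
      <!-- File indicator: name is "malware.exe" AND extension is "exe". -->
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/FileName"/>
          <Content type="string">malware.exe</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <!-- Fix: the search path carried a trailing space ("FileItem/Fileextension "),
               which attribute-value normalization does not strip, so an exact lookup of
               the term name would likely fail. -->
          <Context document="FileItem" search="FileItem/Fileextension"/>
          <Content type="string">exe</Content>
        </IndicatorItem>
      </Indicator>
      <!-- Network indicator: the DNS entry host equals the IP literal.
           Only this Context carries type="mir"; the FileItem contexts do not.
           Confirm against the vendor schema whether it is required on every Context
           and whether a Host term is compared against IP literals as well as names. -->
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
          <Content type="string">54.209.221.129</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>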
