An OpenIOC file is an XML file that contains one or more indicators of compromise (IOCs). Confirm that the indicator items used in the OpenIOC file are supported by the selected investigation type.
The following table lists the IOC indicators that investigations support.
| Category | Item | Required condition |
|---|---|---|
| DNSENTRYITEM | HOST | IS |
| | RECORDDATA/HOST | IS |
| | RECORDDATA/IPV4ADDRESS | IS |
| FILEITEM | FILENAME | IS |
| | SHA1SUM | IS |
| | SHA256SUM | IS |
| | MD5SUM | IS |
| PORTITEM | LOCALIP | IS |
| | REMOTEIP | IS |
| PROCESSITEM | ARGUMENTS | CONTAINS |
| | NAME | IS |
| | SECTIONLIST/MEMORYSECTION/SHA1SUM | IS |
| | SECTIONLIST/MEMORYSECTION/SHA256SUM | IS |
| | SECTIONLIST/MEMORYSECTION/MD5SUM | IS |
| REGISTRYITEM | KEYPATH | CONTAINS |
| | VALUE | CONTAINS |
| | VALUENAME | CONTAINS |
| | USERNAME | IS |
| URLHISTORYITEM | URL | CONTAINS |
Note:
After you select this item, Endpoint Sensor displays a preview of the OpenIOC file. Review the preview to confirm that the OpenIOC file contains only supported indicators and conditions. Unsupported combinations are shown in strikethrough format and are ignored during the investigation.