Requirements for IOC files

Kaspersky Endpoint Agent supports IOC files with the ioc and xml extensions. These files use open standard for IOC description – OpenIOC versions 1.0 and 1.1.

If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.

If, when creating the IOC Scan task, none of the downloaded IOC files is supported by Kaspersky Endpoint Agent, the task can be started, but as a result of the task execution, no indicators of compromise will be detected.

Semantic errors and IOC terms and tags in IOC files that are not supported by the application do not cause the task execution errors. The application just does not detect matches in such sections of IOC files.

Identifiers of all IOC files that are used in the same IOC Scan task must be unique. The presence of IOC files with the same identifier can affect the correctness of the task execution results.

Features and limitations of the OpenIOC standard support by the application are listed in the following table.

Features and limitations of the OpenIOC versions 1.0 and 1.1 standard support.

Supported conditions	OpenIOC 1.0: `is` `isnot` (as an exclusion from the set) `contains` `containsnot` (as an exclusion from the set) OpenIOC 1.1: `is` `contains` `starts-with` `ends-with` `matches` `greater-than` `less-than`
Supported condition attributes	OpenIOC 1.1: `preserve-case` `negate`
Supported operators	`AND` `OR`
Supported data types	`date`: date (applicable conditions: `is`, `greater-than`, `less-than`) `int`: integer number (applicable conditions: `is`, `greater-than`, `less-than`) `string`: string (applicable conditions: `is`, `contains`, `matches`, `starts-with`, `ends-with`) `duration`: duration in seconds (applicable conditions: `is, greater-than, less-than`)
Data types interpretation details	The following data types are interpreted as string: `Boolean string`, `restricted string`, `md5`, `IP`, `sha256`, `base64Binary`. The application supports interpretation of the `Content` parameter specified as intervals for the following data types: `int` and `date`: OpenIOC 1.0: Using the `TO` operator in the `Content` field: `<Content type="int">49600 TO 50700</Content>` `<Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>` `<Content type="int">[154192 TO 154192]</Content>` OpenIOC 1.1: Using the `greater-than` and `less-than` conditions Using the `TO` operator in the `Content` field The application supports interpretation of the `date` and `duration` data types if the indicators are specified in the `ISO 8601, Zulu time zone, UTC` format.
Supported IOC terms	The full list of supported IOC terms is provided in a separate table.