Requirements for IOC files

Kaspersky Endpoint Agent supports IOC files with the ioc and xml extensions. These files use the open standard for IOC description, OpenIOC, versions 1.0 and 1.1.

If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent, the application uses only the supported IOC files when the task starts.

If, when creating the IOC Scan task, none of the uploaded IOC files is supported by Kaspersky Endpoint Agent, the task can still be started, but no indicators of compromise will be detected as a result of the task execution.

Semantic errors, and IOC terms and tags in IOC files that are not supported by the application, do not cause task execution errors. The application simply does not detect matches in such sections of the IOC files.

Identifiers of all IOC files that are used in the same IOC Scan task must be unique. The presence of IOC files with the same identifier can affect the correctness of the task execution results.

The features and limitations of the application's OpenIOC standard support are listed in the following table.

Features and limitations of the OpenIOC versions 1.0 and 1.1 standard support

Supported conditions
    OpenIOC 1.0:
        - is
        - isnot (as an exclusion from the set)
        - contains
        - containsnot (as an exclusion from the set)
    OpenIOC 1.1:
        - is
        - contains
        - starts-with
        - ends-with
        - matches
        - greater-than
        - less-than

Supported condition attributes
    OpenIOC 1.1:
        - preserve-case
        - negate

Supported operators
    - AND
    - OR

Supported data types
    - date: date (applicable conditions: is, greater-than, less-than)
    - int: integer number (applicable conditions: is, greater-than, less-than)
    - string: string (applicable conditions: is, contains, matches, starts-with, ends-with)
    - duration: duration in seconds (applicable conditions: is, greater-than, less-than)

Data type interpretation details
    The following data types are interpreted as string: Boolean string, restricted string, md5, IP, sha256, base64Binary.

    The application supports interpretation of the Content parameter specified as an interval for the int and date data types:
    OpenIOC 1.0:
        Using the TO operator in the Content field:
            <Content type="int">49600 TO 50700</Content>
            <Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>
            <Content type="int">[154192 TO 154192]</Content>
    OpenIOC 1.1:
        - Using the greater-than and less-than conditions
        - Using the TO operator in the Content field

    The application supports interpretation of the date and duration data types if the indicators are specified in ISO 8601 format with the Zulu (UTC) time zone.

Supported IOC terms
    The full list of supported IOC terms is provided in a separate table.
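The rules in the table above (the OpenIOC 1.1 conditions, the preserve-case and negate attributes, AND/OR nesting and the "a TO b" interval form) combined into a small evaluator, added here as an illustration; it is not Kaspersky Endpoint Agent code, and the IOC fragment and the observed file values are constructed. It assumes observed values are supplied as a dict keyed by the Context search term; a term with no observed value simply yields no match, as the text above describes for unsupported terms.

```python
import re
import xml.etree.ElementTree as ET
# Constructed OpenIOC 1.1 fragment (not a Kaspersky file): AND block with a nested OR block.
IOC_XML = """<Indicator operator="AND">
  <IndicatorItem condition="ends-with" preserve-case="false">
    <Context search="FileItem/FileName"/><Content type="string">.EXE</Content></IndicatorItem>
  <IndicatorItem condition="is" negate="true">
    <Context search="FileItem/FilePath"/><Content type="string">C:\\Windows\\System32</Content></IndicatorItem>
  <Indicator operator="OR">
    <IndicatorItem condition="is">
      <Context search="FileItem/SizeInBytes"/><Content type="int">49600 TO 50700</Content></IndicatorItem>
    <IndicatorItem condition="matches">
      <Context search="FileItem/FileName"/><Content type="string">^svch0st</Content></IndicatorItem>
  </Indicator>
</Indicator>"""
# Condition name -> predicate(actual, expected)
OPS = {"is": lambda a, e: a == e, "contains": lambda a, e: e in a,
       "starts-with": lambda a, e: a.startswith(e), "ends-with": lambda a, e: a.endswith(e),
       "matches": lambda a, e: re.search(e, a) is not None,
       "greater-than": lambda a, e: a > e, "less-than": lambda a, e: a < e}

def parse_content(text, ctype):
    """Return a scalar, or a (lo, hi) tuple for the 'a TO b' / '[a TO b]' interval form."""
    text = text.strip().strip("[]")
    conv = int if ctype in ("int", "duration") else str  # ISO 8601 Zulu dates compare lexically
    if ctype in ("int", "date") and " TO " in text:
        lo, hi = text.split(" TO ", 1)
        return conv(lo.strip()), conv(hi.strip())
    return conv(text)

def eval_item(item, observed):
    """Evaluate one IndicatorItem against observed values keyed by the Context search term."""
    ctype = item.find("Content").get("type", "string")
    expected = parse_content(item.find("Content").text, ctype)
    actual = observed.get(item.find("Context").get("search"))
    if actual is None:
        hit = False                                  # nothing observed for that term: no match
    elif isinstance(expected, tuple):
        hit = expected[0] <= actual <= expected[1]   # inclusive interval test
    else:
        if ctype == "string" and item.get("preserve-case", "false") != "true":
            actual, expected = str(actual).lower(), expected.lower()
        hit = OPS[item.get("condition")](actual, expected)
    return hit != (item.get("negate", "false") == "true")  # negate="true" flips the result

def eval_indicator(node, observed):
    """Combine child results with the block's AND/OR operator, recursing into nested blocks."""
    res = [eval_item(c, observed) if c.tag == "IndicatorItem" else eval_indicator(c, observed) for c in node]
    return all(res) if node.get("operator", "AND").upper() == "AND" else any(res)

def scan(ioc_xml, observed):
    return eval_indicator(ET.fromstring(ioc_xml), observed)
```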

See also

Supported IOC terms

Creating and configuring Standard IOC Scan task

Configuring Standard IOC Scan task

IOC collection export

Viewing IOC Scan task execution results
