Requirements for IOC files

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

When creating IOC Scan tasks, consider the following requirements and limitations related to IOC files:

The table below shows the features and limitations of the OpenIOC standard supported by the application.

Features and limitations of the OpenIOC standard versions 1.0 and 1.1

Supported conditions
  OpenIOC 1.0: is, isnot (as an exclusion from the set), contains, containsnot (as an exclusion from the set)
  OpenIOC 1.1: is, contains, starts-with, ends-with, matches, greater-than, less-than

Supported condition attributes
  OpenIOC 1.1: preserve-case, negate

Supported operators
  AND, OR

Supported data types
  date: date (applicable conditions: is, greater-than, less-than)
  int: integer number (applicable conditions: is, greater-than, less-than)
  string: string (applicable conditions: is, contains, matches, starts-with, ends-with)
  duration: duration in seconds (applicable conditions: is, greater-than, less-than)

Data types interpretation details

The following data types are interpreted as string: Boolean string, restricted string, md5, IP, sha256, base64Binary.

The application supports interpretation of the Content parameter specified as an interval for the int and date data types:

OpenIOC 1.0: using the TO operator in the Content field, for example:

  <Content type="int">49600 TO 50700</Content>
  <Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>
  <Content type="int">[154192 TO 154192]</Content>

OpenIOC 1.1: using the greater-than and less-than conditions, or the TO operator in the Content field.

The application supports interpretation of the date and duration data types if the indicators are specified in the ISO 8601, Zulu time zone, UTC format.
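As an added example (not Kaspersky's code), the following Python evaluates a constructed, namespace-free OpenIOC IndicatorItem fragment the way the table above describes: it rejects conditions outside the version's supported set, reads int and date Content as a closed interval when the TO operator is present (with or without square brackets), and accepts dates only in ISO 8601 Zulu form. The SUPPORTED_CONDITIONS table and the simplified element layout are assumptions taken from this page, not from the product's implementation.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Conditions the page lists as supported for each OpenIOC version (assumption from this page).
SUPPORTED_CONDITIONS = {
    "1.0": {"is", "isnot", "contains", "containsnot"},
    "1.1": {"is", "contains", "starts-with", "ends-with", "matches",
            "greater-than", "less-than"},
}

def parse_scalar(value, ctype):
    """Convert one Content value to a comparable object by its declared type."""
    value = value.strip()
    if ctype == "int":
        return int(value)
    if ctype == "date":
        # Only ISO 8601 in the Zulu (UTC) time zone is accepted, as the page requires.
        if not value.endswith("Z"):
            raise ValueError("date must be ISO 8601 with a trailing Z (UTC)")
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"interval interpretation applies to int and date only, not {ctype!r}")

def parse_content(text, ctype):
    """Return (low, high): 'A TO B' or '[A TO B]' is a closed interval, a scalar is (v, v)."""
    m = re.fullmatch(r"\[?\s*(\S+)\s+TO\s+(\S+?)\s*\]?", text.strip())
    if m:
        return parse_scalar(m.group(1), ctype), parse_scalar(m.group(2), ctype)
    v = parse_scalar(text, ctype)
    return v, v

def indicator_matches(item_xml, observed, version="1.0"):
    """Evaluate one constructed IndicatorItem against an observed int or date string."""
    item = ET.fromstring(item_xml)
    condition = item.get("condition")
    if condition not in SUPPORTED_CONDITIONS[version]:
        raise ValueError(f"condition {condition!r} is not supported for OpenIOC {version}")
    content = item.find("Content")
    ctype = content.get("type")
    low, high = parse_content(content.text, ctype)
    if isinstance(observed, str):          # e.g. a date string from a log record
        observed = parse_scalar(observed, ctype)
    if condition == "is":
        return low <= observed <= high
    if condition == "isnot":               # exclusion from the set
        return not (low <= observed <= high)
    if condition == "greater-than":
        return observed > high
    if condition == "less-than":
        return observed < low
    raise ValueError(f"condition {condition!r} does not apply to type {ctype!r}")
```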

Supported IOC terms

The full list of supported IOC terms is provided in a separate table.

See also

About IOC Scan tasks in Kaspersky Endpoint Agent

Supported IOC terms

Managing IOC Scan tasks in Kaspersky Endpoint Agent
