Requirements for IOC files

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

When creating IOC Scan tasks, consider the following requirements and limitations related to IOC files:

Kaspersky Endpoint Agent supports IOC files with the ioc and xml extensions. These files use open standard for IOC description – OpenIOC versions 1.0 and 1.1.
Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.
If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.
If, when creating the IOC Scan task, none of the downloaded IOC files is supported by Kaspersky Endpoint Agent, the task can be started, but as a result of the task execution, no indicators of compromise will be detected.
Semantic errors and IOC terms and tags in IOC files that are not supported by the application do not cause the task execution errors. The application just does not detect matches in such sections of IOC files.
Identifiers of all IOC files that are used in the same IOC Scan task must be unique. The presence of IOC files with the same identifier can affect the correctness of the task execution results.
IOC file identifier example:

<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="43e6a866-4f85-4ce2-a369-eabf786ba711" last-modified="2019-05-09T11:08:38" xmlns="http://schemas.mandiant.com/2010/ioc">
The size of a single IOC file must not exceed 3 MB. Using larger files results in the failure of IOC Scan tasks. In this case, the total size of all added files in the IOC collection can exceed 3 MB.
It is recommended to create one IOC file per each threat. This makes it easier to read the results of the IOC Scan task.

The table below shows the features and limitations of the OpenIOC standard supported by the application.

Features and limitations of the OpenIOC standard versions 1.0 and 1.1

Supported conditions	OpenIOC 1.0: `is` `isnot` (as an exclusion from the set) `contains` `containsnot` (as an exclusion from the set) OpenIOC 1.1: `is` `contains` `starts-with` `ends-with` `matches` `greater-than` `less-than`
Supported condition attributes	OpenIOC 1.1: `preserve-case` `negate`
Supported operators	`AND` `OR`
Supported data types	`date`: date (applicable conditions: `is`, `greater-than`, `less-than`) `int`: integer number (applicable conditions: `is`, `greater-than`, `less-than`) `string`: string (applicable conditions: `is`, `contains`, `matches`, `starts-with`, `ends-with`) `duration`: duration in seconds (applicable conditions: `is, greater-than, less-than`)
Data types interpretation details	The following data types are interpreted as string: `Boolean string`, `restricted string`, `md5`, `IP`, `sha256`, `base64Binary`. The application supports interpretation of the `Content` parameter specified as intervals for the following data types: `int` and `date`: OpenIOC 1.0: Using the `TO` operator in the `Content` field: `<Content type="int">49600 TO 50700</Content>` `<Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>` `<Content type="int">[154192 TO 154192]</Content>` OpenIOC 1.1: Using the `greater-than` and `less-than` conditions Using the `TO` operator in the `Content` field The application supports interpretation of the `date` and `duration` data types if the indicators are specified in the `ISO 8601, Zulu time zone, UTC` format.
Supported IOC terms	The full list of supported IOC terms is provided in a separate table.