Requirements for IOC files

When creating IOC Scan tasks, consider the following IOC file requirements and limitations:

The application supports IOC files with the IOC and XML extensions. These files use open standard for IOC description – OpenIOC versions 1.0 and 1.1.
Semantic errors and unsupported IOC terms and tags in IOC files do not cause the task to fail. For such sections of IOC files, the application registers the absence of a match.
IDs of all IOC files used in an IOC Scan task must be unique. Duplicate IDs may affect the correctness of task results.
Example of an IOC file ID:

<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="43e6a866-4f85-4ce2-a369-eabf786ba711" last-modified="2019-05-09T11:08:38" xmlns="http://schemas.mandiant.com/2010/ioc">
We recommend creating an IOC file for each threat. This makes the results of the IOC Scan task easier to read.

The file that can be downloaded by clicking the link below contains a table with the full list of IOC terms of the OpenIOC standard.

DOWNLOAD THE "IOC_Terms.xlsx" FILE

Special considerations and limitations of the way the application supports the OpenIOC standard are listed in the table below.

Features and limitations of the OpenIOC standard versions 1.0 and 1.1

Supported conditions	OpenIOC 1.0: `is` `isnot` (as an exclusion from the set) `contains` `containsnot` (as an exclusion from the set) OpenIOC 1.1: `is` `contains` `starts-with` `ends-with` `matches` `greater-than` `less-than`
Supported attributes of conditions	OpenIOC 1.1: `preserve-case` `negate`
Supported operators	`AND` `OR`
Supported data types	`"date"`: date (applicable conditions: `is`, `greater-than`, `less-than`) `"int"`: integer (applicable conditions: `is`, `greater-than`, `less-than`) `"string"`: string (applicable conditions: `is`, `contains`, `matches`, `starts-with`, `ends-with`) `"duration"`: duration in seconds (applicable terms: `is`, `greater-than`, `less-than`)
Special considerations for interpreting data types	The `"boolean string"`, `"restricted string"`, `"md5"`, `"IP"`, `"sha256"`, `"base64Binary"` data types are interpreted as strings. The application supports the interpretation of the `Content` parameter for `int` and `date` data types specified as intervals: OpenIOC 1.0: Using the `TO` operator in the `Content` field: `<Content type="int">49600 TO 50700</Content>` `<Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>` `<Content type="int">[154192 TO 154192]</Content>` OpenIOC 1.1: Using `greater-than` and `less-than` conditions Using the `TO` operator in the `Content` field The application supports the interpretation of the `date` and `duration` data types if the indicators are specified in the `ISO 8601, Zulu time zone, UTC` format.

Page top