Appendix 11. IOC file requirements

When creating IOC Scan tasks, consider the following IOC file requirements and limitations:

The IOC_TERMS.XLSX file, available via the download link below, contains a table with the full list of OpenIOC terms that Kaspersky Endpoint Detection and Response supports.

Download the IOC_TERMS.XLSX file

Features and limitations of the application’s support for the OpenIOC standard are shown in the following table.

Features and limitations of support for OpenIOC versions 1.0 and 1.1

Supported conditions

OpenIOC 1.0: is, isnot, contains, containsnot. The negated conditions isnot and containsnot are supported only as exclusions from a set of matches.

OpenIOC 1.1: is, contains, starts-with, ends-with, matches, greater-than, less-than

Supported condition attributes

OpenIOC 1.1: preserve-case, negate

Supported operators

AND, OR

Supported data types

"date": date (applicable conditions: is, greater-than, less-than)

"int": integer (applicable conditions: is, greater-than, less-than)

"string": string (applicable conditions: is, contains, matches, starts-with, ends-with)

"duration": duration in seconds (applicable conditions: is, greater-than, less-than)

Features of data type interpretation

The "boolean string", "restricted string", "md5", "IP", "sha256" and "base64Binary" data types are interpreted as strings.

For the int and date data types, the application also interprets a Content value that is written as an interval:

OpenIOC 1.0: use the TO operator in the Content field, with or without enclosing square brackets:

<Content type="int">49600 TO 50700</Content>

<Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>

<Content type="int">[154192 TO 154192]</Content>

OpenIOC 1.1: use either the greater-than and less-than conditions or the TO operator in the Content field.

Values of the date and duration data types are interpreted only when they are written in ISO 8601 format with the Zulu time zone designator (UTC, "Z" suffix), as in the date examples above. A date written without the "Z" suffix or with a local time zone offset is not interpreted.
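Because an unsupported condition, attribute, operator or value format only surfaces after the IOC Scan task has been created, it is worth checking an IOC file against the table above before uploading it. The script below is an added example written for this page; it is not part of the Kaspersky documentation or the product. It uses the Python standard library only and encodes the table as data: the per-version condition sets, the two OpenIOC 1.1 attributes, the AND/OR operators, the type-to-condition matrix, the alias types that are read as strings, the TO interval syntax for int and date, and the ISO 8601 Zulu requirement. Assumptions that go beyond the page are marked in the code: the OpenIOC version is inferred from the root element name (`ioc` for 1.0, `OpenIOC` for 1.1), type names are normalised by case and spacing so that `restrictedString` and "restricted string" are treated as the same type, and a "duration in seconds" is expected as a whole number of seconds. The embedded IOC document is a constructed sample with two acceptable items and two that the table rules out.

```python
"""Pre-flight lint of an OpenIOC 1.0/1.1 file against the KEDR support table above.
Added example, not Kaspersky's code: it flags what the table lists as unsupported."""
import re
import xml.etree.ElementTree as ET  # use defusedxml instead for IOC files from untrusted sources

CONDITIONS = {
    "1.0": {"is", "isnot", "contains", "containsnot"},
    "1.1": {"is", "contains", "starts-with", "ends-with", "matches", "greater-than", "less-than"},
}
ITEM_ATTRS = {"1.0": {"id", "condition"}, "1.1": {"id", "condition", "preserve-case", "negate"}}
OPERATORS = {"AND", "OR"}
BASE_CONDITION = {"isnot": "is", "containsnot": "contains"}  # 1.0 exclusions follow the base condition's type rules
# Types the table says are interpreted as plain strings (normalised: lower-case, no spaces or dashes).
STRING_ALIASES = {"booleanstring", "restrictedstring", "md5", "ip", "sha256", "base64binary"}
TYPE_CONDITIONS = {
    "date": {"is", "greater-than", "less-than"},
    "int": {"is", "greater-than", "less-than"},
    "duration": {"is", "greater-than", "less-than"},
    "string": {"is", "contains", "matches", "starts-with", "ends-with"},
}
ZULU = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")  # ISO 8601 with the "Z" (UTC) designator
INTERVAL = re.compile(r"^\[?(.+?) TO (.+?)\]?$")  # "a TO b" or "[a TO b]"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace

def _check_scalar(kind, value):
    """Return an error message if `value` is not a well-formed scalar of data type `kind`."""
    if kind == "int" and not re.fullmatch(r"-?\d+", value):
        return f"int value {value!r} is not an integer"
    if kind == "date" and not ZULU.match(value):
        return f"date value {value!r} is not ISO 8601 with the Zulu (Z) time zone"
    if kind == "duration" and not re.fullmatch(r"\d+", value):  # assumption: whole seconds
        return f"duration value {value!r} is not a whole number of seconds"
    return None

def _lint_item(item, version):
    iid, cond, errs = item.get("id", "?"), item.get("condition", ""), []
    if cond not in CONDITIONS[version]:
        errs.append(f"IndicatorItem {iid}: condition {cond!r} is not supported in OpenIOC {version}")
    for attr in sorted(set(item.attrib) - ITEM_ATTRS[version]):
        errs.append(f"IndicatorItem {iid}: attribute {attr!r} is not supported in OpenIOC {version}")
    content = item.find("{*}Content")  # any namespace (Python 3.8+)
    if content is None or not (content.text or "").strip():
        return errs + [f"IndicatorItem {iid}: missing or empty <Content>"]
    raw_type = content.get("type", "string")
    kind = re.sub(r"[\s_-]", "", raw_type).lower()  # assumption: spelling variants name the same type
    kind = "string" if kind in STRING_ALIASES else kind
    if kind not in TYPE_CONDITIONS:
        return errs + [f"IndicatorItem {iid}: unknown Content type {raw_type!r}"]
    if BASE_CONDITION.get(cond, cond) not in TYPE_CONDITIONS[kind]:
        errs.append(f"IndicatorItem {iid}: condition {cond!r} is not applicable to type {kind!r}")
    value = content.text.strip()
    m = INTERVAL.match(value) if kind in ("int", "date") else None  # intervals only for int and date
    for end in (m.groups() if m else (value,)):
        err = _check_scalar(kind, end)
        if err:
            errs.append(f"IndicatorItem {iid}: {err}")
    return errs

def lint_ioc(xml_text):
    """Return the problems found in an OpenIOC 1.0 or 1.1 document; [] means it is clean."""
    root = ET.fromstring(xml_text)
    version = {"ioc": "1.0", "OpenIOC": "1.1"}.get(_local(root.tag))
    if version is None:
        return [f"unknown root element <{_local(root.tag)}>; expected <ioc> (1.0) or <OpenIOC> (1.1)"]
    issues = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "Indicator" and el.get("operator") not in OPERATORS:
            issues.append(f"Indicator {el.get('id', '?')}: unsupported operator {el.get('operator')!r}")
        elif name == "IndicatorItem":
            issues.extend(_lint_item(el, version))
    return issues

# Constructed OpenIOC 1.1 sample (not real indicators): two valid items, two the table rules out.
SAMPLE_IOC_11 = """<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="sample" last-modified="2024-01-01T00:00:00Z">
  <criteria><Indicator operator="OR" id="ind-1">
    <IndicatorItem id="ok-md5" condition="is" preserve-case="false" negate="false">
      <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
      <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
    </IndicatorItem>
    <IndicatorItem id="ok-size" condition="is">
      <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
      <Content type="int">49600 TO 50700</Content>
    </IndicatorItem>
    <IndicatorItem id="bad-cond" condition="isnot">
      <Context document="FileItem" search="FileItem/FileName" type="mir"/>
      <Content type="string">sample.exe</Content>
    </IndicatorItem>
    <IndicatorItem id="bad-date" condition="greater-than">
      <Context document="FileItem" search="FileItem/Created" type="mir"/>
      <Content type="date">2009-04-28 10:00:00</Content>
    </IndicatorItem>
  </Indicator></criteria>
</OpenIOC>"""

if __name__ == "__main__":
    print("\n".join(lint_ioc(SAMPLE_IOC_11)) or "no issues")
```

Run against the sample, the script reports only the two broken items: `isnot` is a 1.0 condition and has no 1.1 equivalent other than `negate="true"` on an `is` item, and the date lacks the "Z" suffix. The check is deliberately a lint of the support table, not a schema validation: it says nothing about whether the Context search terms exist in IOC_TERMS.XLSX, and for `matches` it does not try to validate the regular expression, since the page does not specify the dialect.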
