Appendix 4. IOC file requirements

Support

Support for business applications

Kaspersky Endpoint Security 11 for Windows

Detection and Response solutions

Endpoint Detection and Response

Appendix 4. IOC file requirements

April 25, 2024

ID 220828

Get as PDF

When creating IOC Scan tasks, consider the following IOC file requirements and limitations:

The application supports IOC files with the IOC and XML extensions in the open standard OpenIOC versions 1.0 and 1.1 for describing indicators of compromise.
If, when creating an IOC Scan task on the command line, you upload IOC files, some of which are not supported, when the task is run, the application uses only the supported IOC files. If, when creating an IOC Scan task on the command line, all of the IOC files that you upload turn out to be unsupported, the task can still be run, but it will not detect any indicators of compromise. It is not possible to upload unsupported IOC files using Web Console or Cloud Console.
Semantic errors and unsupported IOC terms and tags in IOC files do not cause task execution to fail. In such sections of IOC files, the application detects no match.
The identifiers of all IOC files used in a single IOC Scan task must be unique. If there are IOC files with the same identifier, it might affect the task execution results.
Example of an IOC file identifier:

<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="43e6a866-4f85-4ce2-a369-eabf786ba711" last-modified="2019-05-09T11:08:38" xmlns="http://schemas.mandiant.com/2010/ioc">
A single IOC file must not exceed 2 MB in size. Using larger files will cause IOC Scan tasks to terminate with an error. The total size of all files added to the IOC collection should not exceed 10 MB. If the total size of all files exceeds 10 MB, you need to split the IOC collection and create several IOC Scan tasks.
It is recommended to create one IOC file per threat. This makes it easier to analyze the results of the IOC Scan task.

The file that you can download by clicking the link below, contains a table with the full list of IOC terms of the OpenIOC standard.

DOWNLOAD THE IOC_TERMS.XLSX FILE

Features and limitations of the application’s support for the OpenIOC standard are shown in the following table.

Features and limitations of support for OpenIOC version 1.0 and 1.1.

Supported conditions	OpenIOC 1.0: `is` `isnot` (as an exception from the set) `contains` `containsnot` (as an exception from the set) OpenIOC 1.1: `is` `contains` `starts-with` `ends-with` `matches` `greater-than` `less-than`
Supported condition attributes	OpenIOC 1.1: `preserve-case` `negate`
Supported operators	`AND` `OR`
Supported data types	`"date"`: date (applicable conditions: `is`, `greater-than`, `less-than`) `"int"`: integer (applicable conditions: `is`, `greater-than`, `less-than`) `"string"`: string (applicable conditions: `is`, `contains`, `matches`, `starts-with`, `ends-with`) `"duration"`: duration in seconds (applicable conditions: `is, greater-than, less-than`)
Features of data type interpretation	The `"boolean string"`, `"restricted string"`, `"md5"`, `"IP"`, `"sha256"` and `"base64Binary"` data types are interpreted as string. The application supports interpretation of the `Content` setting for the `int` and `date` data types when it is set in the form of intervals: OpenIOC 1.0: Using the `TO` operator in the `Content` field: `<Content type="int">49600 TO 50700</Content>` `<Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>` `<Content type="int">[154192 TO 154192]</Content>` OpenIOC 1.1: Using the `greater-than` and `less-than` conditions Using the `TO` operator in the `Content` field The application supports interpretation of the `date` and `duration` data types if the indicators are set in `ISO 8601, Zulu Time Zone, UTC` format.

Kaspersky Endpoint Security for Windows: Detection of advanced threats

Control systems which prevent damage from the sensitive data theft. Management from a single console. Buy as part of Endpoint Security for Business Advanced.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.