Kaspersky Endpoint Security 12 for Windows

Appendix 10. IOC file requirements

April 25, 2024

ID 220828

When creating IOC Scan tasks, consider the following IOC file requirements and limitations:

  • The application supports IOC files with the IOC and XML extensions in the open standard OpenIOC versions 1.0 and 1.1 for describing indicators of compromise.
  • If, when creating an IOC Scan task on the command line, you upload IOC files, some of which are not supported, when the task is run, the application uses only the supported IOC files. If, when creating an IOC Scan task on the command line, all of the IOC files that you upload turn out to be unsupported, the task can still be run, but it will not detect any indicators of compromise. It is not possible to upload unsupported IOC files using Web Console or Cloud Console.
  • Semantic errors and unsupported IOC terms and tags in IOC files do not cause task execution to fail. In such sections of IOC files, the application detects no match.
  • The identifiers of all IOC files used in a single IOC Scan task must be unique. If there are IOC files with the same identifier, it might affect the task execution results.
  • A single IOC file must not exceed 2 MB in size. Using larger files will cause IOC Scan tasks to terminate with an error. The total size of all files added to the IOC collection should not exceed 10 MB. If the total size of all files exceeds 10 MB, you need to split the IOC collection and create several IOC Scan tasks.
  • It is recommended to create one IOC file per threat. This makes it easier to analyze the results of the IOC Scan task.

The file that you can download by clicking the link below, contains a table with the full list of IOC terms of the OpenIOC standard.


Features and limitations of the application’s support for the OpenIOC standard are shown in the following table.

Features and limitations of support for OpenIOC version 1.0 and 1.1.

Supported conditions

OpenIOC 1.0:


isnot (as an exception from the set)


containsnot (as an exception from the set)

OpenIOC 1.1:








Supported condition attributes

OpenIOC 1.1:



Supported operators



Supported data types

"date": date (applicable conditions: is, greater-than, less-than)

"int": integer (applicable conditions: is, greater-than, less-than)

"string": string (applicable conditions: is, contains, matches, starts-with, ends-with)

"duration": duration in seconds (applicable conditions: is, greater-than, less-than)

Features of data type interpretation

The "boolean string", "restricted string", "md5", "IP", "sha256" and "base64Binary" data types are interpreted as string.

The application supports interpretation of the Content setting for the int and date data types when it is set in the form of intervals:

OpenIOC 1.0:

Using the TO operator in the Content field:

<Content type="int">49600 TO 50700</Content>

<Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>

<Content type="int">[154192 TO 154192]</Content>

OpenIOC 1.1:

Using the greater-than and less-than conditions

Using the TO operator in the Content field

The application supports interpretation of the date and duration data types if the indicators are set in ISO 8601, Zulu Time Zone, UTC format.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.