IOC management
Accessing the IOC gallery
To access the IOC gallery, click Settings in the top menu. Click IOC gallery in the side panel. A list appears of all imported IOCs.
Required permissions
To view and use the IOCs feature, the Search for and manage IOCs permission must be assigned to the user account role. For more information about this permission, see the Search for and manage IOCs section.
IOC search tasks are compatible with Windows computers.
IOC gallery
The IOC gallery shows a list of all IOCs imported or created with the wizard. For each IOC, the following information is provided:
Field | Description | Values |
---|---|---|
Name | Name assigned to the IOC when it was created or imported. | Character string |
Description | IOC description field. | Character string |
Type | IOC status: see the Approving an imported IOC section for more information. | Enumeration |
Modified | Date the IOC was modified. | Date |
Created | Date the IOC was created. | Date |
Creating a new IOC
- Click Add in the upper-right corner of the page. The Add IOC page opens.
- Complete the Name, Author, and Description fields.
- In the Select a property field, choose the feature of the attack you want to detect:
  - File MD5: Checks whether there is a file with the specified MD5 hash.
  - File SHA-256: Checks whether there is a file with the specified SHA-256 hash.
  - File name: Checks whether there is a file with the specified name.
  - File path: Checks whether there is a file with the specified path.
  - Domain: Checks whether there is a TCP or UDP network connection to or from the specified domain.
  - IPv4: Checks whether there is a TCP or UDP connection to or from the specified IPv4 address.
  - IPv6: Checks whether there is a TCP or UDP connection to or from the specified IPv6 address.
  - YARA rule: Checks whether there is a file whose content matches the pattern described in the YARA rule.
- Select an operator: Determines how the property found on the computer is compared with the reference value you set in the IOC.
  - In: When one or more values are specified in the Value field, the computer needs to match only one of them.
  - Is equal to: The property found on the computer exactly matches the value you specified in the Value field.
- Value: Set the values used for the search:
  - One or more values separated by a carriage return.
  - Wildcards are not supported.
- New condition: Adds more conditions to the rule. The logical operators AND/OR are applied between them.
Logical operators
To combine two or more conditions into a single rule, the logical operators AND and OR are used. Adding further conditions to a rule automatically displays a drop-down menu with the logical operators that will apply to the adjacent conditions.
Rule condition groupings
In a logical expression, parentheses are used to change the order in which the operators that relate rule conditions are evaluated.
To group two or more conditions in parentheses, create a grouping by selecting the consecutive conditions that will be part of the group and clicking Group conditions. A thin line appears connecting the conditions that are part of the grouping.
The use of parentheses enables you to group operands at different levels in a logical expression.
Conditions for using YARA rules
An IOC cannot include more than one YARA rule. If you add a YARA rule to an empty IOC, no other properties can be used. Similarly, if you add other properties to an IOC, the YARA rules are disabled.
If a rule does not comply with the YARA syntax, the console displays an error message and does not allow the IOC to be saved.
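The rule structure described in Creating a new IOC, Logical operators and Conditions for using YARA rules, as an added example that is not Cytomic or Advanced EDR code: a small Python model of conditions with the In and Is equal to operators, carriage-return-separated values, parenthesised AND/OR groupings, and the YARA exclusivity check, evaluated against a constructed set of host observations. The host dictionary shape, the sample hashes, path and domain are assumptions.

```python
# Added example (not Cytomic or Advanced EDR code): a minimal model of the IOC
# rule structure described above, evaluated against constructed host data.
# Property names follow the list above; the host dictionary shape is assumed.
from dataclasses import dataclass

PROPERTIES = {"File MD5", "File SHA-256", "File name", "File path",
              "Domain", "IPv4", "IPv6", "YARA rule"}

@dataclass
class Condition:
    prop: str       # one of PROPERTIES
    operator: str   # "In" or "Is equal to"
    value: str      # one or more values separated by a carriage return
    def values(self):
        return [v.strip() for v in self.value.splitlines() if v.strip()]

    def matches(self, host):
        observed = host.get(self.prop, set())  # values seen on the computer for this property
        if self.operator == "Is equal to":   # exact match of a single value, no wildcards
            return len(self.values()) == 1 and self.values()[0] in observed
        if self.operator == "In":            # any one of the listed values is enough
            return any(v in observed for v in self.values())
        raise ValueError(f"unknown operator {self.operator!r}")

@dataclass
class Group:
    operator: str   # "AND" or "OR" applied to the conditions inside the parentheses
    items: list     # Condition or nested Group (a grouping)
    def matches(self, host):
        combine = all if self.operator == "AND" else any
        return combine(item.matches(host) for item in self.items)

def flatten(item):
    return [item] if isinstance(item, Condition) else [c for i in item.items for c in flatten(i)]

def validate(rule):
    """Return an error string, or None: at most one YARA rule, never mixed with other properties."""
    conds = flatten(rule)
    bad = [c.prop for c in conds if c.prop not in PROPERTIES]
    if bad:
        return f"unknown property {bad[0]!r}"
    yara = [c for c in conds if c.prop == "YARA rule"]
    if len(yara) > 1 or (yara and len(conds) > 1):
        return "an IOC containing a YARA rule cannot contain any other condition"
    return None

# Constructed IOC: (SHA-256 In {aa11, bb22} AND path = C:\Users\Public\drop.exe) OR domain = bad.example.invalid
RULE = Group("OR", [Group("AND", [Condition("File SHA-256", "In", "aa11\nbb22"),
                                  Condition("File path", "Is equal to", r"C:\Users\Public\drop.exe")]),
                    Condition("Domain", "Is equal to", "bad.example.invalid")])
```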
Copying IOCs
You can copy IOCs from the IOC gallery list by following these steps:
- Click the icon. A context menu appears.
- Select the Make a copy option. The Edit IOC page opens, with the same data as the original IOC except for:
  - Name: The same name as the original IOC, preceded by the “Copy of” text string.
  - ID: This is not shown. A new ID is automatically generated when you save the IOC.
Deleting IOCs
You cannot delete IOCs that are part of a task that is in progress, regardless of the status of the task. If you try to do so, an error message appears.
Deleting an IOC
Click the context menu of the IOC you want to delete and select Delete. The IOC is deleted from the list. The detected IOC statistics up until the time of deletion are kept in the Detected IOCs list and in the widgets on the IOCs dashboard.
Deleting multiple IOCs
- In the IOC list, select the items you want to delete using the checkboxes.
- Click the drop-down menu icon. Click Delete. The Delete option also appears in the toolbar at the top of the page.
The detected IOC statistics up until the time of deletion are kept in the Detected IOCs list and in the widgets on the IOCs dashboard.
Importing and exporting IOCs
You cannot import an IOC that has the same ID as another IOC that is part of a task that is in progress, regardless of the status of the task. If you try to do so, an error message appears.
Importing an IOC
To import an IOC, follow these steps:
- Click the icon in the upper-right corner of the page. The import page opens.
- Click Select file. Choose a file compatible with STIX, YARA, or comma-separated values.
- Click Import. The new IOC is added to the IOC gallery.
- If the IOC already exists, you are prompted for the action to take:
  - Replace: Replaces the existing IOC with the new one.
  - Ignore: Disregards the new IOC, keeping the existing one.
Approving an imported IOC
IOCs imported from external sources require an additional step before you can use them in searches. This is necessary to ensure that the IOC can be interpreted by Advanced EDR correctly, as not all entities supported by the STIX 2.x specification are taken into account when running a search.
After the IOC has been imported, follow these steps:
- If the IOC has not been approved, the message (Pending approval) appears in the Type column of the list.
- Click the IOC you want to approve. The Edit IOC page opens.
- If the IOC contains a rule that cannot be interpreted by Advanced EDR, a red box appears indicating the situation. The data displayed on the editing page corresponds to the sections of the IOC that Advanced EDR interprets correctly.
- If the rules displayed are correct, click Approve search statement and save to be able to use the IOC in searches.

Advanced EDR only discards the unsupported rules of an imported IOC when running a search. The complete IOC is stored on the Cytomic server, where you can see its entities and relationships as well as the original source code.
Exporting a single IOC
- In the list of IOCs, click the icon of the IOC you want to export. A drop-down menu appears.
- Select Export. A JSON file with the IOC definition downloads to your computer.
Exporting multiple IOCs
- In the list of IOCs, use the checkboxes to select the IOCs you want to export.
- Click Export in the toolbar. A single JSON file downloads with the definition of all the selected IOCs.
Viewing imported IOCs
Graphical representation of an IOC
Click the context menu of an IOC. Select View original STIX file. The STIX file page opens with a graphical representation and the code of the IOC.
The STIX file page has the following features:
- Arrange the items in the diagram (1) by clicking and dragging them.
- Click Legend (3) to see the meaning of each icon in the graph.
- Use the Visualization/Code (3) buttons to toggle between a graphical representation and a definition of the IOC. The IOC code is shown in tab format and can be copied to the clipboard.
Although the IOC code is displayed as it was imported, Advanced EDR may omit certain sections that are not compatible with its implementation. For this reason, the search results may not always be as expected.
Filtering imported IOCs
To filter items in the IOC list, use the search bar in the IOC gallery panel. Enter the name or description of an IOC as search parameters to show only items from the list that meet the search criteria.