IOC management

Accessing the IOC gallery

To access the IOC gallery, from the top menu, select Settings. From the side menu, select IOC gallery. A list appears that shows all imported IOCs.

Required permissions

To view and access the IOCs feature, the Search for and manage IOCs permission must be assigned to the user account role. For more information about this permission, see section Search for and manage IOCs.

IOC search tasks are compatible with Windows computers.

IOC gallery

The IOC gallery shows a list of all IOCs imported or created with the wizard. For each IOC, this information is provided:

  • Name (character string): Name assigned to the IOC when it was created or imported.

  • Description (character string): IOC description field.

  • Type (enumeration): Origin of the IOC and whether it is approved for use in searches:

    • STIX (Pending approval): IOC was imported from an external source and requires approval to convert it to the format supported by Advanced EDR.

    • STIX: IOC was imported from an external source and was approved for use by IOC searches in Advanced EDR.

    • Created by the user: IOC was created through the web console wizard. It does not require approval to use in searches.

    For more information, see Approving an imported IOC.

  • Modified (date): Date the IOC was last modified.

  • Created (date): Date the IOC was created.

List of IOCs created or imported

Creating an IOC

  • In the upper-right corner of the page, click Add. The Add IOC page opens.

  • Enter a Name, Author, and Description.

  • From the Select a property drop-down menu, select the property (the attack artifact) you want to detect:

    • File MD5: Searches for a file with the specified MD5 hash.

    • File SHA-256: Searches for a file with the specified SHA-256 hash.

    • File name: Searches for a file with the specified name.

    • File path: Searches for a file with the specified path.

    • Domain: Searches for a network connection through TCP or UDP to or from the specified domain.

    • IPv4: Searches for a TCP or UDP connection to or from the specified IPv4 address.

    • IPv6: Searches for a TCP or UDP connection to or from the specified IPv6 address.

    • YARA rule: Searches for a file with content that matches the pattern described in the YARA rule.

  • Select an operator: Specify how the property values found on the computer are compared with the reference values you set in the IOC.

    • In: A property found on the computer must match at least one property value specified in the Value text box.

    • Is equal to: All properties found on the computer must match exactly the property values you specify in the Value text box.

  • Value: Type a value for the property you selected.

    • To enter more than one value, type a value and then press Enter.

    • Wildcards are not supported.

  • New condition: Add more conditions to the rule. You can apply logical operators AND/OR.

Logical operators

To combine two or more conditions in the same rule, use the logical Boolean operators AND and OR. When you add two or more conditions to a rule, a drop-down menu appears with available operators. Operators apply to the adjacent conditions.

Rule condition groupings

In a logical expression, parentheses alter the order in which operators that relate rule conditions are evaluated.

To group two or more conditions in parentheses, you must create a group. A gray line connects the rules that are part of the grouping.

Parentheses enable you to group operators at different levels in a logical expression.
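The following is an added example, not Cytomic or Advanced EDR code, that models a rule built with the Add IOC wizard and evaluates it against constructed host observations. The rule shape (property, operator, values; AND/OR between adjacent conditions, applied left to right; parenthesised groups as nested groups) follows the description above. The exact matching semantics of In (at least one observed value is in the list) and Is equal to (all observed values match the specified values exactly) are a literal reading of the operator descriptions and an assumption, as is the digest-length check on hash values; the host data, hashes and domain are made up.

```python
"""Evaluate an IOC built with the Add IOC wizard against what a host reports.

Added example, not Cytomic/Advanced EDR code. The "In" / "Is equal to"
semantics, the digest-length check and the host observations are assumptions
constructed for the example.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Union

# Properties the wizard offers (the YARA rule property is not modelled here).
PROPERTIES = ("File MD5", "File SHA-256", "File name", "File path",
              "Domain", "IPv4", "IPv6")
DIGEST_LEN = {"File MD5": 32, "File SHA-256": 64}   # assumed sanity check on hash values


@dataclass
class Condition:
    prop: str
    op: str                 # "In" or "Is equal to"
    values: list[str]

    def __post_init__(self) -> None:
        if self.prop not in PROPERTIES:
            raise ValueError(f"unknown property {self.prop!r}")
        if self.op not in ("In", "Is equal to"):
            raise ValueError(f"unknown operator {self.op!r}")
        if not self.values:
            raise ValueError("a condition needs at least one value")
        for v in self.values:
            if "*" in v or "?" in v:                # wildcards are not supported
                raise ValueError(f"wildcards are not supported: {v!r}")
            n = DIGEST_LEN.get(self.prop)
            if n and not re.fullmatch(rf"[0-9a-fA-F]{{{n}}}", v):
                raise ValueError(f"{self.prop} expects {n} hex digits: {v!r}")

    def matches(self, host: dict[str, set[str]]) -> bool:
        observed = host.get(self.prop, set())
        wanted = set(self.values)
        if self.op == "In":
            return not observed.isdisjoint(wanted)   # at least one observed value is listed
        return observed == wanted                    # every observed value matches exactly


@dataclass
class Group:
    """A parenthesised grouping; operators sit between adjacent items, evaluated left to right."""
    items: list[Union[Condition, "Group"]]
    ops: list[str]                                   # "AND" / "OR", one per adjacent pair

    def __post_init__(self) -> None:
        if not self.items or len(self.ops) != len(self.items) - 1:
            raise ValueError("need exactly one operator between each pair of items")
        if any(op not in ("AND", "OR") for op in self.ops):
            raise ValueError("operators must be AND or OR")

    def matches(self, host: dict[str, set[str]]) -> bool:
        result = self.items[0].matches(host)
        for op, item in zip(self.ops, self.items[1:]):
            rhs = item.matches(host)
            result = (result and rhs) if op == "AND" else (result or rhs)
        return result


# Constructed reference values (not real indicators).
SHA_DROPPER = "7c" * 32
SHA_LOADER = "e1" * 32
MD5_CONFIG = "3a" * 16
C2_DOMAIN = "update.evil.example"


def example_ioc() -> Group:
    """(File SHA-256 In {dropper, loader} OR File MD5 Is equal to config) AND Domain In {c2}."""
    file_group = Group(
        [Condition("File SHA-256", "In", [SHA_DROPPER, SHA_LOADER]),
         Condition("File MD5", "Is equal to", [MD5_CONFIG])],
        ["OR"],
    )
    return Group([file_group, Condition("Domain", "In", [C2_DOMAIN])], ["AND"])


# Constructed host observations, keyed by wizard property.
HOST_COMPROMISED = {
    "File SHA-256": {SHA_LOADER, "00" * 32},
    "Domain": {C2_DOMAIN, "login.example.net"},
}
HOST_CLEAN = {
    "File SHA-256": {SHA_LOADER},          # loader present ...
    "Domain": {"login.example.net"},       # ... but no connection to the C2 domain
}


def evaluate(rule: Group, hosts: dict[str, dict[str, set[str]]]) -> dict[str, bool]:
    """Return, per host, whether the IOC matches its observations."""
    return {name: rule.matches(obs) for name, obs in hosts.items()}


if __name__ == "__main__":
    print(evaluate(example_ioc(), {"ws01": HOST_COMPROMISED, "ws02": HOST_CLEAN}))
```

Without the inner group, the same three conditions joined left to right as "SHA In ... OR MD5 Is equal to ... AND Domain In ..." would be evaluated as ((SHA OR MD5) AND Domain) only because of the left-to-right order assumed here; building the grouping explicitly, as the wizard's gray line does, makes the intent independent of evaluation order.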

Conditions for using YARA rules

An IOC cannot include more than one YARA rule. If you add a YARA rule to an empty IOC, you cannot add other properties. Similarly, if an IOC already contains other properties, the YARA rule option is disabled.

If a rule does not comply with the YARA syntax, an error message appears and you cannot save the IOC.

Copying an IOC

To copy an IOC from the IOC gallery list:

  • Click the context menu icon. A context menu opens.

  • Select the Make a copy option. The Edit IOC dialog box opens and shows the same data as the original IOC except for:

    • Name: Shows the same name as the original IOC, preceded by the "Copy of" text string.

    • ID: Not shown. A new ID is generated automatically when you save the IOC.

Deleting an IOC

You cannot delete IOCs that are part of a task that is in progress. If you try to do so, an error message appears.

Deleting a single IOC

In the row of the IOC you want to delete, click the context menu icon and select Delete. The IOC is deleted from the list. When you delete an IOC, historical data for the IOC remains in the Detected IOCs list and IOCs dashboard.

Deleting multiple IOCs

  • In the IOC list, select the checkbox for each IOC you want to delete.

  • Click the drop-down menu icon. Click Delete. The Delete option also appears in the toolbar at the top of the page.

When you delete multiple IOCs, historical data for the IOC remains in the Detected IOCs list and IOCs dashboard.

Importing and exporting IOCs

You cannot import an IOC that has the same ID as another IOC that is part of a search task that is in progress. If you try to do so, an error message appears.

Importing an IOC

To import an IOC:

  • In the upper-right corner of the page, click the Import icon. The Import dialog box opens.

  • Click Select file. Select a file. Compatible files are in STIX, YARA, or comma-separated value format.

  • Click Import. The IOC is added to the IOC gallery.

  • If an IOC in the import file already exists in the gallery, choose whether to:

    • Replace: Replaces the existing IOC with the new one.

    • Ignore: Ignores the new IOC and keeps the existing one.

Approving an imported IOC

IOCs imported from an external source require an additional step before a search task can use them. This is necessary to make sure that Advanced EDR can interpret the IOC correctly, because not all entities supported by the STIX 2.x specification are considered when you run a search.

After the IOC has been imported:

  • IOCs that require approval show STIX (Pending approval) in the Type column of the list.

  • Select the IOC you want to approve. The Edit IOC dialog box opens.

  • If the IOC contains a rule that Advanced EDR cannot interpret, a red box reports it. The data shown on the edit page corresponds to the sections of the IOC that Advanced EDR interprets correctly.

  • If the rules shown are correct, click Approve search statement and save. The IOC can then be used in search tasks.

Advanced EDR discards the rules it cannot interpret only when it runs a search task. The complete IOC is still stored on the Cytomic server, where you can view its entities and relationships as well as the original source code.
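The following is an added example, not Cytomic or Advanced EDR code, that walks through the import and approval steps described above on a constructed STIX 2.x bundle: only the pattern comparisons that map onto the wizard's properties (file hashes, file name, domain, IPv4/IPv6) are turned into search conditions, every other comparison is reported as uninterpretable (the situation the red box flags), non-indicator objects such as malware are skipped, an IOC whose ID already exists is either replaced or ignored, and an ID that belongs to a search task in progress is refused. The STIX-path mapping, the regex pattern reader, the gallery and in-progress bookkeeping, and the bundle contents are all assumptions made for the example.

```python
"""Stage a STIX 2.x bundle for the IOC gallery and the approval step.

Added example, not Cytomic/Advanced EDR code. The STIX-path mapping, the
pattern reader, the gallery bookkeeping and the sample bundle are constructed
for the example.
"""
from __future__ import annotations
import json
import re
from dataclasses import dataclass, field

# STIX object paths that map onto wizard properties (assumed subset).
STIX_TO_PROPERTY = {
    "file:hashes.'MD5'": "File MD5",
    "file:hashes.MD5": "File MD5",
    "file:hashes.'SHA-256'": "File SHA-256",
    "file:hashes.SHA-256": "File SHA-256",
    "file:name": "File name",
    "domain-name:value": "Domain",
    "ipv4-addr:value": "IPv4",
    "ipv6-addr:value": "IPv6",
}

# One comparison inside a STIX observation expression, e.g.
#   file:hashes.'SHA-256' = '...'   or   domain-name:value IN ('a', 'b')
COMPARISON = re.compile(
    r"(?P<path>[\w-]+:[\w.'-]+)\s*(?P<op>=|IN)\s*(?P<rhs>'[^']*'|\([^)]*\))")


@dataclass
class ImportedIOC:
    ioc_id: str
    name: str
    description: str = ""
    conditions: list[tuple[str, str, list[str]]] = field(default_factory=list)
    uninterpretable: list[str] = field(default_factory=list)   # shown in the red box
    ioc_type: str = "STIX (Pending approval)"

    def approve(self) -> None:
        """'Approve search statement and save': only the interpreted conditions are searched."""
        if not self.conditions:
            raise ValueError(f"{self.ioc_id}: no interpretable rule, nothing to search for")
        self.ioc_type = "STIX"


def parse_pattern(pattern: str) -> tuple[list[tuple[str, str, list[str]]], list[str]]:
    """Split a STIX pattern into (property, operator, values) tuples plus leftovers."""
    conditions, uninterpretable = [], []
    for m in COMPARISON.finditer(pattern):
        values = re.findall(r"'([^']*)'", m["rhs"])
        prop = STIX_TO_PROPERTY.get(m["path"])
        if prop is None:
            uninterpretable.append(m.group(0))
            continue
        op = "In" if m["op"] == "IN" else "Is equal to"
        conditions.append((prop, op, values))
    return conditions, uninterpretable


def import_bundle(bundle_json: str, gallery: dict[str, ImportedIOC],
                  in_progress: set[str], on_conflict: str = "Ignore") -> list[ImportedIOC]:
    """Add the bundle's indicators to the gallery; return the IOCs actually added."""
    added = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue                    # malware, relationship, ... are not searched for
        ioc = ImportedIOC(obj["id"], obj.get("name", obj["id"]), obj.get("description", ""))
        ioc.conditions, ioc.uninterpretable = parse_pattern(obj.get("pattern", ""))
        if ioc.ioc_id in gallery:
            if ioc.ioc_id in in_progress:
                raise RuntimeError(f"{ioc.ioc_id} belongs to a search task in progress")
            if on_conflict != "Replace":
                continue                # Ignore: keep the existing IOC
        gallery[ioc.ioc_id] = ioc       # Replace (or first import): pending approval again
        added.append(ioc)
    return added


# Constructed sample bundle (ids, hash and names are made up).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a1",
         "name": "Loader hash and C2 domains",
         "pattern": "[file:hashes.'SHA-256' = '" + "e1" * 32 + "'] OR "
                    "[domain-name:value IN ('login.evil.example', 'cdn.evil.example')]"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a2",
         "name": "Persistence key",
         "pattern": "[windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Example'] "
                    "AND [file:name = 'dropper.exe']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-0000000000b1",
         "name": "Example loader", "is_family": False},
    ],
})

if __name__ == "__main__":
    gallery: dict[str, ImportedIOC] = {}
    for ioc in import_bundle(SAMPLE_BUNDLE, gallery, in_progress=set()):
        print(ioc.ioc_type, ioc.name, ioc.conditions, ioc.uninterpretable)
```

Note that the second indicator loses its registry-key condition when approved: what will actually be searched for is just the file name, which is why the edit page shows only the interpreted sections before you confirm.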

Exporting a single IOC

  • In the row of the IOC you want to export, click the context menu icon. A drop-down menu opens.

  • Select Export. A JSON file with the IOC definition downloads to your computer.

Exporting multiple IOCs

  • Select the checkbox for each IOC you want to export.

  • In the toolbar, click Export. A JSON file with the IOC definitions downloads to your computer.

Viewing imported IOCs

Graphical representation of an IOC

Click the context menu of an IOC. Select View original STIX file. The STIX file page opens with a graphical representation and the code of the IOC.

Graphical representation of an IOC

In the STIX file window, you can:

  • Click and drag items in the diagram.

  • Click Legend to view an explanation of each icon in the graph.

  • Click Visualization or Code to switch between the graphical representation and the code definition of the IOC. The IOC code appears in tab format. You can copy the IOC code to the clipboard.

Filtering imported IOCs

To filter items in the IOC list, use the search bar in the IOC gallery. Enter the name or description of an IOC to show only items from the list that meet the search criteria.