IOC Files
Cori Smith edited this page May 9, 2023
·
1 revision
All about IOC files: what they are and how to write them.
IOC files are a list of MD5 hashes, IP addresses, or domains. The lists must all be of the same indicator type. Each entry must be on it's own line. No formatting, quotes, or escape characters are necessary. Entries are processed as chained OR statements (e.g. ipaddr:8.8.8.8 OR ipaddr:127.0.01).
| Field Name | Description | Carbon Black EDR | Carbon Black Enterprise EDR | Microsoft Defender for Endpoint | SentinelOne - Deep Visiblity | SentinelOne - PowerQuery | Cortex XDR |
|---|---|---|---|---|---|---|---|
| domain | Network connection to domain | Supported | Supported | Supported | Supported | Supported | Unsupported |
| ipaddr | Network connection to IPv4 address | Supported | Supported | Supported | Supported | Unsupported* | Supported |
| md5 | MD5 hash | Supported | Supported | Supported | Supported | Unsupported | Supported |
*Denotes EDR platform can support that field but Surveyor code needs to be updated