Indicators with Operators
If an uploaded OpenIOC file contains conditions that use operators to combine
indicators, Trend Micro Apex Central
extracts the OpenIOC indicators as suspicious objects and automatically configures
scan
actions based on the operator used in the OpenIOC indicator condition.
|
Operator
|
Scan Action
|
|
OR
|
Extracted objects apply the user-defined scan action
|
|
AND
|
Extracted objects always apply the
Logscan action |
Trend Micro Apex Central supports the
following OpenIOC indicator conditions (
IndicatorItemCondition):-
is -
contains
Suspicious Object Mapping
The following table outlines the corresponding Trend Micro Apex Central suspicious object
type for each supported OpenIOC indicator (
IndicatorItem) extracted.|
Object Type
|
OpenIOC Indicators
|
|
File SHA-1
|
FileItem/Sha1sum
|
|
Taskitem/ActionList/Action/ExecProgramSha1sum
|
|
|
DriverItem/Sha1sum
|
|
|
URL
|
Network/URI
|
|
FileDownloadHistoryItem/SourceURL
|
|
|
UrlHistoryItem/URL
|
|
|
Domain
|
Network/DNS
|
|
DnsEntryItem/Host
|
|
|
DnsEntryItem/RecordData/Host
|
|
|
UrlHistoryItem/HostName
|
|
|
CookieHistoryItem/HostName
|
|
|
FormHistoryItem/HostName
|
|
|
IP Address
|
ArpEntryItem/IPv4Address
|
|
DnsEntryItem/RecordData/IPv4Address
|
|
|
Email/ReceivedFromIP PortItem/localIP
|
|
|
PortItem/remoteIP
|
|
|
ProcessItem/PortList/PortItem/localIP
|
|
|
ProcessItem/PortList/PortItem/remoteIP
|
|
|
RouteEntryItem/Destination RouteEntryItem/Gateway
|
|
|
SystemInfoItem/networkArray/networkInfo/dhcpServerArray/dhcpServer
|
|
|
SystemInfoItem/networkArray/networkInfo/ipGatewayArray/ipGateway
|