Working with custom IOCs can be done via the UI or by script (PowerShell or Python).
This post describes the UI way of creating a custom IOC.
Go to Settings and, in the Rules section, click Allowed/Blocked List.
You can create an IOC based on a file hash, an IP address, or URLs/domains.
When creating a new IOC you have the option to Import (more on that later) or to use the wizard.
Click the Add indicator text and start by filling in the template.

To get the file hash you can use the PowerShell cmdlet “Get-FileHash”, or use the value if you already have it from another system or from a list somewhere.
You can set a custom date for IOC expiration if you want.
At this point you can look at the impact of this IOC by clicking Show statistics, which retrieves the data for that specific file hash from the last 30 days.

From this view you could take action and stop the file if needed, depending on the situation.
Click Next and add the details for the response action, alert details, etc.

Scope the machines to different machine groups.

Click Save in the summary.

Import IOC
The CSV template is comma separated, with the following header line:
IndicatorType,IndicatorValue,ExpirationTime,Action,Severity,Title,Category,Description,RecommendedActions
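As an added example (my own script, not code from the original post), the following PowerShell builds an import CSV with exactly the column order above, taking the hash column from Get-FileHash as the post suggests. The file paths, title and description text are constructed, and the IndicatorType/Action/Severity/Category values (FileSha256, Alert, High, Malware) are assumed from the portal's import template rather than taken from the post, so check them against the template you download from the Import dialog.

```powershell
# Added example: produce a custom IOC import CSV from a list of local files.
# Assumptions (not from the post): sample paths below are constructed, and the
# enumeration values for IndicatorType/Action/Severity/Category are assumed
# from the import template; verify them against the template from the portal.

$files = @('C:\samples\suspicious.exe', 'C:\samples\dropper.dll')   # constructed paths

# Expiration 30 days out, in UTC ISO 8601 form (same idea as the custom date in the wizard).
$expires = (Get-Date).AddDays(30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

$rows = foreach ($path in $files) {
    # Same cmdlet the post recommends for collecting the hash.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

    [pscustomobject]@{
        IndicatorType      = 'FileSha256'                      # assumed template value
        IndicatorValue     = $hash
        ExpirationTime     = $expires
        Action             = 'Alert'                           # assumed template value
        Severity           = 'High'                            # assumed template value
        Title              = "Custom IOC: $(Split-Path -Path $path -Leaf)"
        Category           = 'Malware'                         # assumed template value
        Description        = 'SHA256 collected with Get-FileHash'
        RecommendedActions = 'Investigate the device; isolate it if the detection is confirmed'
    }
}

# Select-Object pins the column order to the header line from the post;
# -NoTypeInformation keeps the "#TYPE" line out of the file so the import parses cleanly.
$rows |
    Select-Object IndicatorType, IndicatorValue, ExpirationTime, Action, Severity,
                  Title, Category, Description, RecommendedActions |
    Export-Csv -Path '.\custom-ioc-import.csv' -NoTypeInformation -Encoding UTF8
```

Open the resulting file in a text editor before importing to confirm the header matches the template line above and that no field contains stray commas that would shift columns.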

New alert


Thanks, but it would be nice to have more detail on the options for the CSV import.
🙂