
OpenIOC.org has several schemas defining Indicators of Compromise. The Schema is defined here:

http://schemas.mandiant.com/2010/ioc/ioc.xsd

While the schema says IndicatorItemContext/search is xs:string, the actual list of search terms is listed here:

http://openioc.org/terms/Current.iocterms

Is there something similar for IndicatorItem/condition? So far I'm only aware of "contains" and "is" but there doesn't seem to be a definitive list.

TildalWave
A G

1 Answer

Unsure of where you can get a list from, but the IOC Editor may have visibly similar options. Meaning, you can browse the options to see what is available, and how it works. I'd also have a look at IOC Finder to see what options are available on that as well.

Elhitch
munkeyoto
  • Hi, thanks, the IOC editor has contains, is, contains not and is no, which I guess is definitive enough. I didn't think to use the IOCe! – A G May 30 '13 at 08:51
  • "is no" in your comment should be "is not" - so the list of options would be: "contains", "is", "contains not" and "is not". I'm just repeating this because without the quotes your comment is hard to read. – Scott C Wilson Nov 07 '15 at 13:26
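The four condition values the comments converge on, as an added example that is not code from the question, the answer or the OpenIOC project: a small Python evaluator that parses an OpenIOC 1.0 document, rejects any IndicatorItem whose condition is outside that list, and applies the AND/OR Indicator nesting to a dictionary of host facts keyed by search term. The IOC document, the hash and the file names are constructed for this demo; the condition semantics (exact match, substring, and their negations) are my reading of the names, not documented OpenIOC behaviour.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
# condition attribute -> predicate(observed value, <Content> text); assumed semantics
CONDITIONS = {
    "is": lambda seen, want: seen == want,
    "contains": lambda seen, want: want in seen,
    "is not": lambda seen, want: seen != want,
    "contains not": lambda seen, want: want not in seen,
}
# Constructed sample IOC: the hash and names are demo values, not real indicators
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="demo-0001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains not">
          <Context document="FileItem" search="FileItem/FilePath" type="mir"/>
          <Content type="string">System32</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def evaluate(indicator, facts):
    """Apply an <Indicator> tree (AND/OR) to facts: {search term: observed value}."""
    results = []
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]          # strip the XML namespace
        if tag == "Indicator":
            results.append(evaluate(child, facts))   # nested logic block
        elif tag == "IndicatorItem":
            cond = child.get("condition")
            if cond not in CONDITIONS:                # refuse anything off the known list
                raise ValueError(f"unknown condition attribute: {cond!r}")
            term = child.find("ioc:Context", NS).get("search")
            want = child.find("ioc:Content", NS).text or ""
            # a missing fact is treated as an empty string, so negated conditions hold
            results.append(CONDITIONS[cond](facts.get(term, ""), want))
    return any(results) if indicator.get("operator", "AND").upper() == "OR" else all(results)

def match_ioc(xml_text, facts):
    # True if the host facts satisfy the IOC's top-level Indicator
    return evaluate(ET.fromstring(xml_text).find("ioc:definition/ioc:Indicator", NS), facts)
```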