Manage IOCs
Applies To: WatchGuard Advanced EPDR
In the IOC Gallery, you manage the list of IOCs available for search tasks. You can add, copy, edit, approve, and delete IOCs.
You can also import and export IOCs from the IOC Gallery. For more information, go to Import and Export IOCs.
Create an IOC
When you create an IOC, it is automatically available for use in WatchGuard Advanced EPDR. You can create an IOC from scratch or copy an existing IOC and edit it.
To create an Indicator of Compromise:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- Select IOC Gallery.
- Click Add.
- Enter a Name , Author, and Description.
-
From the Select a Property drop-down list, select the attack feature you want to detect:
- File MD5: Searches for a file with the specified MD5 hash.
- File SHA-256: Searches for a file with the specified SHA-256 hash
- File Name: Searches for a file with the specified name.
- File Path: Searches for a file with the specified path.
- Domain: Searches for a network connection through TCP or UDP to or from the specified domain.
- IPv4: Searches for a TCP or UDP connection to or from the specified IPv4 address.
- IPv6: Searches for a TCP or UDP connection to or from the specified IPv6 address.
- YARA Rule: Searches for a file with content that matches the pattern described in the YARA rule.
- From the Select an Operator drop-down list, specify how you want to compare the properties found on the computer with the reference value you set in the IOC.
- In: A property found on the computer must match at least one property value specified in the Value text box.
- Is equal to: All properties found on the computer must match exactly the property values you specify in the Value text box.
- In the Value text box, type a value for the property you selected.
To enter more than one value, type a value and then press Enter. Wildcards are not supported. - To add another condition, click New Condition. Repeat steps 6 to 8.
- To combine two or more conditions into a single rule, select the check box beside each condition you want to combine and select the logical operator (AND or OR). Click Group Conditions.
A gray line connects the rules that are part of the grouping, similar to how parentheses group conditions in a logical expression. Parentheses enable you to group operands at different levels in a logical expression.
An IOC cannot include more than one YARA rule. If you add a YARA rule to an empty IOC,you cannot use other properties. Similarly, if you add other properties to an IOC, the YARA rules are disabled. If a rule does not comply with the YARA syntax, an error message appears and you cannot save the IOC.
To copy an IOC:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- Select IOC Gallery.
- In the row of the IOC you want to copy, click and select Make a Copy.
The Edit IOC dialog box opens. - In the Name text box, type a new name for the IOC.
- In the Description text box, type a new description for the IOC.
- Edit the IOC settings. For more information, see steps 6 to 8 in the procedure to create an IOC.
- Click OK.
Edit and Approve IOCs
When you import IOCs, you must review and approve the search statement before a search task can use the IOC. IOCs that require approval display as STIX (Pending Approval).
For information on how to import an IOC, go to Import and Export IOCs.
To edit and approve an IOC:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- Select IOC Gallery.
- Select the IOC you want to edit or approve.
The Edit IOC dialog box opens. - Edit the Name and Description, if required.
- Edit the characteristics used to detect computers, if required.
- Click Approve Search Statement.
- Click Save.
Delete an IOC
You cannot delete IOCs that are part of a task that is in progress. When you delete an IOC, historical data for the IOC remains in the Detected IOCs list and IOC dashboard.
To delete a single IOC:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- Select IOC Gallery.
- In the row of the IOC you want to delete, click and select Delete.
The IOC is deleted from the list.
To delete multiple IOCs:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- Select IOC Gallery.
- Select the check box for each IOC you want to delete.
- In the toolbar, click Delete.