IOCs upload to Secure Endpoint

larry.siegelman
Level 1

Hello,

I have hash values that I would like to upload to the Secure Endpoint platform.

Is there any documentation showing how to do so?

I see that an XML file format is needed.

Are there any samples I could follow so my file matches the expected format?

13 Replies

Troja007
Cisco Employee

Hello @larry.siegelman ,
The Cloud IOC detections generated by the backend engines are fully managed by Cisco. The customer cannot generate custom "Real Time IOC detections". You are able to do Endpoint IOC Scans. What do you want to do?
Greetings,
Thorsten

I have experience with other security platforms from other leading vendors,
and uploading hash files from threat feeds or from our national CIRT is
much easier there.
Why does Cisco have to make you jump through hoops in order to upload
hashes?

johnosn
Level 1

You can check the Cisco Endpoint IOC Attributes document available from the Secure Endpoint documentation portal. The document contains links to several examples in OpenIOC format. There are several other resources available online from various vendors related to the OpenIOC format, including those found at openioc.com.

Hello,
Thank you for the information, but that is not what I am looking for.
I have experience with other security platforms from other leading vendors,
and uploading hash files from threat feeds or from our national CIRT is
much easier there.
Why does Cisco have to make you jump through hoops in order to upload
hashes?

Hello @larry.siegelman ,
I'm working on feature requests for Secure Endpoint. Just to be specific in defining the feature request:

When uploading hashes from Threat Feeds, what should be the action?

  • Generating an alert that the file has been seen?
  • Block the execution of the file?
  • Quarantine the file?

Thanks and Greetings,
Thorsten

Hello @Troja007

If we can upload hashes, then I would expect it to block the file
or executable from being able to propagate.
As with any other malware/IOC that gets blocked in our environment, these
too would be shown as having had their presence blocked.
We already have Cisco Threat Response to verify that it was not present.

Hey Larry,
What format are the files you're trying to upload? Is it something standard?
Ken

Hi Ken,

Yes, basically, hashes of recognized files.
I have experience with other globally leading vendors, where I was able to
upload hash values, albeit only to our own environment.

I meant: CSV, JSON, XML, STIX, YARA?

Sorry, more than likely .csv format.
I would need to know the format of the table beforehand in order to upload
accordingly.

I guess I'm confused as to what the issue is...

Outbreak Control / Custom Detections, create a new one or add to a current one... you can add SHAs there...

(screenshot attached: SCD.png)

You know what, it says "Simple" and I never took it to be that!
How silly do I feel now?
Having said that, is there a required format for the file?
Any examples to download and use as a template?

One SHA per line for a set of SHAs; they all get the same note...
Hey Thorsten, an enhancement would be to be able to pull the note from the CSV, so the SHAs get their own note.
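As an added example (not code from the thread or from Cisco), here is a small Python converter that turns a CSV threat feed into the one-SHA-per-line text that a Simple Custom Detection list takes, as described above. It assumes the hash column is named `indicator` and that only SHA-256 values belong in the list, so MD5/SHA-1 entries and duplicates are reported instead of silently passed through; the sample feed is constructed.

```python
"""Convert a CSV threat feed into the one-SHA-per-line list that a Secure Endpoint
Simple Custom Detection accepts (per the thread above); extra columns are dropped.
Assumptions (not from the thread): the hash column is named 'indicator' and the
list should contain SHA-256 only, so MD5/SHA-1 values are reported, not uploaded."""
import csv
import io
import re

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample feed: SHA-256 of "" and "abc", a duplicate with different case
# and surrounding whitespace, and an MD5 that must not end up in the list.
SAMPLE_FEED = """indicator,type,note
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,sha256,CIRT advisory 1
BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD,sha256,CIRT advisory 2
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad ,sha256,duplicate
d41d8cd98f00b204e9800998ecf8427e,md5,not uploadable as SHA-256
"""

def feed_to_simple_list(csv_text, column="indicator"):
    """Return (accepted, rejected): accepted is a de-duplicated list of lowercase
    SHA-256 strings ready to paste one per line; rejected lists (row, reason)."""
    accepted, seen, rejected = [], set(), []
    # Row numbers start at 2 because line 1 of the CSV is the header.
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        value = (row.get(column) or "").strip()
        if not SHA256_RE.match(value):
            rejected.append((row_no, f"not a SHA-256: {value!r}"))
            continue
        value = value.lower()
        if value in seen:
            rejected.append((row_no, "duplicate of an earlier row"))
            continue
        seen.add(value)
        accepted.append(value)
    return accepted, rejected

def render_simple_list(csv_text, column="indicator"):
    """Text to paste into the custom detection: one SHA per line, trailing newline."""
    accepted, _ = feed_to_simple_list(csv_text, column)
    return "\n".join(accepted) + ("\n" if accepted else "")

if __name__ == "__main__":
    good, bad = feed_to_simple_list(SAMPLE_FEED)
    print(render_simple_list(SAMPLE_FEED), end="")
    for row_no, reason in bad:
        print(f"row {row_no}: skipped ({reason})")
```

The rejected list is worth keeping with the upload record, since a feed entry that was dropped for being the wrong hash type is exactly the one someone will later assume is covered.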