Here is my own experience when I was trying to understand on how to built my own IOC's based on TAC case that we received while ago. The issue was with uploading IOC's. So let me share my experience hope this will be helpful to you.

Error Received:

From reviewing the specific error message it looks like the IOC was missing a required attribute “group-id” in the Element “IndicatorItem”.

However, I think this message is bit misleading. I was curious if I can replicate the same and I did. I was not sure what program CU was using at first to write the IOC’s but later found out the were using Open IOC by FireEye

After some test/trial I found the issue is with the app and how it saves the file. I’m not familiar with this app, but I download the copy and just created super simple file for testing purposes when I saved that file and try to upload to my AMP instance I got this same error as you can see above.

I also thought I’m missing some fields, but when I look in to the IOC’s that are already uploaded they don’t have “Group ID” either so I start comparing the code and notice some differences between each other and when I save the code on my PC and try to import it to the FireEye app it was telling me that the code is in old format and if I want to transform in to updated format.

That put me in to idea that there must be something about how the IOC file is formatted. I try manually change few things, but I was still getting errors so I decide to hunt for something that will write IOC in to simple IOC format and I ran across this online tool.

https://www.iocbucket.com/openioceditor#

What I did here is that I created the exact same IOC using the exact same attributes or fields and save it. When I upload this file it worked. Here is couple screenshots that should help.

Here showing the exact same fields between the online editor and OpenIOC by FireEye

This screenshot is showing both IOC’s uploaded where one prints with same error as above and the other was accepted just fine

Lastly here is the code for both:

Created by FireEye App

<?xml version="1.0" encoding="utf-8"?>
<OpenIOC xmlns:xsd=http://www.w3.org/2001/XMLSchema xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance id="439ec429-c8e3-4ac9-bd91-eb5e1234343c" last-modified="2022-07-06T18:08:20Z" published-date="0001-01-01T00:00:00" xmlns=http://openioc.org/schemas/OpenIOC_1.1>
  <metadata>
    <short_description>TEST FireEye</short_description>
    <authored_date>2022-07-06T17:04:40Z</authored_date>
    <links />
  </metadata>
  <criteria>
    <Indicator operator="OR" id="d4bfefb5-43a5-445b-b6be-f13b6da9ff11">
      <IndicatorItem id="ca88e619-443b-424e-9659-d1340a4a6ade" condition="contains" preserve-case="false" negate="false">
        <Context document="FileItem" search="FileItem/FileExtension" type="endpoint" />
        <Content type="string">txt</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="f964a5a8-7a63-472c-b7b6-aea3c712088a">
        <IndicatorItem id="b78c33ee-8b10-426d-abe6-03b6ad31f8a9" condition="contains" preserve-case="false" negate="false">
          <Context document="FileItem" search="FileItem/FileName" type="endpoint" />
          <Content type="string">TEST</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </criteria>
  <parameters />
</OpenIOC>

Created by Online Tool

<ioc
    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
    xmlns:xsd='http://www.w3.org/2001/XMLSchema'
    xmlns='http://schemas.mandiant.com/2010/ioc' id='d1e70bb6-271e-4226-a0ab-ccb9ecf19fd3' last-modified='2022-07-06T17:37:26.403Z'>
    <short_description>TEST File</short_description>
    <description>TEST File</description>
    <authored_by>Roman Valenta</authored_by>
    <authored_date>2022-07-06T17:37:26.403Z</authored_date>
    <links/>
    <definition>
        <Indicator operator='OR' id='516413c2-9476-42af-90ca-2f5354be211d'>
            <IndicatorItem condition='contains' id='015e5c2b-43a3-4567-9469-4faf97f1e461'>
                <Context document='FileItem' search='FileItem/FileExtension' type='mir'/>
                <Content type='string'>txt</Content>
            </IndicatorItem>
            <Indicator operator='AND' id='a1594e35-69c0-4320-a18e-14727a5fcaa6'>
                <IndicatorItem condition='contains' id='0968b744-72a7-4239-88cb-f7414e337f51'>
                    <Context document='FileItem' search='FileItem/FileName' type='mir'/>
                    <Content type='string'>TEST</Content>
                </IndicatorItem>
            </Indicator>
        </Indicator>
    </definition>
</ioc>

  *   You might also find the documentation that we have available on IOCs helpful: https://docs.amp.cisco.com/Cisco%20Endpoint%20IOC%20Attributes.pdf

  *   IOC: https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20User%20Guide.pdf

The document states that the IOC has to be in OpenIOC format and the file that will be created in new version of IOCe is most likely in STIX format in XML. You will need to create the IOC in OpenIOC format, or you might be able to find a converter online to assist with that.

When this document you mentioned was created in 2015 the version was IOCe 2.2.0 the one you can download now is IOCe 3.2.0. There is possibility that in 2015 this app was still using the old formatting which is currently the only one supported in our portal.

So being said , if you want to use IOCe software you will need to download older version. I did found a place where you can get one but please make your own judgement before downloading this file or use software that can save the IOC in simple format

https://mandiant-ioce.software.informer.com/versions/

I download version 2.2.0 in to my lab and check the installer and yes it’s old from 2015 hence the certs are expired but the MSI is signed by legit CA as you can see from this screenshot. Make sure you only downloads the zip file from that site , it will ask you to install some updater just cancel that, you should end up only with this file mandiant_ioc_editor.zip


Here is pic once unpacked and check for signing certs.