Best way to add latest IOC files in our IOC Scan task ?


Solved by Renan Corassa


Posted

Hello everyone, 

I deployed recently the EDR Optimum solution for my company. 

I am currently looking for where I can find recent databases of .ioc files to add to my IOC Scan task.

I've found a few resources on GitHub, but they were either too old or in another format.

I thought about a MISP or OpenCTI instance too, but I'm not sure if I can export .ioc files from them.

Finally, I found AlienVault OTX, but when I try to add the .ioc file to my task it doesn't work.

If you have any ideas I'd love to hear from you. 

Thanks in advance!

Posted

Were you able to export the .IOC from alienvault? Can you detail how you did it?

Posted

Sure, I tried from the Pulse section. I chose one pulse; here it's a pulse related to LockBit. In the top right corner, I click on "Download".

[screenshot: the pulse page with the Download button]

Posted

Thank you.
I downloaded it and imported it into Mandiant OpenIOC.

After that I saved it as .IOC and imported it into the task.
I imagine this might help you.

[screenshot: the file opened in Mandiant OpenIOC and saved as .IOC]

Posted

Thanks for your help. 

I did the same as you. But when I add the .ioc file to the task, I get this error:

[screenshot: the error dialog]

Sorry, it's in French, but in English it translates to: Impossible to get IOC data for the selected files.

I don't think the file is too heavy (19 KB).

Solution
Posted

Perfect. Well, this may happen because there is information in the .ioc file that is not accepted by Kaspersky. I will show you the field; you should remove it, save the file and try to import it again.

Try this by removing this field.

[screenshot: the field to remove from the .ioc file]

Posted

Thank you so much for your help!

It works well after removing the field. 

Do you know a way to automate the process?

Renan Corassa
Posted

I don't know.
Unfortunately, I imagine this is done manually.

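The manual step described in this thread (open the exported OpenIOC file, find the indicator term the EDR importer rejects, remove it, save) can be scripted. The example below is added here and is not code from the thread or from Kaspersky; it lists the `Context/@search` terms an OpenIOC 1.0 file uses and strips every IndicatorItem whose term is not in an allow-list you pass in. The allow-list and the `UnsupportedItem/Placeholder` term in the constructed sample are assumptions: the thread never names the rejected field, so take the set of terms your product accepts from its documentation.

```python
"""List and strip indicator terms in an OpenIOC 1.0 .ioc file (added example)."""
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"  # OpenIOC 1.0 namespace
ET.register_namespace("", NS)                # keep the default namespace on output

# Constructed sample, not a real export: one FileItem hash indicator and one
# indicator using a placeholder term we assume the importer rejects.
SAMPLE_IOC = f"""<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns="{NS}" id="00000000-0000-0000-0000-000000000001" last-modified="2024-01-01T00:00:00">
  <short_description>Constructed sample</short_description>
  <definition>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000002">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem id="item-2" condition="is">
        <Context document="UnsupportedItem" search="UnsupportedItem/Placeholder" type="mir"/>
        <Content type="string">example</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""


def list_terms(xml_text):
    """Return the distinct search terms used in the file, in document order."""
    terms = []
    for ctx in ET.fromstring(xml_text).iter(f"{{{NS}}}Context"):
        if ctx.get("search") not in terms:
            terms.append(ctx.get("search"))
    return terms


def _prune(parent, allowed):
    """Drop IndicatorItems not in `allowed` and Indicators left empty; return count removed."""
    removed = 0
    for child in list(parent):                  # copy: we mutate while iterating
        tag = child.tag.split("}")[-1]          # local name without namespace
        if tag == "IndicatorItem":
            ctx = child.find(f"{{{NS}}}Context")
            if ctx is None or ctx.get("search") not in allowed:
                parent.remove(child)
                removed += 1
        elif tag in ("definition", "Indicator"):
            removed += _prune(child, allowed)   # Indicators may be nested
            if tag == "Indicator" and len(child) == 0:
                parent.remove(child)            # an empty Indicator is invalid
    return removed


def strip_terms(xml_text, allowed):
    """Return (cleaned_xml, removed_count) keeping only terms in `allowed`."""
    root = ET.fromstring(xml_text)
    removed = _prune(root, set(allowed))
    return ET.tostring(root, encoding="unicode"), removed
```

Run `list_terms` on a downloaded file first to see which terms it contains, then pass the accepted subset to `strip_terms` and write the result to a new .ioc file before importing it into the scan task.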