About Indicators of Compromise Formats

Applies To: WatchGuard Advanced EPDR

Indicators of Compromise (IOCs) are an industry-standard way to describe conditions on IT systems that, if met, indicate the security of an organization might have been compromised. The concept is similar to that of a signature file, but IOCs use open formats that enable collaboration and the exchange of security intelligence.

There are several IOC formats that describe suspicious patterns of behavior. WatchGuard Advanced EPDR is compatible with the STIX 2.x standard.

STIX (Structured Threat Information Expression)

STIX is a JSON-based language that describes security threats in a structured and interrelated way for better readability and understanding. It is based on graphs that intuitively represent objects and their relationships.

Each IOC contains a number of entities and relationships that describe in detail an artifact or indicator that identifies the attack. For example, these could include IP addresses or domains that could host Command & Control servers, or MD5 or SHA hashes of suspicious files that might contain viruses and other threats.

STIX also enables you to use the information described in other formats, such as YARA rules.

YARA (Yet Another Recursive Acronym)

YARA is a rule-based language used to create descriptions of malware families based on text or binary patterns. Each rule consists of a set of strings and a boolean condition that defines the rule's logic, and rules are used to search files that might be infected.

An IOC can include only one YARA rule in its definition, although this rule can be complex enough to detect entire families of malware.
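The two sections above describe a STIX 2.x IOC that carries network and file indicators plus a single YARA rule. The following added example (not code from WatchGuard's documentation or product; standard-library Python only) builds such a STIX 2.1 bundle and checks that every indicator has the required STIX 2.x fields and that the IOC includes at most one YARA rule. The IP address, domain, hash and rule are constructed placeholders.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample values, not real indicators (RFC 5737 test address, reserved test domain, placeholder hash).
SAMPLE_IP = "192.0.2.10"
SAMPLE_DOMAIN = "c2.example.test"
SAMPLE_SHA256 = "a" * 64
SAMPLE_YARA = """rule Example_Dropper {
    strings: $s1 = "c2.example.test" ascii   $mz = { 4D 5A }
    condition: $mz at 0 and $s1 }"""
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")

def stix_timestamp():
    # STIX 2.x timestamps are UTC with millisecond precision and a literal Z suffix.
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")

def make_indicator(name, pattern, pattern_type, ts):
    # pattern_type is "stix" for STIX patterning and "yara" when the pattern is a YARA rule.
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "name": name,
            "pattern": pattern, "pattern_type": pattern_type, "valid_from": ts}

def build_ioc_bundle(yara_rule=None):
    ts = stix_timestamp()
    objs = [make_indicator("C2 address", f"[ipv4-addr:value = '{SAMPLE_IP}']", "stix", ts),
            make_indicator("C2 domain", f"[domain-name:value = '{SAMPLE_DOMAIN}']", "stix", ts),
            make_indicator("Dropper hash", f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']", "stix", ts)]
    if yara_rule:
        objs.append(make_indicator("Dropper rule", yara_rule, "yara", ts))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}

def check_bundle(bundle):
    """Return the problems found; an empty list means every indicator has the
    required STIX 2.x fields and the IOC carries at most one YARA rule."""
    problems = []
    if bundle.get("type") != "bundle":
        problems.append("top-level object is not a STIX bundle")
    indicators = [o for o in bundle.get("objects", []) if o.get("type") == "indicator"]
    for ind in indicators:
        missing = [k for k in REQUIRED if k not in ind]
        if missing:
            problems.append(f"{ind.get('id')} is missing {missing}")
        elif not ind["spec_version"].startswith("2."):
            problems.append(f"{ind['id']} is not STIX 2.x")
    yara_rules = sum(1 for o in indicators if o.get("pattern_type") == "yara")
    if yara_rules > 1:
        problems.append(f"{yara_rules} YARA rules present; an IOC may include only one")
    return problems
```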

Other Formats

There are currently several other open IOC formats for the exchange of security intelligence that provide features similar to STIX and YARA. These other formats include OpenIOC and TAXII. An IOC format can also have versions that are not compatible with each other (for example, STIX 1.x and 2.x).

To use an IOC in a format that is not supported by WatchGuard Advanced EPDR, you can use a free tool to convert the IOC into STIX 2.x format.

Related Topics

Indicators of Compromise (IOCs) in WatchGuard Advanced EPDR

About the IOC Gallery

Create an IOC Search Task