Overview
Indicators of Compromise (IOCs) are key to effective threat intelligence. They provide actionable data for security tools to quickly detect, block, or mitigate cyber attacks.
Dell IOC Library is a central place where customers can create and maintain IOC sets belonging to different malware families. Dell supports IOCs of two types, File Hashes and File Extensions.
Before you begin, let's familiarize ourselves with some important terminologies:
IOC Library - a centralized place where you can create and store multiple IOC Sets for file hashes or file extensions belonging to different malware and ransomware families.
IOC Set is a collection of IOCs- file hashes or file extensions. IOC Library supports two types of IOC Sets:
Customized IOC Set: The IOC set contains file hashes or file extensions that were added or updated by the administrator.
Note:
The Default IOC Set includes IOCs (predefined file hashes) that were already created or updated from the Restore Scan > Settings tab using either the admin console or API.
Dell-published IOC Set: The IOC Set contains file hashes or file extensions curated and maintained by Dell. The IOCs for the Dell-published IOC Sets are sourced from widely trusted sources. For example, CISA advisories are one of the many sources referred to by Dell.
Important:
Dell-published IOC Set is available with only a Premium Security license.
You can create a custom IOC Set with the Accelerated Ransomware Recovery license.
File Hashes: SHA-1, SHA-256, and MD5 file hashes are supported for this feature. However, SHA-1 is the recommended input format for optimal results. For every SHA-256 and MD5 hash provided, the system attempts to find the corresponding SHA-1 hash on a best-effort basis; if no SHA-1 counterpart is known, that hash cannot be matched.
File Extensions: All single-level file extensions are supported for this feature. For example, .tar is supported.
A single IOC Set can contain up to 2,000 IOCs (File Hashes or File Extensions). If an existing IOC Set has reached the 2,000 IOC limit, create a new IOC Set for the additional IOCs.
This feature allows administrators to create their own custom IOC Set or utilize the Dell-published IOC Set for scanning when using the following Cyber Resiliency features:
Restore Scan (Malicious File Scan)
How does Threat Intelligence work for scanning in Cyber Resiliency features?
When you define the scan parameters for malware checks for Restore Scan, Sandbox Recovery, Curated Snapshot, and Threat Hunting features, the resources are scanned using the IOC Sets from the IOC Library to identify and report any malicious file matches for further investigation.
During the scan, both the IOC Set type and the maximum IOC count limit of 2,000 are taken into consideration.
If the total count of IOCs across customer-created and Dell-published sets exceeds the 2,000 IOC limit, only 2,000 IOCs are considered for scanning in Cyber Resiliency features. First preference is given to customer-provided IOCs, and then to Dell-published IOCs.
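The following added example (not Dell's code) models the scan-time rule stated above, so you can check in advance how many Dell-published IOCs would be left out once your own sets are counted. The 2,000 cap and the customer-first preference come from this page; de-duplicating repeated values and keeping the order of sets within a tier are assumptions, and the hash values are constructed placeholders.

```python
from dataclasses import dataclass, field

SCAN_IOC_CAP = 2000  # limit stated on this page


@dataclass
class IocSet:
    name: str
    ioc_type: str  # "File Hashes" or "File Extensions"
    iocs: list = field(default_factory=list)
    dell_published: bool = False


def select_scan_iocs(sets, cap=SCAN_IOC_CAP):
    """Return (selected, dropped): IOCs a scan would use and the ones left out.

    Customer sets are consumed first (in the order given), then Dell-published
    sets. Duplicate values are skipped so one hash does not use two slots;
    that de-duplication is an assumption, not a rule stated by Dell.
    """
    ordered = [s for s in sets if not s.dell_published] + [s for s in sets if s.dell_published]
    selected, dropped, seen = [], [], set()
    for ioc_set in ordered:
        for value in ioc_set.iocs:
            key = (ioc_set.ioc_type, value.strip().lower())
            if key in seen:
                continue
            seen.add(key)
            entry = (ioc_set.name, ioc_set.ioc_type, value)
            (selected if len(selected) < cap else dropped).append(entry)
    return selected, dropped


def demo():
    """Constructed data: 1,500 custom hashes overlapping 1,200 Dell-published ones."""
    custom = IocSet("Custom-A", "File Hashes", [f"{i:040x}" for i in range(1500)])
    dell = IocSet("Dell-Ransomware", "File Hashes",
                  [f"{i:040x}" for i in range(1000, 2200)], dell_published=True)
    selected, dropped = select_scan_iocs([dell, custom])  # custom still wins
    from_custom = sum(1 for name, _, _ in selected if name == "Custom-A")
    return len(selected), len(dropped), from_custom
```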
IOC Library
This page displays a list of all the existing IOC Sets created.
Access path
From the DCP Console, go to the Global Navigation menu > Ransomware Recovery > Settings > IOC Library.
Use the IOC Library dashboard page to get a summary view of all the existing IOC Sets and view the following details:
IOC Set: Name of the IOC Set. The name must be unique. Multi-lingual and Unicode characters are supported. You can create an IOC Set with the name Default only for file hash IOCs.
Source: The source from which the IOC was referenced. For example, CISA advisories are one of the many sources referred to by Dell. A hyphen (-) is displayed if no source is mentioned.
IOC Type: The type of IOC - File Hashes or File Extensions
#IOC: The count of file hashes or file extensions included in the IOC Set. SHA-1, SHA-256, and MD5 file hashes are supported for this feature. All single-level file extensions are supported. For example, .tar is supported.
Last Modified: The date and time when the details of the IOC Set were last updated.
Published: The administrator who published the IOC Set.
Click on the IOC Set Name to view details for a specific IOC Set.
Use the IOC Set Details section for more information.
IOC Set Details section
Provides a detailed view for a specific IOC Set name.
Name: Name of the IOC Set
Published By: The administrator who published the IOC Set
Created On: The date and time when the IOC Set was created
Last Modified: The date and time when the details of the IOC Set were last updated.
IOC Type: The type of IOC - File Hashes or File Extensions
Source: The source from which the IOC was referenced. For example, CISA advisories are one of the many sources referred to by Dell. A hyphen (-) is displayed if no source is mentioned.
Description: Summary text for the created IOC Set. A hyphen (-) is displayed if no description is mentioned.
IOC Type details (File Hashes or File Extensions): This displays a list and count of all the File Hashes/File Extensions, Hash Type (For File Hashes), and the date and time when they were added to the IOC Set.
Action
Use the Download option to download the IOC Set in a CSV format for further investigation.
Filters
You can sort and filter your search results for created IOC Sets using the Filter option.
Choose the IOC Type filter to sort and view IOC Sets based on the type - File Hashes or File Extensions
Choose the Published By filter to sort and view IOC Sets created by a specific administrator. If you have a Premium Security license, you can also view and download IOC Sets published by Dell.
Note:
You cannot update or delete Dell-published IOC Sets.
Use the Apply button to apply the filters and Reset to cancel the filters applied for sorting.
Create a new IOC Set
To create a new IOC Set, perform the following steps:
From the DCP dashboard, go to the Global Navigation menu > Ransomware Recovery > Settings > IOC Library.
On the IOC Library landing page, click New IOC Set to create a new IOC Set according to your requirements. You can also import the IOCs from a CSV file; a sample CSV file is provided for file extensions and file hashes. The maximum supported file size is 1 MB.
Enter the following details on the New IOC Set pop-up and click Save to add the new IOC Set to the IOC Library:
IOC Set Name. If you are importing the IOC Set from a CSV file, ensure that the file type is CSV and the file size does not exceed 1 MB.
Source (Optional)
Description (Optional)
Select the IOC Type (File Hashes or File Extensions) and provide the values. You can also import the IOC values from a CSV file.
A single IOC Set can contain up to 2,000 IOCs (File Hashes or File Extensions). If an existing IOC Set has reached the 2,000 IOC limit, create a new IOC Set for the additional IOCs.
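Before importing, it helps to validate IOC values against the constraints this page states (supported hash formats, single-level extensions with a leading dot, 2,000 IOCs per set, 1 MB per CSV). The following added example (not Dell's code or sample file) does that and splits an oversized list into per-set CSV documents; the CSV layout of one value per line with no header is an assumption, so match it to Dell's sample file before use, and the sample digests are the well-known hashes of an empty input.

```python
import csv
import io
import re

MAX_IOCS_PER_SET = 2000
MAX_CSV_BYTES = 1024 * 1024
HASH_TYPES = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}  # hex digest length -> type
# Single-level extension: one leading dot, nothing after it but the name
# (the allowed character set is an assumption).
EXT_RE = re.compile(r"^\.[A-Za-z0-9_-]+$")


def classify_hash(value):
    """Return 'MD5', 'SHA-1' or 'SHA-256' for a hex digest, else None."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_TYPES.get(len(v))


def is_single_level_extension(value):
    """'.tar' is valid; '.tar.gz' and 'tar' are not."""
    return bool(EXT_RE.match(value.strip()))


def validate_iocs(values, ioc_type):
    """Split values into (valid, rejected, warnings) for 'File Hashes' or 'File Extensions'."""
    valid, rejected, warnings = [], [], []
    for raw in values:
        v = raw.strip()
        if ioc_type == "File Hashes":
            kind = classify_hash(v)
            if kind is None:
                rejected.append(v)
                continue
            if kind != "SHA-1":  # page: SHA-1 recommended, other formats are best-effort
                warnings.append(f"{v}: {kind} given; SHA-1 lookup is best-effort")
        elif not is_single_level_extension(v):
            rejected.append(v)
            continue
        valid.append(v)
    return valid, rejected, warnings


def build_import_csvs(valid):
    """Chunk valid IOCs into CSV documents that respect the per-set count and size limits."""
    docs = []
    for i in range(0, len(valid), MAX_IOCS_PER_SET):
        buf = io.StringIO()
        csv.writer(buf).writerows([v] for v in valid[i:i + MAX_IOCS_PER_SET])
        data = buf.getvalue()
        if len(data.encode("utf-8")) > MAX_CSV_BYTES:
            raise ValueError("CSV chunk exceeds 1 MB; use a smaller chunk")
        docs.append(data)
    return docs
```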
Update an IOC Set
To update and add IOCs (file hashes or file extensions) to an existing IOC Set, perform the following steps:
From the DCP dashboard, go to the Global Navigation menu > Ransomware Recovery > Settings > IOC Library.
On the IOC Library landing page, click on the IOC Set name that you want to update.
For File Hashes: Click Add File Hashes. Add the file hashes and click Save. If you want to add multiple SHA-1 hash values, use the Import CSV option.
For File Extensions: Click Add File Extensions. Add the file extensions and click Save. If you want to add multiple file extensions, use the Import CSV option.
Delete an IOC Set
Use this option if you want to delete an existing IOC Set from the IOC Library.
To delete the IOC Set, perform the following steps:
From the DCP dashboard, go to the Global Navigation menu > Ransomware Recovery > Settings > IOC Library.
On the IOC Library landing page, select the IOC Set you want to remove and click Delete. In the confirmation box, provide a reason for deletion and click Continue.
Note:
You can also delete individual IOCs (file hashes and file extensions) from an IOC Set. However, the IOC Set cannot be empty: at least one IOC must remain in the IOC Set. This applies only to Custom IOC Sets.
Search for file hashes or file extensions in existing IOC Sets
If you want to look for all the IOC Sets containing specific file hashes or extensions, use the IOC Check option.
To search for file hashes or file extensions, perform the following steps:
From the DCP dashboard, go to the Global Navigation menu > Ransomware Recovery > Settings > IOC Library.
On the IOC Library landing page, click IOC Check.
Enter the file hashes and/or file extensions in the IOC Check pop-up and click Search. All the IOC Sets containing these values are displayed.
To search for a file extension, input the extension prefixed with a dot. For example, to search for tar extensions, enter .tar.
Download Report for an IOC Set
Use the Download option to download the IOC Set in a CSV format for further investigation.
The downloaded file is named as follows:
<IOC Set Name>.csv. For example, if the IOC Set Name is Test published IOC Jan 8,2025, the report is downloaded as Test published IOC Jan 8,2025.csv.
The downloaded report includes the following information related to the IOC type it contains:
The list of IOCs (file hashes or file extensions)
Hash Type (applicable only for File Hash IOCs): SHA-1, SHA-256, or MD5
The date and time when each IOC was added to the IOC Set
Details of the administrator who added the file hashes or file extensions to the IOC Set
Note:
When you download an IOC Set whose name contains emojis or Unicode characters, the downloaded filename contains "_" in place of those characters.
Monitor Threat Intelligence
All the Threat Intelligence actions performed such as IOC Set creation, IOC Set deletion, IOC Set download, IOC deletion, and IOC addition are captured in the Cyber Resiliency > Audit Trails > Threat Intelligence Service. You can click on the specific audit trail to view its details.
Troubleshooting and FAQs for Threat Intelligence (IOC Library)
Error: Not able to find <n>/<n1> SHA-1 corresponding file hash
Description: This error occurs when no corresponding SHA-1 values are found for files whose SHA-256 or MD5 hashes were given as the scan input criteria. The <n>/<n1> values indicate how many of the supplied hashes could not be resolved.
Action Required: To resolve this issue, provide the SHA-1 file hash as input.