Overview
In today's rapidly evolving cyber landscape, organizations must prioritize swift threat detection and response. Indicators of Compromise (IOCs) play a pivotal role in this defense, providing actionable intelligence to security teams.
The Druva IOC Library serves as a centralized platform designed to streamline the management of these crucial IOCs. By consolidating IOC sets related to diverse malware families, Druva empowers security teams to efficiently detect, block, and mitigate cyber attacks.
Key Features and Benefits:
Centralized IOC Management: The library acts as a single, accessible hub for creating and maintaining IOC sets.
Actionable Intelligence: IOCs, including File Hashes and File Extensions, provide the data needed for rapid threat response.
Enhanced Threat Detection: Security tools leverage IOCs to quickly identify and block malicious activity.
Support for Diverse Malware Families: The library facilitates the organization of IOCs by malware family, improving targeted threat response.
Two Core IOC Types: Druva supports File Hashes and File Extensions, covering essential indicators.
In essence, the Druva IOC Library equips security teams with the tools and data necessary to proactively combat evolving cyber threats, ensuring rapid and effective incident response.
Before you begin, familiarize yourself with the following key terms.
Key Terms
IOC Library: a centralized place where you can create and store multiple IOC Sets of file hashes or file extensions belonging to different malware and ransomware families.
IOC Set: a collection of IOCs, either file hashes or file extensions.
IOC Library supports two types of IOC Sets:
Customized IOC Set: The IOC set contains file hashes or extensions that the administrator added or updated.
Note: The Default IOC Set includes IOCs (predefined file hashes) that were already created or updated from the Restore Scan > Settings tab using either the admin console or the API.
Druva-published IOC Set: The IOC Set contains file hashes or file extensions curated and maintained by Druva. The IOCs for the Druva-published IOC Sets are sourced from widely trusted sources. For example, CISA advisories are one of the many sources referred to by Druva.
This feature allows administrators to create their own custom IOC Set or utilize the Druva-published IOC Set for scanning when using the following Cyber Resiliency features:
Restore Scan (Malicious File Scan)
Things to Consider
Druva-published IOC Set is available with only a Premium Security license.
You can create a custom IOC Set with the Accelerated Ransomware Recovery license.
File Hashes: SHA-1, SHA-256, and MD5 file hashes are supported for this feature. However, SHA-1 is still the recommended input format for optimal results. For every SHA-256 or MD5 hash provided, the system attempts to find the corresponding SHA-1 hash on a best-effort basis.
File Extensions: All single-level file extensions are supported for this feature. For example, .tar is supported.
A single IOC Set can contain at most 2,000 IOCs (File Hashes or File Extensions). If an existing IOC Set has reached the 2,000 IOC limit, create a new IOC Set for the additional IOCs.
How does Threat Intelligence work for scanning in Cyber Resiliency features?
When you define the scan parameters for malware checks for Restore Scan, Sandbox Recovery, Curated Snapshot, and Threat Hunting features, the resources are scanned using the IOC Sets from the IOC Library to identify and report any malicious file matches for further investigation.
During the scan, both the IOC Set type and the maximum IOC count limit of 2000 are taken into consideration.
If the total count of the IOCs (customer-created sets and Druva-published) exceeds the 2000 IOC limit, only 2000 IOCs will be considered for scanning in Cyber Resiliency features. First preference is given to customer-provided IOCs, and then Druva-published IOCs.
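As an added example (not Druva's code; the page does not publish the library's actual input checks), the following Python models the constraints from "Things to Consider" and the scan-time ordering just described: it classifies each IOC as MD5, SHA-1 or SHA-256 by hex-digest length or as a single-level extension, enforces the 2,000-per-set cap, and builds the list a scan would consider with customer IOCs preferred over Druva-published ones. Lower-casing values for de-duplication is an assumption.

```python
import re
from collections import OrderedDict

# Limits and formats as stated on the page; the rest of this block is an assumption.
MAX_IOCS = 2000
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}   # hex digest lengths
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Single-level extension: one leading dot, no further dots (".tar" yes, ".tar.gz" no).
EXT_RE = re.compile(r"^\.[^.\s]+$")

def classify_ioc(value):
    """Return ("File Hashes", hash_type) or ("File Extensions", None).
    Raises ValueError for hashes that are not 32/40/64 hex chars and for
    extensions that are not single-level."""
    v = value.strip()
    if EXT_RE.match(v):
        return ("File Extensions", None)
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return ("File Hashes", HASH_LENGTHS[len(v)])
    raise ValueError(f"unsupported IOC value: {value!r}")

def validate_set(ioc_type, values):
    """Check every value against the set's IOC type and the 2,000-IOC cap.
    Returns the de-duplicated values, lower-cased (assumption: the page does
    not say how the library normalizes case)."""
    seen = OrderedDict()
    for v in values:
        kind, _ = classify_ioc(v)
        if kind != ioc_type:
            raise ValueError(f"{v!r} is not a {ioc_type} IOC")
        seen.setdefault(v.strip().lower(), None)
    if len(seen) > MAX_IOCS:
        raise ValueError(f"{len(seen)} IOCs exceed the {MAX_IOCS} per-set limit")
    return list(seen)

def effective_scan_list(customer_sets, druva_sets):
    """Model the scan-time ordering: customer-created sets first, then
    Druva-published sets, truncated at MAX_IOCS. Returns (used, dropped)."""
    ordered = OrderedDict()
    for group in (customer_sets, druva_sets):
        for iocs in group:
            for v in iocs:
                ordered.setdefault(v.strip().lower(), None)
    all_iocs = list(ordered)
    return all_iocs[:MAX_IOCS], all_iocs[MAX_IOCS:]
```

The `dropped` list is the part worth alerting on: any Druva-published IOC that falls past the 2,000 cut-off is silently not scanned for.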
IOC Library
This page displays a list of all the existing IOC Sets created.
Access path
Navigate to the IOC Library via the DCP Console: Global Navigation Menu > Ransomware Recovery > Settings > IOC Library.
IOC Library Dashboard Overview
The dashboard displays a summary of all existing IOC sets, providing key details at a glance:
IOC Set:
Unique name of the IOC set (supports multilingual and Unicode characters).
"Default" is reserved for file hash IOC sets.
Source:
Origin of the IOC (e.g., CISA advisories).
"-" indicates no source provided.
IOC Type:
File Hashes or File Extensions.
#IOC:
Count of file hashes (SHA-1, SHA-256, MD5) or file extensions (single-level, e.g., .tar).
Last Modified:
Date and time of the last update.
Published:
The administrator who published the IOC set.
Click an IOC Set name to view detailed information.
IOC Set Details section
The details section provides comprehensive information for a selected IOC set.
Name:
IOC set name.
Published By:
Administrator who published the set.
Created On:
Date and time of creation.
Last Modified:
Date and time of the last update.
IOC Type:
File Hashes or File Extensions.
Source:
Origin of the IOC ("-" if none).
Description:
Summary of the IOC set ("-" if none).
IOC Type Details:
List and count of file hashes/extensions.
Hash type (for file hashes).
Date and time of addition.
Action
Use the Download option to download the IOC Set in a CSV format for further investigation.
Filters
You can sort and filter your search results for created IOC Sets using the Filter option.
Choose the IOC Type filter to sort and view IOC Sets based on the type: File Hashes or File Extensions.
Choose the Published By filter to sort and view IOC Sets created by a specific administrator. If you have a Premium Security license, you can also view and download IOC Sets published by Druva.
Note: You cannot update or delete Druva-published IOC Sets.
Use the Apply button to apply the filters and Reset to cancel the filters applied for sorting.
Create a new IOC Set
To create a new IOC Set, perform the following steps:
From the DCP dashboard, go to the Global Navigation menu > Ransomware Recovery > Settings > IOC Library.
On the IOC Library landing page, click New IOC Set to create a new IOC Set according to your requirements. You can also import the IOC Set from a CSV file for file extensions and file hashes. The maximum supported file size is 1 MB.
Enter the following details on the New IOC Set pop-up and click Save to add the new IOC Set to the IOC Library:
IOC Set Name. If you are importing the IOC Set from a CSV file, ensure that the file type is CSV and the file size does not exceed 1 MB.
Source (Optional)
Description (Optional)
Select the IOC Type (File Hashes or File Extensions) and provide the values. You can also import the IOCs from a CSV file.
A single IOC Set can contain at most 2,000 IOCs (File Hashes or File Extensions). If an existing IOC Set has reached the 2,000 IOC limit, create a new IOC Set for the additional IOCs.
Update an IOC Set
To update and add IOCs (file hashes or file extensions) to an existing IOC Set, perform the following steps:
From the DCP dashboard, go to the Global Navigation menu > Ransomware Recovery > Settings > IOC Library.
On the IOC Library landing page, click on the IOC Set name that you want to update.
For File Hashes: Click Add File Hashes. Add the file hashes and click Save. If you want to add multiple SHA-1 hash values, use the Import CSV option.
For File Extensions: Click Add File Extensions. Add the file extensions and click Save. If you want to add multiple file extensions, use the Import CSV option.
Delete an IOC Set
Use this option if you want to delete an existing IOC Set from the IOC Library.
To delete the IOC Set, perform the following steps:
From the DCP dashboard, go to the Global Navigation menu > Ransomware Recovery > Settings > IOC Library.
On the IOC Library landing page, select the IOC Set you want to remove and click Delete. In the confirmation box, provide a reason for deletion and click Continue.
Note: You can also delete individual IOCs (file hashes and file extensions) from an IOC Set. However, the IOC Set cannot be empty: at least one IOC must remain in the IOC Set. This applies only to Custom IOC Sets.
Search for file hashes or file extensions in existing IOC Sets
If you want to look for all the IOC Sets containing specific file hashes or extensions, use the IOC Check option.
To search for file hashes or file extensions, perform the following steps:
From the DCP dashboard, go to the Global Navigation menu > Ransomware Recovery > Settings > IOC Library.
On the IOC Library landing page, click IOC Check.
Enter the file hashes and/or file extensions in the IOC Check pop-up and click Search. All the IOC Sets containing these values are displayed.
To search for a file extension, input the extension prefixed with a dot. For example, to search for tar extensions, enter .tar.
Download Report for an IOC Set
Use the Download option to download the IOC Set in a CSV format for further investigation.
Following is the file naming convention of the downloaded file:
File name format: <IOC Set Name>.csv
For example, if the IOC Set Name is Test published IOC Jan 8,2025, the report is downloaded as Test published IOC Jan 8,2025.csv.
The downloaded report includes the following information related to the IOC type it contains:
The list of IOCs of the set's IOC type (file hashes or file extensions)
Hash Type (applicable only to File Hash IOCs): SHA-1, SHA-256, or MD5
The date and time when each IOC was added to the IOC Set
The administrator who added the file hashes or file extensions to the IOC Set
Note: When you download an IOC Set whose name contains emojis and/or other Unicode characters, the downloaded file name contains "_" in place of them.
Monitor Threat Intelligence
All the Threat Intelligence actions performed such as IOC Set creation, IOC Set deletion, IOC Set download, IOC deletion, and IOC addition are captured in the Cyber Resiliency > Audit Trails > Threat Intelligence Service. You can click on the specific audit trail to view its details.
Troubleshooting and FAQs for Threat Intelligence (IOC Library)
Error: Not able to find <n>/<n1> SHA-1 corresponding file hash
Description: This error occurs when no corresponding SHA-1 values are found for the files whose SHA-256 or MD5 hashes were supplied as scan input criteria.
Action Required: To resolve this issue, provide the SHA-1 file hash as input.