
Mandiant IOCe 2.2

Free. MANDIANT IOC Editor is an editor for Indicators of Compromise (IOCs).
Latest version: 2.2

MANDIANT IOC Editor is an editor for Indicators of Compromise (IOCs). It can also be used for generating XPath filters and for comparing two IOCs. IOCs are XML documents that help incident responders capture diverse information about threats, including attributes of malicious files, characteristics of registry changes, etc.


v2.2 [Jan 24, 2013]
WHAT’S NEW
• Browse for folder dialog is displayed on application launch
• Scrolling of long definition automatically when dragging and dropping terms
• Added Grade and Threat Group to reference menu
• Added "Add Another" option with keyboard shortcut of Alt N
• Added F2 as a keyboard shortcut to edit selected item
• Added Options dialog box
o User can set default author name
o Settings for warning on delete or prune
• Added Status bar. Shows number of loaded IOCs, unsaved IOCs, and selected IOCs
• Added additional terms that should default to the ‘is’ condition (md5, int, date, sha1sum, sha256sum)
• Added properties panel
o Shows all pertinent data for selected indicator item
• Allowed for comments to be added per indicator item (in properties panel)
• Added cancel buttons to the add references dialogs
• Updated list of malware categories
• Added "Save" menu option to just save the current IOC
• Added toolbar above definition area
o Moved the "add" buttons (Item, AND, OR) to the toolbar.
o Made the Item button a split button with the dropdown menu of the items that can be added
• Added created and modified dates to main view
• Description text box now allows for return character and tab.
WHAT’S BEEN FIXED
• Fixed ctrl-x bug. Ctrl X no longer exits the application
• Swapping a parent/child node will cause IOC Editor to become unresponsive
• Prevented editing of top level OR
• Reworked unsaved changes dialog with a clearer message
o Added a cancel button
o Yes now saves changes and exits
o No just exits without saving changes
o Cancel goes back to running program
• Last modified date was not passed to new window when dragging from one to the other
• GUID for top OR was missing on initial IOC creation
• Application crashed when attempting to save when an IOC had been deleted
• New Item button wasn't always set to the most recently added item
o Added a tooltip to the Item button that will show what the most recently added item is
• Added checks in the add reference dialogs to see if the user actually entered anything when hitting save
• Currently selected IOC remains highlighted when focus changes
KNOWN ISSUES
• Non-ASCII characters in the comment field cause an unhandled exception
• Tab order from Name field doesn’t always work properly.
• No notification to user if there are duplicate IOC GUIDs
• Generating filters before selecting an IOC will cause an unhandled exception
