Captive IOC - URL Actions test the effectiveness of network controls against known malicious URLs. When these Actions are run, one or multiple URLs are requested, and a small custom response is sent from the Destination Actor. The response is not representative of actual malicious content and, as such, this Action methodology only validates whether the request is allowed through network controls.
- Select Library > Actions.
- Click Add Action and select Captive IOC - URL.
Enter one or more URLs (one per line).
You must enter the entire URL (http / https, the domain, and any desired path / arguments).
- Enter Timeout (in milliseconds). This time is used for each URL attempt.
- Enter a Name.
- Enter a Description.
- Select the Attack Vector.
- Select the Attacker Location.
- Select the Behavior Type.
- Select the Covert option (Yes or No).
- Select the OS/Platform.
- Select the Stage of Attack.
- (Optional) Enter or select User Tags.
Click Save Captive IOC Action.
The Action Library is displayed. A confirmation message that your Action was created successfully is shown and the Action is selected and displayed in the Action preview.
Add Action - Captive IOC URL