When working in the program web interface, users with the Senior security officer and Security officer roles can use IOC files to search for signs of targeted attacks and for infected and probably infected objects in the database of events and alerts, and to scan local computers that have the Endpoint Sensors component installed.
Depending on the program operating mode and the server to which the IOC files are uploaded, the uploaded files can be one of the following types:
Users with the Senior security officer role can manage scans of events based on IOC files: add, edit, and delete IOC files, download IOC files to the computer, enable and disable scanning of events based on IOC files, and manage object scan settings.
Users with the Security officer role can only view information about IOC files and download IOC files to a computer.
If you are working with events that were previously detected by the program, a repeated match between the data of these events and indicators of compromise does not always indicate a possible alert.