While executing IOC Scan tasks Kaspersky Endpoint Agent uses IOC files (indicators of compromise files of the OpenIOC open description standard) to search for these indicators on devices.
Kaspersky Endpoint Agent supports three types of IOC Scan tasks:
Different tasks are managed in different ways, have different configurable settings, and different task scopes. Description of each type of IOC Scan task is provided in the table below.
IOC Scan task types
Task type |
Task description |
Task scope |
---|---|---|
Standard IOC Scan tasks |
These tasks are created and configured manually in Kaspersky Security Center or through the command line interface, without integration with third-party systems. IOC files prepared by the user are used to run the tasks. Task settings do not depend on the policies. You can specify the following actions to respond to the detected IOCs (not available when running the tasks from the command line):
|
Local or group |
Autonomous IOC Scan tasks |
These tasks are created automatically if in Kaspersky Endpoint Agent policy, the Run IOC scanning on a managed group of hosts action is selected in response to the threats detected by Kaspersky Sandbox. Kaspersky Endpoint Agent generates an IOC file automatically. Operations with custom IOC files are not supported. Limited task management in Kaspersky Security Center is available for the user. In the policy settings you can specify the task start schedule and the scan area for the task. Tasks are automatically deleted in seven days after the last start or after creation if tasks were never started. You can specify the following actions to respond to the detected IOCs:
|
Group |
IOC Scan by IOC files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface |
IOC files are downloaded manually via Kaspersky Anti Targeted Attack Platform web interface. It is also possible to configure IOC scan schedule for computers with Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform. Task management in Kaspersky Security Center or through the command line is not supported. No actions are automatically performed when IOC is detected. Task settings do not depend on Kaspersky Endpoint Agent policies. |
Not applicable |
The results of group IOC Scan tasks execution can be viewed in Kaspersky Security Center within 7 days since the task execution completed, or until the task is removed.
Page top