Make sure that the On the Administration Server for (days) check box is selected in the Save information about results section, and specify for how many days you want to store the task execution results.
By default, task execution results are stored on the Administration Server for 7 days.
In the IOC collection group of settings, click Browse.
In the context menu, do one of the following:
Select the Browse for folder item to add a group of IOC files to the IOC collection.
Select the Browse for file item to add one IOC file to the IOC collection.
Depending on your choice, do one of the following in the window that opens:
Specify the path to the folder with IOC files and click OK.
Specify the path to the IOC file and click Open.
If you upload IOC files that Kaspersky Endpoint Agent does not support when creating the IOC Scan task, the application uses only the supported IOC files when the task starts.
To view the list of all IOC files that are included in the IOC collection, as well as information about each IOC file, click View.
The Browse for folder window opens. In this window, you can exclude any file from the database by clearing the check box next to the name of the IOC file.
Click OK to save the changes and close the Browse for folder window.
To export the created IOC collection, click Export.
In the window that opens, specify the name of the file and select the folder where you want to save it.
Click the Save button.
The application creates a ZIP file in the specified folder.
To configure Kaspersky Endpoint Agent actions on IOC detection:
In the Actions section, select the Take response actions when an Indicator of Compromise is detected check box.
Select the Isolate device from the network check box to enable network isolation of the device on which an indicator of compromise is detected by Kaspersky Endpoint Agent.
Select the Push Endpoint Protection Platform (EPP) scanning on critical areas check box so that Kaspersky Endpoint Agent sends a command to the EPP application to scan critical areas on all the devices of the administration group on which indicators of compromise are detected.
To configure the schedule settings for the IOC Scan task:
In the Task schedule section, select the Run by schedule check box.
In the Frequency list, select one of the following options to run IOC Scan tasks: At specified time, Every hour, Every day, Every week, or On application launch.
If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
If you select one of the following options: Every hour, Every day, or Every week, configure the following settings in the Run by schedule section:
In the Every list, select the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
In the Start time and Start date lists, select the date and time from which the schedule applies.
To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
If you want to set a maximum timeout for task execution, select the Quit task, running longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
If you want the application to start IOC Scan tasks that were not completed on time as soon as possible, select the Run missed tasks check box.
If you want to keep a large number of workstations from accessing the Administration Server at the same time, so that the task runs on workstations at random moments within a certain time interval rather than exactly on schedule, select the Randomize the task run to every check box and specify the start interval in minutes.
To exclude groups of devices from the task scope, in the Exclusions from task scope section, select the groups of devices to which the task will not be applied.
Only the subgroups of the administration group to which the task applies can be excluded.