Managing user-defined IOC rules

You can use IOC files to search for indicators of compromise on computers with Kaspersky Endpoint Agent installed.

Users with the Senior security officer role can upload and delete IOC files, download them to their computer, enable or disable the search for indicators of compromise using IOC files, and configure the schedule for searching for indicators of compromise on computers with Kaspersky Endpoint Agent installed.

Users with the Security officer and Security auditor roles can view the list of IOC files and information about the selected file, and download IOC files to the computer.

IOC files can have the following types:

To view the list of supported OpenIOC indicators of compromise, you can download this file.

In this Help section

Viewing the table of IOC files

Viewing information about an IOC file

Uploading an IOC file

Downloading an IOC file to a computer

Enabling and disabling the automatic use of an IOC file when scanning hosts

Deleting an IOC file

Searching for alerts in IOC scan results

Searching for alerts using an IOC file

Filtering and searching IOC files

Clearing an IOC file filter

Configuring an IOC scan schedule
