Creating IOC Scan task from the incident card

To create an IOC Scan task from the incident card:

  1. Open the incident card.
  2. On the All incident events tab, select the items from which you want to create an IOC Scan task.
  3. Click the IOC Scan task creation button.
  4. Do one of the following:
    • If you want the compromise indicator to be triggered when any of the selected objects is detected, select AND (all IOC found) on the right side of the screen.
    • If you want the compromise indicator to be triggered when all the selected objects are detected, select OR (any IOC found) on the right side of the screen.
  5. In the Actions when IOC is found group of settings, select one of the following actions:
    • Isolate device from the network to enable network isolation of the device on which indicator of compromise is detected by Kaspersky Endpoint Agent.
    • Quarantine and delete to quarantine the detected object and remove it from the device.
    • Run Endpoint Protection Platform scan of critical areas on the device to make Kaspersky Endpoint Agent send a command to EPP application to scan critical areas on all the devices of the administration group on which indicator of compromise is detected.
  6. Click Create task.

The default settings of the IOC Scan tasks created from the incident card are described in the following table. You can change these values in the settings of the created task.

Default settings of the IOC Scan task created from the incident card

Parameter

Default value

Description

Settings on the Schedule tab

Run by schedule

Selected.

The task is started according to the schedule, with the specified settings.

Frequency

At specified time

The task is started once, at the specified date and time.

Start time

15 minutes after the task creation.

The task is started at the specified time.

Start date

Task creation date.

The task is started at the specified date.

Stop task if runs longer than

Selected. The default value is one hour.

The application quits the task after the specified time since the task is started, regardless of the task execution progress.

Cancel schedule from

Not selected.

Automatic cancellation of the task start schedule is not used.

Run missed tasks

Selected.

The application restarts the task that was not started by schedule for some reason. For example, if Kaspersky Endpoint Agent was not running at the scheduled task start time.

Randomize the task start time within the interval

Selected. The default value is 10 minutes.

The task will start at an arbitrary time within the specified interval since the moment specified in the Start time field.

Settings in the Advanced section

Select data types (IOC documents) to analyze during IOC scanning

 

When analyzing data on files (FileItem), the Analyze data of files (FileItem) option is selected.

In the additional settings of the IOC document, in the Search for Indicators of Compromise in the following areas group of settings, the Critical file areas on the device option is selected.

The application checks critical areas on the device, and the folder where a dangerous object was initially detected.

The following areas are considered critical:

  • Temporary files in the folders of the system and user accounts.
  • Temporary files in the operating system folder and in the %TEMP% folder for the Local System account, if the paths are different.

When analyzing data in the Windows registry (RegistryItem), the Analyze data of Windows Registry (RegistryItem) option is selected.

The application checks the paths of user-defined registry keys.

By default, Kaspersky Endpoint Agent 3.9 uses the settings specified in the Kaspersky Sandbox integration section, in the Threat Response group of the settings, for IOC Scan tasks created from the incident card. For detailed information refer to Kaspersky Sandbox Help.

Page top