This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.
To create an IOC Scan task from the incident card:
The default settings of the IOC Scan tasks created from the incident card are described in the following table. You can change these values in the settings of the created task.
Default settings of the IOC Scan task created from the incident card
Parameter |
Default value |
Description |
---|---|---|
Settings on the Schedule tab |
||
Run by schedule |
Selected. |
The task is started according to the schedule, with the specified settings. |
Frequency |
At specified time |
The task is started once, at the specified date and time. |
Start time |
15 minutes after the task creation. |
The task is started at the specified time. |
Start date |
Task creation date. |
The task is started at the specified date. |
Stop task if runs longer than |
Selected. The default value is one hour. |
The application quits the task after the specified time since the task is started, regardless of the task execution progress. |
Cancel schedule from |
Not selected. |
Automatic cancellation of the task start schedule is not used. |
Run missed tasks |
Selected. |
The application restarts the task that was not started by schedule for some reason. For example, if Kaspersky Endpoint Agent was not running at the scheduled task start time. |
Randomize the task start time within the interval |
Selected. The default value is 10 minutes. |
The task will start at an arbitrary time within the specified interval since the moment specified in the Start time field. |
Settings in the Advanced section |
||
Select data types (IOC documents) to analyze during IOC scanning
|
When analyzing data on files (FileItem), the Analyze data of files (FileItem) option is selected. In the additional settings of the IOC document, in the Search for Indicators of Compromise in the following areas group of settings, the Critical file areas on the device option is selected. |
The application checks critical areas on the device, and the folder where a dangerous object was initially detected. The following areas are considered critical:
|
When analyzing data in the Windows registry (RegistryItem), the Analyze data of Windows Registry (RegistryItem) option is selected. |
The application checks the paths of user-defined registry keys. |
By default, Kaspersky Endpoint Agent 3.9 uses the settings specified in the Kaspersky Sandbox integration section, in the Threat Response group of the settings, for IOC Scan tasks created from the incident card. For detailed information refer to Kaspersky Sandbox Help.
Page top