Creating IOC Scan task from the incident card

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To create an IOC Scan task from the incident card:

  1. Open the incident card.
  2. On the All incident events tab, select the items from which you want to create an IOC Scan task.
  3. Click the IOC Scan task creation button.
  4. Do one of the following:
    • If you want the compromise indicator to be triggered when any of the selected objects is detected, select OR on the right side of the screen.
    • If you want the compromise indicator to be triggered when all the selected objects are detected, select AND on the right side of the screen.
  5. In the Actions group of settings, select one of the following actions:
    • Isolate device from the network to enable network isolation of the device on which indicator of compromise is detected by Kaspersky Endpoint Agent.
    • Quarantine and delete to quarantine the detected object and remove it from the device.
    • Run critical areas scan to make Kaspersky Endpoint Agent send a command to EPP application to scan critical areas on all the devices of the administration group on which indicator of compromise is detected.
  6. Click Create task.

The default settings of the IOC Scan tasks created from the incident card are described in the following table. You can change these values in the settings of the created task.

Default settings of the IOC Scan task created from the incident card

Parameter

Default value

Description

Settings on the Schedule tab

Run by schedule

Selected.

The task is started according to the schedule, with the specified settings.

Frequency

At the specified time

The task is started once, at the specified date and time.

Start time

15 minutes after the task creation.

The task is started at the specified time.

Start date

Task creation date.

The task is started at the specified date.

Quit task, running longer than

Selected. The default value is one hour.

The application quits the task after the specified time since the task is started, regardless of the task execution progress.

Cancel schedule

Not selected.

Automatic cancellation of the task start schedule is not used.

Run missed tasks

Selected.

The application restarts the task that was not started by schedule for some reason. For example, if Kaspersky Endpoint Agent was not running at the scheduled task start time.

Randomize the task start time within the interval

Selected. The default value is 10 minutes.

The task will start at an arbitrary time within the specified interval since the moment specified in the Start time field.

Settings in the Advanced section

Select IOC documents for which data is collected

 

When analyzing data on files (FileItem), the Analyze file data (FileItem) option is selected.

In the additional settings of the IOC document, in the Search for indicators of compromise in the following areas group of settings, the Critical areas on device option is selected.

The application checks critical areas on the device, and the folder where a dangerous object was initially detected.

The following areas are considered critical:

  • Temporary files in the folders of the system and user accounts.
  • Temporary files in the operating system folder and in the %TEMP% folder for the Local System account, if the paths are different.

When analyzing data in the Windows registry (RegistryItem), the Analyze Windows registry (RegistryItem) option is selected.

The application checks the paths of user-defined registry keys.

By default, Kaspersky Endpoint Agent 3.9 uses the settings specified in the Integration with Kaspersky Sandbox section, in the Threat response group of the settings, for IOC Scan tasks created from the incident card. For detailed information refer to Kaspersky Sandbox Help.

Page top