Task creation is performed beforehand, as a separate step.
If you selected the Open task properties window after creation check box on the Finish creating the task page during task creation, proceed to step 4 of the following instructions.
To configure the settings of a Standard IOC Scan task:
On the Devices tab, select Tasks.
To open the task settings window, click the task name.
Select the Application settings tab.
In the IoC scan settings section, configure the IOC collection by following these steps:
In the IoC files group of settings, click the Redefine IoC files button.
In the dialog that opens, click the Add IoC files button and specify the IOC files that you want to use for the task.
You can select multiple IOC files for a single IOC Scan task.
Click OK to close the dialog box.
If you upload IOC files that are not supported by Kaspersky Endpoint Agent when creating the IOC Scan task, the application will use only the supported IOC files when the task starts.
To view the list of all IOC files that are included in the IOC collection, as well as to obtain information about each IOC file, do the following:
Click the link with the names of all downloaded IOC files in the IoC files group of settings.
The IoC contents () window opens.
To view detailed information about an individual IOC file, click the name of the required IOC file in the list of files on the IoC collection tab.
In the window that opens, information about the selected IOC file is displayed.
To close the window with information about the selected IOC file, click OK or Cancel.
To view information about all downloaded IOC files at once, open the IoC data tab.
Information about each downloaded IOC file is displayed in the workspace of the window.
If you do not want to use a specific IOC file when the IOC Scan task is executed, on the IoC collection tab, switch the toggle button next to the IOC file name from Include to Exclude.
Click OK to save the changes and close the IoC contents () window.
To export the created IOC collection, click Export IoC data.
In the window that opens, specify the name of the file and select the folder where you want to save it.
Click the Save button.
The application creates a ZIP file in the specified folder.
In the IoC scan settings section, configure the response actions to take when an indicator of compromise is found:
In the Actions group of settings, select the Take remediation actions after an indicator of compromise is found check box.
Select the Isolate host from the network check box to enable network isolation of the device on which Kaspersky Endpoint Agent detects an indicator of compromise.
Select the Remove and quarantine check box to quarantine the detected object and remove it from the device.
Select the Push critical areas scanning check box so that Kaspersky Endpoint Agent sends a command to the EPP application to scan critical areas on all devices of the administration group on which indicators of compromise are detected.
If the Quarantine and delete or Run critical areas scan option is enabled, Kaspersky Endpoint Agent may recognize the detected files as infected and delete them from the device as a response action.
Select the IOC terms and IOC documents used to search for IOCs:
Select the Advanced section.
Select the IOC terms and IOC documents that you want to analyze during the execution of the IOC Scan task.
Selection of the data types to be analyzed (IOC terms and IOC documents) for the IOC Scan task is mandatory.