On the All incident events tab, select the items from which you want to create an IOC Scan task.
Click the IoC Scan task creation button.
Do one of the following:
If you want the compromise indicator to be triggered when any of the selected objects is detected, select AND on the right side of the screen.
If you want the compromise indicator to be triggered when all the selected objects are detected, select OR on the right side of the screen.
In the Actions group of settings, select one of the following actions:
Isolate host from the network to enable network isolation of the device on which indicator of compromise is detected by Kaspersky Endpoint Agent.
Remove and quarantine to quarantine the detected object and remove it from the device.
Push critical areas scanning to make Kaspersky Endpoint Agent send a command to EPP application to scan critical areas on all the devices of the administration group on which indicator of compromise is detected.