About IOC Scan tasks in Kaspersky Endpoint Agent

When running IOC Scan tasks, Kaspersky Endpoint Agent uses IOC files (indicator of compromise files in the OpenIOC open description standard) to search devices for these indicators.

Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.
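As an added illustration (not part of the Kaspersky documentation or product), the Python sketch below reviews a user-prepared IOC file before it is attached to a standard task: it checks that the file is a well-formed OpenIOC 1.0 document and prints the boolean logic and search terms it contains. The function names and the sample file are constructed for this example. The script assumes the OpenIOC 1.0 namespace and does not check which OpenIOC terms Kaspersky Endpoint Agent supports.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.mandiant.com/2010/ioc}"  # OpenIOC 1.0 namespace

# Constructed sample: ids, hash and file name are placeholders, not real indicators.
SAMPLE_IOC = b"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="ioc-1"><definition>
<Indicator operator="OR" id="a">
 <IndicatorItem id="b" condition="is">
  <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
  <Content type="md5">00000000000000000000000000000000</Content></IndicatorItem>
 <Indicator operator="AND" id="c">
  <IndicatorItem id="d" condition="contains">
   <Context document="FileItem" search="FileItem/FileName" type="mir"/>
   <Content type="string">example-dropper</Content></IndicatorItem>
  <IndicatorItem id="e" condition="is">
   <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
   <Content type="int">4096</Content></IndicatorItem>
 </Indicator>
</Indicator></definition></ioc>"""


def _walk(node, items):
    """Return the boolean expression for one Indicator node; collect its terms in items."""
    parts = []
    for child in node:
        if child.tag == NS + "IndicatorItem":
            ctx, content = child.find(NS + "Context"), child.find(NS + "Content")
            if ctx is None or content is None or not (content.text or "").strip():
                raise ValueError("IndicatorItem %r lacks Context or Content" % child.get("id"))
            term = (ctx.get("search"), child.get("condition"), content.get("type"), content.text.strip())
            items.append(term)
            parts.append("%s %s %r" % (term[0], term[1], term[3]))
        elif child.tag == NS + "Indicator":
            parts.append(_walk(child, items))
    if not parts:
        raise ValueError("Indicator %r is empty" % node.get("id"))
    return "(" + (" %s " % node.get("operator", "?")).join(parts) + ")"


def summarize_ioc(data):
    """Parse OpenIOC 1.0 bytes and return (expression, terms); raise on a malformed file."""
    if b"<!DOCTYPE" in data:  # an IOC file needs no DTD; refuse entity declarations
        raise ValueError("DOCTYPE not allowed in an IOC file")
    root = ET.fromstring(data)  # raises ET.ParseError if the XML is not well-formed
    top = root.find(NS + "definition/" + NS + "Indicator")
    if root.tag != NS + "ioc" or top is None:
        raise ValueError("not an OpenIOC 1.0 document")
    items = []
    return _walk(top, items), items
```

Calling `summarize_ioc(SAMPLE_IOC)` returns the flattened expression and the list of `(search term, condition, content type, value)` tuples, which makes an unintended `OR` or an empty indicator branch visible before the file is used in a scan.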

Autonomous IOC Scan tasks are group tasks that are created automatically in response to threats detected by Kaspersky Sandbox. Kaspersky Endpoint Agent generates the IOC file automatically. Operations with custom IOC files are not supported. Tasks are automatically deleted seven days after the last start, or seven days after creation if they were never started. For more information about autonomous IOC Scan tasks, see Kaspersky Sandbox Help.

You can specify the following actions to respond to the detected IOCs (not available when running the tasks from the command line):

The results of group IOC Scan tasks can be viewed in Kaspersky Security Center for 7 days after the task completes, or until the task is removed.
