An indicator of compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the device (data compromise). For example, many unsuccessful attempts to sign in to the system can constitute an Indicator of Compromise. The IOC Scan task allows finding Indicators of Compromise on the device and performing threat response actions.
IOC files are used to search for IOCs. IOC files contain a set of indicators that are compared to the indicators of an event. If the compared indicators match, the EPP application considers the event to be alert. IOC files must conform to the OpenIOC standard.
Kaspersky Endpoint Detection and Response Optimum provides the following modes for running IOC Scan tasks:
When an IOC is detected on a device, Kaspersky Endpoint Detection and Response Optimum performs the specified response action. The following response actions are available for the detected IOCs:
As part of threat response, Kaspersky Endpoint Detection and Response Optimum and Kaspersky Sandbox can automatically create IOC Scan tasks. You can also create a task manually from the alert details window, in Kaspersky Endpoint Security for Windows or in Kaspersky Endpoint Agent.
For details on how to run IOC Scan tasks, refer to Kaspersky Endpoint Security for Windows Help and Kaspersky Endpoint Agent Help.