Creating an IOC Scan task from alert details

To create an IOC Scan task from the alert details:

  1. Open the alert details.
  2. On the All alert events tab, select the items from which you want to create an IOC Scan task.
  3. Click Create IOC.
  4. Select the triggering criteria for the indicator of compromise:
    • If you want the indicator of compromise to be triggered when any of the selected objects is detected, select OR on the right side of the screen.
    • If you want the indicator of compromise to be triggered when all the selected objects are detected, select AND on the right side of the screen.
  5. Select the actions to be taken when the IOC is triggered:
  6. Click Create task.

You can view created tasks in the Devices → Tasks section.

When you create an IOC Scan task for the selected object (file or process) from the alert details, an IOC with the FileItem term is automatically created. For details on IOC terms, refer to the Kaspersky Endpoint Security for Windows Help, Kaspersky Endpoint Security for Mac Help, Kaspersky Endpoint Security for Linux Help, and Kaspersky Endpoint Agent Help.
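To illustrate how the OR and AND choices in step 4 change when an indicator fires, the following Python is an added example, not Kaspersky's code, and does not reproduce the exact file the product generates: it assumes a generic OpenIOC 1.0 layout with FileItem terms (the namespace, `FileItem/FileName`, `FileItem/Md5sum`, the file name and the hash are assumptions or constructed values) and evaluates such an indicator against observed file metadata.

```python
# Added example (not Kaspersky's code): OR / AND trigger logic of an OpenIOC-style IOC with FileItem terms.
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample IOC with two FileItem terms; build_ioc() fills in the
# top-level operator, mirroring the OR / AND choice in the task dialog.
IOC_TEMPLATE = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc">
  <definition>
    <Indicator operator="{op}">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">dropper.exe</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">{md5}</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

SAMPLE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # constructed stand-in (MD5 of empty content), not a real IoC

def build_ioc(op: str) -> str:
    """Return the sample IOC XML with the given top-level operator ('OR' or 'AND')."""
    return IOC_TEMPLATE.format(op=op, md5=SAMPLE_MD5)

def _item_matches(item, file_info: dict) -> bool:
    """One IndicatorItem (condition 'is', case-insensitive) against observed metadata."""
    term = item.find("ioc:Context", NS).get("search")   # e.g. FileItem/Md5sum
    want = item.find("ioc:Content", NS).text.strip().lower()
    have = file_info.get(term)
    return have is not None and have.lower() == want

def _indicator_matches(ind, file_info: dict) -> bool:
    """Combine child results with the Indicator's operator; nested Indicators recurse."""
    results = []
    for child in ind:
        tag = child.tag.split("}")[-1]          # strip the XML namespace
        if tag == "Indicator":
            results.append(_indicator_matches(child, file_info))
        elif tag == "IndicatorItem":
            results.append(_item_matches(child, file_info))
    return all(results) if ind.get("operator", "OR").upper() == "AND" else any(results)

def ioc_triggers(ioc_xml: str, file_info: dict) -> bool:
    """True if the IOC fires for a file described as {term: observed value}."""
    top = ET.fromstring(ioc_xml).find("ioc:definition/ioc:Indicator", NS)
    return _indicator_matches(top, file_info)
```

With OR, a file that matches only the name term still triggers the indicator; with AND, the same file must also match the hash term.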