An indicator of compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the device (data compromise). For example, repeated unsuccessful attempts to sign in to the system may constitute an indicator of compromise. The IOC Scan task lets you detect indicators of compromise on the device and perform threat response actions.
IOC files are used to search for IOCs. An IOC file contains a set of indicators that are compared with the indicators of an event; if the compared indicators match, the EPP application treats the event as an alert. IOC files must conform to the OpenIOC standard.
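As an added illustration of how indicators in an OpenIOC file are compared with those of an event (example code written for this page, not Kaspersky's own implementation), the following Python script parses a constructed IOC file in the OpenIOC 1.1 layout and evaluates its nested AND/OR criteria against an event record. The namespace URI, the `FileItem`/`ProcessItem` field names and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://openioc.org/schemas/OpenIOC_1.1"}
# Constructed sample in the OpenIOC 1.1 layout (not a real IOC): hash match OR name+process match.
SAMPLE_IOC = """<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="constructed-0001">
  <criteria>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum"/>
        <Content type="md5">00000000000000000000000000000001</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileName"/>
          <Content type="string">update_helper</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="ProcessItem" search="ProcessItem/name"/>
          <Content type="string">osascript</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </criteria>
</OpenIOC>"""

def item_matches(item, event):
    # Compare one IndicatorItem with the same-named field of an event record.
    search = item.find("ioc:Context", NS).get("search")
    content = (item.find("ioc:Content", NS).text or "").strip().lower()
    value = str(event.get(search, "")).lower()  # missing field never matches
    cond = item.get("condition", "is")
    if cond == "is":
        return bool(content) and value == content
    if cond == "contains":
        return bool(content) and content in value
    raise ValueError(f"unsupported condition: {cond}")

def indicator_matches(indicator, event):
    # Evaluate a (possibly nested) Indicator under its AND/OR operator.
    results = []
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        if tag == "IndicatorItem":
            results.append(item_matches(child, event))
        elif tag == "Indicator":
            results.append(indicator_matches(child, event))
    combine = all if indicator.get("operator", "OR").upper() == "AND" else any
    return bool(results) and combine(results)  # an empty Indicator never fires

def scan_event(ioc_xml, event):
    # True when the event's indicators satisfy the IOC file's criteria (an alert).
    return indicator_matches(ET.fromstring(ioc_xml).find("ioc:criteria/ioc:Indicator", NS), event)
```

An event record is a flat mapping from OpenIOC search paths to observed values; a real scanner would build it from file and process telemetry on the device.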
Kaspersky Endpoint Detection and Response Optimum lets you create and manually configure group and local IOC Scan tasks in Kaspersky Security Center Web Console and Cloud Console. IOC files that you have prepared are used to run the tasks.
In Kaspersky Endpoint Security for Mac 12.2 or later, IOC Scan task functionality is expanded:
When an IOC is detected on a device, Kaspersky Endpoint Detection and Response Optimum performs the specified response action. The following response actions are available for detected IOCs:
In Kaspersky Endpoint Security for Mac 12.2 or later you can manually isolate a device or quarantine a file when viewing an IOC Scan task execution report.
You can create a task manually from the alert details window or in Kaspersky Endpoint Security for Windows.
For details on how to run IOC Scan tasks, refer to the Kaspersky Endpoint Security for Windows Help, Kaspersky Endpoint Security for Mac Help, and Kaspersky Endpoint Security for Linux Help.