You can search for indicators of compromise on the device and perform threat response actions using the IOC Scan task.
To search for indicators of compromise, Kaspersky Endpoint Security uses IOC files prepared by the user. IOC files must comply with the IOC file requirements.
You can create and run the IOC Scan task, as well as edit its settings, in the Web Console.
You cannot create, run, or configure the IOC Scan task on the command line. You cannot view an IOC Scan task created in the Web Console on the command line with the `kesl-control --get-task-list` command.
The Wake-on-LAN functionality is not available for this task in schedule settings. For the task to run, make sure the device is powered on.
IOC Scan task settings

Setting | Description
---|---
Redefine IOC files | This button opens the Redefine IOC files panel. Clicking the Add IOC files button located in the Redefine IOC files panel opens a window where you can select and download the IOC files on the device that are necessary to search for indicators of compromise. After uploading the IOC files, you can view a list of indicators from the IOC files.
Export IOC collection | Clicking this button downloads IOC files to the device.
Apply response actions when an IOC is detected | This check box enables or disables the application of response actions when indicators of compromise are detected. If the check box is selected, then when indicators of compromise are detected, the application performs the actions you selected. If the check box is cleared, the application does not perform any response actions when indicators of compromise are detected. Information about detected indicators of compromise is displayed in the window with alert details and in the task properties.
Scan scopes | The file scan areas are displayed: the critical areas of the system disks and the path from the IOC.
We do not recommend adding or deleting IOC files after starting this task. This may result in incorrect display of IOC scan results for previous runs of the task. We recommend adding a new task to run an IOC scan based on new IOC files.
You can see the result of the IOC Scan in the Assets (Devices) section → Tasks → <task name> → Application settings → IOC Scan results.
The table in the IOC Scan results section contains a list of devices on which the IOC Scan task has been run, as well as the results of the task. In the Device drop-down list, you can select the task results for all managed devices in the administration group or for a specific device.
The table contains the following columns:
Status of indicator of compromise detection, displayed as an icon.
Name of the device on which the IOC Scan task was run.
Date and time when the IOC Scan task was performed.
Information about the result of the IOC Scan task. A completed task can have one of the following statuses:
This status is displayed as a link; clicking the link opens a window with the alert details.
You can also view the result of the task in the Assets (Devices) → Tasks → <task name> section, on the Results tab in the Description column.
IOC Scan results are stored for 30 days. After this time expires, Kaspersky Endpoint Security automatically deletes old entries.