Searching for indicators of compromise

You can search for indicators of compromise on the device and perform threat response actions using the IOC Scan task.

To search for indicators of compromise, Kaspersky Endpoint Security uses IOC files prepared by the user. IOC files must comply with the IOC file requirements.

You can create and run the IOC Scan task, as well as edit its settings, in the Web Console.

You cannot create, run, or configure the IOC Scan task on the command line. You cannot view an IOC Scan task created in the Web Console on the command line with the kesl-control --get-task-list command.

The Wake-on-LAN functionality is not available for this task in schedule settings. For the task to run, make sure the device is powered on.

IOC Scan task settings

Setting

Description

Redefine IOC files

This button opens the Redefine IOC files panel.

Clicking the Add IOC files button located in the Redefine IOC files panel opens a window where you can select the IOC files needed to search for indicators of compromise and upload them to the device. After uploading the IOC files, you can view a list of the indicators contained in them.

Export IOC collection

Clicking this button downloads IOC files to the device.

Apply response actions when an IOC is detected

This check box enables or disables the application of response actions when indicators of compromise are detected.

If the check box is selected, then when indicators of compromise are detected, the application performs the actions you selected:

  • Isolate device from the network.

    If this check box is selected, then when indicators of compromise are detected, the application isolates the device from the network to prevent the spread of the threat. You can configure the isolation duration.

  • Start critical areas scan.

    If this check box is selected, then when indicators of compromise are detected, the application starts the Critical Areas Scan task.

    By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and boot sectors.

If the check box is cleared, the application does not perform any response actions when indicators of compromise are detected. Information about detected indicators of compromise is displayed in the window with alert details and in the task properties.

Scan scopes

The file scan areas are displayed: the critical areas of the system disks and the paths specified in the IOC files.

We do not recommend adding or deleting IOC files after starting this task. This may result in incorrect display of IOC scan results for previous runs of the task. We recommend adding a new task to run an IOC scan based on new IOC files.

You can see the result of the IOC Scan in the Assets (Devices) section → Tasks → <task name> → Application settings → IOC Scan results.

The table in the IOC Scan results section contains a list of devices on which the IOC Scan task has been run, as well as the results of the task. In the Device drop-down list, you can select the task results for all managed devices in the administration group or for a specific device.

The table contains the following columns:

You can also view the result of the task in the Assets (Devices) → Tasks → <task name> section, on the Results tab in the Description column.

IOC Scan results are stored for 30 days. After this time expires, Kaspersky Endpoint Security automatically deletes old entries.
