An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the computer (compromise of data). For example, many unsuccessful attempts to sign in to the system can constitute an Indicator of Compromise. The IOC Scan tasks allows finding Indicators of Compromise on the computer and take threat response measures.
Kaspersky Endpoint Security searches for indicators of compromise using IOC files. IOC files are files containing the sets of indicators that the application tries to match to count a detection. IOC files must conform to the OpenIOC standard.
IOC Scan task run mode
Kaspersky Endpoint Detection and Response lets you create standard IOC Scan tasks to detect compromised data. Standard IOC scan task is a group or local task that is created and configured manually in the Web Console. Tasks are run using IOC files prepared by the user. If you want to add an indicator of compromise manually, please read the requirements for IOC files.
The file that you can download by clicking the link below, contains a table with the full list of IOC terms of the OpenIOC standard.
DOWNLOAD THE IOC_TERMS.XLSX FILE
Kaspersky Endpoint Security also supports stand-alone IOC scan tasks when the application is used as part of the Kaspersky Sandbox solution.
Creating an IOC Scan task
You can create IOC Scan tasks manually:
Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details include, for example, the history of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help and the Kaspersky Endpoint Detection and Response Expert Help.
You can configure the task for EDR Optimum in Web Console and Cloud Console. Task settings for EDR Expert are available only in Cloud Console.
To create an IOC Scan task:
The list of tasks opens.
The Task Wizard starts.
By default, Kaspersky Endpoint Security starts the task as the system user account (SYSTEM).
The system account (SYSTEM) does not have permission to perform the IOC Scan task on network drives. If you want to run the task for a network drive, select the account of a user that has access to that drive.
For standalone IOC Scan tasks on network drives, in the task properties you need to manually select the user account that has access to this drive.
A new task will be displayed in the list of tasks.
The task properties window opens.
After loading the IOC files, you can view the list of indicators from IOC files.
Adding or removing IOC files after running the task is not recommended. This can cause the IOC scan results to display incorrectly for prior runs of the task. To search indicators of compromise by new IOC files, it is recommended to add new tasks.
Kaspersky Endpoint Security automatically selects data types (IOC documents) for the IOC Scan task in accordance with the content of loaded IOC files. It is not recommended to deselect data types.
You can additionally configure scan scopes for the following data types:
By default, Kaspersky Endpoint Security scans for IOCs only in important areas of the computer, such as the Downloads folder, the desktop, the folder with temporary operating system files, etc. You can also manually add the scan scope.
For the Windows registry - RegistryItem data type, Kaspersky Endpoint Security scans a set of registry keys.
Wake-on-LAN is not available for this task. Make sure the computer is turned on to run the task.
As a result, Kaspersky Endpoint Security runs the search for indicators of compromise on the computer. You can view the results of the task in task properties in the Results section. You can view the information about detected indicators of compromise in the task properties: Application settings → IOC Scan Results.
IOC scan results are kept for 30 days. After this period, Kaspersky Endpoint Security automatically deletes the oldest entries.
Page top