An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to a device, that is, a compromise of the device and its data. For example, an indicator of compromise could be a high number of failed login attempts. When Kaspersky Industrial CyberSecurity for Linux Nodes is integrated with Detection and Threat Response solutions, you can detect indicators of compromise on protected devices and perform threat response actions.
The IOC Scan functionality is available in the Kaspersky Industrial CyberSecurity for Linux Nodes application if integration of Kaspersky Industrial CyberSecurity for Linux Nodes with the Kaspersky Industrial CyberSecurity Endpoint Detection and Response solution is enabled and the ICS EDR component is enabled.
When integrated with Kaspersky Industrial CyberSecurity Endpoint Detection and Response, an IOC Scan is performed using the IOC Scan task. You can create IOC Scan tasks:
The IOC Scan task checks for IOC terms (properties of IOC objects, for example, a file hash) only in the operating system's main namespace. The IOC Scan task does not calculate hashes of files larger than 200 MB.
To scan for indicators of compromise, Kaspersky Industrial CyberSecurity for Linux Nodes uses IOC files prepared by the user. If you want to add an indicator of compromise manually, please see IOC file requirements. If the IOC file does not meet the requirements, the application will not be able to use it.
IDs of all IOC files used in an IOC Scan task must be unique. If you load multiple IOC files with the same ID, the application only uses one of those IOC files. The other IOC files will be automatically excluded.
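As an added illustration (not the application's own code or its IOC schema), the following Python sketch applies the two rules stated above: when several IOC files share an ID only the first loaded one is used, and files larger than 200 MB are not hashed. It assumes IOC files in an OpenIOC-style XML layout with `FileItem/Md5sum`, `FileItem/Sha1sum` and `FileItem/Sha256sum` hash terms; that layout, the helper names and all sample data are assumptions.

```python
import hashlib
import os
import xml.etree.ElementTree as ET

MAX_HASH_BYTES = 200 * 1024 * 1024  # files larger than 200 MB are not hashed
# Assumed OpenIOC-style hash terms mapped to hashlib algorithm names.
HASH_TERMS = {"FileItem/Md5sum": "md5", "FileItem/Sha1sum": "sha1",
              "FileItem/Sha256sum": "sha256"}


def make_ioc_xml(ioc_id, algo, digest):
    """Build a minimal constructed OpenIOC-style document (layout assumed)."""
    term = {v: k for k, v in HASH_TERMS.items()}[algo]
    return (f'<OpenIOC id="{ioc_id}"><criteria><Indicator operator="OR">'
            f'<IndicatorItem condition="is"><Context document="FileItem" search="{term}"/>'
            f'<Content type="{algo}">{digest}</Content></IndicatorItem>'
            f'</Indicator></criteria></OpenIOC>')


def load_ioc_files(xml_texts):
    """Return ({ioc_id: {(algo, hexdigest)}}, [excluded_ids]).
    IDs must be unique: a repeated id keeps the first file, later ones are excluded."""
    loaded, excluded = {}, []
    for text in xml_texts:
        root = ET.fromstring(text)
        ioc_id = root.get("id")
        if ioc_id in loaded:
            excluded.append(ioc_id)
            continue
        terms = set()
        for item in root.iter("IndicatorItem"):
            search = item.find("Context").get("search")
            if search in HASH_TERMS:  # only file-hash terms are handled here
                terms.add((HASH_TERMS[search], item.find("Content").text.strip().lower()))
        loaded[ioc_id] = terms
    return loaded, excluded


def hash_file(path, algo, limit=MAX_HASH_BYTES):
    """Hex digest of the file, or None when it exceeds the size limit (so it never matches)."""
    if os.path.getsize(path) > limit:
        return None
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root_dir, iocs, limit=MAX_HASH_BYTES):
    """Walk root_dir and return [(path, ioc_id)] for files whose hash matches a loaded term."""
    hits = []
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            path, digests = os.path.join(dirpath, name), {}
            for ioc_id, terms in iocs.items():
                for algo, expected in terms:
                    if algo not in digests:
                        digests[algo] = hash_file(path, algo, limit)
                    if digests[algo] == expected:
                        hits.append((path, ioc_id))
    return hits
```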