Autonomous IOC Scan tasks are group tasks that are created automatically in response to threats detected by Kaspersky Sandbox. Kaspersky Endpoint Agent generates the IOC file automatically. Operations with custom IOC files are not supported. Tasks are automatically deleted seven days after their last start, or seven days after creation if they were never started.
Only files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.
Autonomous IOC scanning tasks are automatically created on the Kaspersky Security Center server if the Run IOC Scan on a managed group of devices Threat Response action is configured in Kaspersky Endpoint Security policies.
You can configure the IOC scanning task, view task results, and export a file with IOC rules (IOC collection).
By default, autonomous IOC scanning tasks are stored on the Kaspersky Security Center server for 7 days after the last run. If the number of tasks exceeds 100, the tasks are rotated.
Kaspersky Endpoint Agent deletes the autonomous IOC scanning task regardless of which workstation the object was first detected on and whether the Threat Response action was executed. The deleted task becomes unavailable for all workstations in the administration group.
Unused autonomous IOC scanning tasks are deleted automatically. The user cannot configure the settings for automatic deletion of IOC scanning tasks.
If autonomous IOC scanning task deletion works incorrectly or you want to modify the behavior of the application, contact Kaspersky Technical Support.
By default, the autonomous IOC scanning task stores all types of events resulting from running group tasks. By default, IOC scanning task results are stored for 7 days.