Viewing information about an IOC detection

To view information about an IOC detection:

  1. In the main window of Web Console, go to the Devices → Tasks section.
  2. In the window that opens, select the IOC scanning task.
  3. Go to the Application settings tab.
  4. Select the IOC scanning results section.

    This opens the IOC scanning results table.

  5. In the Computer drop-down list, select the workstations for which you want to view the results of the IOC scanning task.

    This displays a summary table of task results for the selected workstations.

    If indicators of compromise are found on a workstation, the Results column displays IOC detected.

  6. If you want to view detailed information about detected indicators of compromise on a specific workstation:
    1. Click IOC detected in the row that contains the name of the relevant workstation.

      This opens the IOC Results window with the list of all IOC files used by the task. If the selected workstation contains an object that matches a certain indicator of compromise, the Status column displays Matched.

    2. Click Matched in the row with the name of the relevant IOC file.

      The Alert Details window opens.

The processing results window for the IOC detection contains the following information:
