Adding a threat to an IOC scan

When configuring regular scans for threats on devices or after a threat is already detected on one of your users' devices, you can add a threat to an IOC scan, so that it will check other devices for that threat.

To each IOC scan, you can add a maximum of 200 threats.

To add a threat to an IOC scan:

  1. Open Kaspersky Endpoint Security Cloud Management Console.
  2. Select the Security management → Endpoint Detection and Response section.
  3. Click the IOC scan button.
  4. Add a threat in either of the following ways:
    • To add a threat to Proactive scan, click the Add a threat button.
    • To add a threat to any scan, click the View link on the respective tile, and then click the Add button.

    The Add a threat window opens.

  5. Enter the threat name.
  6. If necessary, enter the threat description.
  7. Under Indicators of compromise (IOCs), specify IOCs of this threat:
    1. If you plan to specify two or more IOCs, in the Detection criteria list, select the detection criteria (the logical operator):
      • Match ANY of the following, if you want an alert to occur if at least one of the IOCs is found on a device (the OR logical operator).
      • Match ALL of the following, if you want an alert to occur only if all of the IOCs are found on a device simultaneously (the AND logical operator).
    2. Under Indicator 1, select the IOC type, and then specify its value.

      When adding a registry key as an IOC, start from a registry hive (for example, HKEY_LOCAL_MACHINE\Software\Microsoft).
      When you add a registry key as an IOC, the security application scans only some of the registry keys.

    3. If you want to add more IOCs to the threat, click + Add an indicator, and then specify another IOC.

      To each threat, you can add a maximum of 100 IOCs.

  8. Click Save to save the changes.

The threat is added to the selected IOC scan.
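The steps above define a threat as a named set of indicators joined by either the "Match ANY" (OR) or "Match ALL" (AND) criterion, with at most 200 threats per scan and 100 IOCs per threat, and require a registry-key IOC to start from a hive. The following Python model is an added example that mirrors those rules so you can check how a threat definition will behave before adding it in the console; it is not Kaspersky's code. The indicator type names, the device inventory layout, the hash, path, registry key and IP values, and the device names are all assumptions constructed for the example.

```python
"""Added example (not Kaspersky's code): a small evaluator for IOC-scan threat
definitions with the ANY (OR) / ALL (AND) criteria and the limits named on the page.
Indicator types, inventory format and all sample values are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

MAX_THREATS_PER_SCAN = 200   # limit stated on the page
MAX_IOCS_PER_THREAT = 100    # limit stated on the page
# Registry hives a registry-key IOC must start from (assumed list of standard hives).
REGISTRY_HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
                  "HKEY_USERS", "HKEY_CURRENT_CONFIG")


def is_valid_registry_key(value: str) -> bool:
    """True if the key starts from a hive, e.g. HKEY_LOCAL_MACHINE\\Software\\Microsoft."""
    return value.upper().startswith(REGISTRY_HIVES)


@dataclass(frozen=True)
class Indicator:
    ioc_type: str   # assumed type names: "file_hash", "file_path", "registry_key", "ip"
    value: str

    def __post_init__(self) -> None:
        if self.ioc_type == "registry_key" and not is_valid_registry_key(self.value):
            raise ValueError(f"registry key IOC must start from a hive: {self.value!r}")


@dataclass
class Threat:
    name: str
    criterion: str                      # "ANY" (OR) or "ALL" (AND)
    indicators: List[Indicator] = field(default_factory=list)
    description: str = ""

    def add_indicator(self, ioc: Indicator) -> None:
        if len(self.indicators) >= MAX_IOCS_PER_THREAT:
            raise ValueError(f"threat {self.name!r} already holds {MAX_IOCS_PER_THREAT} IOCs")
        self.indicators.append(ioc)

    def matches(self, inventory: Dict[str, Set[str]]) -> bool:
        """Apply the detection criterion to what was observed on one device.
        Comparison is case-insensitive because Windows paths and registry keys are."""
        hits = []
        for ioc in self.indicators:
            observed = {v.lower() for v in inventory.get(ioc.ioc_type, set())}
            hits.append(ioc.value.lower() in observed)
        if not hits:
            return False
        return any(hits) if self.criterion == "ANY" else all(hits)


@dataclass
class IocScan:
    name: str
    threats: List[Threat] = field(default_factory=list)

    def add_threat(self, threat: Threat) -> None:
        if len(self.threats) >= MAX_THREATS_PER_SCAN:
            raise ValueError(f"scan {self.name!r} already holds {MAX_THREATS_PER_SCAN} threats")
        if not threat.indicators:
            raise ValueError("a threat needs at least one indicator")
        self.threats.append(threat)

    def run(self, devices: Dict[str, Dict[str, Set[str]]]) -> Dict[str, List[str]]:
        """Return, per device, the names of the threats whose IOCs matched."""
        return {dev: [t.name for t in self.threats if t.matches(inv)]
                for dev, inv in devices.items()}


def build_sample_scan() -> IocScan:
    """Two constructed threats: one using Match ANY, one using Match ALL."""
    dropper = Threat("Dropper-X", "ANY", description="either artifact alone is enough")
    dropper.add_indicator(Indicator("file_hash", "aa11bb22cc33dd44ee55ff6600112233"))  # constructed
    dropper.add_indicator(Indicator("registry_key",
                                    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Updater"))
    beacon = Threat("Beacon-Y", "ALL", description="both artifacts must be present")
    beacon.add_indicator(Indicator("ip", "203.0.113.10"))            # documentation range, constructed
    beacon.add_indicator(Indicator("file_path", r"C:\ProgramData\svc.exe"))  # constructed
    scan = IocScan("Proactive scan")
    scan.add_threat(dropper)
    scan.add_threat(beacon)
    return scan


# Constructed per-device inventories: what a scan would observe on each device.
SAMPLE_DEVICES: Dict[str, Dict[str, Set[str]]] = {
    "laptop-01": {"file_hash": {"AA11BB22CC33DD44EE55FF6600112233"}, "ip": {"203.0.113.10"}},
    "server-02": {"file_path": {r"C:\ProgramData\svc.exe"}, "ip": {"203.0.113.10"}},
    "desktop-03": {},
}


def run_sample() -> Dict[str, List[str]]:
    return build_sample_scan().run(SAMPLE_DEVICES)


if __name__ == "__main__":
    for device, hits in run_sample().items():
        print(f"{device}: {hits or 'no threats matched'}")
```

Note how the criterion changes the outcome: laptop-01 carries only the hash, which is enough for the Match ANY threat, while server-02 carries both Beacon-Y artifacts but neither Dropper-X artifact, and a device with only the beacon IP would not trigger the Match ALL threat at all.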
