You can use IOC files to search indicators of compromise in the event database and on computers with the Endpoint Agent component. For example, if you have received third-party information about a piece of malware currently spreading, you can:
You can view such events, and if you want Kaspersky Anti Targeted Attack Platform to generate alerts for selected events, you can create a TAA (IOA) rule.
If while scanning the computers, the Endpoint Agent component detects indicators of compromise, Kaspersky Anti Targeted Attack Platform generates an alert.
In distributed solution and multitenancy mode, IOC files can have the following types:
When creating the IOC file, review the list of IOC terms supported by the application that you are using in the Endpoint Agent role. You can view the list of supported IOC terms by downloading the files from the links below.
Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows
Kaspersky Endpoint Security 12 for Linux
Kaspersky Endpoint Security 11.4 for Linux does not support IOC files.
Users with the Senior security officer role can import, delete, download IOC files to their computer, enable or disable the search of indicators of compromise using IOC files, as well as configure the schedule for searching indicators of compromise on computers with the Endpoint Agent component.
Users with the Security officer and Security auditor roles can view the list of IOC files and information about the selected file, and export IOC files to their computer.