Managing user-defined IOC rules
You can use IOC files to search for indicators of compromise in the event database and on computers with the Endpoint Agent component. For example, if you have received third-party information about a piece of malware that is currently spreading, you can:
- Create an IOC file with indicators of compromise for the malware and upload it to the web interface of Kaspersky Anti Targeted Attack Platform.
- Find events corresponding to the criteria of the selected IOC file.
You can view such events, and if you want Kaspersky Anti Targeted Attack Platform to generate alerts for selected events, you can create a TAA (IOA) rule.
- Enable automatic use of the selected IOC file to search for indicators of compromise on computers with the Endpoint Agent component.
- If, while scanning the computers, the Endpoint Agent component detects indicators of compromise, Kaspersky Anti Targeted Attack Platform generates an alert.
You can find these alerts in the table of alerts by filtering by technology name.
- Configure the schedule for searching for indicators of compromise using IOC files on computers with the Endpoint Agent component.
In a deployment that uses a PCN server and SCN servers, IOC files can have the following types:
- Local—IOC files uploaded to an SCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the SCN server.
- Global—IOC files uploaded to the PCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the PCN server and all SCN servers connected to the PCN server.
An IOC file is a text file saved with the .ioc extension. When creating the IOC file, review the list of IOC terms supported by the application that you are using in the Endpoint Agent role. You can view the list of supported IOC terms by downloading the files from the links below.
Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows
Kaspersky Endpoint Security 12 for Linux
Kaspersky Endpoint Security 11.4 for Linux and Kaspersky Endpoint Security for Mac do not support IOC files.
Example of an IOC file for finding a file by its hash
<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="unique ID in the UUID format" last-modified="date of the last modification of the rule in the YYYY-MM-DDThh:mm:ss format" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>Rule name</short_description>
  <authored_by>Author name</authored_by>
  <authored_date>file creation date in the YYYY-MM-DDThh:mm:ss format</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="unique ID in the UUID format">
      <IndicatorItem id="unique ID in the UUID format" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
        <Content type="md5">MD5 hash of the file</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
Each IOC file can contain only one rule. The rule can be of any complexity.
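The sample above uses the OpenIOC 1.0 layout (the schemas.mandiant.com namespace). The Python script below is added here as a worked example; it is not part of Kaspersky's product or documentation. It generalizes the sample in one direction the page allows ("the rule can be of any complexity"): it builds a single .ioc file that matches any of several MD5 hashes, OR-joined under one top-level Indicator so the file still holds exactly one rule, and it checks a file against the constraints stated on this page before you upload it: well-formed XML with an <ioc> root, UUID ids, YYYY-MM-DDThh:mm:ss timestamps, one top-level rule, and MD5 content that really is a 32-hex-digit digest. The function names, the sample digests (MD5 of made-up byte strings, not real malware) and the set of checks are the example's own assumptions; it does not verify the search term against the platform's supported-term lists linked above.

```python
"""Build and sanity-check an OpenIOC 1.0 (.ioc) file of the shape shown on this page.

Added example, not Kaspersky code. Assumes only the XML layout of the sample
above (an <ioc> root, a <definition> holding Indicator/IndicatorItem elements)
and the FileItem/Md5sum search term that sample uses.
"""
import hashlib
import re
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"
DATE_FMT = "%Y-%m-%dT%H:%M:%S"
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Constructed sample digests (MD5 of made-up byte strings), not real malware hashes.
SAMPLE_MD5S = [
    hashlib.md5(b"constructed sample A").hexdigest(),
    hashlib.md5(b"constructed sample B").hexdigest(),
]


def _q(tag):
    """Tag name qualified with the OpenIOC namespace."""
    return f"{{{NS}}}{tag}"


def build_md5_ioc(name, author, md5s, when=None):
    """Return one .ioc document (bytes) matching any file whose MD5 is in md5s.

    All hashes sit under a single OR Indicator, so the file still contains
    exactly one rule, which is what the platform accepts per IOC file.
    """
    md5s = [h.strip().lower() for h in md5s]
    bad = [h for h in md5s if not MD5_RE.match(h)]
    if bad:
        raise ValueError(f"not an MD5 hex digest: {bad}")
    stamp = (when or datetime.now(timezone.utc)).strftime(DATE_FMT)

    ET.register_namespace("", NS)  # emit xmlns="..." as the default namespace, as in the sample
    root = ET.Element(_q("ioc"), {"id": str(uuid.uuid4()), "last-modified": stamp})
    ET.SubElement(root, _q("short_description")).text = name
    ET.SubElement(root, _q("authored_by")).text = author
    ET.SubElement(root, _q("authored_date")).text = stamp
    ET.SubElement(root, _q("links"))
    definition = ET.SubElement(root, _q("definition"))
    indicator = ET.SubElement(definition, _q("Indicator"),
                              {"operator": "OR", "id": str(uuid.uuid4())})
    for h in md5s:
        item = ET.SubElement(indicator, _q("IndicatorItem"),
                             {"id": str(uuid.uuid4()), "condition": "is"})
        ET.SubElement(item, _q("Context"),
                      {"document": "FileItem", "search": "FileItem/Md5sum", "type": "mir"})
        ET.SubElement(item, _q("Content"), {"type": "md5"}).text = h
    return ET.tostring(root, encoding="us-ascii", xml_declaration=True)


def check_ioc(data):
    """Check an .ioc document against the constraints this page states.

    Returns (ok, problems). The search term itself is not checked against the
    platform's supported-term list; consult the linked lists for that.
    """
    problems = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, [f"not well-formed XML: {exc}"]
    if root.tag != _q("ioc"):
        return False, [f"root element is {root.tag}, expected OpenIOC <ioc>"]

    # Every id the sample carries (ioc, Indicator, IndicatorItem) must be a UUID.
    for el in root.iter():
        if "id" in el.attrib:
            try:
                uuid.UUID(el.attrib["id"])
            except ValueError:
                problems.append(f"{el.tag.rpartition('}')[2]} id {el.attrib['id']!r} is not a UUID")

    # Timestamps use the YYYY-MM-DDThh:mm:ss form.
    for label, stamp in (("last-modified", root.get("last-modified", "")),
                         ("authored_date", root.findtext(_q("authored_date")) or "")):
        try:
            datetime.strptime(stamp, DATE_FMT)
        except ValueError:
            problems.append(f"{label} {stamp!r} is not YYYY-MM-DDThh:mm:ss")

    # One rule per file: exactly one top-level Indicator under <definition>.
    top = root.findall(f"{_q('definition')}/{_q('Indicator')}")
    if len(top) != 1:
        problems.append(f"expected exactly one top-level Indicator, found {len(top)}")

    # Each IndicatorItem needs a Context and a Content; MD5 content must be a digest.
    for item in root.iter(_q("IndicatorItem")):
        ctx, content = item.find(_q("Context")), item.find(_q("Content"))
        if ctx is None or content is None:
            problems.append("IndicatorItem without Context or Content")
        elif content.get("type") == "md5" and not MD5_RE.match((content.text or "").strip()):
            problems.append(f"{ctx.get('search')}: {content.text!r} is not an MD5 digest")
    return not problems, problems


def md5_terms(data):
    """Lower-cased MD5 digests that an .ioc file searches for."""
    root = ET.fromstring(data)
    return sorted(c.text.strip().lower() for c in root.iter(_q("Content"))
                  if c.get("type") == "md5" and c.text)


if __name__ == "__main__":
    doc = build_md5_ioc("Sample dropper by hash", "SOC analyst", SAMPLE_MD5S)
    print(doc.decode("ascii"))
    print(check_ioc(doc))
```

Run the script to print a ready-to-upload file; feed an existing .ioc file's bytes to check_ioc before importing it so that a malformed id or timestamp is caught on your side rather than by the upload. Hashes other than MD5 (for example SHA-256 terms) need a different Context search string and Content type, and whether they are accepted depends on the supported-term list for the Endpoint Agent application you use.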
Users with the Senior security officer role can import IOC files, delete them, download them to their computer, enable or disable the search for indicators of compromise using IOC files, and configure the schedule for searching for indicators of compromise on computers with the Endpoint Agent component.
Users with the Security officer and Security auditor roles can view the list of IOC files and information about a selected file, and export IOC files to their computer.