Exporting activity event data into a file of indicators of compromise

When viewing the details of an EDR incident, you can export data on its activity events to an IOC file so that the same activity can be detected during subsequent scans by EPP applications. For example, you can use the resulting IOC file in IOC search tasks run by the Endpoint Agent component.

To export activity event data to an IOC file:

  1. In the Events and incidents section, under Events, select an EDR incident (an event marked with the EDR icon) whose threat development chain contains the relevant activity events.

    The details area appears in the right part of the web interface window.

  2. In the details area, go to the All activity events tab and select the appropriate activity events.

    You can select activity events of the following types: File creation, Starting a process, or Registry change.

  3. Click Export to IOC file.
  4. In the window that opens, select the condition under which the indicators of compromise are considered detected:
    • OR (any IOC detected) if you want the IOC search task to be triggered when any one indicator of compromise from the IOC file is detected.
    • AND (all IOCs detected) if you want the IOC search task to be triggered only when every indicator of compromise from the IOC file is detected. A host that exhibits only some of the exported activity events will not trigger the task with this condition.
  5. View the information that will be exported to the IOC file.

    Export is available only if a non-zero value is displayed for at least one of the File creation, Starting a process, and Registry change counters. The Non-exportable field shows the number of selected activity events whose data cannot be exported to an IOC file; these events are not included in the file.

  6. Click Export.
  7. If file generation takes a long time (more than 15 seconds), the operation is moved to the background. In that case, download the file as follows:
    1. Click the background operations icon (an arrow pointing to a tray) in the application web interface menu.

      The list of background operations opens.

    2. Wait for the file generation operation to complete.
    3. Click Download file.

Your browser will save the downloaded file. Depending on your browser settings, your screen may show a window in which you can change the path and name of the saved file.
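The following Python script is an added example, not code from this page or from Kaspersky. It models the logic of the export dialog described above: it computes the counters shown in step 5 (one per exportable type plus Non-exportable), refuses to export when every exportable counter is zero, writes the exportable events into an IOC document whose top-level indicator carries the OR/AND condition chosen in step 4, and parses such a document back so a downloaded file can be checked before it is handed to an IOC search task. The XML layout follows OpenIOC 1.0 and the search terms in EXPORTABLE are my assumptions, since the page does not name the export format; the sample events are constructed.

```python
"""Added example (not Kaspersky's code): a model of the Export to IOC file step.

Assumption: the exported file is OpenIOC 1.0 XML. The page does not state the
format, so compare this layout against a real downloaded file before relying on it.
"""
import uuid
import xml.etree.ElementTree as ET

IOC_NS = "http://schemas.mandiant.com/2010/ioc"

# Activity event types the page lists as exportable, mapped to the OpenIOC
# document/search term assumed for each (assumption, not taken from the page).
EXPORTABLE = {
    "File creation": ("FileItem", "FileItem/FullPath"),
    "Starting a process": ("ProcessItem", "ProcessItem/path"),
    "Registry change": ("RegistryItem", "RegistryItem/Path"),
}

# Constructed sample of activity events selected on the All activity events tab.
SAMPLE_EVENTS = [
    {"type": "Starting a process", "value": r"C:\Users\Public\svchost.exe"},
    {"type": "File creation", "value": r"C:\Users\Public\svchost.exe"},
    {"type": "Registry change",
     "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"},
    {"type": "Network connection", "value": "203.0.113.10:443"},  # not exportable
    {"type": "Starting a process", "value": r"C:\Windows\Temp\a.exe"},
]


def export_counters(events):
    """Counters shown in step 5: one per exportable type plus Non-exportable."""
    counters = {name: 0 for name in EXPORTABLE}
    counters["Non-exportable"] = 0
    for ev in events:
        key = ev["type"] if ev["type"] in EXPORTABLE else "Non-exportable"
        counters[key] += 1
    return counters


def export_available(events):
    """Export is possible only if at least one exportable counter is non-zero."""
    counters = export_counters(events)
    return any(counters[name] for name in EXPORTABLE)


def build_ioc(events, condition, description="Exported from EDR incident"):
    """Return the IOC file text. condition is 'OR' (any IOC) or 'AND' (all IOCs)."""
    if condition not in ("OR", "AND"):
        raise ValueError("condition must be 'OR' or 'AND'")
    if not export_available(events):
        raise ValueError("nothing to export: all selected events are non-exportable")
    ET.register_namespace("", IOC_NS)
    ioc = ET.Element(f"{{{IOC_NS}}}ioc", id=str(uuid.uuid4()))
    ET.SubElement(ioc, f"{{{IOC_NS}}}short_description").text = description
    definition = ET.SubElement(ioc, f"{{{IOC_NS}}}definition")
    # The OR/AND choice from step 4 becomes the operator of the top-level Indicator.
    indicator = ET.SubElement(definition, f"{{{IOC_NS}}}Indicator",
                              operator=condition, id=str(uuid.uuid4()))
    for ev in events:
        if ev["type"] not in EXPORTABLE:
            continue  # counted as Non-exportable and left out of the file
        document, search = EXPORTABLE[ev["type"]]
        item = ET.SubElement(indicator, f"{{{IOC_NS}}}IndicatorItem",
                             id=str(uuid.uuid4()), condition="is")
        ET.SubElement(item, f"{{{IOC_NS}}}Context",
                      document=document, search=search, type="mir")
        ET.SubElement(item, f"{{{IOC_NS}}}Content", type="string").text = ev["value"]
    return ET.tostring(ioc, encoding="unicode")


def parse_ioc(xml_text):
    """Read an IOC file back: (top-level operator, [(search term, value), ...])."""
    ns = {"ioc": IOC_NS}
    root = ET.fromstring(xml_text)
    indicator = root.find("ioc:definition/ioc:Indicator", ns)
    items = [
        (item.find("ioc:Context", ns).get("search"), item.find("ioc:Content", ns).text)
        for item in indicator.findall("ioc:IndicatorItem", ns)
    ]
    return indicator.get("operator"), items


if __name__ == "__main__":
    print(export_counters(SAMPLE_EVENTS))
    text = build_ioc(SAMPLE_EVENTS, "OR")
    print(text)
    print(parse_ioc(text))
```

Running parse_ioc over a file you actually downloaded shows two things worth checking before scheduling the IOC search task: that the top-level operator matches the condition you picked (an AND file will only fire on hosts showing every indicator), and that the events reported as Non-exportable are indeed absent from the indicator list.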
