About the IOC Scan task

May 2, 2024

ID 220373

An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the device (data compromise). For example, repeated unsuccessful attempts to sign in to the system may constitute an Indicator of Compromise. The IOC Scan task lets you detect Indicators of Compromise on the device and perform threat response actions.

IOC files are used to search for IOCs. IOC files contain a set of indicators that are compared to the indicators of an event. If the compared indicators match, the EPP application considers the event to be alert. IOC files must conform to the OpenIOC standard.

Kaspersky Endpoint Detection and Response Optimum provides the following modes for running IOC Scan tasks:

  • Standard IOC Scan task

    A group or local task that is created and configured manually in Kaspersky Security Center Web Console. IOC files that you have prepared are used to run the tasks.

  • Autonomous IOC Scan task

    A group task that is automatically created when reacting to a threat detected by Kaspersky Sandbox. The EPP application automatically generates an IOC file. Operations with custom IOC files are not supported. Tasks are automatically deleted in seven days after the last start or after creation if tasks were never started. For more information about autonomous IOC Scan tasks, refer to the Kaspersky Sandbox Help.

When an IOC is detected on a device, Kaspersky Endpoint Detection and Response Optimum performs the specified response action. The following response actions are available for detected IOCs:

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.