Kaspersky Endpoint Security 12 for Mac

Scan for indicators of compromise

July 2, 2024

ID 276091

An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the computer (a compromise). For example, a large number of failed attempts to sign in to the system can constitute an Indicator of Compromise. The IOC Scan task finds Indicators of Compromise on the computer and lets you take threat response measures.

Kaspersky Endpoint Security searches for indicators of compromise using IOC files. An IOC file contains a set of indicators; the application compares objects on the computer against these indicators and registers a detection when they match. IOC files must conform to the OpenIOC standard.

IOC Scan task run mode

Kaspersky Endpoint Detection and Response lets you create standard IOC Scan tasks to detect compromised data. A standard IOC Scan task is a group or local task that you create and configure manually in the Web Console. The task runs using IOC files that you prepare yourself. If you want to add an indicator of compromise manually, read the requirements for IOC files first.

Creating an IOC Scan task

You can create IOC Scan tasks manually:

  • In alert details (only for EDR Optimum).

    Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details include, for example, the history of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help.

  • Using the Task Wizard.

To create an IOC Scan task:

  1. In the main window of the Web Console, select Devices > Tasks.

    The list of tasks opens.

  2. Click Add.

    The New task wizard starts.

  3. Configure the task settings:
    1. In the Application drop-down list, select Kaspersky Endpoint Security for Mac (12.1).
    2. In the Task type drop-down list, select IOC Scan.
    3. In the Task name field, enter a brief description.
    4. In the Select devices to which the task will be assigned block, select the task scope.
  4. Select devices according to the selected task scope option.
  5. In the IOC Scan settings section, load the IOC files to search for indicators of compromise.

    After loading the IOC files, you can view the list of indicators from IOC files.

    Note: Adding or removing IOC files after the task has run is not recommended. This can cause the IOC scan results for prior runs of the task to display incorrectly. To search for indicators of compromise using new IOC files, create a new task instead.

  6. Configure actions on IOC detection:
    • Isolate computer from the network. If this option is selected, Kaspersky Endpoint Security isolates the computer from the network to prevent the threat from spreading. You can configure the duration of the isolation in Endpoint Detection and Response component settings.
    • Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine.
    • Run scan of critical areas. If this option is selected, Kaspersky Endpoint Security runs the Quick Scan task. By default, Kaspersky Endpoint Security scans the memory, startup objects, and system folders.
  7. Go to the Advanced section.
  8. Select data types (IOC documents) that must be analyzed as part of the task.

    Note: Kaspersky Endpoint Security automatically selects data types (IOC documents) for the IOC Scan task in accordance with the content of loaded IOC files. It is not recommended to deselect data types.

    You can additionally configure scan scopes for the following data types:

    • Files - FileItem
    • User accounts - UserItem
    • Hosts - SystemInfoItem
  9. Click OK.
  10. Enter the account credentials of the user whose rights you want to use to run the task. Click Next.

    Note: By default, Kaspersky Endpoint Security starts the task as the system user account (root).

  11. At the Finish task creation step, click the Finish button to create the task and close the wizard.

    If you enabled the Open task details when creation is complete option, the task settings window opens. In this window, you can check the task parameters, modify them, or configure a task start schedule, if necessary.

  12. Click the new task.

    The task properties window opens.

  13. Select the Schedule tab.
  14. Configure the task schedule.

    Note: Make sure the computer is turned on to run the task.

  15. Click the Save button.
  16. To run the task immediately regardless of the configured schedule, do the following:
    1. Select the checkbox next to the task.
    2. Click the Run button.

    As a result, Kaspersky Endpoint Security runs the search for indicators of compromise on the computer. You can view the results of the task in task properties in the Results section. You can view the information about detected indicators of compromise in the task properties: Application settings > IOC Scan Results.

Note: IOC scan results are kept for 30 days. After this period, Kaspersky Endpoint Security automatically deletes the oldest entries.
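The following is an added example, not code from this page or from Kaspersky. It builds a constructed OpenIOC 1.0 file of the kind the IOC Scan task consumes and sanity-checks it before you load it in step 5 of the wizard: it confirms the root element and namespace, checks that each indicator item carries a Context and Content, validates hash values against the length their declared type implies, and reports which data types (IOC documents, such as FileItem and UserItem) the file references, which is what the Advanced section auto-selects in step 8. The hashes, identifiers and account name are placeholders; the search terms (FileItem/Md5sum, FileItem/Sha256sum, UserItem/Username) are standard OpenIOC 1.0 terms, and whether the Mac agent matches each of them is an assumption here, not something this page states. Consult the IOC file requirements for the terms the application supports.

```python
"""Build and sanity-check an OpenIOC 1.0 file before loading it into an IOC Scan task."""
import re
import xml.etree.ElementTree as ET

OPENIOC_NS = "http://schemas.mandiant.com/2010/ioc"
# Data types (IOC documents) listed in the task wizard's Advanced section.
KNOWN_DOCUMENTS = {"FileItem", "UserItem", "SystemInfoItem"}

# Constructed sample: two placeholder file hashes OR'd with a placeholder account name.
# Assumption: the Mac agent matches these standard OpenIOC 1.0 search terms.
SAMPLE_IOC = f"""<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="{OPENIOC_NS}" id="11111111-2222-3333-4444-555555555555" last-modified="2024-07-02T00:00:00">
  <short_description>Constructed example: dropper hashes and rogue account</short_description>
  <authored_by>example</authored_by>
  <authored_date>2024-07-02T00:00:00</authored_date>
  <links/>
  <definition>
    <Indicator operator="OR" id="aaaaaaaa-0000-0000-0000-000000000001">
      <IndicatorItem id="aaaaaaaa-0000-0000-0000-000000000002" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">a1b2c3d4e5f60718293a4b5c6d7e8f90</Content>
      </IndicatorItem>
      <IndicatorItem id="aaaaaaaa-0000-0000-0000-000000000003" condition="is">
        <Context document="FileItem" search="FileItem/Sha256sum" type="mir"/>
        <Content type="sha256">00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff</Content>
      </IndicatorItem>
      <IndicatorItem id="aaaaaaaa-0000-0000-0000-000000000004" condition="is">
        <Context document="UserItem" search="UserItem/Username" type="mir"/>
        <Content type="string">_svcbackup</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# Expected hex length for hash-typed Content values.
HASH_SHAPE = {"md5": r"[0-9a-fA-F]{32}", "sha1": r"[0-9a-fA-F]{40}", "sha256": r"[0-9a-fA-F]{64}"}


def check_ioc(xml_text):
    """Return (documents, errors): the IOC documents the file references and any problems found."""
    errors = []
    documents = set()
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{OPENIOC_NS}}}ioc":
        errors.append(f"root element is {root.tag}, expected OpenIOC <ioc>")
        return documents, errors
    # Logical operators: OpenIOC 1.0 only allows AND / OR on Indicator nodes.
    for ind in root.iter(f"{{{OPENIOC_NS}}}Indicator"):
        if ind.get("operator") not in ("AND", "OR"):
            errors.append(f"Indicator {ind.get('id')}: operator must be AND or OR")
    for item in root.iter(f"{{{OPENIOC_NS}}}IndicatorItem"):
        iid = item.get("id")
        ctx = item.find(f"{{{OPENIOC_NS}}}Context")
        content = item.find(f"{{{OPENIOC_NS}}}Content")
        if ctx is None or content is None:
            errors.append(f"IndicatorItem {iid}: missing Context or Content")
            continue
        doc = ctx.get("document")
        documents.add(doc)
        if doc not in KNOWN_DOCUMENTS:
            errors.append(f"IndicatorItem {iid}: document {doc!r} is not a scannable data type")
        # A search term must belong to the document it is declared under (e.g. FileItem/Md5sum).
        if not (ctx.get("search") or "").startswith(f"{doc}/"):
            errors.append(f"IndicatorItem {iid}: search term does not belong to document {doc}")
        # Hash-typed content must have the right hex length or it can never match.
        shape = HASH_SHAPE.get(content.get("type", ""))
        value = (content.text or "").strip()
        if shape and not re.fullmatch(shape, value):
            errors.append(f"IndicatorItem {iid}: malformed {content.get('type')} value {value!r}")
    return documents, errors


if __name__ == "__main__":
    docs, errs = check_ioc(SAMPLE_IOC)
    print("documents the task will select:", sorted(docs))
    print("errors:", errs or "none")
```

Run the check on every IOC file before loading it: a truncated hash or a search term filed under the wrong document silently yields zero detections rather than an error, and, as the note above says, fixing the file after the task has run means creating a new task.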
