An Indicator of Compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to a device (compromised data). For example, an indicator of compromise could be a high number of failed login attempts. When Kaspersky Endpoint Security is integrated with Detection and Threat Response solutions, you can detect indicators of compromise on protected devices and perform threat response actions.
The IOC Scan functionality is available in the Kaspersky Endpoint Security application if one of the following conditions is satisfied:
When integrated with Kaspersky Endpoint Detection and Response (KATA), the IOC scan is performed in the Kaspersky Endpoint Detection and Response (KATA) solution.
When integrated with Kaspersky Endpoint Detection and Response Optimum, an IOC Scan is performed using the IOC Scan task. You can create IOC Scan tasks:
The IOC Scan task checks for IOC terms (properties of IOC objects, for example, a file hash) only in the operating system's main namespace. The IOC Scan task does not calculate hashes of files larger than 200 MB.
To search for indicators of compromise, Kaspersky Endpoint Security uses IOC files prepared by the user. If you want to add an indicator of compromise manually, please see IOC file requirements. If the IOC file does not meet the requirements, the application will not be able to use it.
IDs of all IOC files used in an IOC Scan task must be unique. If you load multiple IOC files with the same ID, the application only uses one of those IOC files. The other IOC files will be automatically excluded.
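The two constraints above, unique IOC IDs and the 200 MB hashing limit, are easy to check before a task is loaded. The following Python script is an added example and not Kaspersky code or output. It assumes the IOC files use the OpenIOC 1.0 XML format (root `<ioc id="...">` in the `http://schemas.mandiant.com/2010/ioc` namespace), which the page does not state, and it keeps the first file seen for each duplicated ID because the page does not say which of the duplicates the application retains. The `constructed_ioc` helper, the sample IDs and the MD5 terms are constructed for the example.

```python
"""Pre-flight checks for IOC files before loading them into an IOC Scan task (example)."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Assumption: IOC files are OpenIOC 1.0 documents; the page does not show the schema.
OPENIOC_NS = "http://schemas.mandiant.com/2010/ioc"

# Stated on the page: the IOC Scan task does not hash files larger than 200 MB.
MAX_HASH_SIZE = 200 * 1024 * 1024

# Constructed sample IDs and md5 terms (not real indicators).
ID_A = "11111111-1111-4111-8111-111111111111"
ID_B = "22222222-2222-4222-8222-222222222222"


def constructed_ioc(ioc_id: str, md5: str) -> str:
    """Build a minimal constructed OpenIOC document with a single md5 file term."""
    return f"""<ioc id="{ioc_id}" xmlns="{OPENIOC_NS}">
  <short_description>constructed sample</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">{md5}</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""


# Three constructed files; ioc_a.xml and ioc_a_copy.xml deliberately share an ID.
SAMPLE_IOC_FILES: Dict[str, str] = {
    "ioc_a.xml": constructed_ioc(ID_A, "d41d8cd98f00b204e9800998ecf8427e"),  # md5 of an empty file
    "ioc_a_copy.xml": constructed_ioc(ID_A, "0cc175b9c0f1b6a831c399e269772661"),  # duplicate ID
    "ioc_b.xml": constructed_ioc(ID_B, "900150983cd24fb0d6963f7d28e17f72"),
}


def parse_ioc(xml_text: str) -> Tuple[str, List[str]]:
    """Return (IOC id, md5 terms) for one document; raise ValueError on a malformed root."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{OPENIOC_NS}}}ioc":
        raise ValueError(f"unexpected root element {root.tag!r}")
    ioc_id = root.get("id")
    if not ioc_id:
        raise ValueError("IOC file has no id attribute")
    ns = {"o": OPENIOC_NS}
    terms = [(c.text or "").strip().lower()
             for c in root.findall(".//o:Content[@type='md5']", ns)]
    return ioc_id, terms


def select_unique_iocs(files: Dict[str, str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Keep the first file per ID (assumption) and report later files with the same ID."""
    kept: Dict[str, List[str]] = {}
    excluded: List[str] = []
    seen_ids: Dict[str, str] = {}
    for name, text in files.items():
        ioc_id, terms = parse_ioc(text)
        if ioc_id in seen_ids:
            excluded.append(name)  # would be silently dropped by the task; fix the ID instead
            continue
        seen_ids[ioc_id] = name
        kept[name] = terms
    return kept, excluded


def hash_for_scan(path: str) -> Optional[str]:
    """MD5 of a file, or None when it exceeds the 200 MB limit and would not be hashed."""
    if os.path.getsize(path) > MAX_HASH_SIZE:
        return None
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_file(path: str, kept: Dict[str, List[str]]) -> List[str]:
    """Names of the loaded IOC files whose md5 terms match the file at path."""
    digest = hash_for_scan(path)
    if digest is None:
        return []
    return [name for name, terms in kept.items() if digest in terms]


def run_demo() -> dict:
    """Run the checks on the constructed samples and match a temporary empty file."""
    kept, excluded = select_unique_iocs(SAMPLE_IOC_FILES)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        empty_path = tmp.name
    try:
        matches = match_file(empty_path, kept)
    finally:
        os.unlink(empty_path)
    return {"kept": sorted(kept), "excluded": excluded, "matches": matches}


if __name__ == "__main__":
    print(run_demo())
```

Running the script reports `ioc_a_copy.xml` as excluded for reusing the ID of `ioc_a.xml`, and the empty temporary file matches only `ioc_a.xml`, whose single md5 term is the digest of an empty file. Dropping the duplicate before loading, rather than letting the task discard it, keeps the operator aware of which indicators are actually in effect.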