Kaspersky Industrial CyberSecurity Endpoint Detection and Response

About IOC Scan

September 9, 2022

ID 231340

An indicator of compromise (IOC) is a set of data about an object or activity that indicates unauthorized access to the device (data compromise). For example, a large number of unsuccessful attempts to sign in to the system can constitute an indicator of compromise. The IOC Scan task lets you find indicators of compromise on the device and perform threat response actions.

IOC files are used to search for IOCs. An IOC file contains a set of indicators that are compared to the indicators of an event. If the compared indicators match, the EPP application considers the event an alert. IOC files must conform to the OpenIOC standard.
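To make the OpenIOC comparison concrete, here is an added example (not Kaspersky's matching engine or any vendor-supplied IOC): a constructed OpenIOC 1.1 file with nested AND/OR indicators is evaluated against constructed events, and each event whose fields satisfy the tree is reported as an alert. The field paths, event records and the two conditions handled (`is`, `contains`) are assumptions for illustration; real OpenIOC files also use conditions such as `matches` and `starts-with`.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://openioc.org/schemas/OpenIOC_1.1"}
CONDITIONS = {"is": lambda value, c: value == c, "contains": lambda value, c: c in value}

# Constructed OpenIOC 1.1 file (not a Kaspersky-supplied IOC): alert when
# svchost.exe runs outside System32, or when a host resolves a known-bad name.
IOC_XML = """<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="example-ioc">
<criteria><Indicator operator="OR" id="top">
  <Indicator operator="AND" id="masquerade">
    <IndicatorItem id="i1" condition="is">
      <Context document="FileItem" search="FileItem/FileName" type="mir"/>
      <Content type="string">svchost.exe</Content>
    </IndicatorItem>
    <IndicatorItem id="i2" condition="contains" negate="true">
      <Context document="FileItem" search="FileItem/FilePath" type="mir"/>
      <Content type="string">\\Windows\\System32\\</Content>
    </IndicatorItem>
  </Indicator>
  <IndicatorItem id="i3" condition="is">
    <Context document="Network" search="Network/DNS" type="mir"/>
    <Content type="string">bad.example.invalid</Content>
  </IndicatorItem>
</Indicator></criteria></OpenIOC>"""

# Constructed events, keyed by the same "search" paths the IOC uses.
EVENTS = [
    {"id": "e1", "FileItem/FileName": "svchost.exe", "FileItem/FilePath": "C:\\Windows\\System32\\svchost.exe"},
    {"id": "e2", "FileItem/FileName": "svchost.exe", "FileItem/FilePath": "C:\\Users\\Public\\svchost.exe"},
    {"id": "e3", "Network/DNS": "bad.example.invalid"},
    {"id": "e4", "Network/DNS": "updates.example.org"},
]

def item_matches(item, event):
    """Evaluate one IndicatorItem; a field absent from the event never matches, even when negated."""
    value = event.get(item.find("o:Context", NS).get("search"))
    if value is None:
        return False
    hit = CONDITIONS[item.get("condition")](value, item.find("o:Content", NS).text or "")
    return not hit if item.get("negate") == "true" else hit

def indicator_matches(node, event):
    """Recursively combine child results with the node's AND/OR operator."""
    results = [item_matches(c, event) if c.tag.endswith("IndicatorItem")
               else indicator_matches(c, event) for c in node]
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)

def scan(ioc_xml=IOC_XML, events=EVENTS):
    """Return the ids of events that match the IOC's top-level Indicator."""
    top = ET.fromstring(ioc_xml).find("o:criteria/o:Indicator", NS)
    return [e["id"] for e in events if indicator_matches(top, e)]
```

Only `e2` (svchost.exe outside System32) and `e3` (the bad DNS name) become alerts; `e1` is cleared by the negated path check.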

Kaspersky Industrial CyberSecurity Endpoint Detection and Response provides an IOC Scan task. It is a group or local task that is created and configured manually in Kaspersky Security Center Web Console. The IOC files that you prepared are used to run the task.

When an IOC is detected on a device, Kaspersky Industrial CyberSecurity Endpoint Detection and Response performs the specified response action. The following response actions are available for the detected IOCs:

When responding to threats, Kaspersky Industrial CyberSecurity Endpoint Detection and Response can automatically create IOC Scan tasks. You can also create a task manually from the alert details window or in Kaspersky Endpoint Agent.
