Adding a threat to an IoC scan
March 5, 2024
ID 231840
When you configure regular threat scans for devices, or after a threat has already been detected on one of your users' devices, you can add that threat to an IoC scan so that the scan checks other devices for it.
You can add a maximum of 200 threats to each IoC scan.
To add a threat to an IoC scan:
- Open Kaspersky Endpoint Security Cloud Management Console.
- Select the Security management → Endpoint Detection and Response section.
- Click the IoC scan button.
- Add a threat in either of the following ways:
- To add a threat to Proactive scan, click the Add a threat button.
- To add a threat to any scan, click the View link on the respective tile, and then click the Add button.
The Add a threat window opens.
- Enter the threat name.
- If necessary, enter the threat description.
- Under Indicators of compromise (IoCs), specify IoCs of this threat:
- If you plan to specify two or more IoCs, in the Detection criteria list, select the detection criteria (the logical operator):
- Match ANY of the following, if you want an alert to occur if at least one of the IoCs is found on a device (the OR logical operator).
- Match ALL of the following, if you want an alert to occur only if all of the IoCs are found on a device simultaneously (the AND logical operator).
- Under Indicator 1, select the IoC type, and then specify its value.
When you add a registry key as an IoC, start the value with a registry hive (for example, HKEY_LOCAL_MACHINE\Software\Microsoft).
Note that when a registry key is used as an IoC, Kaspersky Endpoint Security for Windows scans only some of the registry keys.
- If you want to add more IoCs to the threat, click + Add an indicator, and then specify another IoC.
You can add a maximum of 100 IoCs to each threat.
- Click Save to save the changes.
The threat is added to the selected IoC scan.
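The detection criteria described above (Match ANY as a logical OR, Match ALL as a logical AND over the threat's IoCs), the requirement that a registry-key IoC start with a hive, and the 200-threats-per-scan and 100-IoCs-per-threat limits, modeled as an added Python example. This is illustrative code written for this page, not Kaspersky Endpoint Security Cloud code or its API: the IoC type names (file_hash, registry_key), the per-device inventory format, the set of accepted hive names, and all sample values are assumptions constructed for the example.

```python
"""Added example: models a threat definition for an IoC scan and the
Match ANY / Match ALL detection criteria. Illustrative only; not Kaspersky
Endpoint Security Cloud code. IoC type names, the device inventory format
and the accepted hive names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set

MAX_THREATS_PER_SCAN = 200  # limit stated on the page
MAX_IOCS_PER_THREAT = 100   # limit stated on the page

# Standard Windows registry hive names. The page shows only HKEY_LOCAL_MACHINE
# as an example, so accepting all five is an assumption of this example.
REGISTRY_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
                  "HKEY_USERS", "HKEY_CURRENT_CONFIG"}


@dataclass(frozen=True)
class Indicator:
    ioc_type: str  # assumed type names: "file_hash" or "registry_key"
    value: str


@dataclass
class Threat:
    name: str
    indicators: List[Indicator]
    criteria: str = "ANY"  # "ANY" (OR) or "ALL" (AND), as in the Detection criteria list
    description: str = ""


def validate_threat(threat: Threat) -> List[str]:
    """Return the reasons a threat definition would be rejected (empty if valid)."""
    errors: List[str] = []
    if not threat.name.strip():
        errors.append("threat name is required")
    if not threat.indicators:
        errors.append("at least one indicator is required")
    if len(threat.indicators) > MAX_IOCS_PER_THREAT:
        errors.append(f"at most {MAX_IOCS_PER_THREAT} IoCs per threat")
    if threat.criteria not in ("ANY", "ALL"):
        errors.append("detection criteria must be ANY or ALL")
    for n, ind in enumerate(threat.indicators, 1):
        if ind.ioc_type == "registry_key":
            hive = ind.value.split("\\", 1)[0].upper()
            if hive not in REGISTRY_HIVES:
                errors.append(f"Indicator {n}: registry key must start with a hive, "
                              r"for example HKEY_LOCAL_MACHINE\Software\Microsoft")
    return errors


def _normalize(value: str) -> str:
    # Hex hashes and Windows registry paths are case-insensitive; compare lower-cased.
    return value.strip().lower()


def matches(threat: Threat, device: Dict[str, Set[str]]) -> bool:
    """Evaluate one threat against one device's observed artifacts.

    device maps an IoC type to the set of values observed on that device
    (a constructed inventory format, not a Kaspersky data structure)."""
    hits = []
    for ind in threat.indicators:
        observed = {_normalize(v) for v in device.get(ind.ioc_type, set())}
        hits.append(_normalize(ind.value) in observed)
    # Match ANY: alert if at least one IoC is present (OR).
    # Match ALL: alert only if every IoC is present simultaneously (AND).
    return any(hits) if threat.criteria == "ANY" else all(hits)


def add_threat(scan: List[Threat], threat: Threat) -> None:
    """Add a threat to an IoC scan, enforcing the page's limits and validation."""
    if len(scan) >= MAX_THREATS_PER_SCAN:
        raise ValueError(f"scan already holds {MAX_THREATS_PER_SCAN} threats")
    errors = validate_threat(threat)
    if errors:
        raise ValueError("; ".join(errors))
    scan.append(threat)


# Constructed sample data for the example (not real detections).
IOC_HASH = Indicator("file_hash", "9e107d9d372bb6826bd81d3542a419d6")
IOC_KEY = Indicator("registry_key",
                    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Updater")
ANY_THREAT = Threat("Suspicious updater (any)", [IOC_HASH, IOC_KEY], criteria="ANY")
ALL_THREAT = Threat("Suspicious updater (all)", [IOC_HASH, IOC_KEY], criteria="ALL")

# Device A has only the file; device B has the file and the persistence key.
DEVICE_A = {"file_hash": {"9E107D9D372BB6826BD81D3542A419D6"}, "registry_key": set()}
DEVICE_B = {"file_hash": {"9e107d9d372bb6826bd81d3542a419d6"},
            "registry_key": {r"hkey_local_machine\software\microsoft\windows\currentversion\run\updater"}}

if __name__ == "__main__":
    scan: List[Threat] = []
    add_threat(scan, ANY_THREAT)
    add_threat(scan, ALL_THREAT)
    for label, device in (("A", DEVICE_A), ("B", DEVICE_B)):
        print(label, [(t.name, matches(t, device)) for t in scan])
```

Running the block shows the practical difference between the two operators: device A (file present, no persistence key) triggers the ANY threat but not the ALL threat, while device B triggers both. Match ALL is the right choice when the IoCs only mean something together, such as a binary plus the registry entry that launches it; Match ANY is the right choice when each IoC is damning on its own.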