Kaspersky Anti Targeted Attack Platform

Managing user-defined IOC rules

You can use IOC files to search for indicators of compromise in the event database and on computers with Kaspersky Endpoint Agent installed. For example, if you have received third-party information about a piece of malware that is spreading, you can:

  1. Upload an IOC file containing indicators of compromise corresponding to the malware to Kaspersky Anti Targeted Attack Platform.
  2. Find events corresponding to the criteria of the selected IOC file.

    You can view such events and, if you want Kaspersky Anti Targeted Attack Platform to generate alerts for selected events, create a TAA (IOA) rule.

  3. Enable automatic use of the selected IOC file to search for indicators of compromise on Kaspersky Endpoint Agent computers.

    If Kaspersky Anti Targeted Attack Platform discovers indicators of compromise while scanning the computers, it generates an alert.

  4. Configure the schedule for searching for indicators of compromise using IOC files on Kaspersky Endpoint Agent computers.

In distributed solution and multitenancy mode, IOC files can have the following types:

  • Local—IOC files uploaded to an SCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the SCN server.
  • Global—IOC files uploaded to the PCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the PCN server and all SCN servers connected to the PCN server.

The list of supported OpenIOC indicators of compromise is available as a downloadable file in the online help. Indicator items that use terms outside this list are not searched for, so check a third-party IOC file against the list before uploading it.

Users with the Senior security officer role can upload, delete, and download IOC files to their computer, enable or disable searching for indicators of compromise using IOC files, and configure the schedule for searching for indicators of compromise on computers with Kaspersky Endpoint Agent installed.

Users with the Security officer and Security auditor roles can view the list of IOC files and information about a selected file, and download IOC files to their computer.

In this section

Viewing the table of IOC files

Viewing information about an IOC file

Uploading an IOC file

Downloading an IOC file to a computer

Enabling and disabling the automatic use of an IOC file when scanning hosts

Deleting an IOC file

Searching for alerts in IOC scan results

Searching for events using an IOC file

Filtering and searching IOC files

Clearing an IOC file filter

Configuring an IOC scan schedule

[Topic 194908]

Viewing the table of IOC files

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

The table of IOC files contains information about the IOC files used for scanning computers with Kaspersky Endpoint Agent installed. The table is in the Custom rules section, IOC subsection of the program web interface window.

The table of IOC files contains the following information:

  1. Importance (shown as an icon)—Importance level that will be assigned to an alert generated using this IOC file.

    The importance level can have one of the following values:

    • Low importance.
    • Medium importance.
    • High importance.
  2. Type—Type of IOC file depending on the program operating mode and the server to which the IOC file was uploaded:
    • Local—IOC files uploaded to an SCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the SCN server.
    • Global—IOC files uploaded to the PCN server. These IOC files are used to search for indicators of compromise on Kaspersky Endpoint Agent hosts connected to the PCN server and all SCN servers connected to the PCN server.
  3. Name—Name of the IOC file.
  4. Servers—Name of the server with the Central Node component.
  5. Autoscan—Whether the IOC file is used when automatically scanning Kaspersky Endpoint Agent hosts. Host scanning using this IOC file can have one of the following statuses:
    • Enabled
    • Disabled

[Topic 194910]

Viewing information about an IOC file

To view IOC file details:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Select the IOC file for which you want to view information.

This opens a window containing information about the IOC file.

The window contains the following information:

  • Clicking the Find alerts link opens the Alerts section with the filter condition populated with the name of your selected IOC file.
  • Clicking the Find events link opens the Threat Hunting section with the search condition populated with indicators of compromise of your selected IOC file.
  • Clicking the Download link opens the IOC file download window.
  • Autoscan—Whether the IOC file is used when automatically scanning Kaspersky Endpoint Agent hosts.
  • Name—Name of the IOC file.
  • Importance—Importance level that will be assigned to an alert generated using this IOC file.

    The importance level can have one of the following values:

    • Low importance.
    • Medium importance.
    • High importance.
  • Apply to—Name of the tenant and names of the servers whose events are scanned using this IOC file (in distributed solution and multitenancy mode).
  • XML—Displays the IOC file contents in XML format.

[Topic 196138]

Uploading an IOC file

IOC files having UserItem properties for domain users are not supported.

To upload an IOC file:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Click Upload.

    This opens the file selection window on your local computer.

  3. Select the file that you want to upload and click Open.
  4. Specify the following parameters:
    1. Autoscan—Whether the IOC file is used when automatically scanning Kaspersky Endpoint Agent hosts:
      • Enabled
      • Disabled
    2. Name—Name of the IOC file.
    3. Importance—Importance level that will be assigned to an alert generated using this IOC file:
      • Low.
      • Medium.
      • High.
    4. Apply to—Name of the tenant and names of the servers which you want to scan using this IOC file (in distributed solution and multitenancy mode).
  5. Click Save.

The IOC file will be uploaded in XML format.

[Topic 196139]

Downloading an IOC file to a computer

You can download a previously uploaded IOC file to a computer.

To download an IOC file:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Select the IOC file that you want to download.

    This opens a window containing information about the IOC file.

  3. Click the Download link. Depending on your browser settings, the file is saved to the default downloads folder or you are prompted to choose a folder in which to save it.

The IOC file is saved to the computer.

[Topic 196140]

Enabling and disabling the automatic use of an IOC file when scanning hosts

You can enable or disable the automatic use of an IOC file for searching for indicators of compromise on Kaspersky Endpoint Agent hosts.

To enable or disable the automatic use of an IOC file for searching for indicators of compromise on Kaspersky Endpoint Agent hosts:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. In the row containing the IOC file whose use you want to enable or disable, in the Autoscan column, set the toggle switch to one of the following positions:
    • Enabled
    • Disabled

Automatic use of the IOC file for searching for indicators of compromise on Kaspersky Endpoint Agent hosts is enabled or disabled accordingly.

Users with the Security auditor and Security officer roles cannot enable or disable automatic use of an IOC file when scanning hosts.

[Topic 196141]

Deleting an IOC file

To delete an IOC file:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Select the IOC file that you want to delete.

    This opens a window containing information about the IOC file.

  3. Click Delete.

The IOC file will be deleted.

Users with the Security auditor and Security officer roles cannot delete IOC files.

[Topic 196142]

Searching for alerts in IOC scan results

To find and view scan results for the selected IOC file:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Select the IOC file for which you want to view scan results.

    This opens a window containing information about the IOC file.

  3. Click Find alerts to go to the alert database.

    The alert table opens in a new browser tab with the filter condition populated with the name of the selected IOC file.

You can also view scan results for all IOC files at once by filtering the alert table by technology name.

[Topic 196137]

Searching for events using an IOC file

To view events found using an IOC file:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Select the IOC file to use for searching for events in the event database.

    This opens a window containing information about the IOC file.

  3. Click Find events to go to the event database.

    The event table opens in a new browser tab with the search condition populated with the indicators of compromise from the selected IOC file.
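The two checks a practitioner wants around this workflow are: before uploading (see "Uploading an IOC file"), confirm that the file contains no UserItem terms and no terms outside the supported OpenIOC list; and after uploading, understand what "Find events" evaluates, namely the AND/OR tree of IndicatorItem conditions against each event record. The following script is an added example and is not code from Kaspersky or from the product. It parses an OpenIOC 1.0 or 1.1 file, validates its search terms against an allow-list, and evaluates the indicator logic against flat event records. The SUPPORTED_TERMS set, the sample IOC file and the sample events are constructed for the example; the real supported-term list is the downloadable file referenced above, and the platform's own matching rules are not published on this page.

```python
"""Added example (not Kaspersky code): validate an OpenIOC file and
evaluate its indicator logic against event records."""
import xml.etree.ElementTree as ET

# Constructed sample OpenIOC 1.1 file: OR of an MD5 match and an
# (file name AND DNS host) pair. All values are dummies.
SAMPLE_IOC = """<?xml version="1.0" encoding="utf-8"?>
<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="example-ioc-0001">
  <short_description>Example dropper (constructed)</short_description>
  <criteria>
    <Indicator operator="OR" id="i-root">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i-sub">
        <IndicatorItem id="ii-2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">update_svc.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="ii-3" condition="is">
          <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
          <Content type="string">c2.example.invalid</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </criteria>
</OpenIOC>
"""

# Hypothetical allow-list; replace with the supported-term file from the online help.
SUPPORTED_TERMS = {
    "FileItem/Md5sum", "FileItem/Sha256sum", "FileItem/FileName", "FileItem/FilePath",
    "ProcessItem/name", "DnsEntryItem/Host", "RegistryItem/Path", "RegistryItem/Value",
}

def _local(tag):
    """Strip the XML namespace so OpenIOC 1.0 and 1.1 parse the same way."""
    return tag.rsplit("}", 1)[-1]

def parse_ioc(xml_text):
    """Return (outermost <Indicator> element, list of search terms in document order)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    terms = []
    for item in root.iter():
        if _local(item.tag) == "IndicatorItem":
            ctx = next(c for c in item if _local(c.tag) == "Context")
            terms.append(ctx.get("search"))
    top = next(e for e in root.iter() if _local(e.tag) == "Indicator")
    return top, terms

def validate_terms(terms, supported=SUPPORTED_TERMS):
    """Report UserItem terms (documented as unsupported) and terms outside the allow-list."""
    problems = []
    for t in terms:
        if t.split("/")[0] == "UserItem":
            problems.append(f"unsupported: {t} (UserItem is not supported)")
        elif t not in supported:
            problems.append(f"not in supported-term list: {t}")
    return problems

def _item_matches(item, event):
    """Evaluate one IndicatorItem (conditions 'is' / 'contains', optional negate)."""
    ctx = next(c for c in item if _local(c.tag) == "Context")
    content = next(c for c in item if _local(c.tag) == "Content")
    term, cond = ctx.get("search"), item.get("condition", "is")
    wanted = (content.text or "").strip().lower()
    observed = str(event.get(term, "")).lower()
    if cond == "is":
        hit = observed == wanted
    elif cond == "contains":
        hit = wanted in observed
    else:  # conditions not modelled here (matches, starts-with, ...) are treated as no match
        hit = False
    return (not hit) if item.get("negate") == "true" else hit

def evaluate(indicator, event):
    """Recursively evaluate an <Indicator> AND/OR tree against one event record."""
    op = indicator.get("operator", "OR").upper()
    results = []
    for child in indicator:
        if _local(child.tag) == "Indicator":
            results.append(evaluate(child, event))
        elif _local(child.tag) == "IndicatorItem":
            results.append(_item_matches(child, event))
    if not results:
        return False
    return all(results) if op == "AND" else any(results)

def find_events(xml_text, events):
    """Return the ids of the events that satisfy the IOC logic."""
    top, _ = parse_ioc(xml_text)
    return [e["id"] for e in events if evaluate(top, e)]

# Constructed event records, flattened to the same term -> value shape as the IOC.
SAMPLE_EVENTS = [
    {"id": 1, "FileItem/Md5sum": "0123456789ABCDEF0123456789abcdef"},
    {"id": 2, "FileItem/FileName": "C:\\Temp\\update_svc.exe"},  # name only: AND branch fails
    {"id": 3, "FileItem/FileName": "update_svc.exe", "DnsEntryItem/Host": "c2.example.invalid"},
    {"id": 4, "ProcessItem/name": "notepad.exe"},
]

if __name__ == "__main__":
    _, terms = parse_ioc(SAMPLE_IOC)
    print("problems:", validate_terms(terms))
    print("matching events:", find_events(SAMPLE_IOC, SAMPLE_EVENTS))
```

Run it against a third-party file by replacing SAMPLE_IOC with the file's contents: a non-empty result from validate_terms means the file would be rejected or silently matched on fewer items than its author intended. Note that event 2 does not match even though the file name matches, because the sub-Indicator is an AND and the DNS term is absent, which is the same reason a partial indicator set in the real event database produces no hit.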

[Topic 211279]

Filtering and searching IOC files

To filter or search for IOC files by required criteria:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Do the following depending on the filtering criterion:
    • By importance
      1. Click the Importance icon in the table header to open the filter configuration window for IOC files.
      2. Select one or several of the following importance levels:
        • Low.
        • Medium.
        • High.
      3. Click Apply.
    • By file name
      1. Click the Name link to open the IOC file filter configuration window.
      2. Enter one or more characters of the IOC file name.
      3. Click Apply.
    • By the state of the automatic scan (enabled / disabled)
      1. Click the Autoscan link to open the filter configuration window for IOC files.
      2. Select one of the following options:
        • Enabled
        • Disabled

The table of IOC files will display only IOC files that match the filter criteria you have set.

You can use multiple filters at the same time.

[Topic 196143]

Clearing an IOC file filter

To clear the IOC file filter for one or more filtering criteria:

  1. In the window of the program web interface, select the Custom rules section, IOC subsection.

    This opens the table of IOC files.

  2. Click the clear-filter icon to the right of the header of the IOC file table column for which you want to clear the filtering conditions.

    If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.

The selected filters are cleared.

The table of IOC files displays only the IOC files that match the filter conditions that remain; if no filters remain, all IOC files are displayed.

[Topic 196144]

Configuring an IOC scan schedule

You can configure the schedule for searching for indicators of compromise using IOC files on Kaspersky Endpoint Agent hosts.

To configure the schedule for searching for indicators of compromise using IOC files on Kaspersky Endpoint Agent hosts:

  1. In the window of the program web interface, select the Settings section, Endpoint Agents subsection, IOC scanning schedule section.
  2. In the Start time drop-down lists, select the start time of the indicator of compromise search.
  3. In the Maximum scan duration drop-down list, select a time limit for completing the indicator of compromise search.
  4. Click Apply.

The new schedule for searching for indicators of compromise using IOC files on Kaspersky Endpoint Agent hosts becomes active immediately after the changes are saved. Results of the indicator of compromise search are displayed in the alert table.

Users with Security auditor and Security officer roles cannot configure the schedule for searching for indicators of compromise using IOC files on Kaspersky Endpoint Agent hosts.

[Topic 194911]