Kaspersky Anti Targeted Attack Platform

Managing IOC Scan tasks in Kaspersky Endpoint Agent

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

This section describes how to manage IOC Scan tasks in Kaspersky Endpoint Agent using Kaspersky Endpoint Agent Management plugin.


About IOC Scan tasks in Kaspersky Endpoint Agent

When executing IOC Scan tasks, Kaspersky Endpoint Agent uses IOC files (files in the open OpenIOC description standard) to search for indicators of compromise on devices.

Kaspersky Endpoint Agent supports the following types of IOC Scan tasks:

  • Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.
  • IOC scan by IOC files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface allows application users to use IOC files to search for signs of targeted attacks, as well as infected and probably infected objects in the event and detection database, and also to scan computers on which Kaspersky Endpoint Agent is installed.

Different tasks are managed in different ways and have different configurable settings and task scopes. A description of each type of IOC Scan task is provided in the table below.

IOC Scan task types

Standard IOC Scan tasks

  Task description:

  These tasks are created and configured manually in Kaspersky Security Center or using the command line interface, without integration with third-party systems.

  IOC files prepared by the user are used to run the tasks.

  The task settings do not depend on the policy settings.

  The Retrospective IOC scan mode is available for these tasks.

  You can specify the following actions as responses to detected IOCs (not available when running the tasks from the command line):

    • Run on-demand scan tasks using EPP on the device.
    • Enable network isolation of the device.

  Viewing reports is available both in the task execution results as a summary table and in the .

  Task scope: Local or group

IOC Scan by IOC files downloaded manually via Kaspersky Anti Targeted Attack Platform web interface

  Task description:

  IOC files are downloaded manually via Kaspersky Anti Targeted Attack Platform web interface. It is also possible to configure the IOC scan schedule for computers with Kaspersky Endpoint Agent in the web interface of Kaspersky Anti Targeted Attack Platform.

  Task management using Kaspersky Security Center or using the command line is not supported.

  No actions are automatically performed when an IOC is detected.

  Task settings do not depend on Kaspersky Endpoint Agent policies.

  Task scope: Not applicable

The results of group IOC Scan task execution can be viewed in Kaspersky Security Center for 7 days after the task is executed, or until the task is removed.


Managing IOC Scan tasks in Kaspersky Endpoint Agent

You can manage IOC Scan tasks using Kaspersky Security Center or using the Kaspersky Endpoint Agent command line interface, and you can also download IOC files and configure the IOC scan schedule in the Kaspersky Anti Targeted Attack Platform web interface. The description of each IOC Scan task type and information on the available management capabilities for IOC Scan tasks are shown in the table below.

Managing IOC Scan tasks

Standard IOC Scan task

  Using the Central Node component: Task management is not applicable.

IOC Scan task created by Central Node

  Using Kaspersky Security Center: Task management is not applicable.

  Using the Central Node component: Downloading IOC files, configuring the IOC scan schedule.

  Using the command line interface: Task management is not applicable.


Managing Standard IOC Scan tasks


Standard IOC Scan tasks are group or local tasks that are created and configured manually in Kaspersky Security Center or through the command line interface. IOC files prepared by the user are used to run the tasks.

Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

This section provides instructions on how to manage Standard IOC Scan tasks.


Requirements for IOC files


When creating IOC Scan tasks, consider the following requirements and limitations related to IOC files:

  • Kaspersky Endpoint Agent supports IOC files with the ioc and xml extensions. These files use the open standard for IOC description, OpenIOC versions 1.0 and 1.1.
  • Only files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.
  • If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent, then when the task starts the application uses only the supported IOC files.
  • If, when creating the IOC Scan task, none of the uploaded IOC files is supported by Kaspersky Endpoint Agent, the task can still be started, but no indicators of compromise will be detected as a result of its execution.
  • Semantic errors, and IOC terms and tags that the application does not support, do not cause task execution errors. The application simply does not detect matches in such sections of the IOC files.
  • Identifiers of all IOC files that are used in the same IOC Scan task must be unique. IOC files with the same identifier can affect the correctness of the task execution results.
  • The size of a single IOC file must not exceed 3 MB. Using larger files results in the failure of IOC Scan tasks. The total size of all files added to the IOC collection may, however, exceed 3 MB.
  • It is recommended to create one IOC file per threat. This makes the results of the IOC Scan task easier to read.

The table below shows the features and limitations of the OpenIOC standard supported by the application.

Features and limitations of the OpenIOC standard versions 1.0 and 1.1

Supported conditions

  OpenIOC 1.0: is, isnot (as an exclusion from the set), contains, containsnot (as an exclusion from the set)

  OpenIOC 1.1: is, contains, starts-with, ends-with, matches, greater-than, less-than

Supported condition attributes

  OpenIOC 1.1: preserve-case, negate

Supported operators

  AND, OR

Supported data types

  • date: date (applicable conditions: is, greater-than, less-than)
  • int: integer number (applicable conditions: is, greater-than, less-than)
  • string: string (applicable conditions: is, contains, matches, starts-with, ends-with)
  • duration: duration in seconds (applicable conditions: is, greater-than, less-than)

Data types interpretation details

  The following data types are interpreted as string: Boolean string, restricted string, md5, IP, sha256, base64Binary.

  The application interprets the Content parameter specified as an interval for the int and date data types:

  OpenIOC 1.0: using the TO operator in the Content field, for example:

    <Content type="int">49600 TO 50700</Content>
    <Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>
    <Content type="int">[154192 TO 154192]</Content>

  OpenIOC 1.1: using the greater-than and less-than conditions, or using the TO operator in the Content field.

  The application interprets the date and duration data types if the indicators are specified in ISO 8601 format with the Zulu (UTC) time zone.

Supported IOC terms

  The full list of supported IOC terms is provided in a separate table.
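The requirements and limitations above can be checked before a collection is attached to a task. The script below is an added example, not part of this Help or of Kaspersky Endpoint Agent: it parses OpenIOC 1.0 and 1.1 documents with the Python standard library and reports conditions, data types, interval syntax and date formats that the agent would silently skip, together with the per-file 3 MB limit, the ioc/xml extensions and duplicate identifiers across the collection. The sample documents, their identifiers and the MD5 value are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
MAX_IOC_BYTES = 3 * 1024 * 1024   # per-file limit; the collection total may exceed it
CONDITIONS = {  # conditions the agent evaluates, per OpenIOC version
    "1.0": {"is", "isnot", "contains", "containsnot"},
    "1.1": {"is", "contains", "starts-with", "ends-with",
            "matches", "greater-than", "less-than"},
}
TYPE_CONDITIONS = {  # which conditions apply to which Content data type
    "date": {"is", "greater-than", "less-than"},
    "int": {"is", "greater-than", "less-than"},
    "duration": {"is", "greater-than", "less-than"},
    "string": {"is", "contains", "matches", "starts-with", "ends-with"},
}
STRING_ALIASES = {  # Content types the agent interprets as plain strings (lowercased)
    "string", "boolean string", "bool", "restricted string", "md5", "ip", "sha256", "base64binary"}
ZULU_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")

def _local(tag):
    """Drop the XML namespace so 1.0 and 1.1 documents are handled alike."""
    return tag.rsplit("}", 1)[-1]

def check_value(ctype, raw, where):
    """Validate one Content value, including 'a TO b' intervals for int/date."""
    issues = []
    parts = [p.strip() for p in raw.strip().strip("[]").split(" TO ")]
    if len(parts) > 1 and ctype not in ("int", "date"):
        issues.append(f"{where}: a TO interval is only interpreted for int and date")
    for p in parts:
        if ctype == "int" and not re.fullmatch(r"-?\d+", p):
            issues.append(f"{where}: '{p}' is not an integer")
        elif ctype == "date" and not ZULU_DATE.match(p):
            issues.append(f"{where}: '{p}' is not ISO 8601 Zulu time (YYYY-MM-DDThh:mm:ssZ)")
    return issues

def check_ioc(xml_text):
    """Return (ioc_id, version, issues) for a single OpenIOC document."""
    root = ET.fromstring(xml_text)
    version = {"ioc": "1.0", "OpenIOC": "1.1"}.get(_local(root.tag))
    ioc_id, issues = root.get("id"), []
    if version is None:
        return ioc_id, None, ["root is neither <ioc> (OpenIOC 1.0) nor <OpenIOC> (1.1)"]
    for el in root.iter():
        if _local(el.tag) != "IndicatorItem":
            continue
        where, cond = f"item {el.get('id', '?')}", el.get("condition", "")
        content = next((c for c in el if _local(c.tag) == "Content"), None)
        if content is None:
            issues.append(f"{where}: no Content element")
            continue
        ctype = "string" if (t := (content.get("type") or "").lower()) in STRING_ALIASES else t
        if cond not in CONDITIONS[version]:
            # Unsupported terms do not fail the task; that section simply never matches
            issues.append(f"{where}: condition '{cond}' is not supported in OpenIOC {version}")
        elif ctype not in TYPE_CONDITIONS:
            issues.append(f"{where}: content type '{content.get('type')}' is not interpreted")
        elif cond not in TYPE_CONDITIONS[ctype]:
            issues.append(f"{where}: condition '{cond}' does not apply to type {ctype}")
        else:
            issues.extend(check_value(ctype, content.text or "", where))
    return ioc_id, version, issues

def check_collection(files):
    """files maps file name -> XML text. Returns {file name: [issues]} for the whole set."""
    report, seen = {}, {}
    for name, text in files.items():
        issues = [] if name.lower().endswith((".ioc", ".xml")) else ["extension must be .ioc or .xml"]
        if len(text.encode("utf-8")) > MAX_IOC_BYTES:
            issues.append("file exceeds 3 MB; the IOC Scan task would fail")
        ioc_id, _, doc_issues = check_ioc(text)
        issues += doc_issues
        if ioc_id in seen:
            issues.append(f"id '{ioc_id}' is also used by {seen[ioc_id]}; results may be wrong")
        elif ioc_id:
            seen[ioc_id] = name
        report[name] = issues
    return report

# Constructed sample documents (placeholder ids and hash) so the module runs stand-alone.
SAMPLE_11 = """<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="sample-0001">
<criteria><Indicator operator="OR">
<IndicatorItem id="a1" condition="is"><Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
<Content type="md5">00000000000000000000000000000000</Content></IndicatorItem>
<IndicatorItem id="a2" condition="greater-than"><Context document="FileItem" search="FileItem/Created" type="mir"/>
<Content type="date">2009-04-28T10:00:00Z</Content></IndicatorItem>
</Indicator></criteria></OpenIOC>"""
SAMPLE_10 = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="sample-0001">
<definition><Indicator operator="OR">
<IndicatorItem id="b1" condition="matches"><Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
<Content type="string">sample_proc.*</Content></IndicatorItem>
<IndicatorItem id="b2" condition="is"><Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
<Content type="int">[49600 TO 50700]</Content></IndicatorItem>
<IndicatorItem id="b3" condition="is"><Context document="EventLogItem" search="EventLogItem/genTime" type="mir"/>
<Content type="date">2009-04-28 10:00:00</Content></IndicatorItem>
</Indicator></definition></ioc>"""

if __name__ == "__main__":
    for fname, problems in check_collection({"a.ioc": SAMPLE_11, "b.xml": SAMPLE_10}).items():
        print(fname, problems or "OK")
```

Running it lists, for the 1.0 sample, the matches condition that only exists in OpenIOC 1.1, the non-Zulu date and the identifier clash with the 1.1 sample, while the int interval in brackets passes as the table above describes.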


Supported IOC terms


The full list of supported IOC terms of the OpenIOC standard is provided as a table in the downloadable file IOC_TERMS.XLSX.


Creating and configuring Standard IOC Scan task


Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

To create and configure a Standard IOC Scan task, perform one of the following actions depending on the required task scope:

  • Start the local task creation wizard.
  • Start the group task creation wizard.

    Group tasks are performed on the devices of the selected administration group. For more information on tasks, refer to Kaspersky Security Center documentation.

    To create a group task:

    1. Open Kaspersky Security Center Administration Console.
    2. Do one of the following:
      • In the Administration Console tree, select the Managed devices folder to create a group task for all devices managed using Kaspersky Security Center.
      • In the Managed devices folder of the Administration Console tree, select the folder with the name of the administration group, which includes the required devices.
    3. In the workspace, select the Tasks tab.
    4. Click Create a task.

      The task creation wizard will start.

    5. Select the required task and click Next.
    6. Follow the instructions of the task creation wizard.

The task creation wizard allows you to configure the following settings:

  • IOC collection

    To configure IOC collection:

    1. In the IOC collection group of settings, click Browse.
    2. In the context menu, do one of the following:
      • Select the Select folder item to add a group of IOC files to the IOC collection.
      • Select the Select file item to add one IOC file to the IOC collection.
    3. Depending on your choice, do one of the following in the window that opens:
      • Specify the path to the folder with IOC files and click OK.
      • Specify the path to IOC file and click Open.

      If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.

    4. To view the list of all IOC files that are included in the IOC collection, as well as to get information about each IOC file, click View.

      The Select folder window opens. In this window, you can exclude any file from the database by clearing the check box next to the name of the IOC file.

    5. Click OK to save the changes and close the Select folder window.
    6. To export the created IOC collection, click Export.

      In the window that opens, specify the name of the file and select the folder where you want to save it.

    7. Click the Save button.

      The application creates a ZIP file in the specified folder.

  • Data types (IOC documents) to be analyzed during IOC scan

    To select data types (IOC documents) that you want to analyze during IOC scan and configure the additional scan settings:

    1. Click the Configure IOC terms and documents button.

      The IOC terms and documents window opens.

    2. In the Select data types (IOC documents) to analyze during IOC scanning group of settings, select the check boxes next to the required IOC documents.

      Depending on the loaded IOC files, some check boxes may be disabled.

      Kaspersky Endpoint Agent automatically selects data types (IOC documents) for the IOC Scan task in accordance with the contents of the uploaded IOC files. It is not recommended to deselect data types manually.

    3. To configure additional settings for the selected ProcessItem IOC document:
      1. Click the Advanced (ProcessItem) button.

        The ProcessItem document scan settings window opens.

      2. In the Indicators group of settings, select data that you want to analyze during the task execution.
      3. Click OK to save the changes and close the ProcessItem document scan settings window.
    4. To configure additional settings for the selected FileItem IOC document:
      1. Click the Advanced (FileItem) button.

        The FileItem document scan settings window opens.

      2. On the Scan areas tab, select data that you want to analyze during the task execution.
      3. On the Scan areas tab, select the areas on protected device drives where to look for indicators of compromise.

        You can select one of the predefined areas, or specify the paths to the desired areas manually.

      4. On the Exclusions tab, select the Apply exclusions check box and specify the paths to the areas on the protected device drives that do not need to be scanned during the task execution.
      5. Click OK to save the changes and close the FileItem document scan settings window.
    5. To configure additional settings for the selected RegistryItem IOC document:
      1. Click the Advanced (RegistryItem) button.

        The RegistryItem document scan settings window opens.

      2. Specify the Windows registry keys to be scanned during the task execution.

        You can select to scan predefined registry keys or specify the list of required registry keys manually.

      3. Click OK to save the changes and close the RegistryItem document scan settings window.
    6. To configure additional settings for the selected EventLogItem IOC document:
      1. Click the Advanced (EventLogItem) button.

        The EventLogItem document scan settings window opens.

      2. To ignore the events that were logged before the specified moment, select the Scan only events logged during the specified period check box and specify date and time.
      3. If necessary, in the bottom of the window, edit the predefined list of channels that are analyzed during the task execution.
      4. Click OK to save the changes and close the EventLogItem document scan settings window.
    7. Click OK to save the changes and close the window.

    The saved settings will be applied when the task is executed.

  • Retrospective IOC scan

    Retrospective IOC scan is an operation mode of the IOC Scan task, when Kaspersky Endpoint Agent searches for indicators of compromise based on the data received during a time interval specified by the user. This mode is intended for searching for indicators of compromise based on the data on network activity of protected devices. Kaspersky Endpoint Agent analyzes data in the operating system logs and in browsers on devices.

    The Retrospective IOC scan mode is available only for Standard IOC Scan tasks.

    To enable the Retrospective IOC scan mode:

    1. In the Retrospective IOC Scan group of settings, enable the Perform Retrospective IOC Scan within the interval option.
    2. Specify the time interval.

      During the task execution, the application analyzes data collected during the specified time interval, including the boundaries of the specified interval (from 00:00 on the start date until 23:59 on the end date). The default interval starts at 00:00 on the day preceding the task creation day and ends at 23:59 on the day when the task was created.

    If, during execution of an IOC Scan task with the Perform Retrospective IOC Scan within the interval option enabled, the application finds no data for the specified time interval, it does not report this. In this case, the task completion report simply shows no indicators of compromise.

  • Application actions on IOC detection

    To configure Kaspersky Endpoint Agent actions on IOC detection:

    1. In the Actions section, select the Take response actions when indicator of compromise is found check box.
    2. Select the Isolate device from the network check box to enable network isolation of the device on which indicator of compromise is detected by Kaspersky Endpoint Agent.
    3. Select the Run critical areas scan on the device check box so that Kaspersky Endpoint Agent sends a command to EPP application to scan critical areas on all the devices of the administration group on which indicators of compromise are detected.

    When configuring the task settings in Kaspersky Security Center Administration Console, the Do not perform actions on critical system files check box is available only if the Quarantine and delete response action is selected for the task (this setting can be configured only in Kaspersky Security Center Web Console).

  • Task start schedule

    To configure the schedule settings for IOC Scan task:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list, select one of the following options to run IOC Scan tasks: At specified time, Every hour, Every day, Every week or On application launch.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set a maximum timeout for the task execution, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
      2. If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
      3. If you want the application to start IOC Scan tasks that were not completed on time as soon as possible, select the Run missed tasks check box.
      4. If you want to avoid simultaneous access of a large number of workstations to the Administration Server as well as to run the task on workstations not precisely according to the schedule, but randomly within a certain time interval, select the Randomize the task run to every check box and specify the start interval in minutes.
      5. Click OK.
  • Running the task from a Kaspersky Security Center user account

    To select the Kaspersky Security Center user account under which you want to run the task, perform one of the following actions in the group of settings for selecting an account to start the task:

    • Select the default account and click Next.
    • Enter the name and password of the user whose account permissions will be used to start the task.
  • Task name

    The task name cannot be longer than 100 characters and cannot contain the following special characters: " * < > ? \ : |

Identifiers of all IOC files that are used in the same IOC Scan task must be unique. The presence of IOC files with the same identifier can affect the correctness of the task execution results.

If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.

Semantic errors and IOC terms and tags in IOC files that are not supported by the application do not cause the task execution errors. The application just does not detect matches in such sections of IOC files.


Configuring Standard IOC Scan task


Only the files with IOC rules can be specified for the IOC Scan task. Files with other types of rules are not supported for the IOC Scan task.

To configure the Standard IOC Scan task settings:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    The list of tasks is displayed in the workspace.

  3. Open the settings of the required task in one of the following ways:
    • Double-click the task name.
    • Open the policy context menu and select Properties.
    • Select a task and click Configure task in the right part of the window.

    The Properties: <Task name> window will open.

  4. In the left part of the window, select the group of settings that you want to configure.
  5. In the right part of the window, make the necessary changes and click Apply, and then click OK.

    Configuration of the Standard IOC Scan task settings is now finished.

You can configure the following task settings:

  • Task name

    Do the following:

    1. Select the General section.
    2. Change the task name in the top line.

  • Storage time for the task execution results on the Administration Server

    Do the following:

    1. Select the Notification section.
    2. Make sure that the On the Administration Server for (days) check box is selected in the Save information about results section, and specify for how many days you want to store the task execution results.

      By default, task execution results are stored on the Administration Server for 7 days.

  • IOC collection

    To configure IOC collection:

    1. In the IOC collection group of settings, click Browse.
    2. In the context menu, do one of the following:
      • Select the Select folder item to add a group of IOC files to the IOC collection.
      • Select the Select file item to add one IOC file to the IOC collection.
    3. Depending on your choice, do one of the following in the window that opens:
      • Specify the path to the folder with IOC files and click OK.
      • Specify the path to IOC file and click Open.

      If, when creating the IOC Scan task, you upload some IOC files that are not supported by Kaspersky Endpoint Agent then when the task starts, the application will use only supported IOC files.

    4. To view the list of all IOC files that are included in the IOC collection, as well as to get information about each IOC file, click View.

      The Select folder window opens. In this window, you can exclude any file from the database by clearing the check box next to the name of the IOC file.

    5. Click OK to save the changes and close the Select folder window.
    6. To export the created IOC collection, click Export.

      In the window that opens, specify the name of the file and select the folder where you want to save it.

    7. Click the Save button.

      The application creates a ZIP file in the specified folder.

  • Retrospective IOC scan

    Retrospective IOC scan is an operation mode of the IOC Scan task, when Kaspersky Endpoint Agent searches for indicators of compromise based on the data received during a time interval specified by the user. This mode is intended for searching for indicators of compromise based on the data on network activity of protected devices. Kaspersky Endpoint Agent analyzes data in the operating system logs and in browsers on devices.

    The Retrospective IOC scan mode is available only for Standard IOC Scan tasks.

    To enable the Retrospective IOC scan mode:

    1. In the Retrospective IOC Scan group of settings, enable the Perform Retrospective IOC Scan within the interval option.
    2. Specify the time interval.

      During the task execution, the application analyzes data collected during the specified time interval, including the boundaries of the specified interval (from 00:00 on the start date until 23:59 on the end date). The default interval starts at 00:00 on the day preceding the task creation day and ends at 23:59 on the day when the task was created.

    If, during execution of an IOC Scan task with the Perform Retrospective IOC Scan within the interval option enabled, the application finds no data for the specified time interval, it does not report this. In this case, the task completion report simply shows no indicators of compromise.

  • Application actions on IOC detection

    To configure Kaspersky Endpoint Agent actions on IOC detection:

    1. In the Actions section, select the Take response actions when indicator of compromise is found check box.
    2. Select the Isolate device from the network check box to enable network isolation of the device on which indicator of compromise is detected by Kaspersky Endpoint Agent.
    3. Select the Run critical areas scan on the device check box so that Kaspersky Endpoint Agent sends a command to EPP application to scan critical areas on all the devices of the administration group on which indicators of compromise are detected.

    When configuring the task settings in Kaspersky Security Center Administration Console, the Do not perform actions on critical system files check box is available only if the Quarantine and delete response action is selected for the task (this setting can be configured only in Kaspersky Security Center Web Console).

  • Data types (IOC documents) to be analyzed during IOC scan

    To select data types (IOC documents) that you want to analyze during IOC scan and configure the additional scan settings:

    1. Open the Advanced section.
    2. In the Select data types (IOC documents) to analyze during IOC scanning group of settings, select the check boxes next to the required IOC documents.

      Depending on the loaded IOC files, some check boxes may be disabled.

      Kaspersky Endpoint Agent automatically selects data types (IOC documents) for the IOC Scan task in accordance with the contents of the uploaded IOC files. It is not recommended to deselect data types manually.

    3. To configure additional settings for the selected ProcessItem IOC document:
      1. Click the Advanced (ProcessItem) button.

        The ProcessItem document scan settings window opens.

      2. In the Indicators group of settings, select data that you want to analyze during the task execution.
      3. Click OK to save the changes and close the ProcessItem document scan settings window.
    4. To configure additional settings for the selected FileItem IOC document:
      1. Click the Advanced (FileItem) button.

        The FileItem document scan settings window opens.

      2. On the Scan areas tab, select data that you want to analyze during the task execution.
      3. On the Scan areas tab, select the areas on protected device drives where to look for indicators of compromise.

        You can select one of the predefined areas, or specify the paths to the desired areas manually.

      4. On the Exclusions tab, select the Apply exclusions check box and specify the paths to the areas on the protected device drives that do not need to be scanned during the task execution.
      5. Click OK to save the changes and close the FileItem document scan settings window.
    5. To configure additional settings for the selected RegistryItem IOC document:
      1. Click the Advanced (RegistryItem) button.

        The RegistryItem document scan settings window opens.

      2. Specify the Windows registry keys to be scanned during the task execution.

        You can select to scan predefined registry keys or specify the list of required registry keys manually.

      3. Click OK to save the changes and close the RegistryItem document scan settings window.
    6. To configure additional settings for the selected EventLogItem IOC document:
      1. Click the Advanced (EventLogItem) button.

        The EventLogItem document scan settings window opens.

      2. To ignore the events that were logged before the specified moment, select the Scan only events logged during the specified period check box and specify date and time.
      3. If necessary, in the bottom of the window, edit the predefined list of channels that are analyzed during the task execution.
      4. Click OK to save the changes and close the EventLogItem document scan settings window.
    7. Click OK to save the changes and close the window.

    The saved settings will be applied when the task is executed.

  • IOC Scan task schedule

    To configure the schedule settings for IOC Scan task:

    1. In the Task schedule section, select the Run by schedule check box.
    2. In the Frequency list, select one of the following options to run IOC Scan tasks: At specified time, Every hour, Every day, Every week or On application launch.
    3. If you select the At specified time option, specify the day and time to start the task in the Run by schedule section.
    4. If you select one of the following options: Every hour, Every day or Every week, configure the following settings in the Run by schedule section:
      1. In the Every list, select the task run frequency. For example, once a day or twice a week on Tuesdays and Thursdays.
      2. In the Time and Date lists, select the date and time from which the schedule applies.
    5. To configure advanced schedule settings, click the Advanced button and perform the following actions in the Advanced window:
      1. If you want to set a maximum timeout for the task execution, select the Stop tasks that run longer than check box and specify the number of hours and minutes after which the task will automatically terminate.
      2. If you want the task schedule to be valid until a certain date, select the Cancel schedule from check box and specify the expiration date for the schedule.
      3. If you want the application to start IOC Scan tasks that were not completed on time as soon as possible, select the Run missed tasks check box.
      4. If you want to avoid a large number of workstations accessing the Administration Server at the same time, and instead run the task on workstations not exactly on schedule but at a random moment within a certain time interval, select the Randomize the task run to every check box and specify the start interval in minutes.
      5. Click OK.
  • Kaspersky Security Center user account to run the task

    To select the Kaspersky Security Center user account under which you want to run the task, perform one of the following actions in the group of settings for selecting an account to start the task:

    • Select the default account and click Next.
    • Enter the name and password of the user whose account permissions will be used to start the task.
  • Excluding groups of devices from the task scope

    To exclude groups of devices from the task scope, in the Exclusions from task scope section, select the groups of devices to which the task will not be applied.

    Only the subgroups of the administration group to which the task applies can be excluded.

[Topic 194314]

IOC collection export

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To export an IOC collection:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    A list of tasks appears.

  3. In the Run IOC Scan section, select the task in the list and right-click it to open the task action menu.
  4. Select the Properties menu item.

    The task properties window opens.

  5. Select the IOC Scan settings section.
  6. In the IOC collection section click Export.
  7. In the window that opens, specify the name of the file and select the folder where you want to save it.
  8. Click the Save button.

    The application creates a ZIP file in the folder you specified.
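The exported ZIP can be reviewed offline before it is shared or imported elsewhere. The following Python script is an added example, not part of the original Help or of the product: it assumes the ZIP holds one OpenIOC 1.0 .ioc file per IOC document (an assumption, since the page does not describe the archive layout), lists the terms each file searches, and reports which IOC document types (such as EventLogItem or RegistryItem) the collection uses, which tells you whether the Advanced (EventLogItem) or RegistryItem scan settings described above are relevant for the task.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

OPENIOC_NS = "{http://schemas.mandiant.com/2010/ioc}"

# Constructed sample IOC file (not from the product). Assumed layout of the
# exported ZIP: one OpenIOC 1.0 .ioc document per entry.
SAMPLE_IOC = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <short_description>Constructed example</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="EventLogItem" search="EventLogItem/EID"/>
        <Content type="int">4688</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="RegistryItem" search="RegistryItem/Path"/>
        <Content type="string">CurrentVersion\\Run</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""


def build_sample_zip() -> bytes:
    """Build an in-memory ZIP shaped like an exported IOC collection."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example-0001.ioc", SAMPLE_IOC)
    return buf.getvalue()


def summarize_collection(zip_bytes: bytes) -> dict:
    """Map each .ioc file name to the sorted list of term paths it searches."""
    summary = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".ioc"):
                continue  # skip anything that is not an IOC document
            root = ET.fromstring(zf.read(name))
            terms = {ctx.get("search") for ctx in root.iter(OPENIOC_NS + "Context")}
            summary[name] = sorted(terms)
    return summary


def documents_used(summary: dict) -> set:
    """IOC document types (EventLogItem, RegistryItem, ...) across the collection."""
    return {term.split("/", 1)[0] for terms in summary.values() for term in terms}
```

Run `documents_used(summarize_collection(open("collection.zip", "rb").read()))` on a real export; the constructed sample yields `{"EventLogItem", "RegistryItem"}`.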

See also

Requirements for IOC files

Supported IOC terms

Creating and configuring Standard IOC Scan task

Configuring Standard IOC Scan task

Viewing IOC Scan task execution results

[Topic 195177]

Viewing IOC Scan task execution results

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To view the IOC Scan task execution results:

  1. Open Kaspersky Security Center Administration Console.
  2. In Kaspersky Security Center Administration Console tree, open the Tasks folder.

    The list of tasks is displayed in the workspace.

  3. Open the settings of the required task in one of the following ways:
    • Double-click the task name.
    • Open the policy context menu and select Properties.
    • Select a task and click Configure task in the right part of the window.

    The Properties: <Task name> window opens.

  4. Select the Results section.
  5. In the Show task results for the device list, select the devices for which you want to view the results of IOC Scan tasks.
  6. To view detailed information about a particular task, double-click it.
  7. To view detailed information about the detected indicator of compromise, click the Show card button.

    The Detected IOC card contains information about the objects that match the conditions of the processed IOC file, as well as the text of the matched branches or individual conditions from this IOC file.

    Viewing the Detected IOC card is not available for IOC files for which no indicators of compromise were detected during the scan.

See also

Requirements for IOC files

Supported IOC terms

Creating and configuring Standard IOC Scan task

Configuring Standard IOC Scan task

IOC collection export

[Topic 195119]