IOC scan of events

When working in the program web interface, users with the Senior security officer and Security officer roles can use IOC files to search the database of events and alerts for signs of targeted attacks and for infected and probably infected objects, and to scan local computers that have the Endpoint Sensors component installed.

Depending on the program operating mode and the server to which the IOC files are uploaded, the uploaded files can be one of the following types:

Users with the Senior security officer role can manage scans of events based on IOC files: add, edit, and delete IOC files, download IOC files to a computer, enable and disable scanning of events based on IOC files, and manage object scan settings.

Users with the Security officer role can only view information about IOC files and download IOC files to a computer.

If you are working with events that were previously detected by the program, a repeated match between the data of these events and indicators of compromise does not always indicate a possible alert.

In this Help section

Viewing the table of IOC files

Viewing information about an IOC file

Uploading an IOC file

Downloading an IOC file to a computer

Enabling and disabling the automatic use of an IOC file when scanning events

Deleting an IOC file

Searching IOC scan results

Filtering and searching IOC files

Clearing an IOC file filter

Configuring an IOC scan schedule

Supported OpenIOC Indicators of Compromise
