Adding a threat to an IoC scan

5 March 2024

ID 231840

When you configure regular scans for threats on devices, or after a threat has already been detected on one of your users' devices, you can add the threat to an IoC scan so that the scan checks other devices for that threat.

To each IoC scan, you can add a maximum of 200 threats.

To add a threat to an IoC scan:

  1. Open Kaspersky Endpoint Security Cloud Management Console.
  2. Select the Security management → Endpoint Detection and Response section.
  3. Click the IoC scan button.
  4. Add a threat in either of the following ways:
    • To add a threat to Proactive scan, click the Add a threat button.
    • To add a threat to any scan, click the View link on the respective tile, and then click the Add button.

    The Add a threat window opens.

  5. Enter the threat name.
  6. If necessary, enter the threat description.
  7. Under Indicators of compromise (IoCs), specify IoCs of this threat:
    1. If you plan to specify two or more IoCs, in the Detection criteria list, select the detection criteria (the logical operator):
      • Match ANY of the following, if you want an alert to occur if at least one of the IoCs is found on a device (the OR logical operator).
      • Match ALL of the following, if you want an alert to occur only if all of the IoCs are found on a device simultaneously (the AND logical operator).
    2. Under Indicator 1, select the IoC type, and then specify its value.

      When adding a registry key as an IoC, start from a registry hive (for example, HKEY_LOCAL_MACHINE\Software\Microsoft).
      When you add a registry key as an IoC, Kaspersky Endpoint Security for Windows scans only some of the registry keys.

    3. If you want to add more IoCs to the threat, click + Add an indicator, and then specify another IoC.

      To each threat, you can add a maximum of 100 IoCs.

  8. Click Save to save the changes.

The threat is added to the selected IoC scan.
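
The limits and detection criteria described above can be checked on a draft threat list before it is entered in the console. The following Python is an added example, not Kaspersky code and not part of the original article: it calls no product API, and the IoC type labels, device names and sample indicators are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_IOCS_PER_THREAT = 100    # limit stated on this page
MAX_THREATS_PER_SCAN = 200   # limit stated on this page
# Standard Windows root hive names (assumption: the full name is expected).
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}

@dataclass
class Threat:
    name: str
    criteria: str = "ANY"                      # "ANY" (OR) or "ALL" (AND)
    iocs: list = field(default_factory=list)   # (ioc_type, value); type labels are hypothetical

def validate_threat(threat):
    """Return the problems to fix before entering this threat in the console."""
    problems = []
    if not threat.name.strip():
        problems.append("threat name is empty")
    if len(threat.iocs) > MAX_IOCS_PER_THREAT:
        problems.append(f"{len(threat.iocs)} IoCs, limit is {MAX_IOCS_PER_THREAT}")
    if len(threat.iocs) >= 2 and threat.criteria not in ("ANY", "ALL"):
        problems.append("detection criteria must be ANY or ALL")
    for ioc_type, value in threat.iocs:
        if ioc_type == "registry_key" and value.split("\\", 1)[0].upper() not in HIVES:
            problems.append(f"registry key does not start from a hive: {value}")
    return problems

def validate_scan(threats):
    """Check the per-scan limit, then every threat in the scan."""
    problems = []
    if len(threats) > MAX_THREATS_PER_SCAN:
        problems.append(f"{len(threats)} threats, limit is {MAX_THREATS_PER_SCAN}")
    for t in threats:
        problems += [f"{t.name}: {p}" for p in validate_threat(t)]
    return problems

def devices_alerting(threat, findings):
    """findings maps device name -> set of (ioc_type, value) found on it."""
    combine = all if threat.criteria == "ALL" else any
    return sorted(dev for dev, found in findings.items()
                  if threat.iocs and combine(ioc in found for ioc in threat.iocs))

# Constructed sample data, not real indicators.
RUN_KEY = ("registry_key", r"HKEY_LOCAL_MACHINE\Software\ExampleVendor\Updater")
DROPPER = ("file_name", "example-dropper.exe")
FINDINGS = {"laptop-01": {RUN_KEY, DROPPER}, "laptop-02": {DROPPER}, "laptop-03": set()}

if __name__ == "__main__":
    for mode in ("ANY", "ALL"):
        t = Threat("Example threat", mode, [RUN_KEY, DROPPER])
        print(mode, validate_threat(t), devices_alerting(t, FINDINGS))
```

With the same two indicators, Match ANY alerts on every device where either one is found, while Match ALL alerts only where both are present, so the choice of criteria directly sets how many devices a threat will flag.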
