Kaspersky Anti Targeted Attack (KATA) Platform

Configuring an IOC scan schedule

8 November 2023

ID 247418

You can configure the schedule for searching for indicators of compromise using IOC files on hosts with the Endpoint Agent component.

Users with Security auditor and Security officer roles cannot configure the schedule for searching for indicators of compromise using IOC files.

To configure the schedule for searching for indicators of compromise using IOC files on hosts with the Endpoint Agent component:

  1. In the window of the application web interface, select the Settings section, Endpoint Agents subsection, IOC scanning schedule group of settings.
  2. In the Start time drop-down lists, select the start time of the indicator of compromise search.
  3. In the Maximum scan duration drop-down list, select a time limit for completing the indicator of compromise search.
  4. Click Apply.

The new schedule for searching for indicators of compromise using IOC files on hosts with the Endpoint Agent component becomes active immediately after changes are saved. Results of the indicator of compromise search are displayed in the alert table.

Managing the search for indicators of compromise using IOC files is limited to the functionality provided by the web interface of Kaspersky Anti Targeted Attack Platform. No alternative ways of managing the search for indicators of compromise are provided.

If you are using Kaspersky Endpoint Security for Windows in the role of the Endpoint Agent component, make sure that the IOC files comply with the requirements. You must also take into account that when adding the RegistryItem data type to the IOC search scope, the application analyzes only certain registry keys.

For more details on the requirements for IOC files and the scanned registry keys, refer to the Online Help for Kaspersky Endpoint Security for Windows:

See also

Managing user-defined IOC rules

Viewing the table of IOC files

Viewing information about an IOC file

Uploading an IOC file

Downloading an IOC file to a computer

Enabling and disabling the automatic use of an IOC file when scanning hosts

Deleting an IOC file

Searching for alerts in IOC scan results

Searching for events using an IOC file

Filtering and searching IOC files

Clearing an IOC file filter
