Managing indicators of attack detections
To create, edit, or delete settings profiles or resources associated with indicators of attack, the user account that accesses the Advanced EDR console requires the Configure indicators of attack (IOA) permission. To list settings profiles or resources associated with indicators of attack, the account requires the View indicators of attack (IOA) settings permission. See Managing roles and permissions.
Advanced EDR enables you to manage indicators of attack detections and show computers on your network where indicators of attack were detected:
Showing IOA detections on the network
- From the top menu, select Status. From the side menu, select Indicators of attack (IOA).
- At the top of the page, select the time period for which you want to show data.
- The Threat Hunting Service widget shows the events, indicators, and indicators of attack detected during the selected time period.
- Click the Indicators of attack area. The Indicators of attack (IOA) list opens and shows all IOAs detected during the selected time period.
For more information about this widget, see Threat Hunting Service.
Searching for computers where a specific IOA was detected
- From the top menu, select Status. From the side menu, select Indicators of attack (IOA).
- In the Detected indicators of attack (IOA) or Indicators of attack (IOA) mapped to the MITRE ATT&CK matrix panel, click a type of IOA.
- The Indicators of attack (IOA) list opens filtered by the selected type of attack.
For more information about these widgets, see Indicators of attack (IOA) mapped to the MITRE ATT&CK matrix and Indicators of attack (IOA).
Searching for IOA detections for a computer
- From the top menu, select Status. From the side menu, select Indicators of attack (IOA).
- In the Indicators of attack (IOA) by computer panel, select a computer. The Indicators of attack (IOA) list opens filtered by the selected computer.
For more information about this widget, see Indicators of attack (IOA) by computer.
Searching for interrelated computers and IOAs
- From the top menu, select Status.
- From the side menu, click Add. A dialog box opens that shows all available lists.
- In the Security section, select Indicators of attack (IOA). The New list: Indicators of attack (IOA) page opens.
- Each detection that appears in the Indicators of attack (IOA) list has a context menu with these options:
  - View the IOAs detected on this computer: Shows the Indicators of attack (IOA) list filtered by the Computer field.
  - View computers on which this IOA was detected: Shows the Indicators of attack (IOA) list filtered by the Indicator of attack field.
For more information about these lists, see Indicators of Attack (IOA) module lists.
Archiving one or more IOA detections
When the cause for a detection is resolved, or the detection is a false positive, you can archive it:
- From the top menu, select Status. From the side menu, in My lists, click the Add link. The Add list dialog box opens and shows the available templates.
- In the Security section, select the Indicators of attack (IOA) template. The list of IOAs detected opens with no filters applied.
- Click the context menu for the detection you want to archive. Select Archive IOA. The detection status changes to Archived.
Or:
- Select the checkboxes for the detections you want to archive.
- In the toolbar, click Archive IOA. The detection status changes to Archived.
Marking IOA detections as pending
Advanced EDR marks the detections it adds as pending to indicate they require attention. Additionally, when you have not analyzed or resolved the cause of a detection, you can mark it as pending further review. You can also change an archived detection to pending.
- From the top menu, select Status. From the side menu, in My lists, click the Add link. The Add list dialog box opens and shows the available templates.
- In the Security section, select the Indicators of attack (IOA) template. The list opens with no filters applied.
- Set the required filters and click the Filter button.
- Click the context menu for the detection you want to investigate. Select Mark IOA as pending. The status of the indicator of attack changes to Pending.
Or:
- Select the checkboxes for the detections you want to investigate.
- In the toolbar, click Mark IOA as pending. The detection status changes to Pending.
Showing a detection's details and recommendations
- From the top menu, select Status. From the side menu, in My lists, click the Add link. The Add list dialog box opens and shows the available templates.
- In the Security section, select the Indicators of attack (IOA) template. The list opens with no filters applied.
- Set the required filters and click the Filter button.
- From the list, select an indicator of attack. The Details page opens. See Details page.