Configuring indicators of attack (IOA)

Accessing the settings

  • From the top menu, select Settings. From the side menu, select Indicators of attack (IOA).

  • Click Add. The Add settings page opens.

You can assign indicators of attack (IOA) settings profiles to Windows, Linux, and macOS workstations and servers.

Required permissions

Permission: Configure indicators of attack (IOA)
Access type: Create, edit, delete, copy, or assign indicators of attack (IOA) settings profiles.

Permission: View indicators of attack (IOA) settings
Access type: View the indicators of attack (IOA) settings profiles defined.

Permissions required to access the indicators of attack (IOA) settings

Enabling and modifying IOA detection

By default, Advanced EDR assigns an indicators of attack (IOA) settings profile to all computers on the network, with all types of IOAs enabled. To disable the detection of a specific type of IOA:

  • From the top menu, select Settings. From the side menu, select Indicators of attack (IOA).

  • Click the Add button. The Add settings page opens.

  • Select the IOAs that Advanced EDR must search for in the telemetry generated by the computers.

    To select specific advanced indicators of attack, you must first enable advanced indicators of attack by clicking the toggle.

  • Select the computers that you want to receive the new settings profile. Click OK.

For more information about how to manage settings profiles, see Managing settings.

Indicators of attack (IOA) settings options

To enable and disable the IOAs that you want to monitor, use the corresponding toggle:

Field: Brute-force attack against RDP
Field: Credentials compromised after brute-force attack on RDP
Description: Detects large numbers of remote login attempts over the RDP protocol.

Field: Other IOAs
Description: Cytomic periodically updates the list of indicators of attack to reflect new strategies used by cybercriminals.

Field: Advanced indicators of attack
Description: List of the advanced indicators of attack you want to search for on workstations and servers. Available only for Windows computers.

Types of indicators available in the indicators of attack (IOA) settings

Enabling and disabling advanced IOA technology

Advanced IOA generation leverages new technologies and collects more telemetry data from devices. This technology could affect device performance on multi-user servers and in specific situations. To disable this technology completely, disable the Advanced IOA toggle.

Disabling advanced IOAs individually does not disable the technology and does not substantially improve performance.

Information associated with IOAs

From the Indicators of attack (IOA) list, click the icon next to the name of an IOA. A dialog box opens that shows information about the IOA (name, risk, description, recommendations, MITRE, etc.). For more information, see Fields on the IOA Details page.

Automatic response to RDP attacks

Field: Response on workstations

Field: Response on servers

Automatic response actions for RDP IOAs

Trusted IPs

Enter a list of IP addresses for computers you consider secure. Logon attempts from these IPs are reported but not blocked. You can enter individual IP addresses separated by commas, or IP address ranges written as a start and end address separated by a dash.
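As an added example (not Cytomic's code or the product's own detection logic), the following Python parses the Trusted IPs format described above and applies it to a constructed set of RDP logon records in the spirit of the brute-force RDP IOA: sources with many failed logons are flagged, and trusted sources are reported but not blocked. The failure threshold, the "block" response and the sample data are assumptions, not product values.

```python
import ipaddress
from collections import Counter

# Constructed sample value for the Trusted IPs field: individual addresses
# separated by commas, or ranges written as start-end (IPv4 assumed).
TRUSTED_IPS = "10.0.0.1-10.0.0.50, 192.168.1.10"

# Constructed sample of RDP logon records as (source IP, outcome); not real
# telemetry from the product.
SAMPLE_EVENTS = (
    [("10.0.0.5", "failure")] * 12        # trusted jump host, many failures
    + [("203.0.113.9", "failure")] * 15   # untrusted external source
    + [("10.0.0.77", "failure")] * 2      # a couple of typos, below threshold
    + [("10.0.0.5", "success")]
)

def parse_trusted_ips(text):
    """Parse the Trusted IPs field into a list of (low, high) address pairs."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if high < low:
                raise ValueError(f"range end precedes start: {item!r}")
        else:
            low = high = ipaddress.ip_address(item)
        ranges.append((low, high))
    return ranges

def is_trusted(ip, ranges):
    """True if ip falls inside any parsed trusted address or range."""
    addr = ipaddress.ip_address(ip)
    return any(low.version == addr.version and low <= addr <= high
               for low, high in ranges)

def classify_rdp_sources(events, ranges, threshold):
    """Flag sources with >= threshold failed RDP logons. Trusted sources are
    'report' only (reported but not blocked); the rest get a hypothetical
    'block' response. The threshold is an assumption, not a product value."""
    failures = Counter(src for src, outcome in events if outcome == "failure")
    return {src: ("report" if is_trusted(src, ranges) else "block")
            for src, count in failures.items() if count >= threshold}

if __name__ == "__main__":
    ranges = parse_trusted_ips(TRUSTED_IPS)
    for src, action in classify_rdp_sources(SAMPLE_EVENTS, ranges, 10).items():
        print(f"{src}: {action}")
```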