Configuring indicators of attack (IOA)

Accessing the settings

From the top menu, select Settings. From the side menu, select Indicators of attack (IOA).
Click Add. The Add settings page opens.

You can assign indicators of attack (IOA) settings profiles to Windows, Linux, and macOS workstations and servers.

Required permissions

Permission	Access type
Configure indicators of attack (IOA)	Create, edit, delete, copy, or assign indicators of attack (IOA) settings profiles.
View indicators of attack (IOA) settings	View the indicators of attack (IOA) settings profiles defined.
Permissions required to access the indicators of attack (IOA) settings

Enabling and modifying IOA detection

By default, Advanced EDR assigns an indicators of attack (IOA) settings profile to all computers on the network, with all types of IOAs enabled. To disable the detection of a specific type of IOA:

From the top menu, select Settings. From the side menu, select Indicators of attack (IOA).
Click the Add button. The Add settings page opens.
Select the IOAs that Advanced EDR must search for in the telemetry generated by the computers.

To select specific advanced indicators of attack, you must enable all of them by clicking the toggle.
Select the computers that you want to receive the new settings profile. Click OK.

For more information about how to manage settings profiles, see Managing settings.

Indicators of attack (IOA) settings options

To enable and disable the IOAs that you want to monitor, use the corresponding toggle:

Field	Description
Brute-force attack against RDP Credentials compromised after brute-force attack on RDP	Detects large numbers of remote login attempts over the RDP protocol.
Other IOAs	Cytomic periodically updates the list of indicators of attack to reflect new strategies used by cybercriminals.
Advanced indicators of attack	List of the advanced indicators of attack you want to search for on workstations and servers. Available only for Windows computers.
Types of indicators available in the indicators of attack (IOA) settings

Enabling and disabling advanced IOA technology

Advanced IOA generation leverages new technologies and collects more telemetry data from devices. This technology could affect device performance on multi-user servers and in specific situations. To disable this technology completely, disable the Advanced IOA toggle.

Disabling advanced IOAs individually does not disable the technology and does not substantially improve performance.

Information associated with IOAs

From the Indicators of attack (IOA) list, click the icon next to the name of an IOA. A dialog box opens that shows information about the IOA (name, risk, description, recommendations, MITRE, etc.). For more information, see Fields on the IOA Details page.

Automatic response to RDP attacks

Field	Description
Response on workstations	Report and block RDP attacks: Generates an IOA and blocks RDP attacks. See Detection and protection against RDP attacks. Report only: Generates an IOA.
Response on servers	Report and block RDP attacks: Generates an IOA and blocks RDP attacks. See Detection and protection against RDP attacks. Report only: Generates an IOA.
Automatic response actions for RDP IOAs

Trusted IPs

Enter a list of IP addresses for computers you consider secure. These IPs are reported but not blocked. You can enter individual IP addresses separated by commas, or IP address ranges separated by a dash.