Configuring indicators of attack (IOA)
Accessing the settings
- From the top menu, select Settings. From the side menu, select Indicators of attack (IOA).
- Click Add. The Add settings page opens.
You can assign indicators of attack (IOA) settings profiles to Windows, Linux, and macOS workstations and servers.
Required permissions
Permission | Access type |
---|---|
Configure indicators of attack (IOA) | Create, edit, delete, copy, or assign indicators of attack (IOA) settings profiles. |
View indicators of attack (IOA) settings | View the indicators of attack (IOA) settings profiles defined. |
Enabling and modifying IOA detection
By default, Advanced EDR assigns an indicators of attack (IOA) settings profile to all computers on the network, with all types of IOAs enabled. To disable the detection of a specific type of IOA:
- From the top menu, select Settings. From the side menu, select Indicators of attack (IOA).
- Click the Add button. The Add settings page opens.
- Select the IOAs that Advanced EDR must search for in the telemetry generated by the computers.
  To select specific advanced indicators of attack, you must enable all of them by clicking the toggle.
- Select the computers that you want to receive the new settings profile. Click OK.
For more information about how to manage settings profiles, see Managing settings.
Indicators of attack (IOA) settings options
To enable and disable the IOAs that you want to monitor, use the corresponding toggle:
Field | Description |
---|---|
Brute-force attack against RDP / Credentials compromised after brute-force attack on RDP | Detects large numbers of remote login attempts over the RDP protocol. |
Other IOAs | Cytomic periodically updates the list of indicators of attack to reflect new strategies used by cybercriminals. |
Advanced indicators of attack | List of the advanced indicators of attack you want to search for on workstations and servers. Available only for Windows computers. |
Enabling and disabling advanced IOA technology
Advanced IOA generation leverages new technologies and collects more telemetry data from devices. This technology could affect device performance on multi-user servers and in specific situations. To disable this technology completely, disable the Advanced IOA toggle.
Disabling advanced IOAs individually does not disable the technology and does not substantially improve performance.
Information associated with IOAs
From the Indicators of attack (IOA) list, click the icon next to the name of an IOA. A dialog box opens that shows information about the IOA (name, risk, description, recommendations, MITRE, etc.). For more information, see Fields on the IOA Details page.
Automatic response to RDP attacks
Field | Description |
---|---|
Response on workstations | |
Response on servers | |
Trusted IPs
Enter a list of IP addresses for computers you consider secure. These IPs are reported but not blocked. You can enter individual IP addresses separated by commas, or IP address ranges separated by a dash.
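To sanity-check a Trusted IPs entry before saving it, and to see how the "reported but not blocked" rule interacts with RDP brute-force detection, here is an added Python example (not Cytomic code). The IP list, the failed-login sample and the failure threshold are constructed assumptions; the product's real detection threshold is not stated on this page.

```python
import ipaddress
from collections import Counter

def parse_trusted_ips(text):
    """Parse the Trusted IPs field format described above: single IPv4
    addresses separated by commas, or ranges written as start-end.
    Returns a list of (low, high) address pairs; a single IP is (ip, ip)."""
    entries = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end precedes start: {item}")
            entries.append((lo, hi))
        else:
            addr = ipaddress.IPv4Address(item)  # raises ValueError on junk
            entries.append((addr, addr))
    return entries

def trusted_address_count(entries):
    """How many addresses the list exempts from blocking. A surprisingly
    large number usually means an over-broad range was typed by mistake."""
    return sum(int(hi) - int(lo) + 1 for lo, hi in entries)

def is_trusted(ip, entries):
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in entries)

def classify_sources(failed_logins, entries, threshold):
    """Per source IP: 'block' when failures reach the threshold and the
    source is untrusted, 'report' when it reaches the threshold but is
    trusted (reported, not blocked), otherwise 'ok'. Threshold is assumed."""
    result = {}
    for ip, n in Counter(failed_logins).items():
        if n < threshold:
            result[ip] = "ok"
        elif is_trusted(ip, entries):
            result[ip] = "report"
        else:
            result[ip] = "block"
    return result

# Constructed sample data (documentation ranges, not real hosts).
TRUSTED_IPS = "192.0.2.10, 198.51.100.1-198.51.100.20"
FAILED_LOGINS = ["203.0.113.7"] * 8 + ["192.0.2.10"] * 8 + ["198.51.100.5"] * 2
ASSUMED_THRESHOLD = 5

if __name__ == "__main__":
    entries = parse_trusted_ips(TRUSTED_IPS)
    print("addresses exempt from blocking:", trusted_address_count(entries))
    print(classify_sources(FAILED_LOGINS, entries, ASSUMED_THRESHOLD))
```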