Searching for IOCs on the network

Advanced EDR enables you to use its task engine to configure and run IOC searches on the computers on your network. You can access this engine from the Tasks menu and from the IOC gallery section. See Tasks for more information about how to manage tasks in Advanced EDR.

Permissions required to manage Detect IOCs tasks

To manage Detect IOCs tasks, the user account used to access the web console must have the Search for and manage IOCs permission assigned to its role. For more information about the permission system, see Understanding permissions.

Accessing the IOC search

You can perform searches only with pre-approved IOCs.

From the Tasks menu
  • Select Tasks in the top menu. Click Add task. Select Search for IOCs.

From the IOC gallery list
  • Select Settings in the top menu. Select IOC gallery from the side panel.

  • Use the checkboxes to select the IOC or group of IOCs you want to search for.

  • To search for IOCs, if you have selected a single item, click the computer’s context menu and select Search for IOCs. If you have selected more than one, select Search for IOCs in the toolbar above. A new IOC search task is created. For more information about how to configure it, see Configuring an IOC search task.

Configuring an IOC search task

  • Enter general details about the task in the Name and Description fields.

  • Click the Recipients (No recipients selected yet) link. A page opens where you can select the computers to receive the configured task. Click Close to save the task.

  • Select the types of computers that will receive the task: Workstation, Laptop, or Server.

  • Click the button to add individual computers or computer groups. Click the button to remove them.

  • Click the View computers button to view the computers that will receive the task.

  • Schedule the task timing:

    • Starts: Indicate the task start date/time.

      • As soon as possible (selected): The task is launched immediately provided the computer is available (turned on and accessible from the cloud), or as soon as it becomes available within the time interval specified if the computer is turned off.

      • As soon as possible (cleared): The task is launched on the date selected in the calendar. Specify whether the time on the computer or the Advanced EDR server time should be considered.

      • If the computer is turned off: If the computer is turned off or cannot be accessed, the task will not run. The task scheduler enables you to set the task expiration time, from 0 (the task expires immediately if the computer is not available) to infinite (the task is always active and waits indefinitely for the computer to be available). The options are:

        • Do not run: The task is immediately canceled if the computer is not available at the scheduled time.

        • Run the task as soon as possible, within: Define a time interval during which the task will be run if the computer becomes available.

        • Run when the computer is turned on: There is no time limit. The solution waits indefinitely for the computer to be available to launch the task.

      Task launch parameters

    • Maximum run time: Indicate the maximum time that the task can take to complete. After that time, the task is canceled and returns an error.

      • No limit: There is no time limit for the task to complete.

      • 1, 2, 8, or 24 hours: There is a time limit for the task to complete. After that time, if the task has not finished, it is canceled and returns an error.

      Task duration parameters

  • Click Save. The task is added to the list of configured tasks. However, it shows the Unpublished label, meaning that it is not yet active.

  • To publish a task, click the Publish button. The task is added to the Advanced EDR task scheduler, which launches it in accordance with its settings.

Priority of IOC search tasks

The behavior of a new IOC search task depends on the task already running on the computer:

  • Detection of IOCs: Waits for the search task in progress to finish and then runs the new task.

  • Patch installation: The IOC search task is run concurrently with the patch installation task. The patch installation task is not interrupted, as this could represent a risk for the integrity of the system.

  • Scan or disinfection: The scan or disinfection task is canceled and the IOC search task is run. Scan or disinfection tasks created while an IOC search task is running are not run until the IOC search task is complete.

  • Cytomic Data Watch search: The IOC search task is run without canceling or stopping the Cytomic Data Watch task.

  • Cytomic Data Watch indexing: The IOC search task is run and the Cytomic Data Watch task is temporarily stopped.

Priority order when running IOC search tasks

Behavior of IOC search tasks with respect to system restarts

Search tasks are automatically canceled and, when possible, restarted from scratch on the user's computer in these cases:

  • When the administrator requests a restart of the computer from the web console.

  • When the local user requests a restart of the computer locally from the computer itself.

  • When the computer is restarted automatically to update any components of the security software installed.
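The scheduling rules above (the expiration interval from 0 to infinite, the maximum run time, and the cancel-and-restart behavior on a reboot) are easy to misread when planning a search against computers that are often powered off. The following Python model is an added illustration written for this page; it is not Advanced EDR code and does not call any Advanced EDR API. It assumes a computer's availability is known as a list of (on, off) time windows in hours, that a restart makes the computer unavailable until its next window, and that a task restarted after a reboot needs its full duration again. All names, settings objects and sample timelines are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Window = Tuple[float, float]  # (turned on, turned off), hours; end is exclusive


@dataclass
class TaskSettings:
    """Constructed stand-in for the task scheduler settings described above."""
    start: float                    # scheduled start time, hours
    expire_within: Optional[float]  # 0 = "Do not run"; n = "run within n hours";
                                    # None = "Run when the computer is turned on" (no limit)
    max_run_time: Optional[float]   # None = "No limit"; otherwise 1, 2, 8 or 24 hours


def first_availability(windows: Sequence[Window], t: float) -> Optional[float]:
    """Earliest time >= t at which the computer is on, or None if it never is."""
    for on, off in sorted(windows):
        if off <= t:  # window already closed before t
            continue
        return max(on, t)
    return None


def plan_launch(settings: TaskSettings, windows: Sequence[Window]):
    """Decide whether the task launches, following the 'If the computer is turned off' rules.

    Returns ('launched', time), ('not_run', 'expired') or ('waiting', None).
    """
    t = first_availability(windows, settings.start)
    if t is None:
        # Never available: an unlimited task keeps waiting, any other expires.
        return ("waiting", None) if settings.expire_within is None else ("not_run", "expired")
    delay = t - settings.start
    # Available at the scheduled time, no expiration limit, or back within the interval.
    if delay == 0 or settings.expire_within is None or delay <= settings.expire_within:
        return ("launched", t)
    return ("not_run", "expired")  # expire_within == 0 ends up here whenever delay > 0


def simulate(settings: TaskSettings, windows: Sequence[Window],
             duration: float, restarts: Sequence[float] = ()):
    """Run the launch decision, then apply restart and maximum-run-time behavior.

    Returns (outcome, start_of_final_run). A restart during the run cancels it and
    restarts it from scratch at the computer's next availability.
    """
    status, t = plan_launch(settings, windows)
    if status != "launched":
        return (status, None)
    run_start = t
    for r in sorted(restarts):
        if run_start <= r < run_start + duration:
            run_start = first_availability(windows, r)
            if run_start is None:
                return ("canceled", None)
    if settings.max_run_time is not None and duration > settings.max_run_time:
        return ("canceled_with_error", run_start)
    return ("completed", run_start)


if __name__ == "__main__":
    # Constructed timeline: the computer is on from hour 10 to hour 20 only.
    windows: List[Window] = [(10.0, 20.0)]
    print(plan_launch(TaskSettings(5.0, 3.0, None), windows))    # expired: back after 5 h > 3 h
    print(plan_launch(TaskSettings(5.0, None, None), windows))   # launched at 10.0
    print(simulate(TaskSettings(5.0, None, 1.0), windows, 2.0))  # canceled_with_error at 10.0
```

Reading the model against the table: a "Do not run" task (expire_within of 0) only ever launches when the computer is already available at the scheduled start, while "Run when the computer is turned on" never expires but can sit in the waiting state indefinitely, which is worth remembering when a search seems to have stalled.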

Behavior when an IOC search task is canceled manually

If the administrator manually interrupts the task from the web console, the behavior is as follows:

  • The IOC search stops as soon as possible on the target computer.

  • The detection results up until the time of cancellation are recorded.