Managing indicators of attack
Enabling and configuring the detection of IOAs
By default, Advanced EDR assigns an indicators of attack (IOA) settings profile to all computers on the network, with all types of IOAs enabled by default. To disable the detection of a specific type of IOA:
- From the top menu, select Settings. From the side menu, select Indicators of attack (IOA).
- Click the Add button. The Add settings page opens.
- Select the IOAs that Advanced EDR must search for in the telemetry generated by the computers.
  To select specific advanced indicators of attack, you must enable all of them by clicking the toggle.
- Select the computers that you want to receive the new settings profile. Click OK.
For more information about how to manage settings profiles, see Managing settings.
Grouping of indicators of attack
To prevent too many detections in the console, the security solution groups two or more equal IOAs into one detection. The number of actual occurrences shows in the Detected occurrences field of the IOA details page (see Details page). To group two or more equal IOAs, they must be:
- The same type.
- Detected on the same computer.
- Detected close to each other in time.
The grouping algorithm that is used varies depending on the type of IOA and on whether the computer is in Audit mode. For more information about how to enable or disable Audit mode, see Audit mode.
Standard IOA grouping algorithm (Audit mode disabled)
- The solution logs the first IOA and sets the Detected occurrences field to 1.
- Equal IOAs detected in the six hours after the first IOA was logged are grouped together. The solution sends an IOA detection at the end of each six-hour interval. The Detected occurrences field indicates the total number of IOAs detected.
- If the solution does not log an equal IOA within a six-hour interval, then it does not send an IOA detection for the interval.
- After four intervals (24 hours), the process starts again.
Advanced IOA grouping algorithm (Audit mode disabled)
- The solution logs the first IOA and sets the Detected occurrences field to 1.
- Equal IOAs detected in each one-hour interval after the first IOA was logged are grouped together. The solution sends an IOA detection at the end of each one-hour interval. The Detected occurrences field indicates the total number of IOAs detected.
- If the solution does not log an equal IOA within a one-hour interval, then it does not send an IOA detection for the interval.
- After 24 hours, the process starts again.
Advanced IOA grouping algorithm (Audit mode enabled)
Advanced IOAs are not grouped if the computer is in Audit mode. The solution sends a detection for each IOA detected on a computer in Audit mode (the Detected occurrences field is set to 1).
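The three grouping behaviours above (standard: four six-hour intervals; advanced: twenty-four one-hour intervals; Audit mode: no grouping) are easy to misread when deciding how many console detections a burst of telemetry will produce. The simulation below is an added example, not the vendor's code, and it makes these assumptions where the text is silent: a group is keyed on (IOA type, computer); intervals are measured from the first IOA of a cycle; the Detected occurrences value sent for an interval is the number of equal IOAs seen in that interval; and after the fixed number of intervals the next IOA opens a fresh cycle. The sample telemetry is constructed.

```python
# Added example (not the vendor's code): simulation of the IOA grouping
# algorithms. Assumptions: group key = (IOA type, computer); intervals are
# measured from the first IOA of a cycle; the occurrences value sent for an
# interval is the count of equal IOAs in that interval; after the cycle's
# last interval the next IOA opens a new cycle.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

HOUR = timedelta(hours=1)

# (interval length, intervals per cycle), as described in the text
STANDARD = (6 * HOUR, 4)   # 4 x 6 h = 24 h cycle
ADVANCED = (HOUR, 24)      # 24 x 1 h = 24 h cycle


@dataclass(frozen=True)
class Ioa:
    ioa_type: str
    computer: str
    seen_at: datetime


Detection = Tuple[str, str, datetime, int]  # (type, computer, sent_at, occurrences)


def group_ioas(events: List[Ioa], interval: timedelta, per_cycle: int,
               audit_mode: bool = False) -> List[Detection]:
    """Collapse equal IOAs into per-interval detections, or one per IOA in Audit mode."""
    by_key: Dict[Tuple[str, str], List[datetime]] = {}
    for e in sorted(events, key=lambda e: e.seen_at):
        by_key.setdefault((e.ioa_type, e.computer), []).append(e.seen_at)

    detections: List[Detection] = []
    for (ioa_type, computer), times in by_key.items():
        if audit_mode:
            # Audit mode: no grouping, every IOA is sent with occurrences = 1
            detections.extend((ioa_type, computer, t, 1) for t in times)
            continue
        i = 0
        while i < len(times):
            cycle_start = times[i]            # the first IOA opens a cycle
            cycle_end = cycle_start + interval * per_cycle
            counts = [0] * per_cycle
            while i < len(times) and times[i] < cycle_end:
                counts[(times[i] - cycle_start) // interval] += 1
                i += 1
            for k, n in enumerate(counts):
                if n:                         # silent intervals send nothing
                    detections.append((ioa_type, computer,
                                       cycle_start + interval * (k + 1), n))
    return sorted(detections, key=lambda d: (d[2], d[0], d[1]))


# Constructed sample telemetry: five equal IOAs on WS-01, one on WS-02.
T0 = datetime(2024, 1, 1, 0, 0)
SAMPLE_EVENTS = [
    Ioa("ioa-type-A", "WS-01", T0),
    Ioa("ioa-type-A", "WS-01", T0 + timedelta(minutes=30)),
    Ioa("ioa-type-A", "WS-01", T0 + 2 * HOUR),
    Ioa("ioa-type-A", "WS-01", T0 + 7 * HOUR),
    Ioa("ioa-type-A", "WS-01", T0 + 25 * HOUR),   # past the 24 h cycle: new cycle
    Ioa("ioa-type-A", "WS-02", T0 + timedelta(minutes=10)),
]


def standard_detections() -> List[Detection]:
    return group_ioas(SAMPLE_EVENTS, *STANDARD)


def advanced_detections() -> List[Detection]:
    return group_ioas(SAMPLE_EVENTS, *ADVANCED)


def audit_detections() -> List[Detection]:
    return group_ioas(SAMPLE_EVENTS, *ADVANCED, audit_mode=True)


if __name__ == "__main__":
    for name, dets in (("standard", standard_detections()),
                       ("advanced", advanced_detections()),
                       ("audit", audit_detections())):
        print(name)
        for ioa_type, computer, sent_at, n in dets:
            print(f"  {sent_at:%Y-%m-%d %H:%M} {computer} {ioa_type} occurrences={n}")
```

Running it shows why the console count differs from the raw telemetry count: the same six events yield four standard detections, five advanced detections, and six Audit-mode detections.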
RDP attack IOA grouping algorithm
For more information about the network attack detection algorithm, see Detection and protection against RDP attacks.
If the same network attack is repeated several times, Advanced EDR reports a maximum of 50 incidents every 24 hours for each computer. For two or more network attack IOAs to be considered the same, they must meet all these conditions:
- The target computer must be the same.
- The process involved on the target computer must be the same. Depending on the stage of the attack, this is the process that listens for the operating system RDP requests or any other process that is run remotely on the computer after a successful login preceded by multiple failed login attempts.
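The reporting cap above means a sustained brute-force campaign against one host does not flood the console; it also means an analyst reading 50 incidents should expect that the true count may be higher. The simulation below is an added example, not the vendor's code. It assumes that two network-attack IOAs are "the same" when target computer and involved process match, that the 24-hour window is a fixed window opened by the first reported incident for that pair, and that the next incident after the window closes opens a new one. The incident records and process labels are constructed placeholders.

```python
# Added example (not the vendor's code): simulation of the "at most 50
# incidents per 24 hours" cap for repeated network-attack IOAs.
# Assumptions: sameness = (target computer, involved process); a fixed 24 h
# window starts at the first reported incident of each pair.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_INCIDENTS_PER_WINDOW = 50
WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class RdpIncident:
    target: str      # computer that received the RDP attack
    process: str     # RDP listener, or process run remotely after login
    seen_at: datetime


def apply_report_cap(incidents: List[RdpIncident]) -> Tuple[List[RdpIncident], int]:
    """Return (incidents that would be reported, number suppressed by the cap)."""
    windows: Dict[Tuple[str, str], Tuple[Optional[datetime], int]] = {}
    reported: List[RdpIncident] = []
    suppressed = 0
    for inc in sorted(incidents, key=lambda i: i.seen_at):
        key = (inc.target, inc.process)
        start, count = windows.get(key, (None, 0))
        if start is None or inc.seen_at >= start + WINDOW:
            start, count = inc.seen_at, 0      # open a fresh 24 h window
        if count < MAX_INCIDENTS_PER_WINDOW:
            reported.append(inc)
            count += 1
        else:
            suppressed += 1                    # same attack, over the cap
        windows[key] = (start, count)
    return reported, suppressed


# Constructed sample: 70 hits on the RDP listener of SRV-01 within 12 hours,
# 5 incidents involving a different process, and 3 more listener hits after
# the first window has closed.
T0 = datetime(2024, 1, 1, 0, 0)
LISTENER = "rdp-listener-process"   # placeholder label, not a real process name
REMOTE = "remote-shell-process"     # placeholder label, not a real process name
SAMPLE_INCIDENTS = (
    [RdpIncident("SRV-01", LISTENER, T0 + timedelta(minutes=10 * k)) for k in range(70)]
    + [RdpIncident("SRV-01", REMOTE, T0 + timedelta(hours=k)) for k in range(5)]
    + [RdpIncident("SRV-01", LISTENER, T0 + timedelta(hours=25, minutes=k)) for k in range(3)]
)


def summarize(incidents: List[RdpIncident]) -> Tuple[Dict[Tuple[str, str], int], int]:
    """Reported incidents per (target, process) pair, plus the suppressed total."""
    reported, suppressed = apply_report_cap(incidents)
    per_key: Dict[Tuple[str, str], int] = {}
    for inc in reported:
        per_key[(inc.target, inc.process)] = per_key.get((inc.target, inc.process), 0) + 1
    return per_key, suppressed


if __name__ == "__main__":
    per_key, suppressed = summarize(SAMPLE_INCIDENTS)
    for (target, process), n in per_key.items():
        print(f"{target} / {process}: {n} reported")
    print(f"suppressed by cap: {suppressed}")
```

For the constructed sample, the listener pair is reported 50 times in the first window plus 3 times in the second, the other process pair is reported 5 times, and 20 repeats are suppressed.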
Viewing all IOAs detected on a network
- From the top menu, select Status. From the side menu, select Indicators of attack (IOA).
- At the top of the page, select the time period to show.
- The Threat Hunting Service widget shows the events, indicators, and indicators of attack detected during that period.
- Click the Indicators of attack area. The Indicators of attack (IOA) list opens. This list shows all the IOAs detected during the selected period.
For more information about this widget, see Threat Hunting Service.
Finding all computers where a specific IOA was detected
- From the top menu, select Status. From the side menu, select Indicators of attack (IOA).
- In the Detected indicators of attack (IOA) or Indicators of attack (IOA) mapped to the MITRE ATT&CK matrix panel, click a type of IOA.
- The Indicators of attack (IOA) list opens filtered by the specified type of attack.
For more information about these widgets, see Indicators of attack (IOA) mapped to the MITRE ATT&CK matrix and Indicators of attack (IOA).
Finding all IOAs detected on a computer
- From the top menu, select Status. From the side menu, select Indicators of attack (IOA).
- In the Indicators of attack (IOA) by computer panel, select a computer. The Indicators of attack (IOA) list opens filtered by the selected computer.
For more information about this widget, see Indicators of attack (IOA) by computer.
Finding computers and related IOAs
Each IOA shown in the indicators of attack (IOA) list has a context menu with these options:
- View the IOAs detected on this computer: Shows the Indicators of attack (IOA) list filtered by the Computer field.
- View the computers on which this IOA was detected: Shows the Indicators of attack (IOA) list filtered by the Indicator of attack field.
For more information about these lists, see Indicators of attack (IOA) module lists.
Archiving one or more indicators of attack
When the event that triggered an IOA is resolved, or when it is found to be a false positive, you can archive the IOA:
- From the top menu, select Status. From the side menu, click the Add link in My lists. The Add list window opens and shows the available templates.
- In the Security section, select the Indicators of attack (IOA) template. The list of IOAs detected opens without filters.
- Click the context menu for the indicator you want to archive. Select Archive IOA. The status of the indicator of attack changes to Archived.
Or:
- Select the checkboxes for the indicators of attack you want to archive.
- In the toolbar, click Archive IOA. The status of the indicators of attack changes to Archived.
Marking one or more IOAs as pending
Advanced EDR marks detected IOAs as pending to indicate they require attention. Additionally, when you have not analyzed or resolved the pattern of an IOA, you can mark the IOA as pending further review.
- From the top menu, select Status. From the side menu, click the Add link in My lists. The Add list window opens and shows the available templates.
- In the Security section, select the Indicators of attack (IOA) template. The list opens with no filters.
- Set the required filters and click the Filter button.
- Click the indicator context menu. Select Mark IOA as pending. The indicator status changes to Pending.
Or:
- Select the checkboxes for the indicators of attack you want to mark as pending.
- In the toolbar, click Mark IOA as pending. The status of the indicators of attack changes to Pending.
Showing details of an IOA and recommendations for resolving the issue
- From the top menu, select Status. From the side menu, click the Add link in My lists. The Add list window opens and shows the available templates.
- In the Security section, select the Indicators of attack (IOA) template. The list opens with no filters.
- Set the required filters and click the Filter button.
- From the list, select an indicator of attack. The Details page opens. See Details page.