Configuring indicators of attack (IOA)
Accessing the settings
- Click the Settings menu at the top of the console.
- Click Indicators of attack (IOA) from the side menu.
- Click Add. The Add settings page opens.
You can assign Indicators of attack (IOA) settings profiles to Windows, Linux, and macOS workstations and servers.
Required permissions
Permission | Access type |
---|---|
Configure indicators of attack (IOA) | Create, edit, delete, copy, or assign Indicators of attack (IOA) settings profiles. |
View indicators of attack (IOA) settings | View the Indicators of attack (IOA) settings profiles defined. |
Indicators of attack (IOA) settings options
Use the toggle next to each IOA to enable or disable monitoring for it:
Field | Description |
---|---|
Brute-force attack against RDP / Credentials compromised after brute-force attack on RDP | Detects large numbers of remote login attempts over the RDP protocol. |
Other IOAs | Cytomic periodically updates the list of indicators of attack to reflect the new strategies used by cybercriminals. |
Advanced indicators of attack | List of the advanced indicators of attack you want to search for on workstations and servers. Available only for Windows computers. |
Enabling and disabling advanced IOA technology
Advanced IOA generation leverages new technologies and collects more telemetry data from devices. This technology could affect device performance on multi-user servers and in specific situations. To disable this technology completely, turn off the Advanced IOA toggle.
Disabling individual advanced IOAs does not disable the underlying technology and does not substantially improve performance; only the Advanced IOA toggle does.
Information associated with IOAs
From the Indicators of attack and behavior list, click the icon next to the name of an IOA. A window opens that shows information about the IOA (name, risk, description, recommendations, MITRE, etc.). For more information, see Fields in the IOA details page.
Automatic response to RDP attacks
Field | Description |
---|---|
Response on workstations | |
Response on servers | |
Trusted IPs
Enter the list of IPs of the computers that you consider secure. RDP connections originating from a listed IP are not blocked, but they still generate indicators on the Indicators of attack (IOA) dashboard. Separate individual IPs with commas, and write a range as its first and last address joined by a hyphen.
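As an added example, not Cytomic's code or the product's detection logic, the following Python script shows both the Trusted IPs list format described above and the kind of threshold detection behind the "Brute-force attack against RDP" IOA: it parses a comma-separated list of IPs and hyphenated ranges, counts failed RDP logons per source address within a sliding window over constructed Windows Security events (event 4625, logon type 10), and marks hits from trusted sources as indicator-only instead of block, mirroring the Trusted IPs behaviour. The log line format, the threshold and window values, and all function names are assumptions made for this example; the page does not document the product's actual thresholds.

```python
"""Added example: trusted-IP list parsing plus a simple RDP brute-force detector.

Not Cytomic code. The event format, threshold and window are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta


def parse_trusted_ips(text: str) -> list[tuple[int, int]]:
    """Parse '10.0.0.1, 10.0.0.10-10.0.0.20' (commas separate entries, a hyphen
    joins the first and last address of a range) into inclusive integer ranges."""
    ranges: list[tuple[int, int]] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = (p.strip() for p in item.split("-", 1))
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
            if hi < lo:
                raise ValueError(f"range end precedes start: {item!r}")
        else:
            lo = hi = ipaddress.IPv4Address(item)  # raises on malformed input
        ranges.append((int(lo), int(hi)))
    return ranges


def is_trusted(ip: str, ranges: list[tuple[int, int]]) -> bool:
    """True if ip falls inside any parsed trusted entry or range."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


# Constructed sample: simplified Windows Security events (assumed format).
# EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=administrator
2024-05-01T10:00:03 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=admin
2024-05-01T10:00:05 EventID=4625 LogonType=10 SourceIP=198.51.100.3 User=jsmith
2024-05-01T10:00:06 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=root
2024-05-01T10:00:08 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=test
2024-05-01T10:00:09 EventID=4624 LogonType=10 SourceIP=198.51.100.3 User=jsmith
2024-05-01T10:00:10 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=guest
2024-05-01T10:00:11 EventID=4625 LogonType=3 SourceIP=203.0.113.9 User=svc
2024-05-01T10:00:20 EventID=4625 LogonType=10 SourceIP=10.0.0.12 User=backup
2024-05-01T10:00:21 EventID=4625 LogonType=10 SourceIP=10.0.0.12 User=backup
2024-05-01T10:00:22 EventID=4625 LogonType=10 SourceIP=10.0.0.12 User=backup
2024-05-01T10:00:23 EventID=4625 LogonType=10 SourceIP=10.0.0.12 User=backup
2024-05-01T10:00:24 EventID=4625 LogonType=10 SourceIP=10.0.0.12 User=backup
2024-05-01T10:05:00 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=administrator
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"SourceIP=(?P<ip>\S+) User=(?P<user>\S+)$"
)


def detect_rdp_bruteforce(lines, trusted, threshold=5, window=timedelta(seconds=60)):
    """Emit one alert per burst of `threshold` failed RDP logons from one source
    inside `window`. Trusted sources still produce an indicator, but the action
    is 'indicator-only' rather than 'block'."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m["eid"] != "4625" or m["lt"] != "10":
            continue  # not a failed RDP logon; ignored
        ts = datetime.fromisoformat(m["ts"])
        bucket = failures[m["ip"]]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:  # slide the window forward
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts.append({
                "ip": m["ip"],
                "count": len(bucket),
                "last_seen": ts,
                "action": "indicator-only" if is_trusted(m["ip"], trusted) else "block",
            })
            bucket.clear()  # one alert per burst, not one per extra failure
    return alerts


if __name__ == "__main__":
    trusted = parse_trusted_ips("10.0.0.1, 10.0.0.10-10.0.0.20, 192.168.5.40")
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines(), trusted):
        print(alert)
```

With the constructed events, 203.0.113.7 reaches five failures inside a minute and is reported with action "block"; 10.0.0.12 also reaches five failures but sits inside the 10.0.0.10-10.0.0.20 trusted range, so it is reported as "indicator-only"; the two failures from 198.51.100.3 and the non-RDP (logon type 3) failures from 203.0.113.9 produce nothing. Trusting by source IP only makes sense for addresses that are static and not shared through NAT with hosts you do not control.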